From 58612dbbef39ec0390caa48f06c9a2f34cdbbc3e Mon Sep 17 00:00:00 2001 From: Christopher Co <35273088+christopherco@users.noreply.github.com> Date: Tue, 30 Jul 2024 09:52:42 -0700 Subject: [PATCH 01/43] Patch waagent.conf to add firewall rules (#8335) Add EnableFirewall flag to waagent.conf to protect access to Azure host node services --- SPECS/WALinuxAgent/WALinuxAgent.spec | 8 +++++-- SPECS/WALinuxAgent/add_firewall_rules.patch | 24 +++++++++++++++++++++ 2 files changed, 30 insertions(+), 2 deletions(-) create mode 100644 SPECS/WALinuxAgent/add_firewall_rules.patch diff --git a/SPECS/WALinuxAgent/WALinuxAgent.spec b/SPECS/WALinuxAgent/WALinuxAgent.spec index da639121d6..df21f132a8 100644 --- a/SPECS/WALinuxAgent/WALinuxAgent.spec +++ b/SPECS/WALinuxAgent/WALinuxAgent.spec @@ -1,7 +1,7 @@ Summary: The Windows Azure Linux Agent Name: WALinuxAgent Version: 2.3.1.1 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -11,6 +11,7 @@ Source0: https://github.com/Azure/WALinuxAgent/archive/refs/tags/v%{versi Source1: ephemeral-disk-warning.service Source2: ephemeral-disk-warning.conf Source3: ephemeral-disk-warning +Patch0: add_firewall_rules.patch BuildRequires: python3-distro BuildRequires: python3-setuptools BuildRequires: python3-xml @@ -38,7 +39,7 @@ VMs in the Windows Azure cloud. This package should be installed on Linux disk images that are built to run in the Windows Azure environment. %prep -%setup -q -n %{name}-%{version} +%autosetup -n %{name}-%{version} -p1 %pre -p /bin/sh @@ -90,6 +91,9 @@ python3 setup.py check && python3 setup.py test %{python3_sitelib}/* %changelog +* Tue Jan 30 2024 Nan Liu - 2.3.1.1-4 +- Patch waagent.conf to add firewall rules to protect access to Azure host node + * Tue Nov 10 2022 Nan Liu - 2.3.1.1-3 - Add ephemeral-disk-warning.service 
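Review bot: Turning on `OS.EnableFirewall=y` through Patch0 makes the agent manage packet-filter rules at runtime, yet these spec hunks add no runtime dependency for the tool that programs them; only BuildRequires lines are visible here, so I cannot tell whether a `Requires:` on iptables/nftables already exists further down the spec. If the agent shells out to an external firewall binary that is absent from a minimal image, the setting would presumably degrade to a logged error rather than an enforced rule, which is worse than a build-time failure. Please confirm which binary the packaged agent version invokes and, if it is not already pulled in, add `Requires: iptables` (or the actual tool) next to the existing Requires block. The new changelog entry is dated Jan 30 2024 while the commit lands Jul 30 2024; ordering is still valid, but the date should match when the -4 release is actually cut.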
diff --git a/SPECS/WALinuxAgent/add_firewall_rules.patch b/SPECS/WALinuxAgent/add_firewall_rules.patch new file mode 100644 index 0000000000..9e8ac29d06 --- /dev/null +++ b/SPECS/WALinuxAgent/add_firewall_rules.patch @@ -0,0 +1,24 @@ +From 9ac40d805925f130283ed54f3cbb424afad41461 Mon Sep 17 00:00:00 2001 +From: Nan Liu +Date: Tue, 30 Jan 2024 17:58:36 +0000 +Subject: [PATCH] Add firewall rules to protect access to Azure host node + services + +--- + config/mariner/waagent.conf | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/config/mariner/waagent.conf b/config/mariner/waagent.conf +index 65da131..cda61de 100644 +--- a/config/mariner/waagent.conf ++++ b/config/mariner/waagent.conf +@@ -78,3 +78,6 @@ AutoUpdate.GAFamily=Prod + # handling until inVMArtifactsProfile.OnHold is false. + # Default is disabled + # EnableOverProvisioning=n ++ ++# Add firewall rules to protect access to Azure host node services ++OS.EnableFirewall=y +-- +2.25.1 + From dc4b0b34f99508b5ef482ae9eb3b2816254214c7 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Thu, 1 Aug 2024 01:42:47 -0700 Subject: [PATCH 02/43] [AUTO-CHERRYPICK] libcontainers-common: patch CVE-2021-43565 - branch main (#9975) Co-authored-by: Archana Choudhary <36061892+arc9693@users.noreply.github.com> --- .../libcontainers-common/CVE-2021-43565.patch | 56 +++++++++++++++++++ .../libcontainers-common.spec | 8 ++- 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 SPECS/libcontainers-common/CVE-2021-43565.patch diff --git a/SPECS/libcontainers-common/CVE-2021-43565.patch b/SPECS/libcontainers-common/CVE-2021-43565.patch new file mode 100644 index 0000000000..b7e53a2580 --- /dev/null +++ b/SPECS/libcontainers-common/CVE-2021-43565.patch 
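Review bot: The new `OS.EnableFirewall=y` is appended at the very end of config/mariner/waagent.conf instead of editing an existing key, and the three context lines do not show whether the file already defines `OS.EnableFirewall` earlier (upstream waagent.conf templates commonly ship it commented out or set to `n`). A duplicate key leaves the effective value to whichever occurrence the agent's config parser keeps, so please confirm the key is absent or change it in place. The comment `# Add firewall rules to protect access to Azure host node services` repeats the commit subject; it would serve image builders better if it named what the packaged agent actually installs (which host endpoint is restricted and for which users), to be filled in from the agent code rather than assumed here.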
@@ -0,0 +1,56 @@ +From 5770296d904e90f15f38f77dfc2e43fdf5efc083 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 9 Nov 2021 11:45:57 -0800 +Subject: [PATCH] ssh: don't assume packet plaintext size + +When reading GCM and ChaChaPoly1305 packets, don't make assumptions +about the size of the enciphered plaintext. This fixes two panics +caused by standards non-compliant malformed packets. + +Thanks to Rod Hynes, Psiphon Inc. for reporting this issue. + +Fixes golang/go#49932 +Fixes CVE-2021-43565 + +Change-Id: I660cff39d197e0d04ec44d11d792b22d954df2ef +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1262659 +Reviewed-by: Katie Hockman +Reviewed-by: Julie Qiu +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/368814 +Trust: Roland Shoemaker +Trust: Katie Hockman +Run-TryBot: Roland Shoemaker +TryBot-Result: Gopher Robot +Reviewed-by: Julie Qiu +Reviewed-by: Katie Hockman +--- + ssh/cipher.go | 8 ++++ + ssh/cipher_test.go | 100 +++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 108 insertions(+) + +diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go +index bddbde5dbd..f8bdf4984c 100644 +--- a/vendor/golang.org/x/crypto/ssh/cipher.go ++++ b/vendor/golang.org/x/crypto/ssh/cipher.go +@@ -394,6 +394,10 @@ func (c *gcmCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error) + } + c.incIV() + ++ if len(plain) == 0 { ++ return nil, errors.New("ssh: empty packet") ++ } ++ + padding := plain[0] + if padding < 4 { + // padding is a byte, so it automatically satisfies +@@ -710,6 +714,10 @@ func (c *chacha20Poly1305Cipher) readCipherPacket(seqNum uint32, r io.Reader) ([ + plain := c.buf[4:contentEnd] + s.XORKeyStream(plain, plain) + ++ if len(plain) == 0 { ++ return nil, errors.New("ssh: empty packet") ++ } ++ + padding := plain[0] + if padding < 4 { + // padding is a byte, so it automatically satisfies 
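Review bot: The patch header's diffstat (`ssh/cipher_test.go | 100 +++…`, `2 files changed, 108 insertions(+)`) does not match the body, which carries only the two `cipher.go` hunks; the upstream test additions were evidently dropped when the paths were rewritten to `vendor/golang.org/x/crypto/ssh/`, which is expected because vendored modules do not carry `_test.go` files. `%patch` ignores the diffstat so the build is unaffected, but the stale stat misleads anyone auditing how much of upstream 5770296d was backported. Please regenerate the stat (or trim it to `ssh/cipher.go | 8 ++++`) and add one sentence to the header stating that the upstream tests were intentionally omitted. The two `if len(plain) == 0` guards match upstream and sit before the first `plain[0]` read in both readCipherPacket bodies, which otherwise begin and end outside the hunk.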
diff --git a/SPECS/libcontainers-common/libcontainers-common.spec b/SPECS/libcontainers-common/libcontainers-common.spec index 8172b4094a..40853cdd17 100644 --- a/SPECS/libcontainers-common/libcontainers-common.spec +++ b/SPECS/libcontainers-common/libcontainers-common.spec @@ -26,7 +26,7 @@ Summary: Configuration files common to github.com/containers Name: libcontainers-common Version: 20210626 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 AND GPLv3 Vendor: Microsoft Corporation Distribution: Mariner @@ -50,6 +50,7 @@ Source10: containers.conf Patch0: CVE-2021-44716.patch #Note (mfrw): The patch for CVE-2024-37298 only applies to podman. Patch1: CVE-2024-37298.patch +Patch2: CVE-2021-43565.patch BuildRequires: go-go-md2man Requires(post): grep Requires(post): util-linux @@ -70,7 +71,9 @@ github.com/containers libraries, such as Buildah, CRI-O, Podman and Skopeo. %setup -q -T -D -b 9 -n common-%{commonver} %patch 0 -p1 + # copy the LICENSE file in the build root +%patch 2 -p1 -d ../podman-%{podmanver} cd .. cp %{SOURCE2} . @@ -165,6 +168,9 @@ fi %license LICENSE %changelog +* Mon Jul 29 2024 Archana Choudhary - 20210626-5 +- Patch CVE-2021-43565 + * Wed Jul 24 2024 Muhammad Falak - 20210526-4 - Address CVE-2024-37298 by patching vendored github.com/gorilla/schema From 1dcd90c10efb0dd077609486f51c050634a257c1 Mon Sep 17 00:00:00 2001 From: Archana Choudhary <36061892+arc9693@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:29:43 +0530 Subject: [PATCH 03/43] azcopy: upgrade version to 10.25.1 to fix CVE-2024-35255 (#9581) --- SPECS/azcopy/azcopy.signatures.json | 4 ++-- SPECS/azcopy/azcopy.spec | 7 +++++-- cgmanifest.json | 4 ++-- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/SPECS/azcopy/azcopy.signatures.json b/SPECS/azcopy/azcopy.signatures.json index 21680cf70f..0c4250f6ac 100644 --- a/SPECS/azcopy/azcopy.signatures.json +++ b/SPECS/azcopy/azcopy.signatures.json 
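Review bot: `%patch 2 -p1 -d ../podman-%{podmanver}` is inserted directly after the `# copy the LICENSE file in the build root` comment, so that comment now introduces the patch instead of the `cd ..` / `cp %{SOURCE2}` lines it describes; move the line up beside `%patch 0 -p1` and give Patch2 the same kind of note Patch1 has, e.g. `#Note: CVE-2021-43565 patches golang.org/x/crypto/ssh vendored in podman`. The `-d ../podman-%{podmanver}` target means only podman's vendor tree is fixed; `%setup ... -b 9` suggests several containers trees are unpacked, and if any of the others also vendor x/crypto/ssh they need the same patch, which I cannot verify from this hunk. Patch1 (`CVE-2024-37298.patch`) is declared but no `%patch 1` appears in the visible %prep context, so please confirm it is applied elsewhere in the spec.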
@@ -1,6 +1,6 @@ { "Signatures": { - "azure-storage-azcopy-10.24.0-vendor.tar.gz": "b0b0436e8e8aa280007d2daf5cb1ea06346d54e070062042c792a9fbd110e690", - "azure-storage-azcopy-10.24.0.tar.gz": "bbb09bee00207eb6e6e80a3ecf58ac39beb956c94f500b62888ed3404580430d" + "azure-storage-azcopy-10.25.1-vendor.tar.gz": "2e51019e29834b9b4ea2480fa80eaa95d2ce09601eb1be2edcf5febd927e5a4e", + "azure-storage-azcopy-10.25.1.tar.gz": "d62f0a88e8899a611d9ef627252e4379bee8530177caca081f155e28917e70d3" } } \ No newline at end of file diff --git a/SPECS/azcopy/azcopy.spec b/SPECS/azcopy/azcopy.spec index 50d3a21dc9..8e6a3fa49d 100644 --- a/SPECS/azcopy/azcopy.spec +++ b/SPECS/azcopy/azcopy.spec @@ -1,7 +1,7 @@ Summary: The new Azure Storage data transfer utility - AzCopy v10 Name: azcopy -Version: 10.24.0 -Release: 3%{?dist} +Version: 10.25.1 +Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -63,6 +63,9 @@ go test -mod=vendor %{_bindir}/azcopy %changelog +* Thu Aug 01 2024 Archana Choudhary - 10.25.1-1 +- Bump version to 10.25.1 to fix CVE-2024-35255 + * Wed Jul 17 2024 Muhammad Falak R Wani - 10.24.0-3 - Drop requirement on a specific version of golang diff --git a/cgmanifest.json b/cgmanifest.json index c7a361ff10..c96425d0a1 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -855,8 +855,8 @@ "type": "other", "other": { "name": "azcopy", - "version": "10.24.0", - "downloadUrl": "https://github.com/Azure/azure-storage-azcopy/archive/refs/tags/v10.24.0.tar.gz" + "version": "10.25.1", + "downloadUrl": "https://github.com/Azure/azure-storage-azcopy/archive/refs/tags/v10.25.1.tar.gz" } } }, From de885a996425a31123430237d55a76032fc5a19f Mon Sep 17 00:00:00 2001 
From: Daniel McIlvaney Date: Tue, 6 Aug 2024 13:11:26 -0700 Subject: [PATCH 04/43] Backport: Update toolkit's gonum to v0.15.0 (#9965) Co-authored-by: Sam Meluch <109628994+sameluch@users.noreply.github.com> --- .github/workflows/go-test-coverage.yml | 2 +- toolkit/docs/building/prerequisites-ubuntu.md | 9 +++++---- toolkit/tools/go.mod | 8 +++++--- toolkit/tools/go.sum | 13 +++++++++---- 4 files changed, 20 insertions(+), 12 deletions(-) diff --git a/.github/workflows/go-test-coverage.yml b/.github/workflows/go-test-coverage.yml index f7cd3c9542..194536f23d 100644 --- a/.github/workflows/go-test-coverage.yml +++ b/.github/workflows/go-test-coverage.yml @@ -12,7 +12,7 @@ on: permissions: read-all env: - EXPECTED_GO_VERSION: "1.20" + EXPECTED_GO_VERSION: "1.21" jobs: build: diff --git a/toolkit/docs/building/prerequisites-ubuntu.md b/toolkit/docs/building/prerequisites-ubuntu.md index 4cedf4d44e..4b78c2ea25 100644 --- a/toolkit/docs/building/prerequisites-ubuntu.md +++ b/toolkit/docs/building/prerequisites-ubuntu.md @@ -16,7 +16,8 @@ sudo apt -y install \ gawk \ genisoimage \ git \ - golang-1.20-go \ + golang-1.21-go \ + jq \ make \ parted \ pigz \ @@ -27,9 +28,9 @@ sudo apt -y install \ wget \ xfsprogs -# Fix go 1.20 link -sudo ln -vsf /usr/lib/go-1.20/bin/go /usr/bin/go -sudo ln -vsf /usr/lib/go-1.20/bin/gofmt /usr/bin/gofmt +# Fix go 1.21 link +sudo ln -vsf /usr/lib/go-1.21/bin/go /usr/bin/go +sudo ln -vsf /usr/lib/go-1.21/bin/gofmt /usr/bin/gofmt # Install and configure Docker. curl -fsSL https://get.docker.com -o get-docker.sh diff --git a/toolkit/tools/go.mod b/toolkit/tools/go.mod index 813c64241a..5f53072b21 100644 --- a/toolkit/tools/go.mod +++ b/toolkit/tools/go.mod @@ -1,6 +1,8 @@ module github.com/microsoft/azurelinux/toolkit/tools -go 1.20 +go 1.21 + +toolchain go1.21.6 require ( github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 
@@ -21,7 +23,7 @@ require ( github.com/stretchr/testify v1.9.0 github.com/ulikunitz/xz v0.5.10 golang.org/x/sys v0.21.0 - gonum.org/v1/gonum v0.14.0 + gonum.org/v1/gonum v0.15.0 gopkg.in/alecthomas/kingpin.v2 v2.2.6 gopkg.in/ini.v1 v1.67.0 gopkg.in/yaml.v3 v3.0.1 @@ -47,7 +49,7 @@ require ( github.com/rivo/uniseg v0.1.0 // indirect github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 // indirect golang.org/x/crypto v0.24.0 // indirect - golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect + golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect golang.org/x/net v0.26.0 // indirect golang.org/x/text v0.16.0 // indirect ) diff --git a/toolkit/tools/go.sum b/toolkit/tools/go.sum index 98873b8d74..88fbb4c6f2 100644 --- a/toolkit/tools/go.sum +++ b/toolkit/tools/go.sum @@ -5,6 +5,7 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmP github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo= github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.2.0 h1:Ma67P/GGprNwsslzEH6+Kb8nybI8jpDTm4Wmzu2ReK8= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.2.0/go.mod h1:c+Lifp3EDEamAkPVzMooRNOK6CZjNSdEnf1A7jsI9u4= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0 h1:nVocQV40OQne5613EeLayJiRAJuKlBGy+m22qWG+WRg= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0/go.mod h1:7QJP7dr2wznCMeqIrhMgWGf7XpAQnVrJqDm9nvV3Cu4= github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= 
@@ -46,9 +47,11 @@ github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lucasb-eyer/go-colorful v1.0.2/go.mod h1:0MS4r+7BZKSJ5mw4/S5MPN+qHFF1fYclkSPilDOKW0s= @@ -75,6 +78,7 @@ github.com/rivo/tview v0.0.0-20200219135020-0ba8301b415c/go.mod h1:/rBeY22VG2Qpr github.com/rivo/uniseg v0.1.0 h1:+2KBaVoUmb9XzDsrx/Ct0W/EYOSFf/nWTauy++DprtY= github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -88,8 +92,8 @@ github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 h1:w8V9v0qVympSF6Gj github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8= golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= -golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 h1:mchzmB1XO2pMaKFRqk/+MV3mgGG96aqaPXaMifQU47w= -golang.org/x/exp v0.0.0-20231108232855-2478ac86f678/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= +golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ= +golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/sys v0.0.0-20190626150813-e07cf5db2756/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -106,12 +110,13 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -gonum.org/v1/gonum v0.14.0 h1:2NiG67LD1tEH0D7kM+ps2V+fXmsAnpUeec7n8tcr4S0= -gonum.org/v1/gonum v0.14.0/go.mod h1:AoWeoz0becf9QMWtE8iWXNXc27fK4fNeHNf/oMejGfU= +gonum.org/v1/gonum v0.15.0 h1:2lYxjRbTYyxkJxlhC+LvJIx3SsANPdRybu1tGj9/OrQ= +gonum.org/v1/gonum v0.15.0/go.mod h1:xzZVBJBtS+Mz4q0Yl2LJTk+OxOg4jiXZ7qBoM0uISGo= gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= From 298bda4a7d4a4b5d5eb0b1c6883983608157e7d6 Mon Sep 17 00:00:00 2001 
From: Christopher Co <35273088+christopherco@users.noreply.github.com> Date: Tue, 6 Aug 2024 19:58:41 -0700 Subject: [PATCH 05/43] fix: correct moby-engine cherry-pick to keep consistency (#10028) Cherry-pick of CVE-2024-41110 from fast-track branch to main branch was malformed. Correct the inconsistency by keeping "-7" release version as the CVE fix since this is what is published via fast-track, and then update #9877 to be "-8" release, which will be built and published at next opportunity. fixes: #9966 : "[AUTO-CHERRYPICK] fix CVE-2024-41110 in moby-engine - branch main" Signed-off-by: Chris Co --- SPECS/moby-engine/moby-engine.spec | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index 478b6a6f38..68e4eb4aa0 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine Name: moby-engine Version: 24.0.9 -Release: 7%{?dist} +Release: 8%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://mobyproject.org @@ -123,13 +123,11 @@ fi %{_unitdir}/* %changelog -<<<<<<< HEAD -* Wed Jul 17 2024 Muhammad Falak R Wani - 24.0.9-7 +* Mon Aug 05 2024 Muhammad Falak R Wani - 24.0.9-8 - Drop requirement on a specific version of golang -======= + * Mon Jul 29 2024 Rohit Rawat - 24.0.9-7 - Fix for CVE-2024-41110 ->>>>>>> dd2c6a30e (fix CVE-2024-41110 in moby-engine (#9951)) * Tue Jun 25 2024 Henry Beberman - 24.0.9-6 - Backport upstream change to search /usr/libexec for docker-proxy without daemon.json From ded22fb0a67d31b275782ed1420aedadcf8b8589 Mon Sep 17 00:00:00 2001 
From: Ksenija Stanojevic Date: Wed, 7 Aug 2024 19:29:48 -0700 Subject: [PATCH 06/43] feat(cloud-init): add support for azure-proxy-agent (#9878) Adds preliminary support for azure-proxy-agent into cloud-init. This is opt-in only with fallbacks if the command isn't available. --- ...rovisionGuestProxyAgent-OVF-setting-.patch | 114 +++++ ...-ProvisionGuestProxyAgent-as-bool-51.patch | 54 +++ ...re-add-support-for-azure-proxy-agent.patch | 413 ++++++++++++++++++ SPECS/cloud-init/cloud-init.spec | 8 +- 4 files changed, 588 insertions(+), 1 deletion(-) create mode 100644 SPECS/cloud-init/0001-feat-azure-Add-ProvisionGuestProxyAgent-OVF-setting-.patch create mode 100644 SPECS/cloud-init/0002-feat-azure-parse-ProvisionGuestProxyAgent-as-bool-51.patch create mode 100644 SPECS/cloud-init/0003-feat-azure-add-support-for-azure-proxy-agent.patch diff --git a/SPECS/cloud-init/0001-feat-azure-Add-ProvisionGuestProxyAgent-OVF-setting-.patch b/SPECS/cloud-init/0001-feat-azure-Add-ProvisionGuestProxyAgent-OVF-setting-.patch new file mode 100644 index 0000000000..e4e66fab0e --- /dev/null +++ b/SPECS/cloud-init/0001-feat-azure-Add-ProvisionGuestProxyAgent-OVF-setting-.patch 
@@ -0,0 +1,114 @@ +From 402e9331a72d543e779898667488a51ad3e3ec13 Mon Sep 17 00:00:00 2001 +From: Ksenija Stanojevic +Date: Fri, 9 Feb 2024 13:32:19 -0800 +Subject: [PATCH 1/3] feat(azure): Add ProvisionGuestProxyAgent OVF setting + (#4860) + +Add ProvisionGuestProxyAgent Boolean configuration setting into the OvfEnv class. +This PR is only logging the value of ProvisionGuestProxyAgent. +--- + cloudinit/sources/DataSourceAzure.py | 6 ++++++ + cloudinit/sources/helpers/azure.py | 8 ++++++++ + tests/unittests/sources/test_azure.py | 15 +++++++++++++++ + 3 files changed, 29 insertions(+) + +diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py +index 5a82aa34e..dc2b79a3a 100644 +--- a/cloudinit/sources/DataSourceAzure.py ++++ b/cloudinit/sources/DataSourceAzure.py +@@ -1784,6 +1784,12 @@ def read_azure_ovf(contents): + "PreprovisionedVMType: %s" % ovf_env.preprovisioned_vm_type, + logger_func=LOG.info, + ) ++ ++ cfg["ProvisionGuestProxyAgent"] = ovf_env.provision_guest_proxy_agent ++ report_diagnostic_event( ++ "ProvisionGuestProxyAgent: %s" % ovf_env.provision_guest_proxy_agent, ++ logger_func=LOG.info, ++ ) + return (md, ud, cfg) + + +diff --git a/cloudinit/sources/helpers/azure.py b/cloudinit/sources/helpers/azure.py +index 6e5c1f433..2847a9e53 100644 +--- a/cloudinit/sources/helpers/azure.py ++++ b/cloudinit/sources/helpers/azure.py +@@ -1064,6 +1064,7 @@ class OvfEnvXml: + public_keys: Optional[List[dict]] = None, + preprovisioned_vm: bool = False, + preprovisioned_vm_type: Optional[str] = None, ++ provision_guest_proxy_agent: bool = False, + ) -> None: + self.username = username + self.password = password +@@ -1073,6 +1074,7 @@ class OvfEnvXml: + self.public_keys: List[dict] = public_keys or [] + self.preprovisioned_vm = preprovisioned_vm + self.preprovisioned_vm_type = preprovisioned_vm_type ++ self.provision_guest_proxy_agent = provision_guest_proxy_agent + + def __eq__(self, other) -> bool: + return self.__dict__ == 
other.__dict__ +@@ -1216,6 +1218,12 @@ class OvfEnvXml: + "PreprovisionedVMType", + required=False, + ) ++ self.provision_guest_proxy_agent = self._parse_property( ++ platform_settings, ++ "ProvisionGuestProxyAgent", ++ default=False, ++ required=False, ++ ) + + def _parse_ssh_section(self, config_set): + self.public_keys = [] +diff --git a/tests/unittests/sources/test_azure.py b/tests/unittests/sources/test_azure.py +index 1ddbd3f39..6afde95fd 100644 +--- a/tests/unittests/sources/test_azure.py ++++ b/tests/unittests/sources/test_azure.py +@@ -356,6 +356,7 @@ def construct_ovf_env( + disable_ssh_password_auth=None, + preprovisioned_vm=None, + preprovisioned_vm_type=None, ++ provision_guest_proxy_agent=None, + ): + content = [ + '', +@@ -426,6 +427,11 @@ def construct_ovf_env( + "%s" + % preprovisioned_vm_type + ) ++ if provision_guest_proxy_agent is not None: ++ content.append( ++ "%s" ++ % provision_guest_proxy_agent ++ ) + content += [ + "", + "", +@@ -1316,6 +1322,7 @@ scbus-1 on xpt0 bus 0 + expected_cfg = { + "PreprovisionedVMType": None, + "PreprovisionedVm": False, ++ "ProvisionGuestProxyAgent": False, + "system_info": {"default_user": {"name": "myuser"}}, + } + expected_metadata = { +@@ -2668,6 +2675,14 @@ class TestPreprovisioningReadAzureOvfFlag(CiTestCase): + self.assertTrue(cfg["PreprovisionedVm"]) + self.assertEqual("Savable", cfg["PreprovisionedVMType"]) + ++ def test_read_azure_ovf_with_proxy_guest_agent(self): ++ """The read_azure_ovf method should set ProvisionGuestProxyAgent ++ cfg flag to True.""" ++ content = construct_ovf_env(provision_guest_proxy_agent=True) ++ ret = dsaz.read_azure_ovf(content) ++ cfg = ret[2] ++ self.assertTrue(cfg["ProvisionGuestProxyAgent"]) ++ + + @pytest.mark.parametrize( + "ovf_cfg,imds_md,pps_type", +-- +2.34.1 + 
diff --git a/SPECS/cloud-init/0002-feat-azure-parse-ProvisionGuestProxyAgent-as-bool-51.patch b/SPECS/cloud-init/0002-feat-azure-parse-ProvisionGuestProxyAgent-as-bool-51.patch new file mode 100644 index 0000000000..1972d43ad4 --- /dev/null +++ b/SPECS/cloud-init/0002-feat-azure-parse-ProvisionGuestProxyAgent-as-bool-51.patch 
@@ -0,0 +1,54 @@ +From e3ba5800d26065df9ce03ee2ac58ec6f08506423 Mon Sep 17 00:00:00 2001 +From: Ksenija Stanojevic +Date: Fri, 5 Apr 2024 16:52:26 -0700 +Subject: [PATCH 2/3] feat(azure): parse ProvisionGuestProxyAgent as bool + (#5126) + +--- + cloudinit/sources/helpers/azure.py | 1 + + tests/unittests/sources/test_azure.py | 12 ++++++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/cloudinit/sources/helpers/azure.py b/cloudinit/sources/helpers/azure.py +index 2847a9e53..165f47429 100644 +--- a/cloudinit/sources/helpers/azure.py ++++ b/cloudinit/sources/helpers/azure.py +@@ -1221,6 +1221,7 @@ class OvfEnvXml: + self.provision_guest_proxy_agent = self._parse_property( + platform_settings, + "ProvisionGuestProxyAgent", ++ parse_bool=True, + default=False, + required=False, + ) +diff --git a/tests/unittests/sources/test_azure.py b/tests/unittests/sources/test_azure.py +index 6afde95fd..255991ec3 100644 +--- a/tests/unittests/sources/test_azure.py ++++ b/tests/unittests/sources/test_azure.py +@@ -2675,13 +2675,21 @@ class TestPreprovisioningReadAzureOvfFlag(CiTestCase): + self.assertTrue(cfg["PreprovisionedVm"]) + self.assertEqual("Savable", cfg["PreprovisionedVMType"]) + +- def test_read_azure_ovf_with_proxy_guest_agent(self): ++ def test_read_azure_ovf_with_proxy_guest_agent_true(self): + """The read_azure_ovf method should set ProvisionGuestProxyAgent + cfg flag to True.""" + content = construct_ovf_env(provision_guest_proxy_agent=True) + ret = dsaz.read_azure_ovf(content) + cfg = ret[2] +- self.assertTrue(cfg["ProvisionGuestProxyAgent"]) ++ assert cfg["ProvisionGuestProxyAgent"] is True ++ ++ def test_read_azure_ovf_with_proxy_guest_agent_false(self): ++ """The read_azure_ovf method should set ProvisionGuestProxyAgent ++ cfg flag to False.""" ++ content = construct_ovf_env(provision_guest_proxy_agent=False) ++ ret = dsaz.read_azure_ovf(content) ++ cfg = ret[2] ++ assert cfg["ProvisionGuestProxyAgent"] is False + + + 
@pytest.mark.parametrize( +-- +2.34.1 + diff --git a/SPECS/cloud-init/0003-feat-azure-add-support-for-azure-proxy-agent.patch b/SPECS/cloud-init/0003-feat-azure-add-support-for-azure-proxy-agent.patch new file mode 100644 index 0000000000..02f9748658 --- /dev/null +++ b/SPECS/cloud-init/0003-feat-azure-add-support-for-azure-proxy-agent.patch 
@@ -0,0 +1,413 @@ +From 8932242a65bae5504ba45134091767f215a441fa Mon Sep 17 00:00:00 2001 +From: Ksenija Stanojevic +Date: Mon, 15 Jul 2024 18:48:19 -0700 +Subject: [PATCH 3/3] feat(azure): add support for azure-proxy-agent + +--- + cloudinit/sources/DataSourceAzure.py | 40 ++++ + cloudinit/sources/azure/errors.py | 19 +- + tests/unittests/sources/test_azure.py | 254 ++++++++++++++++++++++++++ + 3 files changed, 312 insertions(+), 1 deletion(-) + +diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py +index dc2b79a3a..c2f74e173 100644 +--- a/cloudinit/sources/DataSourceAzure.py ++++ b/cloudinit/sources/DataSourceAzure.py +@@ -483,6 +483,41 @@ class DataSourceAzure(sources.DataSource): + or self._ephemeral_dhcp_ctx.lease is None + ) + ++ def _check_azure_proxy_agent_status(self) -> None: ++ """Check if azure-proxy-agent is ready for communication with WS/IMDS. ++ If ProvisionGuestProxyAgent is true, query azure-proxy-agent status, ++ waiting up to 120 seconds for the proxy to negotiate with Wireserver ++ and configure an eBPF proxy. Once azure-proxy-agent is ready, ++ it will exit with code 0 and cloud-init can then expect to be able to ++ communicate with these services. ++ Fail deployment if azure-proxy-agent is not found or otherwise returns ++ an error. 
++ For more information, check out: ++ https://github.com/azure/guestproxyagent ++ """ ++ try: ++ cmd = [ ++ "azure-proxy-agent", ++ "--status", ++ "--wait", ++ "120", ++ ] ++ out, err = subp.subp(cmd) ++ report_diagnostic_event( ++ "Running azure-proxy-agent %s resulted" ++ "in stderr output: %s with stdout: %s" % (cmd, err, out), ++ logger_func=LOG.debug, ++ ) ++ except subp.ProcessExecutionError as error: ++ if isinstance(error.reason, FileNotFoundError): ++ report_error = errors.ReportableErrorProxyAgentNotFound() ++ self._report_failure(report_error) ++ else: ++ reportable_error = ( ++ errors.ReportableErrorProxyAgentStatusFailure(error) ++ ) ++ self._report_failure(reportable_error) ++ + @azure_ds_telemetry_reporter + def crawl_metadata(self): + """Walk all instance metadata sources returning a dict on success. +@@ -566,6 +601,11 @@ class DataSourceAzure(sources.DataSource): + + imds_md = {} + if self._is_ephemeral_networking_up(): ++ # check if azure-proxy-agent is enabled in the ovf-env.xml file. ++ # azure-proxy-agent feature is opt-in and disabled by default. 
++ if cfg.get("ProvisionGuestProxyAgent"): ++ self._check_azure_proxy_agent_status() ++ + imds_md = self.get_metadata_from_imds(report_failure=True) + + if not imds_md and ovf_source is None: +diff --git a/cloudinit/sources/azure/errors.py b/cloudinit/sources/azure/errors.py +index 966725b00..b331cd686 100644 +--- a/cloudinit/sources/azure/errors.py ++++ b/cloudinit/sources/azure/errors.py +@@ -12,7 +12,7 @@ from typing import Any, Dict, List, Optional + + import requests + +-from cloudinit import version ++from cloudinit import subp, version + from cloudinit.sources.azure import identity + from cloudinit.url_helper import UrlError + +@@ -151,3 +151,20 @@ class ReportableErrorUnhandledException(ReportableError): + + self.supporting_data["exception"] = repr(exception) + self.supporting_data["traceback_base64"] = trace_base64 ++ ++ ++class ReportableErrorProxyAgentNotFound(ReportableError): ++ def __init__(self) -> None: ++ super().__init__( ++ "Unable to activate Azure Guest Proxy Agent." ++ "azure-proxy-agent not found" ++ ) ++ ++ ++class ReportableErrorProxyAgentStatusFailure(ReportableError): ++ def __init__(self, exception: subp.ProcessExecutionError) -> None: ++ super().__init__("azure-proxy-agent status failure") ++ ++ self.supporting_data["exit_code"] = exception.exit_code ++ self.supporting_data["stdout"] = exception.stdout ++ self.supporting_data["stderr"] = exception.stderr +diff --git a/tests/unittests/sources/test_azure.py b/tests/unittests/sources/test_azure.py +index 255991ec3..9b6672e1e 100644 +--- a/tests/unittests/sources/test_azure.py ++++ b/tests/unittests/sources/test_azure.py +@@ -1,6 +1,7 @@ + # This file is part of cloud-init. See LICENSE file for license information. 
+ + import copy ++import datetime + import json + import os + import stat +@@ -48,6 +49,16 @@ def mock_wrapping_setup_ephemeral_networking(azure_ds): + yield m + + ++@pytest.fixture ++def mock_wrapping_report_failure(azure_ds): ++ with mock.patch.object( ++ azure_ds, ++ "_report_failure", ++ wraps=azure_ds._report_failure, ++ ) as m: ++ yield m ++ ++ + @pytest.fixture + def mock_azure_helper_readurl(): + with mock.patch( +@@ -253,6 +264,14 @@ def mock_subp_subp(): + yield m + + ++@pytest.fixture ++def mock_timestamp(): ++ timestamp = datetime.datetime.utcnow() ++ with mock.patch.object(errors, "datetime", autospec=True) as m: ++ m.utcnow.return_value = timestamp ++ yield timestamp ++ ++ + @pytest.fixture + def mock_util_ensure_dir(): + with mock.patch( +@@ -3672,6 +3691,91 @@ class TestProvisioning: + } + + def test_no_pps(self): ++ ovf = construct_ovf_env(provision_guest_proxy_agent=False) ++ md, ud, cfg = dsaz.read_azure_ovf(ovf) ++ self.mock_util_mount_cb.return_value = (md, ud, cfg, {}) ++ self.mock_readurl.side_effect = [ ++ mock.MagicMock(contents=json.dumps(self.imds_md).encode()), ++ ] ++ self.mock_azure_get_metadata_from_fabric.return_value = [] ++ ++ self.azure_ds._check_and_get_data() ++ ++ assert self.mock_subp_subp.mock_calls == [] ++ ++ assert self.mock_readurl.mock_calls == [ ++ mock.call( ++ "http://169.254.169.254/metadata/instance?" ++ "api-version=2021-08-01&extended=true", ++ timeout=30, ++ headers_cb=imds.headers_cb, ++ exception_cb=mock.ANY, ++ infinite=True, ++ log_req_resp=True, ++ ), ++ ] ++ ++ # Verify DHCP is setup once. ++ assert self.mock_wrapping_setup_ephemeral_networking.mock_calls == [ ++ mock.call(timeout_minutes=20) ++ ] ++ assert self.mock_net_dhcp_maybe_perform_dhcp_discovery.mock_calls == [ ++ mock.call( ++ self.azure_ds.distro, ++ None, ++ dsaz.dhcp_log_cb, ++ ) ++ ] ++ assert self.azure_ds._wireserver_endpoint == "10.11.12.13" ++ assert self.azure_ds._is_ephemeral_networking_up() is False ++ ++ # Verify DMI usage. 
++ assert self.mock_dmi_read_dmi_data.mock_calls == [ ++ mock.call("chassis-asset-tag"), ++ mock.call("system-uuid"), ++ ] ++ assert ( ++ self.azure_ds.metadata["instance-id"] ++ == "50109936-ef07-47fe-ac82-890c853f60d5" ++ ) ++ ++ # Verify IMDS metadata. ++ assert self.azure_ds.metadata["imds"] == self.imds_md ++ ++ # Verify reporting ready once. ++ assert self.mock_azure_get_metadata_from_fabric.mock_calls == [ ++ mock.call( ++ endpoint="10.11.12.13", ++ distro=self.azure_ds.distro, ++ iso_dev="/dev/sr0", ++ pubkey_info=None, ++ ) ++ ] ++ ++ # Verify netlink. ++ assert self.mock_netlink.mock_calls == [] ++ ++ # Verify no reported_ready marker written. ++ assert self.wrapped_util_write_file.mock_calls == [] ++ assert self.patched_reported_ready_marker_path.exists() is False ++ ++ # Verify reports via KVP. ++ assert len(self.mock_kvp_report_failure_to_host.mock_calls) == 0 ++ assert len(self.mock_azure_report_failure_to_fabric.mock_calls) == 0 ++ assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1 ++ ++ # Verify dmesg reported via KVP. ++ assert len(self.mock_report_dmesg_to_kvp.mock_calls) == 1 ++ ++ def test_no_pps_gpa(self): ++ """test full provisioning scope when azure-proxy-agent ++ is enabled and running.""" ++ self.mock_subp_subp.side_effect = [ ++ subp.SubpResult("Guest Proxy Agent running", ""), ++ ] ++ ovf = construct_ovf_env(provision_guest_proxy_agent=True) ++ md, ud, cfg = dsaz.read_azure_ovf(ovf) ++ self.mock_util_mount_cb.return_value = (md, ud, cfg, {}) + self.mock_readurl.side_effect = [ + mock.MagicMock(contents=json.dumps(self.imds_md).encode()), + ] +@@ -3679,6 +3783,11 @@ class TestProvisioning: + + self.azure_ds._check_and_get_data() + ++ assert self.mock_subp_subp.mock_calls == [ ++ mock.call( ++ ["azure-proxy-agent", "--status", "--wait", "120"], ++ ), ++ ] + assert self.mock_readurl.mock_calls == [ + mock.call( + "http://169.254.169.254/metadata/instance?" 
+@@ -3736,6 +3845,93 @@ class TestProvisioning: + + # Verify reports via KVP. + assert len(self.mock_kvp_report_failure_to_host.mock_calls) == 0 ++ assert len(self.mock_azure_report_failure_to_fabric.mock_calls) == 0 ++ assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1 ++ ++ def test_no_pps_gpa_fail(self): ++ """test full provisioning scope when azure-proxy-agent is enabled and ++ throwing an exception during provisioning.""" ++ self.mock_subp_subp.side_effect = [ ++ subp.ProcessExecutionError( ++ cmd=["failed", "azure-proxy-agent"], ++ stdout="test_stdout", ++ stderr="test_stderr", ++ exit_code=4, ++ ), ++ ] ++ ovf = construct_ovf_env(provision_guest_proxy_agent=True) ++ md, ud, cfg = dsaz.read_azure_ovf(ovf) ++ self.mock_util_mount_cb.return_value = (md, ud, cfg, {}) ++ self.mock_readurl.side_effect = [ ++ mock.MagicMock(contents=json.dumps(self.imds_md).encode()), ++ ] ++ self.mock_azure_get_metadata_from_fabric.return_value = [] ++ ++ self.azure_ds._check_and_get_data() ++ ++ assert self.mock_subp_subp.mock_calls == [ ++ mock.call( ++ ["azure-proxy-agent", "--status", "--wait", "120"], ++ ), ++ ] ++ assert self.mock_readurl.mock_calls == [ ++ mock.call( ++ "http://169.254.169.254/metadata/instance?" ++ "api-version=2021-08-01&extended=true", ++ timeout=30, ++ headers={"Metadata": "true"}, ++ exception_cb=mock.ANY, ++ infinite=True, ++ log_req_resp=True, ++ ), ++ ] ++ ++ # Verify DHCP is setup once. ++ assert self.mock_wrapping_setup_ephemeral_networking.mock_calls == [ ++ mock.call(timeout_minutes=20) ++ ] ++ assert self.mock_net_dhcp_maybe_perform_dhcp_discovery.mock_calls == [ ++ mock.call( ++ self.azure_ds.distro, ++ None, ++ dsaz.dhcp_log_cb, ++ ) ++ ] ++ assert self.azure_ds._wireserver_endpoint == "10.11.12.13" ++ assert self.azure_ds._is_ephemeral_networking_up() is False ++ ++ # Verify DMI usage. 
++ assert self.mock_dmi_read_dmi_data.mock_calls == [ ++ mock.call("chassis-asset-tag"), ++ mock.call("system-uuid"), ++ mock.call("system-uuid"), ++ ] ++ assert ( ++ self.azure_ds.metadata["instance-id"] ++ == "50109936-ef07-47fe-ac82-890c853f60d5" ++ ) ++ ++ # Verify IMDS metadata. ++ assert self.azure_ds.metadata["imds"] == self.imds_md ++ ++ ### BACKPORT NOTE: 23.3 _will_ report ready later after failure. ++ ### In newer versions there will be no call to report ready after failure. ++ assert self.mock_azure_get_metadata_from_fabric.mock_calls == [ ++ mock.call( ++ endpoint="10.11.12.13", iso_dev="/dev/sr0", pubkey_info=None ++ ) ++ ] ++ ++ # Verify netlink. ++ assert self.mock_netlink.mock_calls == [] ++ ++ # Verify no reported_ready marker written. ++ assert self.wrapped_util_write_file.mock_calls == [] ++ assert self.patched_reported_ready_marker_path.exists() is False ++ ++ # Verify reports via KVP. ++ assert len(self.mock_kvp_report_failure_to_host.mock_calls) == 1 ++ assert len(self.mock_azure_report_failure_to_fabric.mock_calls) == 1 + assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1 + + def test_running_pps(self): +@@ -4315,6 +4511,64 @@ class TestProvisioning: + assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1 + + ++class TestCheckAzureProxyAgent: ++ @pytest.fixture(autouse=True) ++ def proxy_setup( ++ self, ++ azure_ds, ++ mock_subp_subp, ++ caplog, ++ mock_wrapping_report_failure, ++ mock_timestamp, ++ ): ++ self.azure_ds = azure_ds ++ self.mock_subp_subp = mock_subp_subp ++ self.caplog = caplog ++ self.mock_wrapping_report_failure = mock_wrapping_report_failure ++ self.mock_timestamp = mock_timestamp ++ ++ def test_check_azure_proxy_agent_status(self): ++ self.mock_subp_subp.side_effect = [ ++ subp.SubpResult("Guest Proxy Agent running", ""), ++ ] ++ self.azure_ds._check_azure_proxy_agent_status() ++ assert "Running azure-proxy-agent" in self.caplog.text ++ assert self.mock_wrapping_report_failure.mock_calls == [] ++ 
++ def test_check_azure_proxy_agent_status_notfound(self): ++ exception = subp.ProcessExecutionError(reason=FileNotFoundError()) ++ self.mock_subp_subp.side_effect = [ ++ exception, ++ ] ++ self.azure_ds._check_azure_proxy_agent_status() ++ assert "azure-proxy-agent not found" in self.caplog.text ++ assert self.mock_wrapping_report_failure.mock_calls == [ ++ mock.call( ++ errors.ReportableErrorProxyAgentNotFound(), ++ ), ++ ] ++ ++ def test_check_azure_proxy_agent_status_failure(self): ++ exception = subp.ProcessExecutionError( ++ cmd=["failed", "azure-proxy-agent"], ++ stdout="test_stdout", ++ stderr="test_stderr", ++ exit_code=4, ++ ) ++ self.mock_subp_subp.side_effect = [ ++ exception, ++ ] ++ self.azure_ds._check_azure_proxy_agent_status() ++ assert "azure-proxy-agent status failure" in self.caplog.text ++ assert self.mock_wrapping_report_failure.mock_calls == [ ++ mock.call( ++ errors.ReportableErrorProxyAgentStatusFailure( ++ exception=exception ++ ), ++ ), ++ ] ++ ++ + class TestGetMetadataFromImds: + @pytest.mark.parametrize("report_failure", [False, True]) + @pytest.mark.parametrize( +-- +2.34.1 + diff --git a/SPECS/cloud-init/cloud-init.spec b/SPECS/cloud-init/cloud-init.spec index ffe61e76ee..5548b53ade 100644 --- a/SPECS/cloud-init/cloud-init.spec +++ b/SPECS/cloud-init/cloud-init.spec @@ -5,7 +5,7 @@ Summary: Cloud instance init scripts Name: cloud-init Epoch: 1 Version: %{package_version} -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv3 Vendor: Microsoft Corporation Distribution: Mariner 
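Review bot: `_check_azure_proxy_agent_status`'s docstring says it will "Fail deployment if azure-proxy-agent is not found or otherwise returns an error", but both `except` branches only call `self._report_failure(...)` and return normally, so `crawl_metadata` carries on to `get_metadata_from_imds(report_failure=True)` and, as the backport note in `test_no_pps_gpa_fail` records, still reports ready. When the proxy agent is what the OVF opt-in relies on to broker Wireserver/IMDS access, continuing without it quietly provisions the VM without that protection; either stop after reporting (return a bool the caller checks, or raise) or reword the docstring to say the failure is reported and provisioning continues. Two implicitly concatenated strings also lose a space: `"Running azure-proxy-agent %s resulted "` (the diagnostic currently reads "resultedin") and `"Unable to activate Azure Guest Proxy Agent. "` in `ReportableErrorProxyAgentNotFound`. In the test file, `test_no_pps` asserts `readurl(..., headers_cb=imds.headers_cb, ...)` and `get_metadata_from_fabric(endpoint=..., distro=..., ...)`, while `test_no_pps_gpa_fail` asserts `headers={"Metadata": "true"}` and no `distro=` for the same calls; unless those two tests exercise different code, one set looks copied from a different cloud-init release and should fail the `make check` this spec runs.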
@@ -16,6 +16,9 @@ Source1: 10-azure-kvp.cfg Patch0: overrideDatasourceDetection.patch Patch1: exec_cmd_error_handling.patch Patch2: Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch +Patch3: 0001-feat-azure-Add-ProvisionGuestProxyAgent-OVF-setting-.patch +Patch4: 0002-feat-azure-parse-ProvisionGuestProxyAgent-as-bool-51.patch +Patch5: 0003-feat-azure-add-support-for-azure-proxy-agent.patch %define cl_services cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service BuildRequires: automake BuildRequires: dbus @@ -151,6 +154,9 @@ make check %{?_smp_mflags} %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg %changelog +* Mon July 15 2024 Ksenija Stanojevic - 23.3.3-4 +- Add patches to support azure-proxy-agent. + * Wed May 8 2024 Sharath Srikanth Chellappa - 1:23.3-3 - Add patch to add network interface renaming support for CAPM3 Met. From 4308a0c42628dc8d50da60ec5f5bb37396f2b5ff Mon Sep 17 00:00:00 2001 
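Review bot: The new `%changelog` entry `* Mon July 15 2024 Ksenija Stanojevic - 23.3.3-4` spells the month out, while every other entry in this file uses the three-letter abbreviation rpm's changelog parser expects (`* Mon Jul 15 2024 ...`); as written it is likely to be rejected as a bad date at build time. The entry also drops the `1:` epoch that the preceding entry (`1:23.3-3`) carries and that `Epoch: 1` in the header sets, so it should read `1:23.3.3-4` (or whatever `%{package_version}` actually resolves to, which is not visible here). The `Patch3`–`Patch5` lines rely on `%prep` applying numbered patches in order; that section is outside this hunk.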
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 9 Aug 2024 13:46:15 -0700 Subject: [PATCH 07/43] [AUTOPATCHER-kernel] Kernel CVE - branch main - CVE-2023-52340, CVE-2024-26900, CVE-2022-48788, CVE-2022-48841, CVE-2024-39473, CVE-2024-39474, CVE-2024-39483, CVE-2024-39485, CVE-2024-42071, CVE-2024-42072, CVE-2024-42073, CVE-2024-42074, CVE-2024-42075, CVE-2024-42078, CVE-2024-42083, CVE-2024-42237 (#9822) --- SPECS/kernel/CVE-2022-48788.nopatch | 3 +++ SPECS/kernel/CVE-2022-48841.nopatch | 4 ++++ SPECS/kernel/CVE-2023-52340.nopatch | 3 +++ SPECS/kernel/CVE-2024-26900.nopatch | 3 +++ SPECS/kernel/CVE-2024-39473.nopatch | 4 ++++ SPECS/kernel/CVE-2024-39474.nopatch | 4 ++++ SPECS/kernel/CVE-2024-39483.nopatch | 4 ++++ SPECS/kernel/CVE-2024-39485.nopatch | 4 ++++ SPECS/kernel/CVE-2024-42071.nopatch | 4 ++++ SPECS/kernel/CVE-2024-42072.nopatch | 4 ++++ SPECS/kernel/CVE-2024-42073.nopatch | 4 ++++ SPECS/kernel/CVE-2024-42074.nopatch | 4 ++++ SPECS/kernel/CVE-2024-42075.nopatch | 4 ++++ SPECS/kernel/CVE-2024-42078.nopatch | 4 ++++ SPECS/kernel/CVE-2024-42083.nopatch | 4 ++++ SPECS/kernel/CVE-2024-42237.nopatch | 4 ++++ 16 files changed, 61 insertions(+) create mode 100644 SPECS/kernel/CVE-2022-48788.nopatch create mode 100644 SPECS/kernel/CVE-2022-48841.nopatch create mode 100644 SPECS/kernel/CVE-2023-52340.nopatch create mode 100644 SPECS/kernel/CVE-2024-26900.nopatch create mode 100644 SPECS/kernel/CVE-2024-39473.nopatch create mode 100644 SPECS/kernel/CVE-2024-39474.nopatch create mode 100644 SPECS/kernel/CVE-2024-39483.nopatch create mode 100644 SPECS/kernel/CVE-2024-39485.nopatch create mode 100644 SPECS/kernel/CVE-2024-42071.nopatch create mode 100644 SPECS/kernel/CVE-2024-42072.nopatch create mode 100644 SPECS/kernel/CVE-2024-42073.nopatch create mode 100644 SPECS/kernel/CVE-2024-42074.nopatch create mode 100644 SPECS/kernel/CVE-2024-42075.nopatch create mode 100644 SPECS/kernel/CVE-2024-42078.nopatch create mode 100644 
SPECS/kernel/CVE-2024-42083.nopatch
 create mode 100644 SPECS/kernel/CVE-2024-42237.nopatch
diff --git a/SPECS/kernel/CVE-2022-48788.nopatch b/SPECS/kernel/CVE-2022-48788.nopatch
new file mode 100644
index 0000000000..8e3d31fe5a
--- /dev/null
+++ b/SPECS/kernel/CVE-2022-48788.nopatch
@@ -0,0 +1,3 @@
+CVE-2022-48788 - patched in 5.15.25.1 - (generated by autopatch tool)
+upstream b6bb1722f34bbdbabed27acdceaf585d300c5fd2 - stable 646952b2210f19e584d2bf9eb5d092abdca2fcc1
+
diff --git a/SPECS/kernel/CVE-2022-48841.nopatch b/SPECS/kernel/CVE-2022-48841.nopatch
new file mode 100644
index 0000000000..914acd318d
--- /dev/null
+++ b/SPECS/kernel/CVE-2022-48841.nopatch
@@ -0,0 +1,4 @@
+CVE-2022-48841 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: f153546913bada41a811722f2c6d17c3243a0333
+upstream introducing commit: e72bba21355dbb67512a0d666fec9f4b56dbfc2f
+
diff --git a/SPECS/kernel/CVE-2023-52340.nopatch b/SPECS/kernel/CVE-2023-52340.nopatch
new file mode 100644
index 0000000000..5b3d97f4f1
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-52340.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-52340 - patched in 5.15.147.1 - (generated by autopatch tool)
+upstream af6d10345ca76670c1b7c37799f0d5576ccef277 - stable b8a5308feedda10d4875a912e2e1f6be215a4ead
+
diff --git a/SPECS/kernel/CVE-2024-26900.nopatch b/SPECS/kernel/CVE-2024-26900.nopatch
new file mode 100644
index 0000000000..ce489e69e7
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-26900.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26900 - patched in 5.15.159.1 - (generated by autopatch tool)
+upstream 6cf350658736681b9d6b0b6e58c5c76b235bb4c4 - stable f3a1787dc48213f6caea5ba7d47e0222e7fa34a9
+
diff --git a/SPECS/kernel/CVE-2024-39473.nopatch b/SPECS/kernel/CVE-2024-39473.nopatch
new file mode 100644
index 0000000000..1e4c605874
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-39473.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-39473 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: ffa077b2f6ad124ec3d23fbddc5e4b0ff2647af8
+upstream introducing commit: 648fea12847695d60ddeebea86597114885ee76e
+
diff --git a/SPECS/kernel/CVE-2024-39474.nopatch b/SPECS/kernel/CVE-2024-39474.nopatch
new file mode 100644
index 0000000000..056bc49c7d
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-39474.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-39474 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: 8e0545c83d672750632f46e3f9ad95c48c91a0fc
+upstream introducing commit: 9376130c390a76fac2788a5d6e1a149017b4ab50
+
diff --git a/SPECS/kernel/CVE-2024-39483.nopatch b/SPECS/kernel/CVE-2024-39483.nopatch
new file mode 100644
index 0000000000..e5a449421a
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-39483.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-39483 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: b4bd556467477420ee3a91fbcba73c579669edc6
+upstream introducing commit: fa4c027a7956f5e07697bfcb580d25eeb8471257
+
diff --git a/SPECS/kernel/CVE-2024-39485.nopatch b/SPECS/kernel/CVE-2024-39485.nopatch
new file mode 100644
index 0000000000..0f67f11569
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-39485.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-39485 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: 9537a8425a7a0222999d5839a0b394b1e8834b4a
+upstream introducing commit: b8ec754ae4c563f6aab8c0cb47aeb2eae67f1da3
+
diff --git a/SPECS/kernel/CVE-2024-42071.nopatch b/SPECS/kernel/CVE-2024-42071.nopatch
new file mode 100644
index 0000000000..b148200468
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42071.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-42071 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: 84b767f9e34fdb143c09e66a2a20722fc2921821
+upstream introducing commit: 386e69865311044b576ff536c99c6ee9cc98a228
+
diff --git a/SPECS/kernel/CVE-2024-42072.nopatch b/SPECS/kernel/CVE-2024-42072.nopatch
new file mode 100644
index 0000000000..a7646fb768
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42072.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-42072 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: 2b2efe1937ca9f8815884bd4dcd5b32733025103
+upstream introducing commit: 011832b97b311bb9e3c27945bc0d1089a14209c9
+
diff --git a/SPECS/kernel/CVE-2024-42073.nopatch b/SPECS/kernel/CVE-2024-42073.nopatch
new file mode 100644
index 0000000000..2aa5cc95c6
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42073.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-42073 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: c28947de2bed40217cf256c5d0d16880054fcf13
+upstream introducing commit: f8538aec88b46642553a9ba9efa0952f5958dbed
+
diff --git a/SPECS/kernel/CVE-2024-42074.nopatch b/SPECS/kernel/CVE-2024-42074.nopatch
new file mode 100644
index 0000000000..59c1f4bd52
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42074.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-42074 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: 98d919dfee1cc402ca29d45da642852d7c9a2301
+upstream introducing commit: 088a40980efbc2c449b72f0f2c7ebd82f71d08e2
+
diff --git a/SPECS/kernel/CVE-2024-42075.nopatch b/SPECS/kernel/CVE-2024-42075.nopatch
new file mode 100644
index 0000000000..e467293ee9
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42075.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-42075 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: b90d77e5fd784ada62ddd714d15ee2400c28e1cf
+upstream introducing commit: 317460317a02a1af512697e6e964298dedd8a163
+
diff --git a/SPECS/kernel/CVE-2024-42078.nopatch b/SPECS/kernel/CVE-2024-42078.nopatch
new file mode 100644
index 0000000000..bd52695d26
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42078.nopatch
@@ -0,0 +1,4 @@ +CVE-2024-42078 - Introducing commit(s) not present in LTS - (generated by autopatch tool) +upstream fix commit: e0011bca603c101f2a3c007bdb77f7006fa78fb1 +upstream introducing commit: 7b207ccd983350a5dedd132b57c666186dd02a7c + diff --git a/SPECS/kernel/CVE-2024-42083.nopatch b/SPECS/kernel/CVE-2024-42083.nopatch new file mode 100644 index 0000000000..5142b2d505 --- /dev/null +++ b/SPECS/kernel/CVE-2024-42083.nopatch @@ -0,0 +1,4 @@ +CVE-2024-42083 - Introducing commit(s) not present in LTS - (generated by autopatch tool) +upstream fix commit: e3f02f32a05009a688a87f5799e049ed6b55bab5 +upstream introducing commit: 5377805dc1c02ad3721a9256f0eef9b4813952e7 + diff --git a/SPECS/kernel/CVE-2024-42237.nopatch b/SPECS/kernel/CVE-2024-42237.nopatch new file mode 100644 index 0000000000..54faf8252f --- /dev/null +++ b/SPECS/kernel/CVE-2024-42237.nopatch @@ -0,0 +1,4 @@ +CVE-2024-42237 - Introducing commit(s) not present in LTS - (generated by autopatch tool) +upstream fix commit: 6598afa9320b6ab13041616950ca5f8f938c0cf1 +upstream introducing commit: f6bc909e7673c30abcbdb329e7d0aa2e83c103d7 + From 06b9340c14bc453f06aabe1baf013570b16adbce Mon Sep 17 00:00:00 2001 From: amritakohli <56371098+amritakohli@users.noreply.github.com> Date: Fri, 9 Aug 2024 16:12:09 -0700 Subject: [PATCH 08/43] js-jquery: Patch CVE-2019-20149 in kind-of (#10086) Co-authored-by: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com> --- SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch | 27 +++++++++++++++++++ SPECS-EXTENDED/js-jquery/js-jquery.spec | 13 ++++++--- 2 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch diff --git a/SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch b/SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch new file mode 100644 index 0000000000..b12c6187a8 --- /dev/null +++ b/SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch 
@@ -0,0 +1,27 @@ +From 638d1c5d1c33b4383a4e307f5bcb8b366dd36071 Mon Sep 17 00:00:00 2001 +From: Amrita Kohli +Date: Fri, 9 Aug 2024 16:19:34 +0000 +Subject: [PATCH] Modified upstream patch from PR https://github.com/jonschlinkert/kind-of/pull/31 with commit id + 975c13a7cfaf25d811475823824af3a9c04b0ba8 for CVE-2019-20149. Modified by: + Amrita Kohli + +--- + node_modules/kind-of/index.js | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/node_modules/kind-of/index.js b/node_modules/kind-of/index.js +index dfa799b7..bdcfdc85 100644 +--- a/node_modules/kind-of/index.js ++++ b/node_modules/kind-of/index.js +@@ -66,7 +66,7 @@ module.exports = function kindOf(val) { + }; + + function ctorName(val) { +- return typeof val.constructor === 'function' ? val.constructor.name : null; ++ return val.constructor && typeof val.constructor === 'function' ? val.constructor.name : null; + } + + function isArray(val) { +-- +2.34.1 + diff --git a/SPECS-EXTENDED/js-jquery/js-jquery.spec b/SPECS-EXTENDED/js-jquery/js-jquery.spec index 478f4de422..76fa57a13b 100644 --- a/SPECS-EXTENDED/js-jquery/js-jquery.spec +++ b/SPECS-EXTENDED/js-jquery/js-jquery.spec @@ -2,7 +2,7 @@ Vendor: Microsoft Corporation Distribution: Mariner Name: js-jquery Version: 3.5.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: JavaScript DOM manipulation, event handling, and AJAX library BuildArch: noarch @@ -18,6 +18,8 @@ Source1: jquery_%{version}_node_modules.tar.gz # disable gzip-js during build Patch1: %{name}-disable-gzip-js.patch +# Patch for CVE-2019-20149 in kind-of package https://github.com/jonschlinkert/kind-of/pull/31 +Patch2: CVE-2019-20149.patch BuildRequires: web-assets-devel 
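Review bot: The only code change in the nested hunk, `return val.constructor && typeof val.constructor === 'function' ? val.constructor.name : null;`, is a no-op: a falsy `val.constructor` can never satisfy `typeof val.constructor === 'function'`, so the added `val.constructor &&` guard cannot change `ctorName`'s result for any input and the patched `kind-of` behaves exactly like the unpatched one. A change with no observable effect cannot be the mitigation for CVE-2019-20149 that the spec's changelog claims, whatever the advisory's trigger is; the subject says the upstream commit was "modified", so the diff should be compared against the cited upstream change (975c13a7cfaf25d811475823824af3a9c04b0ba8) to recover whatever was dropped before this file is shipped as the fix. Until then the `Patch2` line in `js-jquery.spec` documents a fix that is not actually applied.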
@@ -45,14 +47,15 @@ browsers. With a combination of versatility and extensibility, jQuery has changed the way that millions of people write JavaScript. %prep -%autosetup -n jquery-%{version} -v -p1 +%setup -n jquery-%{version} +%patch1 -p1 #remove precompiled stuff rm -rf dist/* # Install the cached node modules tar xf %{SOURCE1} - +%patch2 -p1 %build ./node_modules/grunt-cli/bin/grunt -v 'build:*:*' uglify @@ -83,6 +86,10 @@ ln -s %{version} %{installdir}/%{ver_x}.%{ver_y} %changelog +* Fri Aug 9 2024 Amrita Kohli - 3.5.0-4 +- Patch CVE-2019-20149 in kind-of package. +- License verified + * Mon Jun 14 2021 Thomas Crain - 3.5.0-3 - Initial CBL-Mariner import from Fedora 32 (license: MIT). - Add explicit build-time dependency on nodejs-devel From 5512944fc6dde7468eb737af4b65a8c7f18a7c02 Mon Sep 17 00:00:00 2001 From: Bala Date: Mon, 12 Aug 2024 16:08:33 +0530 Subject: [PATCH 09/43] Fix CVE-2024-6104 in Packer by patching vendor gomodule (#9991) --- SPECS/packer/CVE-2024-6104.patch | 81 ++++++++++++++++++++++++++++++++ SPECS/packer/packer.spec | 6 ++- 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 SPECS/packer/CVE-2024-6104.patch diff --git a/SPECS/packer/CVE-2024-6104.patch b/SPECS/packer/CVE-2024-6104.patch new file mode 100644 index 0000000000..85f2b92268 --- /dev/null +++ b/SPECS/packer/CVE-2024-6104.patch 
@@ -0,0 +1,81 @@ +From 900f7e0532332e4efbce65a3b35ce28c1fd89369 Mon Sep 17 00:00:00 2001 +From: Balakumaran Kannan +Date: Thu, 1 Aug 2024 12:27:25 +0000 +Subject: [PATCH] Patch CVE-2024-6104 + +--- + .../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++----- + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go +index adbdd92..11d146a 100644 +--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go ++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go +@@ -546,9 +546,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if logger != nil { + switch v := logger.(type) { + case LeveledLogger: +- v.Debug("performing request", "method", req.Method, "url", req.URL) ++ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL)) + case Logger: +- v.Printf("[DEBUG] %s %s", req.Method, req.URL) ++ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL)) + } + } + +@@ -599,9 +599,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if doErr != nil { + switch v := logger.(type) { + case LeveledLogger: +- v.Error("request failed", "error", doErr, "method", req.Method, "url", req.URL) ++ v.Error("request failed", "error", doErr, "method", req.Method, "url", redactURL(req.URL)) + case Logger: +- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, doErr) ++ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), doErr) + } + } else { + // Call this here to maintain the behavior of logging all requests, +@@ -636,7 +636,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + } + + wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) +- desc := fmt.Sprintf("%s %s", req.Method, req.URL) ++ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL)) + if code > 0 { + desc = fmt.Sprintf("%s (status: %d)", desc, code) + } +@@ -687,11 +687,11 @@ func (c 
*Client) Do(req *Request) (*http.Response, error) { + // communicate why + if err == nil { + return nil, fmt.Errorf("%s %s giving up after %d attempt(s)", +- req.Method, req.URL, attempt) ++ req.Method, redactURL(req.URL), attempt) + } + + return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w", +- req.Method, req.URL, attempt, err) ++ req.Method, redactURL(req.URL), attempt, err) + } + + // Try to read the response body so we can reuse this connection. +@@ -772,3 +772,17 @@ func (c *Client) StandardClient() *http.Client { + Transport: &RoundTripper{Client: c}, + } + } ++ ++ ++// Taken from url.URL#Redacted() which was introduced in go 1.15. ++func redactURL(u *url.URL) string { ++ if u == nil { ++ return "" ++ } ++ ++ ru := *u ++ if _, has := ru.User.Password(); has { ++ ru.User = url.UserPassword(ru.User.Username(), "xxxxx") ++ } ++ return ru.String() ++} +-- +2.33.8 + diff --git a/SPECS/packer/packer.spec b/SPECS/packer/packer.spec index bf1a2a7e35..f7b5512499 100644 --- a/SPECS/packer/packer.spec +++ b/SPECS/packer/packer.spec @@ -5,7 +5,7 @@ Summary: Tool for creating identical machine images for multiple platform Name: packer Epoch: 1 Version: 1.9.5 -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -35,6 +35,7 @@ Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2023-45288.patch Patch1: CVE-2022-3064.patch Patch2: CVE-2023-49569.patch +Patch3: CVE-2024-6104.patch BuildRequires: golang BuildRequires: kernel-headers BuildRequires: glibc-devel @@ -68,6 +69,9 @@ go test -mod=vendor %{_bindir}/packer %changelog +* Thu Aug 01 2024 Bala - 1:1.9.5-2 +- Patch for CVE-2024-6104 + * Mon Jul 01 2024 Pawel Winogrodzki - 1:1.9.5-1 - Revert to version 1.9.5. - Added patches for CVE-2022-3064 and CVE-2023-49569. From eb5dffcf4faa684cb817eaea8f019c6abe40b63c Mon Sep 17 00:00:00 2001 
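Review bot: `redactURL` re-implements the `(*url.URL).Redacted()` method that its own comment says the standard library has had since Go 1.15; since this spec builds against the distro `golang` (the Prometheus changelog later in this series mentions a rebuild with go 1.21.11), the five call sites could simply use `req.URL.Redacted()` and the helper could be dropped, leaving less vendored divergence to carry forward. The hunk adds no import, so it relies on `net/url` already being imported by `client.go`; that is plausible for an HTTP client file but is not shown here, and a missing import fails the vendored build, so it is worth confirming. Redaction is applied only inside `Do`; if the vendored file logs `req.URL` elsewhere (hooks, the `Logger` path outside this function), those sites are not covered by this patch. The identical hunk in the Prometheus commit's `SPECS/prometheus/CVE-2024-6104.patch` has the same points.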
From: Bala Date: Mon, 12 Aug 2024 16:09:31 +0530 Subject: [PATCH 10/43] Fix CVE-2024-6104 in Prometheus by patching vendor gomodule (#9992) --- SPECS/prometheus/CVE-2024-6104.patch | 81 ++++++++++++++++++++++++++++ SPECS/prometheus/prometheus.spec | 6 ++- 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 SPECS/prometheus/CVE-2024-6104.patch diff --git a/SPECS/prometheus/CVE-2024-6104.patch b/SPECS/prometheus/CVE-2024-6104.patch new file mode 100644 index 0000000000..c175c16c85 --- /dev/null +++ b/SPECS/prometheus/CVE-2024-6104.patch 
@@ -0,0 +1,81 @@ +From 9aa3a166bf8eb6db0419cad5a1b7434de911f43d Mon Sep 17 00:00:00 2001 +From: Balakumaran Kannan +Date: Thu, 1 Aug 2024 12:34:56 +0000 +Subject: [PATCH] Patch CVE-2024-6104 + +--- + .../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++----- + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go +index 57116e9..10a5f70 100644 +--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go ++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go +@@ -577,9 +577,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if logger != nil { + switch v := logger.(type) { + case LeveledLogger: +- v.Debug("performing request", "method", req.Method, "url", req.URL) ++ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL)) + case Logger: +- v.Printf("[DEBUG] %s %s", req.Method, req.URL) ++ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL)) + } + } + +@@ -634,9 +634,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if err != nil { + switch v := logger.(type) { + case LeveledLogger: +- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL) ++ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL)) + case Logger: +- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err) ++ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err) + } + } else { + // Call this here to maintain the behavior of logging all requests, +@@ -672,7 +672,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + + wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) + if logger != nil { +- desc := fmt.Sprintf("%s %s", req.Method, req.URL) ++ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL)) + if resp != nil { + desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode) + } +@@ 
-728,11 +728,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + // communicate why + if err == nil { + return nil, fmt.Errorf("%s %s giving up after %d attempt(s)", +- req.Method, req.URL, attempt) ++ req.Method, redactURL(req.URL), attempt) + } + + return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w", +- req.Method, req.URL, attempt, err) ++ req.Method, redactURL(req.URL), attempt, err) + } + + // Try to read the response body so we can reuse this connection. +@@ -813,3 +813,17 @@ func (c *Client) StandardClient() *http.Client { + Transport: &RoundTripper{Client: c}, + } + } ++ ++ ++// Taken from url.URL#Redacted() which was introduced in go 1.15. ++func redactURL(u *url.URL) string { ++ if u == nil { ++ return "" ++ } ++ ++ ru := *u ++ if _, has := ru.User.Password(); has { ++ ru.User = url.UserPassword(ru.User.Username(), "xxxxx") ++ } ++ return ru.String() ++} +-- +2.33.8 + diff --git a/SPECS/prometheus/prometheus.spec b/SPECS/prometheus/prometheus.spec index 3d87d8a50a..4a25863381 100644 --- a/SPECS/prometheus/prometheus.spec +++ b/SPECS/prometheus/prometheus.spec @@ -4,7 +4,7 @@ Summary: Prometheus monitoring system and time series database Name: prometheus Version: 2.37.0 -Release: 13%{?dist} +Release: 14%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -18,6 +18,7 @@ Source5: prometheus.logrotate Source6: promu-%{promu_version}.tar.gz # Debian patch for default settings Patch0: 02-Default_settings.patch +Patch1: CVE-2024-6104.patch BuildRequires: golang BuildRequires: nodejs BuildRequires: systemd-rpm-macros @@ -131,6 +132,9 @@ fi %doc README.md RELEASE.md documentation %changelog +* Thu Aug 01 2024 Bala - 2.37.0-14 +- Patch for CVE-2024-6104 + * Thu Jun 06 2024 CBL-Mariner Servicing Account - 2.37.0-13 - Bump release to rebuild with go 1.21.11 From 9b3f2cc0633dfa75609daf4503a601ab8309e79d Mon Sep 17 00:00:00 2001 
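Review bot: The new `redactURL` at the end of the patch masks only the userinfo password (`ru.User.Password()`), so any credential carried elsewhere in the URL, such as a token in the query string, still reaches the log and error lines this patch rewrites; the function comment should state that limit, because the `Do` call sites now read as fully sanitized. I would replace the one-line comment with `// redactURL returns u with any userinfo password replaced by "xxxxx". Only the password is masked; the path and query are left as-is.` and keep the existing sentence about mirroring `url.URL#Redacted()` since the helper exists so the vendored library's minimum Go version is unchanged. The inner patch header names only the CVE; recording which upstream go-retryablehttp change is being backported would let the vendor copy be reconciled when the module is next bumped. The same helper is added by the rook, cri-o, cert-manager, keda and influxdb CVE-2024-6104 patches later in this series, so this applies to those hunks as well; `Do` itself is only partly visible in the inner hunks, so I cannot confirm from here that every `req.URL` log site in it is covered.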
From: Bala Date: Mon, 12 Aug 2024 16:09:49 +0530 Subject: [PATCH 11/43] Fix CVE-2024-6104 in rook by patching vendor gomodule (#9993) --- SPECS/rook/CVE-2024-6104.patch | 76 ++++++++++++++++++++++++++++++++++ SPECS/rook/rook.spec | 6 ++- 2 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 SPECS/rook/CVE-2024-6104.patch diff --git a/SPECS/rook/CVE-2024-6104.patch b/SPECS/rook/CVE-2024-6104.patch new file mode 100644 index 0000000000..10e461296c --- /dev/null +++ b/SPECS/rook/CVE-2024-6104.patch 
@@ -0,0 +1,76 @@ +From 5801fdff931e19a5cc9397b8a0cc7dfb4c8a67c0 Mon Sep 17 00:00:00 2001 +From: Balakumaran Kannan +Date: Thu, 1 Aug 2024 12:47:50 +0000 +Subject: [PATCH] Patch CVE-2024-6104 + +--- + .../hashicorp/go-retryablehttp/client.go | 26 ++++++++++++++----- + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go +index f1ccd3d..25d7ef5 100644 +--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go ++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go +@@ -499,9 +499,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if logger != nil { + switch v := logger.(type) { + case Logger: +- v.Printf("[DEBUG] %s %s", req.Method, req.URL) ++ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL)) + case LeveledLogger: +- v.Debug("performing request", "method", req.Method, "url", req.URL) ++ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL)) + } + } + +@@ -548,9 +548,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if err != nil { + switch v := logger.(type) { + case Logger: +- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err) ++ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err) + case LeveledLogger: +- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL) ++ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL)) + } + } else { + // Call this here to maintain the behavior of logging all requests, +@@ -590,7 +590,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + } + + wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) +- desc := fmt.Sprintf("%s %s", req.Method, req.URL) ++ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL)) + if code > 0 { + desc = fmt.Sprintf("%s (status: %d)", desc, code) + } +@@ -622,7 +622,7 @@ func (c *Client) 
Do(req *Request) (*http.Response, error) { + } + c.HTTPClient.CloseIdleConnections() + return nil, fmt.Errorf("%s %s giving up after %d attempts", +- req.Method, req.URL, c.RetryMax+1) ++ req.Method, redactURL(req.URL), c.RetryMax+1) + } + + // Try to read the response body so we can reuse this connection. +@@ -703,3 +703,17 @@ func (c *Client) StandardClient() *http.Client { + Transport: &RoundTripper{Client: c}, + } + } ++ ++ ++// Taken from url.URL#Redacted() which was introduced in go 1.15. ++func redactURL(u *url.URL) string { ++ if u == nil { ++ return "" ++ } ++ ++ ru := *u ++ if _, has := ru.User.Password(); has { ++ ru.User = url.UserPassword(ru.User.Username(), "xxxxx") ++ } ++ return ru.String() ++} +-- +2.33.8 + diff --git a/SPECS/rook/rook.spec b/SPECS/rook/rook.spec index f1b245071a..59e43e6c39 100644 --- a/SPECS/rook/rook.spec +++ b/SPECS/rook/rook.spec @@ -19,7 +19,7 @@ Summary: Orchestrator for distributed storage systems in cloud-native environments Name: rook Version: 1.6.2 -Release: 20%{?dist} +Release: 21%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -57,6 +57,7 @@ Patch0: flexvolume-dir.patch Patch1: CVE-2022-21698.patch Patch2: CVE-2023-44487.patch Patch3: CVE-2021-44716.patch +Patch4: CVE-2024-6104.patch # Ceph version is needed to set correct container tag in manifests BuildRequires: ceph # Rook requirements @@ -255,6 +256,9 @@ sed -i -e "s|\(.*tag: \)VERSION|\1%{helm_appVersion}|" %{values_yaml} # bother adding docs or changelog or anything %changelog +* Thu Aug 01 2024 Bala - 1.6.2-21 +- Patch CVE-2024-6104 + * Thu Jun 06 2024 CBL-Mariner Servicing Account - 1.6.2-20 - Bump release to rebuild with go 1.21.11 From 2469e3fe7ffe75296ef30d94f552b2b64f6b2bb2 Mon Sep 17 00:00:00 2001 
From: Bala Date: Mon, 12 Aug 2024 16:10:37 +0530 Subject: [PATCH 12/43] Fix CVE-2024-6104 in cri-o by patching vendor package source (#9986) --- SPECS/cri-o/CVE-2024-6104.patch | 76 +++++++++++++++++++++++++++++++++ SPECS/cri-o/cri-o.spec | 6 ++- 2 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 SPECS/cri-o/CVE-2024-6104.patch diff --git a/SPECS/cri-o/CVE-2024-6104.patch b/SPECS/cri-o/CVE-2024-6104.patch new file mode 100644 index 0000000000..dde0f1bfbe --- /dev/null +++ b/SPECS/cri-o/CVE-2024-6104.patch 
@@ -0,0 +1,76 @@ +From ab64e79170aea240fa050a929b52607d72c62c9e Mon Sep 17 00:00:00 2001 +From: Balakumaran Kannan +Date: Thu, 1 Aug 2024 07:01:21 +0000 +Subject: [PATCH] Patch CVE-2024-6104 + +--- + .../hashicorp/go-retryablehttp/client.go | 26 ++++++++++++++----- + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go +index 7bfa759..aead5e1 100644 +--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go ++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go +@@ -467,9 +467,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if logger != nil { + switch v := logger.(type) { + case Logger: +- v.Printf("[DEBUG] %s %s", req.Method, req.URL) ++ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL)) + case LeveledLogger: +- v.Debug("performing request", "method", req.Method, "url", req.URL) ++ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL)) + } + } + +@@ -516,9 +516,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if err != nil { + switch v := logger.(type) { + case Logger: +- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err) ++ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err) + case LeveledLogger: +- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL) ++ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL)) + } + } else { + // Call this here to maintain the behavior of logging all requests, +@@ -558,7 +558,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + } + + wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) +- desc := fmt.Sprintf("%s %s", req.Method, req.URL) ++ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL)) + if code > 0 { + desc = fmt.Sprintf("%s (status: %d)", desc, code) + } +@@ -590,7 +590,7 @@ func (c *Client) 
Do(req *Request) (*http.Response, error) { + } + c.HTTPClient.CloseIdleConnections() + return nil, fmt.Errorf("%s %s giving up after %d attempts", +- req.Method, req.URL, c.RetryMax+1) ++ req.Method, redactURL(req.URL), c.RetryMax+1) + } + + // Try to read the response body so we can reuse this connection. +@@ -663,3 +663,17 @@ func PostForm(url string, data url.Values) (*http.Response, error) { + func (c *Client) PostForm(url string, data url.Values) (*http.Response, error) { + return c.Post(url, "application/x-www-form-urlencoded", strings.NewReader(data.Encode())) + } ++ ++ ++// Taken from url.URL#Redacted() which was introduced in go 1.15. ++func redactURL(u *url.URL) string { ++ if u == nil { ++ return "" ++ } ++ ++ ru := *u ++ if _, has := ru.User.Password(); has { ++ ru.User = url.UserPassword(ru.User.Username(), "xxxxx") ++ } ++ return ru.String() ++} +-- +2.33.8 + diff --git a/SPECS/cri-o/cri-o.spec b/SPECS/cri-o/cri-o.spec index d677f572a9..e64bfb2cb6 100644 --- a/SPECS/cri-o/cri-o.spec +++ b/SPECS/cri-o/cri-o.spec @@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa # Define macros for further referenced sources Name: cri-o Version: 1.22.3 -Release: 5%{?dist} +Release: 6%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -66,6 +66,7 @@ Patch10: CVE-2024-21626.patch Patch11: CVE-2024-3154.patch Patch12: CVE-2024-3727.patch Patch13: CVE-2021-43565.patch +Patch14: CVE-2024-6104.patch BuildRequires: btrfs-progs-devel BuildRequires: device-mapper-devel BuildRequires: fdupes @@ -218,6 +219,9 @@ mkdir -p /opt/cni/bin %{_fillupdir}/sysconfig.kubelet %changelog +* Thu Aug 01 2024 Bala - 1.22.3-6 +- Patch CVE-2024-6104 + * Mon Jul 22 2024 Archana Choudhary - 1.22.3-5 - Patch CVE-2021-43565 From 60d467988528671ddc2a8c286a8d18e5d0fac41f Mon Sep 17 00:00:00 2001 
From: Bala Date: Mon, 12 Aug 2024 16:11:12 +0530 Subject: [PATCH 13/43] Fix CVE-2024-6104 in cert-manager by patching vendor package sources (#9981) --- SPECS/cert-manager/CVE-2024-6104.patch | 81 ++++++++++++++++++++++++++ SPECS/cert-manager/cert-manager.spec | 6 +- 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 SPECS/cert-manager/CVE-2024-6104.patch diff --git a/SPECS/cert-manager/CVE-2024-6104.patch b/SPECS/cert-manager/CVE-2024-6104.patch new file mode 100644 index 0000000000..974b1e216c --- /dev/null +++ b/SPECS/cert-manager/CVE-2024-6104.patch 
@@ -0,0 +1,81 @@ +From 3b68627a36a0682f92acb7fc592dee346b18a22c Mon Sep 17 00:00:00 2001 +From: Balakumaran Kannan +Date: Tue, 30 Jul 2024 12:13:03 +0000 +Subject: [PATCH] Patch CVE-2024-6104 + +--- + .../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++----- + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go +index 57116e9..10a5f70 100644 +--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go ++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go +@@ -577,9 +577,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if logger != nil { + switch v := logger.(type) { + case LeveledLogger: +- v.Debug("performing request", "method", req.Method, "url", req.URL) ++ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL)) + case Logger: +- v.Printf("[DEBUG] %s %s", req.Method, req.URL) ++ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL)) + } + } + +@@ -634,9 +634,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if err != nil { + switch v := logger.(type) { + case LeveledLogger: +- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL) ++ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL)) + case Logger: +- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err) ++ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err) + } + } else { + // Call this here to maintain the behavior of logging all requests, +@@ -672,7 +672,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + + wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) + if logger != nil { +- desc := fmt.Sprintf("%s %s", req.Method, req.URL) ++ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL)) + if resp != nil { + desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode) + } +@@ 
-728,11 +728,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + // communicate why + if err == nil { + return nil, fmt.Errorf("%s %s giving up after %d attempt(s)", +- req.Method, req.URL, attempt) ++ req.Method, redactURL(req.URL), attempt) + } + + return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w", +- req.Method, req.URL, attempt, err) ++ req.Method, redactURL(req.URL), attempt, err) + } + + // Try to read the response body so we can reuse this connection. +@@ -813,3 +813,17 @@ func (c *Client) StandardClient() *http.Client { + Transport: &RoundTripper{Client: c}, + } + } ++ ++ ++// Taken from url.URL#Redacted() which was introduced in go 1.15. ++func redactURL(u *url.URL) string { ++ if u == nil { ++ return "" ++ } ++ ++ ru := *u ++ if _, has := ru.User.Password(); has { ++ ru.User = url.UserPassword(ru.User.Username(), "xxxxx") ++ } ++ return ru.String() ++} +-- +2.33.8 + diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index dbf3cc7e59..3bc1633ff7 100644 --- a/SPECS/cert-manager/cert-manager.spec +++ b/SPECS/cert-manager/cert-manager.spec @@ -1,7 +1,7 @@ Summary: Automatically provision and manage TLS certificates in Kubernetes Name: cert-manager Version: 1.11.2 -Release: 11%{?dist} +Release: 12%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -22,6 +22,7 @@ Source1: %{name}-%{version}-govendor.tar.gz Patch0: CVE-2023-48795.patch Patch1: CVE-2023-45288.patch Patch2: CVE-2024-26147.patch +Patch3: CVE-2024-6104.patch BuildRequires: golang Requires: %{name}-acmesolver Requires: %{name}-cainjector @@ -114,6 +115,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ %{_bindir}/webhook %changelog +* Wed Jul 31 2023 Bala - 1.11.2-12 +- Patch for CVE-2024-6104 + * Thu Jun 06 2024 CBL-Mariner Servicing Account - 1.11.2-11 - Bump release to rebuild with go 1.21.11 From 0dc23ab2f5df064d22f3a6eb40319034722f65be Mon Sep 17 00:00:00 2001 
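Review bot: The new cert-manager.spec %changelog entry `* Wed Jul 31 2023 Bala - 1.11.2-12` is dated a year before the `Thu Jun 06 2024` entry directly below it, so the changelog is no longer in descending order, and Jul 31 2023 did not fall on a Wednesday; rpmbuild warns about or rejects such entries depending on its version. The commit itself and the sibling CVE-2024-6104 commits in this series are dated 2024, so this looks like a typo. Change the line to `* Wed Jul 31 2024 Bala - 1.11.2-12`.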
From: Bala Date: Mon, 12 Aug 2024 16:11:38 +0530 Subject: [PATCH 14/43] Fix CVE-2024-6104 in keda by patching vendor gomodule (#9990) --- SPECS/keda/CVE-2024-6104.patch | 76 ++++++++++++++++++++++++++++++++++ SPECS/keda/keda.spec | 6 ++- 2 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 SPECS/keda/CVE-2024-6104.patch diff --git a/SPECS/keda/CVE-2024-6104.patch b/SPECS/keda/CVE-2024-6104.patch new file mode 100644 index 0000000000..dca5da2af9 --- /dev/null +++ b/SPECS/keda/CVE-2024-6104.patch 
@@ -0,0 +1,76 @@ +From 7314ebdc4e965359fba5cf19fbffb6af5e712d0e Mon Sep 17 00:00:00 2001 +From: Balakumaran Kannan +Date: Thu, 1 Aug 2024 12:21:11 +0000 +Subject: [PATCH] Patch CVE-2024-6104 + +--- + .../hashicorp/go-retryablehttp/client.go | 26 ++++++++++++++----- + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go +index f1ccd3d..25d7ef5 100644 +--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go ++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go +@@ -499,9 +499,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if logger != nil { + switch v := logger.(type) { + case Logger: +- v.Printf("[DEBUG] %s %s", req.Method, req.URL) ++ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL)) + case LeveledLogger: +- v.Debug("performing request", "method", req.Method, "url", req.URL) ++ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL)) + } + } + +@@ -548,9 +548,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if err != nil { + switch v := logger.(type) { + case Logger: +- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err) ++ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err) + case LeveledLogger: +- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL) ++ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL)) + } + } else { + // Call this here to maintain the behavior of logging all requests, +@@ -590,7 +590,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + } + + wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) +- desc := fmt.Sprintf("%s %s", req.Method, req.URL) ++ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL)) + if code > 0 { + desc = fmt.Sprintf("%s (status: %d)", desc, code) + } +@@ -622,7 +622,7 @@ func (c *Client) 
Do(req *Request) (*http.Response, error) { + } + c.HTTPClient.CloseIdleConnections() + return nil, fmt.Errorf("%s %s giving up after %d attempts", +- req.Method, req.URL, c.RetryMax+1) ++ req.Method, redactURL(req.URL), c.RetryMax+1) + } + + // Try to read the response body so we can reuse this connection. +@@ -703,3 +703,17 @@ func (c *Client) StandardClient() *http.Client { + Transport: &RoundTripper{Client: c}, + } + } ++ ++ ++// Taken from url.URL#Redacted() which was introduced in go 1.15. ++func redactURL(u *url.URL) string { ++ if u == nil { ++ return "" ++ } ++ ++ ru := *u ++ if _, has := ru.User.Password(); has { ++ ru.User = url.UserPassword(ru.User.Username(), "xxxxx") ++ } ++ return ru.String() ++} +-- +2.33.8 + diff --git a/SPECS/keda/keda.spec b/SPECS/keda/keda.spec index 586ab95af9..9a03bd5bec 100644 --- a/SPECS/keda/keda.spec +++ b/SPECS/keda/keda.spec @@ -1,7 +1,7 @@ Summary: Kubernetes-based Event Driven Autoscaling Name: keda Version: 2.4.0 -Release: 21%{?dist} +Release: 22%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -31,6 +31,7 @@ Source1: %{name}-%{version}-vendor-v2.tar.gz Patch0: CVE-2022-21698.patch Patch1: CVE-2023-44487.patch Patch2: CVE-2021-44716.patch +Patch3: CVE-2024-6104.patch BuildRequires: golang @@ -66,6 +67,9 @@ cp ./bin/keda-adapter %{buildroot}%{_bindir} %{_bindir}/%{name}-adapter %changelog +* Thu Aug 01 2024 Bala - 2.4.0-22 +- Patch CVE-2024-6104 + * Wed Jul 17 2024 Muhammad Falak R Wani - 2.4.0-21 - Drop requirement on a specific version of golang From 396b7c71139debd0f04e2c981606c9d338acb85e Mon Sep 17 00:00:00 2001 From: Bala Date: Mon, 12 Aug 2024 16:12:11 +0530 Subject: [PATCH 15/43] Fix CVE-2024-6104 in influxdb by patching vendor package source (#9987) --- SPECS/influxdb/CVE-2024-6104.patch | 76 ++++++++++++++++++++++++++++++ SPECS/influxdb/influxdb.spec | 8 +++- 2 files changed, 82 insertions(+), 2 deletions(-) create mode 100644 SPECS/influxdb/CVE-2024-6104.patch 
diff --git a/SPECS/influxdb/CVE-2024-6104.patch b/SPECS/influxdb/CVE-2024-6104.patch new file mode 100644 index 0000000000..a5eb2edd9b --- /dev/null +++ b/SPECS/influxdb/CVE-2024-6104.patch 
@@ -0,0 +1,76 @@ +From 11d1dffc2525be8ec078bfb0af61e02c0abfda0f Mon Sep 17 00:00:00 2001 +From: Balakumaran Kannan +Date: Thu, 1 Aug 2024 08:17:06 +0000 +Subject: [PATCH] Patch CVE-2024-6104 + +--- + .../hashicorp/go-retryablehttp/client.go | 26 ++++++++++++++----- + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go +index 7bfa759..aead5e1 100644 +--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go ++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go +@@ -467,9 +467,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if logger != nil { + switch v := logger.(type) { + case Logger: +- v.Printf("[DEBUG] %s %s", req.Method, req.URL) ++ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL)) + case LeveledLogger: +- v.Debug("performing request", "method", req.Method, "url", req.URL) ++ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL)) + } + } + +@@ -516,9 +516,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if err != nil { + switch v := logger.(type) { + case Logger: +- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err) ++ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err) + case LeveledLogger: +- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL) ++ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL)) + } + } else { + // Call this here to maintain the behavior of logging all requests, +@@ -558,7 +558,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + } + + wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) +- desc := fmt.Sprintf("%s %s", req.Method, req.URL) ++ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL)) + if code > 0 { + desc = fmt.Sprintf("%s (status: %d)", desc, code) + } +@@ -590,7 +590,7 @@ func (c *Client) 
Do(req *Request) (*http.Response, error) { + } + c.HTTPClient.CloseIdleConnections() + return nil, fmt.Errorf("%s %s giving up after %d attempts", +- req.Method, req.URL, c.RetryMax+1) ++ req.Method, redactURL(req.URL), c.RetryMax+1) + } + + // Try to read the response body so we can reuse this connection. +@@ -663,3 +663,17 @@ func PostForm(url string, data url.Values) (*http.Response, error) { + func (c *Client) PostForm(url string, data url.Values) (*http.Response, error) { + return c.Post(url, "application/x-www-form-urlencoded", strings.NewReader(data.Encode())) + } ++ ++ ++// Taken from url.URL#Redacted() which was introduced in go 1.15. ++func redactURL(u *url.URL) string { ++ if u == nil { ++ return "" ++ } ++ ++ ru := *u ++ if _, has := ru.User.Password(); has { ++ ru.User = url.UserPassword(ru.User.Username(), "xxxxx") ++ } ++ return ru.String() ++} +-- +2.33.8 + diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec index b8169b9259..eea5104f71 100644 --- a/SPECS/influxdb/influxdb.spec +++ b/SPECS/influxdb/influxdb.spec @@ -18,7 +18,7 @@ Summary: Scalable datastore for metrics, events, and real-time analytics Name: influxdb Version: 2.6.1 -Release: 14%{?dist} +Release: 15%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -55,6 +55,7 @@ Source3: influxdb.service Source4: influxdb.tmpfiles Source5: config.yaml Source6: influxdb-user.conf +Patch0: CVE-2024-6104.patch BuildRequires: clang BuildRequires: golang <= 1.18.8 BuildRequires: kernel-headers @@ -84,7 +85,7 @@ Conflicts: influxdb Go sources and other development files for InfluxDB %prep -%autosetup -a 1 +%autosetup -p1 -a 1 mkdir -pv static tar -xf %{SOURCE2} -C static/ --no-same-owner @@ -144,6 +145,9 @@ go test ./... %{_tmpfilesdir}/influxdb.conf %changelog +* Thu Aug 01 2024 Bala - 2.6.1.15 +- Fix CVE 2024-6104 by patching vendor packages + * Thu Jun 06 2024 CBL-Mariner Servicing Account - 2.6.1-14 - Bump release to rebuild with go 1.21.11 
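Review bot: The new influxdb.spec %changelog entry `* Thu Aug 01 2024 Bala - 2.6.1.15` uses a dot between version and release, which does not match `Release: 15%{?dist}` in the same file or the `2.6.1-14` entry below it. The same entry writes the identifier as `CVE 2024-6104` while the rest of the series uses `CVE-2024-6104`. Suggested lines: `* Thu Aug 01 2024 Bala - 2.6.1-15` and `- Fix CVE-2024-6104 by patching vendor packages`.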
From 45be18fd7e6dc890057799c9fefb760953fec261 Mon Sep 17 00:00:00 2001 From: Pawel Winogrodzki Date: Mon, 12 Aug 2024 10:11:02 -0700 Subject: [PATCH 16/43] Disabled PR check debug mode by default. (CP: #9795) (#10096) --- .pipelines/prchecks/PackageBuildPRCheck.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.pipelines/prchecks/PackageBuildPRCheck.yml b/.pipelines/prchecks/PackageBuildPRCheck.yml index 36637cce4e..4ddd05ce43 100644 --- a/.pipelines/prchecks/PackageBuildPRCheck.yml +++ b/.pipelines/prchecks/PackageBuildPRCheck.yml @@ -22,6 +22,10 @@ parameters: maxCPUs: "$(($(nproc) / 3))" rawToolchainCacheURL: "$(rawToolchainCacheURL_ARM64)" rawToolchainExpectedHash: "65de43b3bdcfdaac71df1f11fd1f830a8109b1eb9d7cb6cbc2e2d0e929d0ef76" + - name: debug + type: boolean + default: false + displayName: "Run in debug mode" resources: repositories: @@ -37,7 +41,7 @@ variables: - name: toolchainArtifactNameBase value: Toolchain - name: system.debug - value: 'true' + value: '${{ parameters.debug }}' extends: template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates From 5b1646c8a31f32e76ff6d949366f072edaebe6ac Mon Sep 17 00:00:00 2001 From: Sumynwa Date: Tue, 13 Aug 2024 10:55:54 +0530 Subject: [PATCH 17/43] libtiff: Add patch to resolve CVE-2023-6277 (#10048) --- SPECS/libtiff/CVE-2023-6277.patch | 170 ++++++++++++++++++++++++++++++ SPECS/libtiff/libtiff.spec | 6 +- 2 files changed, 175 insertions(+), 1 deletion(-) create mode 100755 SPECS/libtiff/CVE-2023-6277.patch diff --git a/SPECS/libtiff/CVE-2023-6277.patch b/SPECS/libtiff/CVE-2023-6277.patch new file mode 100755 index 0000000000..fc95b02b07 --- /dev/null +++ b/SPECS/libtiff/CVE-2023-6277.patch 
@@ -0,0 +1,170 @@
+From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
+From: Su Laus
+Date: Tue, 31 Oct 2023 15:43:29 +0000
+Subject: [PATCH] Prevent some out-of-memory attacks
+
+Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
+
+At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
+
+See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
+---
+ libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 90 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 2c49dc6a..58a42760 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -1308,6 +1308,21 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
+ datasize = (*count) * typesize;
+ assert((tmsize_t)datasize > 0);
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size.
++ */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExtR(tif, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
++
+ if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
+ return TIFFReadDirEntryErrIo;
+
+@@ -5266,6 +5281,20 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
+ if (!_TIFFFillStrilesInternal(tif, 0))
+ return -1;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size.
*/
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExtR(tif, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
++
+ if (td->td_stripbytecount_p)
+ _TIFFfreeExt(tif, td->td_stripbytecount_p);
+ td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc(
+@@ -5276,9 +5305,7 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
+ if (td->td_compression != COMPRESSION_NONE)
+ {
+ uint64_t space;
+- uint64_t filesize;
+ uint16_t n;
+- filesize = TIFFGetFileSize(tif);
+ if (!(tif->tif_flags & TIFF_BIGTIFF))
+ space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4;
+ else
+@@ -5807,6 +5834,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
+ dircount16 = (uint16_t)dircount64;
+ dirsize = 20;
+ }
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExtR(
++ tif, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
+ "to read TIFF directory");
+ if (origdir == NULL)
+@@ -5921,6 +5962,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
+ "directories not supported");
+ return 0;
+ }
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size.
*/
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExtR(
++ tif, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
+ "to read TIFF directory");
+ if (origdir == NULL)
+@@ -5968,6 +6023,8 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
+ }
+ }
+ }
++ /* No check against filesize needed here because "dir" should have same size
++ * than "origdir" checked above. */
+ dir = (TIFFDirEntry *)_TIFFCheckMalloc(
+ tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory");
+ if (dir == 0)
+@@ -7164,6 +7221,20 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
+ return (0);
+ }
+
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExtR(tif, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfreeExt(tif, data);
++ return (0);
++ }
+ resizeddata = (uint64_t *)_TIFFCheckMalloc(
+ tif, nstrips, sizeof(uint64_t), "for strip array");
+ if (resizeddata == 0)
+@@ -7263,6 +7334,23 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
+ }
+ bytecount = last_offset + last_bytecount - offset;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of StripByteCount and StripOffset tags is not greater than
++ * file size.
*/
++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
++ uint64_t filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
++
+ newcounts =
+ (uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t),
+ "for chopped \"StripByteCounts\" array");
+--
+GitLab
+
diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec
index eac1551148..1e5a583c60 100644
--- a/SPECS/libtiff/libtiff.spec
+++ b/SPECS/libtiff/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: TIFF libraries and associated utilities.
 Name: libtiff
 Version: 4.6.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: libtiff
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -9,6 +9,7 @@ Group: System Environment/Libraries
 URL: https://gitlab.com/libtiff/libtiff
 Source0: https://gitlab.com/libtiff/libtiff/-/archive/v%{version}/libtiff-v%{version}.tar.gz
 Patch0: CVE-2023-52356.patch
+Patch1: CVE-2023-6277.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libjpeg-turbo-devel
@@ -61,6 +62,9 @@ make %{?_smp_mflags} -k check
 %{_docdir}/*
 %changelog
+* Wed Aug 07 2024 Sumedh Sharma - 4.6.0-3
+- Add patch to resolve CVE-2023-6277
+
 * Thu Mar 7 2024 Xiaohong Deng - 4.6.0-2
 - Add patches for CVE-2023-52356

From 9659612d39b9b68b24dbca104c2e6daa12029d95 Mon Sep 17 00:00:00 2001
From: Gary Swalling <31018813+gjswalling@users.noreply.github.com>
Date: Tue, 13 Aug 2024 10:48:10 -0700
Subject: [PATCH 18/43] Update kernel-mos to 5.15.164.1 (#10114)

---
 SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec | 5 ++++-
 SPECS/kernel-mos/config | 2 +-
 SPECS/kernel-mos/kernel-mos.signatures.json | 4 ++--
 SPECS/kernel-mos/kernel-mos.spec | 5 ++++-
 cgmanifest.json | 4 ++--
 5 files changed, 13 insertions(+), 7 deletions(-)
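Review bot: The comment added in the `@@ -5968,6 +6023,8 @@` hunk of tif_dirread.c justifies skipping the file-size check on `dir` by saying it has the same size as `origdir`, but `dir` is allocated with `sizeof(TIFFDirEntry)` per entry while `origdir` was sized with `dirsize` (12 or 20 bytes), so the two allocations presumably differ; the bound that actually holds is that `dircount16` is a `uint16_t`, which caps the allocation at 65535 entries whatever the file claims. Suggest `/* No filesize check needed: dircount16 is a uint16_t, so this allocation is bounded by 65535 * sizeof(TIFFDirEntry) regardless of file contents. */`. Every new warning string spells "greather"; since this is a verbatim upstream backport, keep the patch as-is and send the wording fix upstream rather than diverge. The new guards also assume `TIFFGetFileSize()` returns a meaningful size for every I/O backend; if a custom size proc reports 0, every tag read in `TIFFReadDirEntryArrayWithLimit` would be rejected, which is worth confirming for the consumers built against this package. All of the patched functions begin and end outside their hunks.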
diff --git a/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec b/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec
index 474dbbfc26..fceb45f9c6 100644
--- a/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec
+++ b/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec
@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for MOS systems
 Name: kernel-mos-signed-%{buildarch}
-Version: 5.15.161.1
+Version: 5.15.164.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -150,6 +150,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 %changelog
+* Mon Aug 12 2024 Gary Swalling - 5.15.164.1-1
+- Update to 5.15.164.1
+
 * Wed Jul 24 2024 Suresh Babu Chalamalasetty - 5.15.161.1-1
 - Update to 5.15.161.1
diff --git a/SPECS/kernel-mos/config b/SPECS/kernel-mos/config
index 0491106060..0b37323358 100644
--- a/SPECS/kernel-mos/config
+++ b/SPECS/kernel-mos/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.161.1 Kernel Configuration
+# Linux/x86_64 5.15.164.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS/kernel-mos/kernel-mos.signatures.json b/SPECS/kernel-mos/kernel-mos.signatures.json
index 4e83692a31..23a3f95de1 100644
--- a/SPECS/kernel-mos/kernel-mos.signatures.json
+++ b/SPECS/kernel-mos/kernel-mos.signatures.json
@@ -1,8 +1,8 @@
 {
 "Signatures": {
 "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
- "config": "170e9e5b27619d595f627af620da52facf9ad7ca7b717ecd097841766e36cda3",
+ "config": "bb8f743baac9e1ae181e6de5ad3ea4a085023f7037abbf6ed518ecb6afcf72e3",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
- "kernel-mos-5.15.161.1.tar.gz": "b48578cb4ef0361974c1156fff4041234cf00f9b66876b5c5dca2e536a78220d"
+ "kernel-mos-5.15.164.1.tar.gz": "cc83103f8d935d59d68b7f6e3d81d078e384b7e7e6cb590ff0146b7f01ef1e6e"
 }
 }
diff --git a/SPECS/kernel-mos/kernel-mos.spec b/SPECS/kernel-mos/kernel-mos.spec
index 9be10120e7..749cc5d24b 100644
--- a/SPECS/kernel-mos/kernel-mos.spec
+++ b/SPECS/kernel-mos/kernel-mos.spec
@@ -18,7 +18,7 @@
 %define config_source %{SOURCE1}
 Summary: Linux Kernel for MOS
 Name: kernel-mos
-Version: 5.15.161.1
+Version: 5.15.164.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -377,6 +377,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 %changelog
+* Mon Aug 12 2024 Gary Swalling - 5.15.164.1-1
+- Update to 5.15.164.1
+
 * Wed Jul 24 2024 Suresh Babu Chalamalasetty - 5.15.161.1-1
 - Update to 5.15.161.1
diff --git a/cgmanifest.json b/cgmanifest.json
index c96425d0a1..33425385a2 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -8161,8 +8161,8 @@
 "type": "other",
 "other": {
 "name": "kernel-mos",
- "version": "5.15.161.1",
- "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2-mos/5.15.161.1.tar.gz"
+ "version": "5.15.164.1",
+ "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2-mos/5.15.164.1.tar.gz"
 }
 }
 },

From 93ca32cc0dcc7cdda064f241fb4e3e8f2ca5307d Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Tue, 13 Aug 2024 17:37:39 -0700
Subject: [PATCH 19/43] [AUTOUPGRADE-CORE] Upgrade ca-certificates Msft cert change (#10080)

---
 .../ca-certificates.signatures.json | 2 +-
 SPECS/ca-certificates/ca-certificates.spec | 5 +-
 SPECS/ca-certificates/certdata.microsoft.txt | 1534 +++++++++++++++++
 .../prebuilt-ca-certificates-base.spec | 5 +-
 .../prebuilt-ca-certificates.spec | 5 +-
 .../manifests/package/pkggen_core_aarch64.txt | 8 +-
 .../manifests/package/pkggen_core_x86_64.txt | 8 +-
 .../manifests/package/toolchain_aarch64.txt | 10 +-
 .../manifests/package/toolchain_x86_64.txt | 10 +-
 9 files changed, 1565 insertions(+), 22 deletions(-)
diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json
index c16ab1fba7..8348c78a90 100644
--- a/SPECS/ca-certificates/ca-certificates.signatures.json
+++ b/SPECS/ca-certificates/ca-certificates.signatures.json
@@ -11,7 +11,7 @@
 "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
 "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
 "certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
- "certdata.microsoft.txt": "89655788a99b61c94aa18ad060b7e032d3e63b9db1417b1496e767662126c75a",
+ "certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd",
 "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
 "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
 "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec
index d16c60559f..02a65aabfd 100644
--- a/SPECS/ca-certificates/ca-certificates.spec
+++ b/SPECS/ca-certificates/ca-certificates.spec
@@ -45,7 +45,7 @@ Name: ca-certificates
 # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well.
 Epoch: 1
 Version: 2.0.0
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: MPLv2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -324,6 +324,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %{_bindir}/bundle2pem.sh
 %changelog
+* Fri Aug 09 2024 CBL-Mariner Servicing Account - 2.0.0-18
+- Updating Microsoft trusted root CAs.
+
 * Mon Apr 22 2024 CBL-Mariner Servicing Account - 2.0.0-17
 - Updating Microsoft trusted root CAs.
diff --git a/SPECS/ca-certificates/certdata.microsoft.txt b/SPECS/ca-certificates/certdata.microsoft.txt
index 764941deb8..b216a7d614 100644
--- a/SPECS/ca-certificates/certdata.microsoft.txt
+++ b/SPECS/ca-certificates/certdata.microsoft.txt
@@ -37618,3 +37618,1537 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "D-TRUST EV Root CA 2 2023" +# +# Issuer: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:69:26:09:7e:80:4b:4c:a0:a7:8c:78:62:53:5f:5a:6f +# Subject: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 09:10:33 2023 +# Not Valid After : Sun May 09 09:10:32 2038 +# Fingerprint (SHA-256): 8E:82:21:B2:E7:D4:00:78:36:A1:67:2F:0D:CC:29:9C:33:BC:07:D3:16:F1:32:FA:1A:20:6D:58:71:50:F1:CE +# Fingerprint (SHA1): A5:5B:D8:47:6C:8F:19:F7:4C:F4:6D:6B:B6:C2:79:82:22:DF:54:8B +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST EV Root CA 2 2023" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\151\046\011\176\200\113\114\240\247\214\170\142\123\137 +\132\157 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\251\060\202\003\221\240\003\002\001\002\002\020\151 +\046\011\176\200\113\114\240\247\214\170\142\123\137\132\157\060 +\015\006\011\052\206\110\206\367\015\001\001\015\005\000\060\110 
+\061\013\060\011\006\003\125\004\006\023\002\104\105\061\025\060 +\023\006\003\125\004\012\023\014\104\055\124\162\165\163\164\040 +\107\155\142\110\061\042\060\040\006\003\125\004\003\023\031\104 +\055\124\122\125\123\124\040\105\126\040\122\157\157\164\040\103 +\101\040\062\040\062\060\062\063\060\036\027\015\062\063\060\065 +\060\071\060\071\061\060\063\063\132\027\015\063\070\060\065\060 +\071\060\071\061\060\063\062\132\060\110\061\013\060\011\006\003 +\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012 +\023\014\104\055\124\162\165\163\164\040\107\155\142\110\061\042 +\060\040\006\003\125\004\003\023\031\104\055\124\122\125\123\124 +\040\105\126\040\122\157\157\164\040\103\101\040\062\040\062\060 +\062\063\060\202\002\042\060\015\006\011\052\206\110\206\367\015 +\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202 +\002\001\000\330\216\243\211\200\013\262\127\122\334\251\123\114 +\067\271\177\143\027\023\357\247\133\043\133\151\165\260\231\012 +\027\301\213\304\333\250\340\314\061\272\302\362\315\135\351\267 +\370\035\257\152\304\225\207\327\107\311\225\330\202\004\120\075 +\201\010\377\344\075\263\261\326\305\262\375\210\011\333\234\204 +\354\045\027\024\207\177\060\170\233\152\130\311\266\163\050\074 +\064\367\231\367\177\323\246\370\034\105\174\255\054\214\224\077 +\330\147\020\123\176\042\315\116\045\121\360\045\044\065\021\136 +\020\306\354\207\146\211\201\150\272\314\053\235\107\163\037\275 +\315\221\244\162\152\234\242\033\030\240\157\354\120\364\175\100 +\302\250\060\317\275\163\310\023\053\020\023\036\213\232\250\072 +\224\163\323\030\151\012\112\377\301\001\003\377\171\177\265\110 +\177\173\356\350\051\157\066\114\225\141\206\330\371\242\163\212 +\356\256\057\226\356\150\315\075\115\050\102\371\105\053\062\033 +\106\125\026\152\246\113\051\371\273\225\126\277\106\035\354\035 +\223\035\300\145\262\037\241\103\256\126\236\240\261\217\153\022 +\267\140\155\170\013\312\212\134\355\036\226\016\203\246\110\225 
+\215\073\243\041\304\256\130\306\000\262\204\264\043\244\226\206 +\065\270\330\236\330\254\064\111\230\143\225\305\313\155\110\107 +\342\362\056\030\036\320\061\253\335\164\354\371\334\214\270\034 +\216\150\043\272\320\363\120\334\317\145\217\163\072\062\307\174 +\376\312\202\042\117\276\216\142\107\146\345\315\207\342\350\325 +\017\030\237\345\004\162\113\106\074\020\362\104\302\144\126\161 +\116\165\350\234\311\046\164\305\175\131\321\012\133\017\155\376 +\236\165\034\030\306\032\072\174\330\015\004\314\315\267\105\145 +\172\261\217\270\256\204\110\076\263\172\115\250\003\342\342\176 +\001\026\131\150\030\103\063\260\322\334\260\032\103\065\356\245 +\332\251\106\134\256\206\201\101\001\112\164\046\354\237\006\277 +\302\005\067\144\165\170\051\150\375\305\365\353\376\107\371\344 +\205\260\341\173\061\235\246\177\162\243\271\304\054\056\314\231 +\127\016\041\014\105\001\224\145\353\145\011\306\143\042\013\063 +\111\222\110\074\374\315\316\260\076\216\236\213\370\376\111\305 +\065\162\107\002\003\001\000\001\243\201\216\060\201\213\060\017 +\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 +\035\006\003\125\035\016\004\026\004\024\252\374\221\020\033\207 +\221\137\026\271\277\117\113\221\136\000\034\261\062\200\060\016 +\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\111 +\006\003\125\035\037\004\102\060\100\060\076\240\074\240\072\206 +\070\150\164\164\160\072\057\057\143\162\154\056\144\055\164\162 +\165\163\164\056\156\145\164\057\143\162\154\057\144\055\164\162 +\165\163\164\137\145\166\137\162\157\157\164\137\143\141\137\062 +\137\062\060\062\063\056\143\162\154\060\015\006\011\052\206\110 +\206\367\015\001\001\015\005\000\003\202\002\001\000\223\313\245 +\037\231\021\354\232\015\137\054\025\223\306\077\276\020\215\170 +\102\360\156\220\107\107\216\243\222\062\215\160\217\366\133\215 +\276\211\316\107\001\152\033\040\040\211\133\310\202\020\154\340 +\347\231\252\153\306\052\240\143\065\221\152\205\045\255\027\070 
+\245\233\176\120\362\166\352\205\005\052\047\101\053\261\201\321 +\242\366\100\165\251\016\313\361\125\110\330\354\321\354\263\350 +\316\024\241\065\354\302\136\065\032\253\246\026\001\006\216\352 +\334\057\243\212\312\054\221\353\122\216\137\014\233\027\317\313 +\163\007\031\304\152\302\163\124\357\174\103\122\143\301\021\312 +\302\105\261\364\073\123\365\151\256\074\343\245\336\254\350\124 +\267\262\221\375\254\251\037\362\207\344\027\306\111\250\174\330 +\012\101\364\362\076\347\167\064\004\122\335\350\201\362\115\057 +\124\105\235\025\341\117\314\345\336\064\127\020\311\043\162\027 +\160\215\120\160\037\126\154\314\271\377\072\132\117\143\172\303 +\156\145\007\035\204\241\377\251\014\143\211\155\262\100\210\071 +\327\037\167\150\265\374\234\325\326\147\151\133\250\164\333\374 +\211\366\033\062\367\244\044\246\166\267\107\123\357\215\111\217 +\251\266\203\132\245\226\220\105\141\365\336\003\117\046\017\250 +\213\360\003\226\260\254\025\320\161\132\152\173\224\346\160\223 +\332\361\151\340\262\142\115\236\217\377\211\235\233\135\315\105 +\351\224\002\042\215\340\065\177\350\361\004\171\161\154\124\203 +\370\063\271\005\062\033\130\125\021\117\320\345\047\107\161\354 +\355\332\147\326\142\246\113\115\017\151\242\311\274\354\042\113 +\224\307\150\224\027\176\342\216\050\076\266\306\352\365\064\154 +\237\067\210\007\070\333\206\161\372\315\225\110\103\156\243\117 +\202\207\327\064\230\156\113\223\171\140\165\151\017\360\032\325 +\123\372\041\014\302\077\351\077\037\030\214\222\135\170\247\166 +\147\031\273\262\352\177\351\160\011\126\126\243\260\014\013\055 +\066\136\305\351\304\325\203\313\206\027\227\054\154\023\157\207 +\132\257\111\246\035\333\315\070\004\056\137\342\112\065\016\055 +\113\370\242\044\004\215\330\341\143\136\002\222\064\332\230\141 +\134\034\157\130\166\144\263\374\002\270\365\235\012 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for 
"D-TRUST EV Root CA 2 2023" +# Issuer: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:69:26:09:7e:80:4b:4c:a0:a7:8c:78:62:53:5f:5a:6f +# Subject: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 09:10:33 2023 +# Not Valid After : Sun May 09 09:10:32 2038 +# Fingerprint (SHA-256): 8E:82:21:B2:E7:D4:00:78:36:A1:67:2F:0D:CC:29:9C:33:BC:07:D3:16:F1:32:FA:1A:20:6D:58:71:50:F1:CE +# Fingerprint (SHA1): A5:5B:D8:47:6C:8F:19:F7:4C:F4:6D:6B:B6:C2:79:82:22:DF:54:8B +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST EV Root CA 2 2023" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\245\133\330\107\154\217\031\367\114\364\155\153\266\302\171\202 +\042\337\124\213 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\226\264\170\011\360\011\313\167\353\273\033\115\157\066\274\266 +END +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\151\046\011\176\200\113\114\240\247\214\170\142\123\137 +\132\157 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "D-TRUST BR Root CA 2 2023" +# +# Issuer: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:73:3b:30:04:48:5b:d9:4d:78:2e:73:4b:c9:a1:dc:66 +# Subject: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 08:56:31 2023 +# Not Valid After : Sun May 09 08:56:30 2038 +# Fingerprint (SHA-256): 
05:52:E6:F8:3F:DF:65:E8:FA:96:70:E6:66:DF:28:A4:E2:13:40:B5:10:CB:E5:25:66:F9:7C:4F:B9:4B:2B:D1 +# Fingerprint (SHA1): 2D:B0:70:EE:71:94:AF:69:68:17:DB:79:CE:58:9F:A0:6B:96:F7:87 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST BR Root CA 2 2023" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\163\073\060\004\110\133\331\115\170\056\163\113\311\241 +\334\146 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\251\060\202\003\221\240\003\002\001\002\002\020\163 +\073\060\004\110\133\331\115\170\056\163\113\311\241\334\146\060 +\015\006\011\052\206\110\206\367\015\001\001\015\005\000\060\110 +\061\013\060\011\006\003\125\004\006\023\002\104\105\061\025\060 +\023\006\003\125\004\012\023\014\104\055\124\162\165\163\164\040 +\107\155\142\110\061\042\060\040\006\003\125\004\003\023\031\104 +\055\124\122\125\123\124\040\102\122\040\122\157\157\164\040\103 +\101\040\062\040\062\060\062\063\060\036\027\015\062\063\060\065 +\060\071\060\070\065\066\063\061\132\027\015\063\070\060\065\060 +\071\060\070\065\066\063\060\132\060\110\061\013\060\011\006\003 +\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012 
+\023\014\104\055\124\162\165\163\164\040\107\155\142\110\061\042 +\060\040\006\003\125\004\003\023\031\104\055\124\122\125\123\124 +\040\102\122\040\122\157\157\164\040\103\101\040\062\040\062\060 +\062\063\060\202\002\042\060\015\006\011\052\206\110\206\367\015 +\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202 +\002\001\000\256\377\011\131\221\200\012\112\150\346\044\077\270 +\247\344\310\072\012\072\026\315\311\043\141\240\223\161\362\253 +\213\163\217\240\147\145\140\322\124\153\143\121\157\111\063\340 +\162\007\023\175\070\315\006\222\007\051\122\153\116\167\154\004 +\323\225\372\335\114\214\331\135\301\141\175\113\347\050\263\104 +\201\173\121\257\335\063\261\150\174\326\116\114\376\053\150\271 +\312\146\151\304\354\136\127\177\367\015\307\234\066\066\345\007 +\140\254\300\114\352\010\154\357\006\174\117\133\050\172\010\374 +\223\135\233\366\234\264\213\206\272\041\271\364\360\350\131\132 +\050\241\064\204\032\045\221\266\265\217\357\262\371\200\372\371 +\075\074\021\162\330\343\057\206\166\305\171\054\301\251\220\223 +\106\230\147\313\203\152\240\120\043\247\073\366\201\071\340\355 +\360\271\277\145\361\330\313\172\373\357\163\003\316\000\364\175 +\327\340\135\073\146\270\334\216\272\203\313\207\166\003\374\045 +\331\347\043\157\006\375\147\363\340\377\204\274\107\277\265\026 +\030\106\151\024\314\005\367\333\323\111\254\153\314\253\344\265 +\013\103\044\136\113\153\115\147\337\326\265\076\117\170\037\224 +\161\044\352\336\160\374\361\223\376\236\223\132\344\224\132\227 +\124\014\065\173\137\154\356\000\037\044\354\003\272\002\365\166 +\364\237\324\232\355\205\054\070\042\057\307\330\057\166\021\117 +\375\154\134\350\365\216\047\207\177\031\112\041\107\220\035\171 +\215\034\133\370\317\112\205\344\355\263\133\215\276\304\144\050 +\135\101\304\156\254\070\132\117\043\164\164\251\022\303\366\322 +\271\021\025\063\007\221\330\073\067\072\143\060\006\321\305\042 +\066\050\142\043\020\340\106\314\227\254\326\053\135\144\044\325 
+\356\034\016\336\373\010\132\165\052\366\143\155\316\013\102\276 +\321\272\160\034\234\041\345\017\061\151\027\327\374\012\264\336 +\355\200\234\313\222\264\213\365\336\131\242\130\011\245\143\107 +\013\341\101\062\064\101\331\232\261\331\250\260\033\132\336\015 +\015\364\342\262\135\065\200\271\201\324\204\151\221\002\313\165 +\320\215\305\265\075\011\221\011\217\024\241\024\164\171\076\326 +\311\025\035\244\131\131\042\334\366\212\105\075\074\022\326\076 +\135\062\057\002\003\001\000\001\243\201\216\060\201\213\060\017 +\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 +\035\006\003\125\035\016\004\026\004\024\147\220\360\326\336\265 +\030\325\106\051\176\134\253\370\236\010\274\144\225\020\060\016 +\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\111 +\006\003\125\035\037\004\102\060\100\060\076\240\074\240\072\206 +\070\150\164\164\160\072\057\057\143\162\154\056\144\055\164\162 +\165\163\164\056\156\145\164\057\143\162\154\057\144\055\164\162 +\165\163\164\137\142\162\137\162\157\157\164\137\143\141\137\062 +\137\062\060\062\063\056\143\162\154\060\015\006\011\052\206\110 +\206\367\015\001\001\015\005\000\003\202\002\001\000\064\367\263 +\167\123\333\060\026\271\055\245\041\361\100\041\165\353\353\110 +\026\201\075\163\340\236\047\052\353\167\251\023\244\152\012\132 +\132\024\063\075\150\037\201\256\151\375\214\237\145\154\064\102 +\331\055\320\177\170\026\261\072\254\043\061\255\136\177\256\347 +\256\053\372\272\374\074\227\225\100\223\137\303\055\003\243\355 +\244\157\123\327\372\100\016\060\365\000\040\054\000\114\214\073 +\264\243\037\266\277\221\062\253\257\222\230\323\026\346\324\321 +\124\134\103\133\056\256\357\127\052\250\264\157\244\357\015\126 +\024\332\041\253\040\166\236\003\374\046\270\236\077\076\003\046 +\346\114\333\235\137\102\204\075\105\003\003\034\131\210\312\334 +\056\141\044\132\244\352\047\013\163\022\276\122\263\012\317\062 +\027\342\036\207\032\026\225\110\155\132\340\320\317\011\222\046 
+\146\221\330\243\141\016\252\201\201\177\350\122\202\321\102\347 +\340\035\030\372\244\205\066\347\206\340\015\353\274\324\311\326 +\074\103\361\135\111\156\176\201\233\151\265\211\142\217\210\122 +\330\327\376\047\301\043\305\313\053\002\273\261\137\376\373\103 +\205\003\106\276\135\306\312\041\046\377\327\002\236\164\112\334 +\370\023\025\261\201\127\066\313\145\134\321\035\061\167\351\045 +\303\303\262\062\067\325\361\230\011\344\155\143\200\010\253\006 +\222\201\324\351\160\217\247\077\262\355\206\214\202\152\065\310 +\102\132\202\321\122\032\105\017\025\245\000\360\224\173\145\047 +\127\071\103\317\174\177\346\275\065\263\173\361\031\114\336\072 +\226\317\351\166\356\003\347\302\103\122\074\152\201\350\301\132 +\200\275\021\135\223\153\373\307\346\144\077\273\151\034\351\335 +\045\213\257\164\311\124\100\312\313\223\023\012\355\373\146\222 +\021\312\365\300\372\330\203\125\003\174\323\305\042\106\165\160 +\153\171\110\006\052\202\232\277\346\353\026\016\042\105\001\274 +\335\066\224\064\251\065\046\212\327\227\271\356\010\162\277\064 +\222\160\203\200\253\070\252\131\150\335\100\244\030\220\262\363 +\325\003\312\046\312\357\325\307\340\217\123\216\360\000\343\250 +\355\237\371\255\167\340\053\143\117\236\303\356\067\273\170\011 +\204\236\271\156\373\051\231\220\350\200\323\237\044 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "D-TRUST BR Root CA 2 2023" +# Issuer: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:73:3b:30:04:48:5b:d9:4d:78:2e:73:4b:c9:a1:dc:66 +# Subject: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 08:56:31 2023 +# Not Valid After : Sun May 09 08:56:30 2038 +# Fingerprint (SHA-256): 05:52:E6:F8:3F:DF:65:E8:FA:96:70:E6:66:DF:28:A4:E2:13:40:B5:10:CB:E5:25:66:F9:7C:4F:B9:4B:2B:D1 +# Fingerprint (SHA1): 2D:B0:70:EE:71:94:AF:69:68:17:DB:79:CE:58:9F:A0:6B:96:F7:87 +CKA_CLASS 
CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST BR Root CA 2 2023" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\055\260\160\356\161\224\257\151\150\027\333\171\316\130\237\240 +\153\226\367\207 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\341\011\355\323\140\324\126\033\107\037\267\014\137\033\137\205 +END +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\163\073\060\004\110\133\331\115\170\056\163\113\311\241 +\334\146 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "D-TRUST EV Root CA 1 2020" +# +# Issuer: CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE +# Serial Number:5f:02:41:d7:7a:87:7c:4c:03:a3:ac:96:8d:fb:ff:d0 +# Subject: CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue Feb 11 10:00:00 2020 +# Not Valid After : Sun Feb 11 09:59:59 2035 +# Fingerprint (SHA-256): 08:17:0D:1A:A3:64:53:90:1A:2F:95:92:45:E3:47:DB:0C:8D:37:AB:AA:BC:56:B8:1A:A1:00:DC:95:89:70:DB +# Fingerprint (SHA1): 61:DB:8C:21:59:69:03:90:D8:7C:9C:12:86:54:CF:9D:3D:F4:DD:07 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST EV Root CA 1 2020" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 
+\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\137\002\101\327\172\207\174\114\003\243\254\226\215\373 +\377\320 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\333\060\202\002\140\240\003\002\001\002\002\020\137 +\002\101\327\172\207\174\114\003\243\254\226\215\373\377\320\060 +\012\006\010\052\206\110\316\075\004\003\003\060\110\061\013\060 +\011\006\003\125\004\006\023\002\104\105\061\025\060\023\006\003 +\125\004\012\023\014\104\055\124\162\165\163\164\040\107\155\142 +\110\061\042\060\040\006\003\125\004\003\023\031\104\055\124\122 +\125\123\124\040\105\126\040\122\157\157\164\040\103\101\040\061 +\040\062\060\062\060\060\036\027\015\062\060\060\062\061\061\061 +\060\060\060\060\060\132\027\015\063\065\060\062\061\061\060\071 +\065\071\065\071\132\060\110\061\013\060\011\006\003\125\004\006 +\023\002\104\105\061\025\060\023\006\003\125\004\012\023\014\104 +\055\124\162\165\163\164\040\107\155\142\110\061\042\060\040\006 +\003\125\004\003\023\031\104\055\124\122\125\123\124\040\105\126 +\040\122\157\157\164\040\103\101\040\061\040\062\060\062\060\060 +\166\060\020\006\007\052\206\110\316\075\002\001\006\005\053\201 +\004\000\042\003\142\000\004\361\013\335\206\103\040\031\337\227 +\205\350\042\112\233\317\235\230\277\264\005\046\311\313\343\246 +\322\217\305\236\170\173\061\211\251\211\255\047\074\145\020\202 +\374\337\303\235\116\360\063\043\304\322\062\365\034\260\337\063 
+\027\135\305\360\261\212\371\357\271\267\024\312\051\112\302\017 +\251\177\165\145\111\052\060\147\364\144\367\326\032\167\332\303 +\302\227\141\102\173\111\255\243\202\001\015\060\202\001\011\060 +\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377 +\060\035\006\003\125\035\016\004\026\004\024\177\020\001\026\067 +\072\244\050\344\120\370\244\367\354\153\062\266\376\351\213\060 +\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060 +\201\306\006\003\125\035\037\004\201\276\060\201\273\060\076\240 +\074\240\072\206\070\150\164\164\160\072\057\057\143\162\154\056 +\144\055\164\162\165\163\164\056\156\145\164\057\143\162\154\057 +\144\055\164\162\165\163\164\137\145\166\137\162\157\157\164\137 +\143\141\137\061\137\062\060\062\060\056\143\162\154\060\171\240 +\167\240\165\206\163\154\144\141\160\072\057\057\144\151\162\145 +\143\164\157\162\171\056\144\055\164\162\165\163\164\056\156\145 +\164\057\103\116\075\104\055\124\122\125\123\124\045\062\060\105 +\126\045\062\060\122\157\157\164\045\062\060\103\101\045\062\060 +\061\045\062\060\062\060\062\060\054\117\075\104\055\124\162\165 +\163\164\045\062\060\107\155\142\110\054\103\075\104\105\077\143 +\145\162\164\151\146\151\143\141\164\145\162\145\166\157\143\141 +\164\151\157\156\154\151\163\164\060\012\006\010\052\206\110\316 +\075\004\003\003\003\151\000\060\146\002\061\000\312\074\306\052 +\165\302\136\165\142\071\066\000\140\132\213\301\223\231\314\331 +\333\101\073\073\207\231\027\073\325\314\117\312\042\367\240\200 +\313\371\264\261\033\126\365\162\322\374\031\321\002\061\000\221 +\367\060\223\077\020\106\053\161\244\320\073\104\233\300\051\002 +\005\262\101\167\121\363\171\132\236\216\024\240\116\102\322\133 +\201\363\064\152\003\347\042\070\120\133\355\031\117\103\026 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "D-TRUST EV Root CA 1 2020" +# Issuer: CN=D-TRUST EV Root CA 
1 2020,O=D-Trust GmbH,C=DE +# Serial Number:5f:02:41:d7:7a:87:7c:4c:03:a3:ac:96:8d:fb:ff:d0 +# Subject: CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue Feb 11 10:00:00 2020 +# Not Valid After : Sun Feb 11 09:59:59 2035 +# Fingerprint (SHA-256): 08:17:0D:1A:A3:64:53:90:1A:2F:95:92:45:E3:47:DB:0C:8D:37:AB:AA:BC:56:B8:1A:A1:00:DC:95:89:70:DB +# Fingerprint (SHA1): 61:DB:8C:21:59:69:03:90:D8:7C:9C:12:86:54:CF:9D:3D:F4:DD:07 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST EV Root CA 1 2020" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\141\333\214\041\131\151\003\220\330\174\234\022\206\124\317\235 +\075\364\335\007 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\214\055\235\160\237\110\231\021\006\021\373\351\313\060\300\156 +END +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\137\002\101\327\172\207\174\114\003\243\254\226\215\373 +\377\320 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "GTS Root R2" +# +# Issuer: CN=GTS Root R2,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:ae:c5:8d:04:25:1a:ab:11:25:aa +# Subject: CN=GTS Root R2,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 8D:25:CD:97:22:9D:BF:70:35:6B:DA:4E:B3:CC:73:40:31:E2:4C:F0:0F:AF:CF:D3:2D:C7:6E:B5:84:1C:7E:A8 +# Fingerprint (SHA1): 
9A:44:49:76:32:DB:DE:FA:D0:BC:FB:5A:7B:17:BD:9E:56:09:24:94 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R2" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\062 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\256\305\215\004\045\032\253\021\045\252 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\127\060\202\003\077\240\003\002\001\002\002\015\002 +\003\345\256\305\215\004\045\032\253\021\045\252\060\015\006\011 +\052\206\110\206\367\015\001\001\014\005\000\060\107\061\013\060 +\011\006\003\125\004\006\023\002\125\123\061\042\060\040\006\003 +\125\004\012\023\031\107\157\157\147\154\145\040\124\162\165\163 +\164\040\123\145\162\166\151\143\145\163\040\114\114\103\061\024 +\060\022\006\003\125\004\003\023\013\107\124\123\040\122\157\157 +\164\040\122\062\060\036\027\015\061\066\060\066\062\062\060\060 +\060\060\060\060\132\027\015\063\066\060\066\062\062\060\060\060 +\060\060\060\132\060\107\061\013\060\011\006\003\125\004\006\023 +\002\125\123\061\042\060\040\006\003\125\004\012\023\031\107\157 +\157\147\154\145\040\124\162\165\163\164\040\123\145\162\166\151 +\143\145\163\040\114\114\103\061\024\060\022\006\003\125\004\003 
+\023\013\107\124\123\040\122\157\157\164\040\122\062\060\202\002 +\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000 +\003\202\002\017\000\060\202\002\012\002\202\002\001\000\316\336 +\375\246\373\354\354\024\064\074\007\006\132\154\131\367\031\065 +\335\367\301\235\125\252\323\315\073\244\223\162\357\012\372\155 +\235\366\360\205\200\133\241\110\122\237\071\305\267\356\050\254 +\357\313\166\150\024\271\337\255\001\154\231\037\304\042\035\237 +\376\162\167\340\054\133\257\344\004\277\117\162\240\032\064\230 +\350\071\150\354\225\045\173\166\241\346\151\271\205\031\275\211 +\214\376\255\355\066\352\163\274\377\203\342\313\175\301\322\316 +\112\263\215\005\236\213\111\223\337\301\133\320\156\136\360\056 +\060\056\202\374\372\274\264\027\012\110\345\210\233\305\233\153 +\336\260\312\264\003\360\332\364\220\270\145\144\367\134\114\255 +\350\176\146\136\231\327\270\302\076\310\320\023\235\255\356\344 +\105\173\211\125\367\212\037\142\122\204\022\263\302\100\227\343 +\212\037\107\221\246\164\132\322\370\261\143\050\020\270\263\011 +\270\126\167\100\242\046\230\171\306\376\337\045\356\076\345\240 +\177\324\141\017\121\113\074\077\214\332\341\160\164\330\302\150 +\241\371\301\014\351\241\342\177\273\125\074\166\006\356\152\116 +\314\222\210\060\115\232\275\117\013\110\232\204\265\230\243\325 +\373\163\301\127\141\335\050\126\165\023\256\207\216\347\014\121 +\011\020\165\210\114\274\215\371\173\074\324\042\110\037\052\334 +\353\153\273\104\261\313\063\161\062\106\257\255\112\361\214\350 +\164\072\254\347\032\042\163\200\322\060\367\045\102\307\042\073 +\073\022\255\226\056\306\303\166\007\252\040\267\065\111\127\351 +\222\111\350\166\026\162\061\147\053\226\176\212\243\307\224\126 +\042\277\152\113\176\001\041\262\043\062\337\344\232\104\155\131 +\133\135\365\000\240\034\233\306\170\227\215\220\377\233\310\252 +\264\257\021\121\071\136\331\373\147\255\325\133\021\235\062\232 +\033\275\325\272\133\245\311\313\045\151\123\125\047\134\340\312 
+\066\313\210\141\373\036\267\320\313\356\026\373\323\246\114\336 +\222\245\324\342\337\365\006\124\336\056\235\113\264\223\060\252 +\201\316\335\032\334\121\163\015\117\160\351\345\266\026\041\031 +\171\262\346\211\013\165\144\312\325\253\274\011\301\030\241\377 +\324\124\241\205\074\375\024\044\003\262\207\323\244\267\002\003 +\001\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001 +\377\004\004\003\002\001\206\060\017\006\003\125\035\023\001\001 +\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004 +\026\004\024\273\377\312\216\043\237\117\231\312\333\342\150\246 +\245\025\047\027\036\331\016\060\015\006\011\052\206\110\206\367 +\015\001\001\014\005\000\003\202\002\001\000\037\312\316\335\307 +\276\241\237\331\047\114\013\334\027\230\021\152\210\336\075\346 +\161\126\162\262\236\032\116\234\325\053\230\044\135\233\153\173 +\260\063\202\011\275\337\045\106\352\230\236\266\033\376\203\074 +\322\142\141\301\004\355\316\340\305\311\310\023\023\125\347\250 +\143\255\214\173\001\376\167\060\341\316\150\233\005\370\022\356 +\171\061\240\101\105\065\050\012\161\244\044\117\214\334\074\202 +\007\137\146\334\175\020\376\014\141\263\005\225\356\341\256\201 +\017\250\370\307\217\115\250\043\002\046\153\035\203\122\125\316 +\265\057\000\312\200\100\340\341\164\254\140\365\207\200\235\256 +\066\144\221\135\260\150\030\352\212\141\311\167\250\227\304\311 +\307\245\374\125\113\363\360\177\271\145\075\047\150\320\314\153 +\372\123\235\341\221\032\311\135\032\226\155\062\207\355\003\040 +\310\002\316\132\276\331\352\375\262\115\304\057\033\337\137\172 +\365\370\213\306\356\061\072\045\121\125\147\215\144\062\173\351 +\236\303\202\272\052\055\351\036\264\340\110\006\242\374\147\257 +\037\042\002\163\373\040\012\257\235\124\113\241\315\377\140\107 +\260\077\135\357\033\126\275\227\041\226\055\012\321\136\235\070 +\002\107\154\271\364\366\043\045\270\240\152\232\053\167\010\372 +\304\261\050\220\046\130\010\074\342\176\252\327\075\157\272\061 
+\210\012\005\353\047\265\241\111\356\240\105\124\173\346\047\145 +\231\040\041\250\243\274\373\030\226\273\122\157\014\355\203\121 +\114\351\131\342\040\140\305\302\145\222\202\214\363\020\037\016 +\212\227\276\167\202\155\077\217\035\135\274\111\047\275\314\117 +\017\341\316\166\206\004\043\305\300\214\022\133\375\333\204\240 +\044\361\110\377\144\174\320\276\134\026\321\357\231\255\300\037 +\373\313\256\274\070\042\006\046\144\332\332\227\016\077\050\025 +\104\250\117\000\312\360\232\314\317\164\152\264\076\074\353\225 +\354\265\323\132\330\201\231\351\103\030\067\353\263\273\321\130 +\142\101\363\146\322\217\252\170\225\124\040\303\132\056\164\053 +\325\321\276\030\151\300\254\325\244\317\071\272\121\204\003\145 +\351\142\300\142\376\330\115\125\226\342\320\021\372\110\064\021 +\354\236\355\005\035\344\310\326\035\206\313 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "GTS Root R2" +# Issuer: CN=GTS Root R2,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:ae:c5:8d:04:25:1a:ab:11:25:aa +# Subject: CN=GTS Root R2,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 8D:25:CD:97:22:9D:BF:70:35:6B:DA:4E:B3:CC:73:40:31:E2:4C:F0:0F:AF:CF:D3:2D:C7:6E:B5:84:1C:7E:A8 +# Fingerprint (SHA1): 9A:44:49:76:32:DB:DE:FA:D0:BC:FB:5A:7B:17:BD:9E:56:09:24:94 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R2" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\232\104\111\166\062\333\336\372\320\274\373\132\173\027\275\236 +\126\011\044\224 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\036\071\300\123\346\036\051\202\013\312\122\125\066\135\127\334 +END +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\256\305\215\004\045\032\253\021\045\252 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "GTS Root R3" +# +# Issuer: CN=GTS Root R3,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:b8:82:eb:20:f8:25:27:6d:3d:66 +# Subject: CN=GTS Root R3,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 34:D8:A7:3E:E2:08:D9:BC:DB:0D:95:65:20:93:4B:4E:40:E6:94:82:59:6E:8B:6F:73:C8:42:6B:01:0A:6F:48 +# Fingerprint (SHA1): ED:E5:71:80:2B:C8:92:B9:5B:83:3C:D2:32:68:3F:09:CD:A0:1E:46 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R3" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\063 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\063 +END 
+CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\270\202\353\040\370\045\047\155\075\146 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\011\060\202\001\216\240\003\002\001\002\002\015\002 +\003\345\270\202\353\040\370\045\047\155\075\146\060\012\006\010 +\052\206\110\316\075\004\003\003\060\107\061\013\060\011\006\003 +\125\004\006\023\002\125\123\061\042\060\040\006\003\125\004\012 +\023\031\107\157\157\147\154\145\040\124\162\165\163\164\040\123 +\145\162\166\151\143\145\163\040\114\114\103\061\024\060\022\006 +\003\125\004\003\023\013\107\124\123\040\122\157\157\164\040\122 +\063\060\036\027\015\061\066\060\066\062\062\060\060\060\060\060 +\060\132\027\015\063\066\060\066\062\062\060\060\060\060\060\060 +\132\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154 +\145\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163 +\040\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107 +\124\123\040\122\157\157\164\040\122\063\060\166\060\020\006\007 +\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003\142 +\000\004\037\117\063\207\063\051\212\241\204\336\313\307\041\130 +\101\211\352\126\235\053\113\205\306\035\114\047\274\177\046\121 +\162\157\342\237\326\243\312\314\105\024\106\213\255\357\176\206 +\214\354\261\176\057\377\251\161\235\030\204\105\004\101\125\156 +\053\352\046\177\273\220\001\343\113\031\272\344\124\226\105\011 +\261\325\154\221\104\255\204\023\216\232\214\015\200\014\062\366 +\340\047\243\102\060\100\060\016\006\003\125\035\017\001\001\377 +\004\004\003\002\001\206\060\017\006\003\125\035\023\001\001\377 +\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026 +\004\024\301\361\046\272\240\055\256\205\201\317\323\361\052\022 +\275\270\012\147\375\274\060\012\006\010\052\206\110\316\075\004 +\003\003\003\151\000\060\146\002\061\000\366\341\040\225\024\173 +\124\243\220\026\021\277\204\310\352\157\153\027\236\036\106\230 
+\040\233\237\323\015\331\254\323\057\315\174\370\133\056\125\273 +\277\335\222\367\244\014\334\061\341\242\002\061\000\374\227\146 +\146\345\103\026\023\203\335\307\337\057\276\024\070\355\001\316 +\261\027\032\021\165\351\275\003\217\046\176\204\345\311\140\246 +\225\327\124\131\267\347\021\054\211\324\271\356\027 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "GTS Root R3" +# Issuer: CN=GTS Root R3,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:b8:82:eb:20:f8:25:27:6d:3d:66 +# Subject: CN=GTS Root R3,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 34:D8:A7:3E:E2:08:D9:BC:DB:0D:95:65:20:93:4B:4E:40:E6:94:82:59:6E:8B:6F:73:C8:42:6B:01:0A:6F:48 +# Fingerprint (SHA1): ED:E5:71:80:2B:C8:92:B9:5B:83:3C:D2:32:68:3F:09:CD:A0:1E:46 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R3" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\355\345\161\200\053\310\222\271\133\203\074\322\062\150\077\011 +\315\240\036\106 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\076\347\235\130\002\224\106\121\224\345\340\042\112\213\347\163 +END +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\270\202\353\040\370\045\047\155\075\146 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST 
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "GTS Root R4" +# +# Issuer: CN=GTS Root R4,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:c0:68:ef:63:1a:9c:72:90:50:52 +# Subject: CN=GTS Root R4,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 34:9D:FA:40:58:C5:E2:63:12:3B:39:8A:E7:95:57:3C:4E:13:13:C8:3F:E6:8F:93:55:6C:D5:E8:03:1B:3C:7D +# Fingerprint (SHA1): 77:D3:03:67:B5:E0:0C:15:F6:0C:38:61:DF:7C:E1:3B:92:46:4D:47 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R4" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\064 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\064 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\300\150\357\143\032\234\162\220\120\122 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\011\060\202\001\216\240\003\002\001\002\002\015\002 +\003\345\300\150\357\143\032\234\162\220\120\122\060\012\006\010 +\052\206\110\316\075\004\003\003\060\107\061\013\060\011\006\003 +\125\004\006\023\002\125\123\061\042\060\040\006\003\125\004\012 +\023\031\107\157\157\147\154\145\040\124\162\165\163\164\040\123 +\145\162\166\151\143\145\163\040\114\114\103\061\024\060\022\006 
+\003\125\004\003\023\013\107\124\123\040\122\157\157\164\040\122 +\064\060\036\027\015\061\066\060\066\062\062\060\060\060\060\060 +\060\132\027\015\063\066\060\066\062\062\060\060\060\060\060\060 +\132\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154 +\145\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163 +\040\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107 +\124\123\040\122\157\157\164\040\122\064\060\166\060\020\006\007 +\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003\142 +\000\004\363\164\163\247\150\213\140\256\103\270\065\305\201\060 +\173\113\111\235\373\301\141\316\346\336\106\275\153\325\141\030 +\065\256\100\335\163\367\211\221\060\132\353\074\356\205\174\242 +\100\166\073\251\306\270\107\330\052\347\222\221\152\163\351\261 +\162\071\237\051\237\242\230\323\137\136\130\206\145\017\241\204 +\145\006\321\334\213\311\307\163\310\214\152\057\345\304\253\321 +\035\212\243\102\060\100\060\016\006\003\125\035\017\001\001\377 +\004\004\003\002\001\206\060\017\006\003\125\035\023\001\001\377 +\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026 +\004\024\200\114\326\353\164\377\111\066\243\325\330\374\265\076 +\305\152\360\224\035\214\060\012\006\010\052\206\110\316\075\004 +\003\003\003\151\000\060\146\002\061\000\350\100\377\203\336\003 +\364\237\256\035\172\247\056\271\257\117\366\203\035\016\055\205 +\001\035\321\331\152\354\017\302\257\307\136\126\136\134\325\034 +\130\042\050\013\367\060\266\057\261\174\002\061\000\360\141\074 +\247\364\240\202\343\041\325\204\035\163\206\234\055\257\312\064 +\233\361\237\271\043\066\342\274\140\003\235\200\263\232\126\310 +\341\342\273\024\171\312\315\041\324\224\265\111\103 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "GTS Root R4" +# Issuer: CN=GTS Root R4,O=Google Trust Services 
LLC,C=US +# Serial Number:02:03:e5:c0:68:ef:63:1a:9c:72:90:50:52 +# Subject: CN=GTS Root R4,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 34:9D:FA:40:58:C5:E2:63:12:3B:39:8A:E7:95:57:3C:4E:13:13:C8:3F:E6:8F:93:55:6C:D5:E8:03:1B:3C:7D +# Fingerprint (SHA1): 77:D3:03:67:B5:E0:0C:15:F6:0C:38:61:DF:7C:E1:3B:92:46:4D:47 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R4" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\167\323\003\147\265\340\014\025\366\014\070\141\337\174\341\073 +\222\106\115\107 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\103\226\203\167\031\115\166\263\235\145\122\344\035\042\245\350 +END +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\064 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\300\150\357\143\032\234\162\220\120\122 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "GTS Root R1" +# +# Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:93:6f:31:b0:13:49:88:6b:a2:17 +# Subject: CN=GTS Root R1,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): D9:47:43:2A:BD:E7:B7:FA:90:FC:2E:6B:59:10:1B:12:80:E0:E1:C7:E4:E4:0F:A3:C6:88:7F:FF:57:A7:F4:CF +# Fingerprint (SHA1): E5:8C:1C:C4:91:3B:38:63:4B:E9:10:6E:E3:AD:8E:6B:9D:D9:81:4A 
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\223\157\061\260\023\111\210\153\242\027 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\127\060\202\003\077\240\003\002\001\002\002\015\002 +\003\345\223\157\061\260\023\111\210\153\242\027\060\015\006\011 +\052\206\110\206\367\015\001\001\014\005\000\060\107\061\013\060 +\011\006\003\125\004\006\023\002\125\123\061\042\060\040\006\003 +\125\004\012\023\031\107\157\157\147\154\145\040\124\162\165\163 +\164\040\123\145\162\166\151\143\145\163\040\114\114\103\061\024 +\060\022\006\003\125\004\003\023\013\107\124\123\040\122\157\157 +\164\040\122\061\060\036\027\015\061\066\060\066\062\062\060\060 +\060\060\060\060\132\027\015\063\066\060\066\062\062\060\060\060 +\060\060\060\132\060\107\061\013\060\011\006\003\125\004\006\023 +\002\125\123\061\042\060\040\006\003\125\004\012\023\031\107\157 +\157\147\154\145\040\124\162\165\163\164\040\123\145\162\166\151 +\143\145\163\040\114\114\103\061\024\060\022\006\003\125\004\003 +\023\013\107\124\123\040\122\157\157\164\040\122\061\060\202\002 
+\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000 +\003\202\002\017\000\060\202\002\012\002\202\002\001\000\266\021 +\002\213\036\343\241\167\233\073\334\277\224\076\267\225\247\100 +\074\241\375\202\371\175\062\006\202\161\366\366\214\177\373\350 +\333\274\152\056\227\227\243\214\113\371\053\366\261\371\316\204 +\035\261\371\305\227\336\357\271\362\243\351\274\022\211\136\247 +\252\122\253\370\043\047\313\244\261\234\143\333\327\231\176\360 +\012\136\353\150\246\364\306\132\107\015\115\020\063\343\116\261 +\023\243\310\030\154\113\354\374\011\220\337\235\144\051\045\043 +\007\241\264\322\075\056\140\340\317\322\011\207\273\315\110\360 +\115\302\302\172\210\212\273\272\317\131\031\326\257\217\260\007 +\260\236\061\361\202\301\300\337\056\246\155\154\031\016\265\330 +\176\046\032\105\003\075\260\171\244\224\050\255\017\177\046\345 +\250\010\376\226\350\074\150\224\123\356\203\072\210\053\025\226 +\011\262\340\172\214\056\165\326\234\353\247\126\144\217\226\117 +\150\256\075\227\302\204\217\300\274\100\300\013\134\275\366\207 +\263\065\154\254\030\120\177\204\340\114\315\222\323\040\351\063 +\274\122\231\257\062\265\051\263\045\052\264\110\371\162\341\312 +\144\367\346\202\020\215\350\235\302\212\210\372\070\146\212\374 +\143\371\001\371\170\375\173\134\167\372\166\207\372\354\337\261 +\016\171\225\127\264\275\046\357\326\001\321\353\026\012\273\216 +\013\265\305\305\212\125\253\323\254\352\221\113\051\314\031\244 +\062\045\116\052\361\145\104\320\002\316\252\316\111\264\352\237 +\174\203\260\100\173\347\103\253\247\154\243\217\175\211\201\372 +\114\245\377\325\216\303\316\113\340\265\330\263\216\105\317\166 +\300\355\100\053\375\123\017\260\247\325\073\015\261\212\242\003 +\336\061\255\314\167\352\157\173\076\326\337\221\042\022\346\276 +\372\330\062\374\020\143\024\121\162\336\135\326\026\223\275\051 +\150\063\357\072\146\354\007\212\046\337\023\327\127\145\170\047 +\336\136\111\024\000\242\000\177\232\250\041\266\251\261\225\260 
+\245\271\015\026\021\332\307\154\110\074\100\340\176\015\132\315 +\126\074\321\227\005\271\313\113\355\071\113\234\304\077\322\125 +\023\156\044\260\326\161\372\364\301\272\314\355\033\365\376\201 +\101\330\000\230\075\072\310\256\172\230\067\030\005\225\002\003 +\001\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001 +\377\004\004\003\002\001\206\060\017\006\003\125\035\023\001\001 +\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004 +\026\004\024\344\257\053\046\161\032\053\110\047\205\057\122\146 +\054\357\360\211\023\161\076\060\015\006\011\052\206\110\206\367 +\015\001\001\014\005\000\003\202\002\001\000\237\252\102\046\333 +\013\233\276\377\036\226\222\056\076\242\145\112\152\230\272\042 +\313\175\301\072\330\202\012\006\306\366\245\336\300\116\207\146 +\171\241\371\246\130\234\252\371\265\346\140\347\340\350\261\036 +\102\101\063\013\067\075\316\211\160\025\312\265\044\250\317\153 +\265\322\100\041\230\317\042\064\317\073\305\042\204\340\305\016 +\212\174\135\210\344\065\044\316\233\076\032\124\036\156\333\262 +\207\247\374\363\372\201\125\024\142\012\131\251\042\005\061\076 +\202\326\356\333\127\064\274\063\225\323\027\033\350\047\242\213 +\173\116\046\032\172\132\144\266\321\254\067\361\375\240\363\070 +\354\162\360\021\165\235\313\064\122\215\346\166\153\027\306\337 +\206\253\047\216\111\053\165\146\201\020\041\246\352\076\364\256 +\045\377\174\025\336\316\214\045\077\312\142\160\012\367\057\011 +\146\007\310\077\034\374\360\333\105\060\337\142\210\301\265\017 +\235\303\237\112\336\131\131\107\305\207\042\066\346\202\247\355 +\012\271\342\007\240\215\173\172\112\074\161\322\342\003\241\037 +\062\007\335\033\344\102\316\014\000\105\141\200\265\013\040\131 +\051\170\275\371\125\313\143\305\074\114\364\266\377\333\152\137 +\061\153\231\236\054\301\153\120\244\327\346\030\024\275\205\077 +\147\253\106\237\240\377\102\247\072\177\134\313\135\260\160\035 +\053\064\365\324\166\011\014\353\170\114\131\005\363\063\102\303 
+\141\025\020\033\167\115\316\042\214\324\205\362\105\175\267\123 +\352\357\100\132\224\012\134\040\137\116\100\135\142\042\166\337 +\377\316\141\275\214\043\170\322\067\002\340\216\336\321\021\067 +\211\366\277\355\111\007\142\256\222\354\100\032\257\024\011\331 +\320\116\262\242\367\276\356\356\330\377\334\032\055\336\270\066 +\161\342\374\171\267\224\045\321\110\163\133\241\065\347\263\231 +\147\165\301\031\072\053\107\116\323\102\216\375\061\310\026\146 +\332\322\014\074\333\263\216\311\241\015\200\017\173\026\167\024 +\277\377\333\011\224\262\223\274\040\130\025\351\333\161\103\363 +\336\020\303\000\334\250\052\225\266\302\326\077\220\153\166\333 +\154\376\214\274\362\160\065\014\334\231\031\065\334\327\310\106 +\143\325\066\161\256\127\373\267\202\155\334 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "GTS Root R1" +# Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:93:6f:31:b0:13:49:88:6b:a2:17 +# Subject: CN=GTS Root R1,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): D9:47:43:2A:BD:E7:B7:FA:90:FC:2E:6B:59:10:1B:12:80:E0:E1:C7:E4:E4:0F:A3:C6:88:7F:FF:57:A7:F4:CF +# Fingerprint (SHA1): E5:8C:1C:C4:91:3B:38:63:4B:E9:10:6E:E3:AD:8E:6B:9D:D9:81:4A +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\345\214\034\304\221\073\070\143\113\351\020\156\343\255\216\153 +\235\331\201\112 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\005\376\320\277\161\250\243\166\143\332\001\340\330\122\334\100 +END +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\223\157\061\260\023\111\210\153\242\027 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "GlobalSign" +# +# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 +# Serial Number:02:03:e5:7e:f5:3f:93:fd:a5:09:21:b2:a6 +# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 +# Not Valid Before: Tue Nov 13 00:00:00 2012 +# Not Valid After : Tue Jan 19 03:14:07 2038 +# Fingerprint (SHA-256): B0:85:D7:0B:96:4F:19:1A:73:E4:AF:0D:54:AE:7A:0E:07:AA:FD:AF:9B:71:DD:08:62:13:8A:B7:32:5A:24:A2 +# Fingerprint (SHA1): 6B:A0:B0:98:E1:71:EF:5A:AD:FE:48:15:80:77:10:F4:BD:6F:0B:28 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GlobalSign" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157 +\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164 +\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004 +\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060 +\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151 +\147\156 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157 +\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164 +\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004 +\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060 +\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151 
+\147\156 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\176\365\077\223\375\245\011\041\262\246 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\001\334\060\202\001\203\240\003\002\001\002\002\015\002 +\003\345\176\365\077\223\375\245\011\041\262\246\060\012\006\010 +\052\206\110\316\075\004\003\002\060\120\061\044\060\042\006\003 +\125\004\013\023\033\107\154\157\142\141\154\123\151\147\156\040 +\105\103\103\040\122\157\157\164\040\103\101\040\055\040\122\064 +\061\023\060\021\006\003\125\004\012\023\012\107\154\157\142\141 +\154\123\151\147\156\061\023\060\021\006\003\125\004\003\023\012 +\107\154\157\142\141\154\123\151\147\156\060\036\027\015\061\062 +\061\061\061\063\060\060\060\060\060\060\132\027\015\063\070\060 +\061\061\071\060\063\061\064\060\067\132\060\120\061\044\060\042 +\006\003\125\004\013\023\033\107\154\157\142\141\154\123\151\147 +\156\040\105\103\103\040\122\157\157\164\040\103\101\040\055\040 +\122\064\061\023\060\021\006\003\125\004\012\023\012\107\154\157 +\142\141\154\123\151\147\156\061\023\060\021\006\003\125\004\003 +\023\012\107\154\157\142\141\154\123\151\147\156\060\131\060\023 +\006\007\052\206\110\316\075\002\001\006\010\052\206\110\316\075 +\003\001\007\003\102\000\004\270\306\171\323\217\154\045\016\237 +\056\071\031\034\003\244\256\232\345\071\007\011\026\312\143\261 +\271\206\370\212\127\301\127\316\102\372\163\241\367\145\102\377 +\036\301\000\262\156\163\016\377\307\041\345\030\244\252\331\161 +\077\250\324\271\316\214\035\243\102\060\100\060\016\006\003\125 +\035\017\001\001\377\004\004\003\002\001\206\060\017\006\003\125 +\035\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003 +\125\035\016\004\026\004\024\124\260\173\255\105\270\342\100\177 +\373\012\156\373\276\063\311\074\243\204\325\060\012\006\010\052 +\206\110\316\075\004\003\002\003\107\000\060\104\002\040\042\117 +\164\162\271\140\257\361\346\234\240\026\005\120\137\303\136\073 +\156\141\164\357\276\001\304\276\030\110\131\141\202\062\002\040 
+\046\235\124\143\100\336\067\140\120\317\310\330\355\235\202\256 +\067\230\274\243\217\114\114\251\064\053\154\357\373\225\233\046 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "GlobalSign" +# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 +# Serial Number:02:03:e5:7e:f5:3f:93:fd:a5:09:21:b2:a6 +# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 +# Not Valid Before: Tue Nov 13 00:00:00 2012 +# Not Valid After : Tue Jan 19 03:14:07 2038 +# Fingerprint (SHA-256): B0:85:D7:0B:96:4F:19:1A:73:E4:AF:0D:54:AE:7A:0E:07:AA:FD:AF:9B:71:DD:08:62:13:8A:B7:32:5A:24:A2 +# Fingerprint (SHA1): 6B:A0:B0:98:E1:71:EF:5A:AD:FE:48:15:80:77:10:F4:BD:6F:0B:28 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GlobalSign" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\153\240\260\230\341\161\357\132\255\376\110\025\200\167\020\364 +\275\157\013\050 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\046\051\370\155\341\210\277\242\145\177\252\304\315\017\177\374 +END +CKA_ISSUER MULTILINE_OCTAL +\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157 +\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164 +\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004 +\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060 +\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151 +\147\156 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\176\365\077\223\375\245\011\041\262\246 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "NAVER Cloud Trust Services ECC Root G1" +# +# Issuer: CN=NAVER Cloud Trust Services 
ECC Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Serial Number:01:7f:20:23:7e:e5:82:11:34:66:c8:37:e4:78:15:e5:be:12:ba:15 +# Subject: CN=NAVER Cloud Trust Services ECC Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Not Valid Before: Wed Jun 07 13:20:29 2023 +# Not Valid After : Sat Jun 06 23:59:59 2043 +# Fingerprint (SHA-256): A7:C8:68:10:42:F3:67:5A:A8:50:5D:3B:A3:13:D8:0F:8A:C3:25:0F:DF:87:4A:D2:9B:83:46:89:C0:87:FB:11 +# Fingerprint (SHA1): 87:E7:3E:14:92:46:AA:63:43:08:E3:A3:14:2B:14:17:F0:0F:E2:5D +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "NAVER Cloud Trust Services ECC Root G1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 +\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 +\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\105\103\103\040\122\157\157\164\040\107\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 +\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 +\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\105\103\103\040\122\157\157\164\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\001\177\040\043\176\345\202\021\064\146\310\067\344\170 +\025\345\276\022\272\025 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\123\060\202\001\331\240\003\002\001\002\002\024\001 
+\177\040\043\176\345\202\021\064\146\310\067\344\170\025\345\276 +\022\272\025\060\012\006\010\052\206\110\316\075\004\003\003\060 +\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061\051 +\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040\103 +\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166\151 +\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003\125 +\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144\040 +\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040\105 +\103\103\040\122\157\157\164\040\107\061\060\036\027\015\062\063 +\060\066\060\067\061\063\062\060\062\071\132\027\015\064\063\060 +\066\060\066\062\063\065\071\065\071\132\060\151\061\013\060\011 +\006\003\125\004\006\023\002\113\122\061\051\060\047\006\003\125 +\004\012\014\040\116\101\126\105\122\040\103\154\157\165\144\040 +\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040\103 +\157\162\160\056\061\057\060\055\006\003\125\004\003\014\046\116 +\101\126\105\122\040\103\154\157\165\144\040\124\162\165\163\164 +\040\123\145\162\166\151\143\145\163\040\105\103\103\040\122\157 +\157\164\040\107\061\060\166\060\020\006\007\052\206\110\316\075 +\002\001\006\005\053\201\004\000\042\003\142\000\004\205\015\213 +\257\263\117\217\363\007\022\306\003\352\022\126\240\000\115\051 +\345\041\335\120\247\034\143\202\260\231\371\356\140\006\071\161 +\251\264\033\311\015\241\335\316\361\170\011\052\041\007\345\232 +\267\211\122\104\333\004\215\334\102\320\312\134\177\353\260\374 +\064\370\332\350\202\323\046\352\111\010\365\072\330\226\266\141 +\373\005\003\070\320\254\300\002\203\137\101\376\124\243\102\060 +\100\060\035\006\003\125\035\016\004\026\004\024\072\012\077\255 +\175\216\062\275\362\154\373\211\122\343\320\366\052\301\217\171 +\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006 +\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001 +\377\060\012\006\010\052\206\110\316\075\004\003\003\003\150\000 
+\060\145\002\061\000\273\234\216\341\332\353\366\122\321\355\304 +\223\173\222\221\317\327\135\245\303\046\376\172\054\272\313\175 +\176\372\252\320\115\246\377\221\272\375\332\172\001\122\334\232 +\171\161\312\137\323\002\060\016\043\312\204\310\050\200\034\345 +\372\056\232\344\202\035\371\031\055\036\217\126\324\206\252\206 +\173\154\226\044\134\151\173\231\013\155\173\124\171\010\044\077 +\315\351\215\272\127\252\313 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "NAVER Cloud Trust Services ECC Root G1" +# Issuer: CN=NAVER Cloud Trust Services ECC Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Serial Number:01:7f:20:23:7e:e5:82:11:34:66:c8:37:e4:78:15:e5:be:12:ba:15 +# Subject: CN=NAVER Cloud Trust Services ECC Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Not Valid Before: Wed Jun 07 13:20:29 2023 +# Not Valid After : Sat Jun 06 23:59:59 2043 +# Fingerprint (SHA-256): A7:C8:68:10:42:F3:67:5A:A8:50:5D:3B:A3:13:D8:0F:8A:C3:25:0F:DF:87:4A:D2:9B:83:46:89:C0:87:FB:11 +# Fingerprint (SHA1): 87:E7:3E:14:92:46:AA:63:43:08:E3:A3:14:2B:14:17:F0:0F:E2:5D +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "NAVER Cloud Trust Services ECC Root G1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\207\347\076\024\222\106\252\143\103\010\343\243\024\053\024\027 +\360\017\342\135 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\022\202\014\366\155\236\342\365\227\353\273\232\257\247\154\000 +END +CKA_ISSUER MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 +\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 +\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\105\103\103\040\122\157\157\164\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\001\177\040\043\176\345\202\021\064\146\310\067\344\170 +\025\345\276\022\272\025 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "NAVER Cloud Trust Services RSA Root G1" +# +# Issuer: CN=NAVER Cloud Trust Services RSA Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Serial Number:01:93:20:5e:a3:37:c2:a7:bb:27:56:b1:6e:35:c2:71:19:20:3e:f1 +# Subject: CN=NAVER Cloud Trust Services RSA Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Not Valid Before: Wed Jun 07 06:30:54 2023 +# Not Valid After : Sat Jun 06 23:59:59 2043 +# Fingerprint (SHA-256): 49:A2:76:29:87:78:8D:48:34:B3:23:05:D7:67:76:0F:24:4D:50:77:42:E8:C2:53:9F:D4:CA:3A:D5:2C:16:EE +# Fingerprint (SHA1): C4:DA:90:EE:32:4D:7E:4D:04:1C:B1:F2:86:FB:B4:53:88:20:7C:A1 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "NAVER Cloud Trust Services RSA Root G1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 +\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 +\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\122\123\101\040\122\157\157\164\040\107\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 
+\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 +\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\122\123\101\040\122\157\157\164\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\001\223\040\136\243\067\302\247\273\047\126\261\156\065 +\302\161\031\040\076\361 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\242\060\202\003\212\240\003\002\001\002\002\024\001 +\223\040\136\243\067\302\247\273\047\126\261\156\065\302\161\031 +\040\076\361\060\015\006\011\052\206\110\206\367\015\001\001\014 +\005\000\060\151\061\013\060\011\006\003\125\004\006\023\002\113 +\122\061\051\060\047\006\003\125\004\012\014\040\116\101\126\105 +\122\040\103\154\157\165\144\040\124\162\165\163\164\040\123\145 +\162\166\151\143\145\163\040\103\157\162\160\056\061\057\060\055 +\006\003\125\004\003\014\046\116\101\126\105\122\040\103\154\157 +\165\144\040\124\162\165\163\164\040\123\145\162\166\151\143\145 +\163\040\122\123\101\040\122\157\157\164\040\107\061\060\036\027 +\015\062\063\060\066\060\067\060\066\063\060\065\064\132\027\015 +\064\063\060\066\060\066\062\063\065\071\065\071\132\060\151\061 +\013\060\011\006\003\125\004\006\023\002\113\122\061\051\060\047 +\006\003\125\004\012\014\040\116\101\126\105\122\040\103\154\157 +\165\144\040\124\162\165\163\164\040\123\145\162\166\151\143\145 +\163\040\103\157\162\160\056\061\057\060\055\006\003\125\004\003 +\014\046\116\101\126\105\122\040\103\154\157\165\144\040\124\162 +\165\163\164\040\123\145\162\166\151\143\145\163\040\122\123\101 +\040\122\157\157\164\040\107\061\060\202\002\042\060\015\006\011 +\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000 +\060\202\002\012\002\202\002\001\000\305\122\320\304\171\311\305 +\003\145\070\147\100\242\322\045\144\057\227\023\062\206\041\157 +\036\342\241\165\142\262\041\070\147\071\274\274\337\346\127\133 
+\161\337\312\205\276\237\261\314\350\131\004\334\334\066\031\032 +\276\352\217\374\030\347\126\014\330\161\166\163\150\272\370\042 +\313\320\250\115\354\000\311\311\064\352\354\004\107\242\202\370 +\247\234\166\272\167\045\271\371\060\206\326\165\047\210\211\113 +\334\271\240\043\342\205\360\172\137\176\121\217\160\026\201\124 +\212\152\226\162\174\106\015\344\056\102\374\255\241\300\146\002 +\223\213\351\022\316\124\241\031\201\170\267\175\011\005\051\347 +\266\326\371\376\174\311\050\147\361\043\310\161\010\205\206\151 +\006\222\164\351\042\327\063\132\273\145\123\131\375\235\356\235 +\245\333\160\215\254\376\254\110\046\242\331\013\331\370\124\231 +\200\222\331\001\211\336\171\164\365\356\254\052\060\171\202\312 +\142\147\256\346\041\020\307\252\362\126\122\234\107\167\212\230 +\270\123\251\050\374\044\220\166\210\276\113\047\247\367\043\226 +\256\037\120\070\212\351\175\154\355\257\170\373\231\021\161\256 +\273\265\225\331\207\342\214\060\132\072\147\160\230\167\303\061 +\344\265\066\212\001\204\336\332\273\022\330\142\107\332\045\174 +\136\133\353\077\111\162\200\125\343\020\333\344\036\172\037\373 +\215\271\335\222\126\266\145\046\217\115\017\126\252\112\341\340 +\120\162\367\366\264\115\044\015\033\236\176\177\125\026\074\234 +\174\217\354\203\017\021\357\306\316\364\041\341\114\145\103\100 +\072\104\222\312\224\330\100\203\261\021\133\074\334\144\365\141 +\323\126\112\326\177\267\043\160\163\105\165\337\202\271\255\321 +\327\143\230\331\174\211\212\361\351\052\056\207\075\370\147\267 +\035\323\242\162\026\024\257\157\055\336\136\061\117\265\106\057 +\226\055\103\006\166\003\120\306\063\261\103\055\025\307\072\223 +\205\220\054\342\127\355\037\226\205\072\345\141\334\352\377\226 +\265\176\366\015\210\306\261\071\223\216\314\235\214\125\157\165 +\175\250\300\336\170\013\021\334\126\061\270\125\144\325\003\341 +\301\360\217\053\171\353\103\001\306\032\016\272\000\112\100\202 +\210\201\370\336\362\252\226\016\255\002\003\001\000\001\243\102 
+\060\100\060\035\006\003\125\035\016\004\026\004\024\357\010\015 +\155\202\150\056\032\332\132\355\363\376\342\242\006\363\233\347 +\370\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001 +\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001 +\001\377\060\015\006\011\052\206\110\206\367\015\001\001\014\005 +\000\003\202\002\001\000\050\025\222\133\176\305\117\375\227\064 +\230\227\373\130\301\254\026\166\221\145\337\000\026\113\027\314 +\011\164\253\341\173\152\056\074\321\107\267\142\145\312\336\000 +\330\166\211\061\134\247\106\363\004\122\133\272\070\342\227\065 +\016\000\213\243\341\224\315\064\324\005\174\033\172\057\171\363 +\320\301\322\270\160\245\203\201\041\234\307\242\346\234\253\047 +\101\157\103\041\317\150\106\247\143\046\323\152\367\154\002\040 +\006\340\070\252\133\264\133\275\351\360\323\157\031\357\272\000 +\000\121\160\047\311\032\142\331\020\077\330\164\177\230\121\126 +\346\306\270\045\321\114\133\212\274\132\160\004\340\116\126\166 +\360\337\010\357\021\232\061\005\163\007\200\012\374\076\373\267 +\117\344\045\125\275\005\036\164\004\006\077\036\332\220\127\116 +\160\032\363\065\146\006\305\314\053\033\037\104\140\375\054\066 +\210\265\355\273\036\120\067\320\375\310\103\133\133\235\314\272 +\261\346\017\107\327\157\202\155\275\220\253\023\217\136\253\133 +\357\340\365\276\113\314\370\077\257\260\254\226\106\215\011\207 +\370\177\062\115\066\374\126\122\306\213\266\124\331\304\041\336 +\022\153\020\131\126\075\274\100\273\146\234\253\132\065\163\241 +\353\023\062\207\110\152\210\041\073\162\127\375\057\003\170\040 +\071\001\304\242\275\061\232\137\303\064\117\371\341\213\042\023 +\021\127\021\012\137\010\316\376\206\010\275\033\335\367\246\064 +\252\266\124\217\112\373\327\147\337\333\360\156\206\317\321\012 +\037\351\022\244\045\327\221\157\002\273\031\006\124\020\054\231 +\335\304\252\266\037\353\273\016\177\155\371\145\307\311\217\044 +\226\276\150\026\232\032\364\116\007\344\354\076\052\352\176\145 
+\056\053\162\364\275\213\324\040\217\066\227\215\052\036\065\115 +\304\207\365\142\132\351\046\334\332\165\334\076\110\176\277\016 +\307\006\251\014\357\047\336\231\304\014\173\337\373\343\134\337 +\210\201\235\243\242\303\000\202\013\303\057\361\266\202\115\000 +\336\141\104\163\062\210\021\003\065\050\232\056\334\116\370\231 +\216\340\330\065\277\127\067\161\300\103\364\271\012\160\270\013 +\130\033\030\034\104\215\377\341\327\336\150\162\302\054\155\334 +\077\160\312\330\025\315 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "NAVER Cloud Trust Services RSA Root G1" +# Issuer: CN=NAVER Cloud Trust Services RSA Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Serial Number:01:93:20:5e:a3:37:c2:a7:bb:27:56:b1:6e:35:c2:71:19:20:3e:f1 +# Subject: CN=NAVER Cloud Trust Services RSA Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Not Valid Before: Wed Jun 07 06:30:54 2023 +# Not Valid After : Sat Jun 06 23:59:59 2043 +# Fingerprint (SHA-256): 49:A2:76:29:87:78:8D:48:34:B3:23:05:D7:67:76:0F:24:4D:50:77:42:E8:C2:53:9F:D4:CA:3A:D5:2C:16:EE +# Fingerprint (SHA1): C4:DA:90:EE:32:4D:7E:4D:04:1C:B1:F2:86:FB:B4:53:88:20:7C:A1 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "NAVER Cloud Trust Services RSA Root G1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\304\332\220\356\062\115\176\115\004\034\261\362\206\373\264\123 +\210\040\174\241 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\205\234\104\072\176\047\237\011\225\233\117\121\312\351\312\141 +END +CKA_ISSUER MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 +\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 
+\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\122\123\101\040\122\157\157\164\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\001\223\040\136\243\067\302\247\273\047\126\261\156\065 +\302\161\031\040\076\361 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "D-TRUST BR Root CA 1 2020" +# +# Issuer: CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE +# Serial Number:7c:c9:8f:2b:84:d7:df:ea:0f:c9:65:9a:d3:4b:4d:96 +# Subject: CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue Feb 11 09:45:00 2020 +# Not Valid After : Sun Feb 11 09:44:59 2035 +# Fingerprint (SHA-256): E5:9A:AA:81:60:09:C2:2B:FF:5B:25:BA:D3:7D:F3:06:F0:49:79:7C:1F:81:D8:5A:B0:89:E6:57:BD:8F:00:44 +# Fingerprint (SHA1): 1F:5B:98:F0:E3:B5:F7:74:3C:ED:E6:B0:36:7D:32:CD:F4:09:41:67 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST BR Root CA 1 2020" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 
+END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\174\311\217\053\204\327\337\352\017\311\145\232\323\113 +\115\226 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\333\060\202\002\140\240\003\002\001\002\002\020\174 +\311\217\053\204\327\337\352\017\311\145\232\323\113\115\226\060 +\012\006\010\052\206\110\316\075\004\003\003\060\110\061\013\060 +\011\006\003\125\004\006\023\002\104\105\061\025\060\023\006\003 +\125\004\012\023\014\104\055\124\162\165\163\164\040\107\155\142 +\110\061\042\060\040\006\003\125\004\003\023\031\104\055\124\122 +\125\123\124\040\102\122\040\122\157\157\164\040\103\101\040\061 +\040\062\060\062\060\060\036\027\015\062\060\060\062\061\061\060 +\071\064\065\060\060\132\027\015\063\065\060\062\061\061\060\071 +\064\064\065\071\132\060\110\061\013\060\011\006\003\125\004\006 +\023\002\104\105\061\025\060\023\006\003\125\004\012\023\014\104 +\055\124\162\165\163\164\040\107\155\142\110\061\042\060\040\006 +\003\125\004\003\023\031\104\055\124\122\125\123\124\040\102\122 +\040\122\157\157\164\040\103\101\040\061\040\062\060\062\060\060 +\166\060\020\006\007\052\206\110\316\075\002\001\006\005\053\201 +\004\000\042\003\142\000\004\306\313\307\050\321\373\204\365\232 +\357\102\024\040\341\103\153\156\165\255\374\053\003\204\324\166 +\223\045\327\131\073\101\145\153\036\346\064\052\273\164\366\022 +\316\350\155\347\253\344\074\116\077\104\010\213\315\026\161\313 +\277\222\231\364\244\327\074\120\124\122\220\205\203\170\224\147 +\147\243\034\011\031\075\165\064\205\336\355\140\175\307\014\264 +\101\122\271\156\345\356\102\243\202\001\015\060\202\001\011\060 +\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377 +\060\035\006\003\125\035\016\004\026\004\024\163\221\020\253\377 +\125\263\132\174\011\045\325\262\272\010\240\153\253\037\155\060 +\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060 +\201\306\006\003\125\035\037\004\201\276\060\201\273\060\076\240 +\074\240\072\206\070\150\164\164\160\072\057\057\143\162\154\056 
+\144\055\164\162\165\163\164\056\156\145\164\057\143\162\154\057 +\144\055\164\162\165\163\164\137\142\162\137\162\157\157\164\137 +\143\141\137\061\137\062\060\062\060\056\143\162\154\060\171\240 +\167\240\165\206\163\154\144\141\160\072\057\057\144\151\162\145 +\143\164\157\162\171\056\144\055\164\162\165\163\164\056\156\145 +\164\057\103\116\075\104\055\124\122\125\123\124\045\062\060\102 +\122\045\062\060\122\157\157\164\045\062\060\103\101\045\062\060 +\061\045\062\060\062\060\062\060\054\117\075\104\055\124\162\165 +\163\164\045\062\060\107\155\142\110\054\103\075\104\105\077\143 +\145\162\164\151\146\151\143\141\164\145\162\145\166\157\143\141 +\164\151\157\156\154\151\163\164\060\012\006\010\052\206\110\316 +\075\004\003\003\003\151\000\060\146\002\061\000\224\220\055\023 +\372\341\143\370\141\143\350\255\205\170\124\221\234\270\223\070 +\076\032\101\332\100\026\123\102\010\312\057\216\361\076\201\126 +\300\252\330\355\030\304\260\256\364\076\372\046\002\061\000\363 +\050\342\306\333\053\231\373\267\121\270\044\243\244\224\172\032 +\077\346\066\342\003\127\063\212\060\313\202\307\326\024\021\325 +\165\143\133\024\225\234\037\001\317\330\325\162\247\017\073 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "D-TRUST BR Root CA 1 2020" +# Issuer: CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE +# Serial Number:7c:c9:8f:2b:84:d7:df:ea:0f:c9:65:9a:d3:4b:4d:96 +# Subject: CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue Feb 11 09:45:00 2020 +# Not Valid After : Sun Feb 11 09:44:59 2035 +# Fingerprint (SHA-256): E5:9A:AA:81:60:09:C2:2B:FF:5B:25:BA:D3:7D:F3:06:F0:49:79:7C:1F:81:D8:5A:B0:89:E6:57:BD:8F:00:44 +# Fingerprint (SHA1): 1F:5B:98:F0:E3:B5:F7:74:3C:ED:E6:B0:36:7D:32:CD:F4:09:41:67 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE 
+CKA_LABEL UTF8 "D-TRUST BR Root CA 1 2020" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\037\133\230\360\343\265\367\164\074\355\346\260\066\175\062\315 +\364\011\101\147 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\265\252\113\325\355\367\343\125\056\217\162\012\363\165\270\355 +END +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\174\311\217\053\204\327\337\352\017\311\145\232\323\113 +\115\226 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + diff --git a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec index 08c2eea498..2568cedf98 100644 --- a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec +++ b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec @@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates-base # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well. Epoch: 1 Version: 2.0.0 -Release: 17%{?dist} +Release: 18%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -46,6 +46,9 @@ find %{buildroot} -name README -delete %{_sysconfdir}/pki/java/cacerts %changelog +* Fri Aug 09 2024 CBL-Mariner Servicing Account - 2.0.0-18 +- Making 'Release' match with 'ca-certificates' + * Mon Apr 22 2024 CBL-Mariner Servicing Account - 2.0.0-17 - Making 'Release' match with 'ca-certificates' 
diff --git a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec
index 932a7b2e7f..95902457b1 100644
--- a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec
+++ b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec
@@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates
 # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well.
 Epoch: 1
 Version: 2.0.0
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -49,6 +49,9 @@ find %{buildroot} -name README -delete
 %{_sysconfdir}/pki/java/cacerts
 
 %changelog
+* Fri Aug 09 2024 CBL-Mariner Servicing Account - 2.0.0-18
+- Making 'Release' match with 'ca-certificates'
+
 * Mon Apr 22 2024 CBL-Mariner Servicing Account - 2.0.0-17
 - Making 'Release' match with 'ca-certificates'
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 8ea33172c6..5886e0b7b2 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -231,10 +231,10 @@ libffi-devel-3.4.2-3.cm2.aarch64.rpm
 libtasn1-4.19.0-1.cm2.aarch64.rpm
 p11-kit-0.24.1-1.cm2.aarch64.rpm
 p11-kit-trust-0.24.1-1.cm2.aarch64.rpm
-ca-certificates-shared-2.0.0-17.cm2.noarch.rpm
-ca-certificates-tools-2.0.0-17.cm2.noarch.rpm
-ca-certificates-base-2.0.0-17.cm2.noarch.rpm
-ca-certificates-2.0.0-17.cm2.noarch.rpm
+ca-certificates-shared-2.0.0-18.cm2.noarch.rpm
+ca-certificates-tools-2.0.0-18.cm2.noarch.rpm
+ca-certificates-base-2.0.0-18.cm2.noarch.rpm
+ca-certificates-2.0.0-18.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
 unzip-6.0-20.cm2.aarch64.rpm
 python3-3.9.19-3.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 1180336b24..d7aef162fb 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -231,10 +231,10 @@ libffi-devel-3.4.2-3.cm2.x86_64.rpm
 libtasn1-4.19.0-1.cm2.x86_64.rpm
 p11-kit-0.24.1-1.cm2.x86_64.rpm
 p11-kit-trust-0.24.1-1.cm2.x86_64.rpm
-ca-certificates-shared-2.0.0-17.cm2.noarch.rpm
-ca-certificates-tools-2.0.0-17.cm2.noarch.rpm
-ca-certificates-base-2.0.0-17.cm2.noarch.rpm
-ca-certificates-2.0.0-17.cm2.noarch.rpm
+ca-certificates-shared-2.0.0-18.cm2.noarch.rpm
+ca-certificates-tools-2.0.0-18.cm2.noarch.rpm
+ca-certificates-base-2.0.0-18.cm2.noarch.rpm
+ca-certificates-2.0.0-18.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
 unzip-6.0-20.cm2.x86_64.rpm
 python3-3.9.19-3.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 4317ae0d25..26be210e6b 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -18,11 +18,11 @@ bzip2-1.0.8-1.cm2.aarch64.rpm
 bzip2-debuginfo-1.0.8-1.cm2.aarch64.rpm
 bzip2-devel-1.0.8-1.cm2.aarch64.rpm
 bzip2-libs-1.0.8-1.cm2.aarch64.rpm
-ca-certificates-2.0.0-17.cm2.noarch.rpm
-ca-certificates-base-2.0.0-17.cm2.noarch.rpm
-ca-certificates-legacy-2.0.0-17.cm2.noarch.rpm
-ca-certificates-shared-2.0.0-17.cm2.noarch.rpm
-ca-certificates-tools-2.0.0-17.cm2.noarch.rpm
+ca-certificates-2.0.0-18.cm2.noarch.rpm
+ca-certificates-base-2.0.0-18.cm2.noarch.rpm
+ca-certificates-legacy-2.0.0-18.cm2.noarch.rpm
+ca-certificates-shared-2.0.0-18.cm2.noarch.rpm
+ca-certificates-tools-2.0.0-18.cm2.noarch.rpm
 ccache-4.8-1.cm2.aarch64.rpm
 ccache-debuginfo-4.8-1.cm2.aarch64.rpm
 check-0.15.2-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 89ed3b11a4..43024dc9c1 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -19,11 +19,11 @@ bzip2-1.0.8-1.cm2.x86_64.rpm
 bzip2-debuginfo-1.0.8-1.cm2.x86_64.rpm
 bzip2-devel-1.0.8-1.cm2.x86_64.rpm
 bzip2-libs-1.0.8-1.cm2.x86_64.rpm
-ca-certificates-2.0.0-17.cm2.noarch.rpm
-ca-certificates-base-2.0.0-17.cm2.noarch.rpm
-ca-certificates-legacy-2.0.0-17.cm2.noarch.rpm
-ca-certificates-shared-2.0.0-17.cm2.noarch.rpm
-ca-certificates-tools-2.0.0-17.cm2.noarch.rpm
+ca-certificates-2.0.0-18.cm2.noarch.rpm
+ca-certificates-base-2.0.0-18.cm2.noarch.rpm
+ca-certificates-legacy-2.0.0-18.cm2.noarch.rpm
+ca-certificates-shared-2.0.0-18.cm2.noarch.rpm
+ca-certificates-tools-2.0.0-18.cm2.noarch.rpm
 ccache-4.8-1.cm2.x86_64.rpm
 ccache-debuginfo-4.8-1.cm2.x86_64.rpm
 check-0.15.2-1.cm2.x86_64.rpm
From 4c9a672bf4de5dc8426b797dc27075f902de8259 Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Fri, 16 Aug 2024 08:00:49 -0700
Subject: [PATCH 20/43] [AUTOPATCHER-CORE] Upgrade postgresql to 14.13 CVE-2024-7348 (#10112)

---
 SPECS/postgresql/postgresql.signatures.json | 2 +-
 SPECS/postgresql/postgresql.spec | 5 ++++-
 cgmanifest.json | 4 ++--
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/SPECS/postgresql/postgresql.signatures.json b/SPECS/postgresql/postgresql.signatures.json
index 64afabb175..7a3a0a6a8c 100644
--- a/SPECS/postgresql/postgresql.signatures.json
+++ b/SPECS/postgresql/postgresql.signatures.json
@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "postgresql-14.12.tar.bz2": "6118d08f9ddcc1bd83cf2b7cc74d3b583bdcec2f37e6245a8ac003b8faa80923"
+    "postgresql-14.13.tar.bz2": "59aa3c4b495ab26a9ec69f3ad0a0228c51f0fe6facf3634dfad4d1197d613a56"
   }
 }
diff --git a/SPECS/postgresql/postgresql.spec b/SPECS/postgresql/postgresql.spec
index 73cc9a07ee..d18d1de371 100644
--- a/SPECS/postgresql/postgresql.spec
+++ b/SPECS/postgresql/postgresql.spec
@@ -1,6 +1,6 @@
 Summary: PostgreSQL database engine
 Name: postgresql
-Version: 14.12
+Version: 14.13
 Release: 1%{?dist}
 License: PostgreSQL
 Vendor: Microsoft Corporation
@@ -191,6 +191,9 @@ sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check"
 %{_libdir}/libpgtypes.a
 
 %changelog
+* Mon Aug 12 2024 CBL-Mariner Servicing Account - 14.13-1
+- Auto-upgrade to 14.13 - CVE-2024-7348
+
 * Thu May 16 2024 CBL-Mariner Servicing Account - 14.12-1
 - Auto-upgrade to 14.12 - CVE-2024-4317
 
diff --git a/cgmanifest.json b/cgmanifest.json
index 33425385a2..37b5890f9c 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -21454,8 +21454,8 @@
         "type": "other",
         "other": {
           "name": "postgresql",
-          "version": "14.12",
-          "downloadUrl": "https://ftp.postgresql.org/pub/source/v14.12/postgresql-14.12.tar.bz2"
+          "version": "14.13",
+          "downloadUrl": "https://ftp.postgresql.org/pub/source/v14.13/postgresql-14.13.tar.bz2"
         }
       }
     },
From 76613af222a8cfb97c5abef59f7d956675b3ee07 Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Mon, 19 Aug 2024 10:17:49 -0700
Subject: [PATCH 21/43] [AUTO-CHERRYPICK] [AUTOPATCHER-kernel] Kernel upgrade to version 5.15.164.1 - branch fasttrack/2.0 - branch main (#10170)

---
 .../kernel-azure-signed.spec | 5 ++++-
 .../kernel-hci-signed/kernel-hci-signed.spec | 5 ++++-
 SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++-
 .../hyperv-daemons.signatures.json | 2 +-
 SPECS/hyperv-daemons/hyperv-daemons.spec | 5 ++++-
 SPECS/kernel-azure/config | 2 +-
 SPECS/kernel-azure/config_aarch64 | 2 +-
 .../kernel-azure/kernel-azure.signatures.json | 6 +++---
 SPECS/kernel-azure/kernel-azure.spec | 5 ++++-
 SPECS/kernel-hci/config | 2 +-
 SPECS/kernel-hci/kernel-hci.signatures.json | 4 ++--
 SPECS/kernel-hci/kernel-hci.spec | 5 ++++-
 .../kernel-headers.signatures.json | 2 +-
 SPECS/kernel-headers/kernel-headers.spec | 5 ++++-
 SPECS/kernel/config | 2 +-
 SPECS/kernel/config_aarch64 | 2 +-
 SPECS/kernel/kernel.signatures.json | 6 +++---
 SPECS/kernel/kernel.spec | 5 ++++-
 cgmanifest.json | 20 +++++++++----------
 .../manifests/package/pkggen_core_aarch64.txt | 2 +-
 .../manifests/package/pkggen_core_x86_64.txt | 2 +-
 .../manifests/package/toolchain_aarch64.txt | 2 +-
 .../manifests/package/toolchain_x86_64.txt | 4 ++--
 23 files changed, 62 insertions(+), 38 deletions(-)

diff --git a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec
index 84382153c9..756a698c52 100644
--- a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec
+++ b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec
@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for Azure
 Name: kernel-azure-signed-%{buildarch}
-Version: 5.15.162.2
+Version: 5.15.164.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Fri Aug 09 2024 CBL-Mariner Servicing Account - 5.15.164.1-1
+- Auto-upgrade to 5.15.164.1
+
 * Wed Jul 17 2024 CBL-Mariner Servicing Account - 5.15.162.2-1
 - Auto-upgrade to 5.15.162.2
 
diff --git a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec
index d83efa5913..b5c387d614 100644
--- a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec
+++ b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec
@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for HCI
 Name: kernel-hci-signed-%{buildarch}
-Version: 5.15.162.2
+Version: 5.15.164.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Fri Aug 09 2024 CBL-Mariner Servicing Account - 5.15.164.1-1
+- Auto-upgrade to 5.15.164.1
+
 * Wed Jul 17 2024 CBL-Mariner Servicing Account - 5.15.162.2-1
 - Auto-upgrade to 5.15.162.2
 
diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
index 67084bce39..11d372c72b 100644
--- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for %{buildarch} systems
 Name: kernel-signed-%{buildarch}
-Version: 5.15.162.2
+Version: 5.15.164.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Fri Aug 09 2024 CBL-Mariner Servicing Account - 5.15.164.1-1
+- Auto-upgrade to 5.15.164.1
+
 * Wed Jul 17 2024 CBL-Mariner Servicing Account - 5.15.162.2-1
 - Auto-upgrade to 5.15.162.2
 
diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
index f725c45970..333870a9de 100644
--- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
+++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
@@ -7,6 +7,6 @@
     "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f",
     "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
     "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
-    "kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
+    "kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
   }
 }
diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec
index 795ab440cc..b98ba69434 100644
--- a/SPECS/hyperv-daemons/hyperv-daemons.spec
+++ b/SPECS/hyperv-daemons/hyperv-daemons.spec
@@ -8,7 +8,7 @@
 %global udev_prefix 70
 Summary: Hyper-V daemons suite
 Name: hyperv-daemons
-Version: 5.15.162.2
+Version: 5.15.164.1
 Release: 1%{?dist}
 License: GPLv2+
 Vendor: Microsoft Corporation
@@ -219,6 +219,9 @@ fi
 %{_sbindir}/lsvmbus
 
 %changelog
+* Fri Aug 09 2024 CBL-Mariner Servicing Account - 5.15.164.1-1
+- Auto-upgrade to 5.15.164.1
+
 * Wed Jul 17 2024 CBL-Mariner Servicing Account - 5.15.162.2-1
 - Auto-upgrade to 5.15.162.2
 
diff --git a/SPECS/kernel-azure/config b/SPECS/kernel-azure/config
index 1729011277..618e594f24 100644
--- a/SPECS/kernel-azure/config
+++ b/SPECS/kernel-azure/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.162.2 Kernel Configuration
+# Linux/x86_64 5.15.164.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS/kernel-azure/config_aarch64 b/SPECS/kernel-azure/config_aarch64
index 4f5c21c0a3..86e48b414e 100644
--- a/SPECS/kernel-azure/config_aarch64
+++ b/SPECS/kernel-azure/config_aarch64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.15.162.2 Kernel Configuration
+# Linux/arm64 5.15.164.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS/kernel-azure/kernel-azure.signatures.json b/SPECS/kernel-azure/kernel-azure.signatures.json
index 0ae6a6604c..991a9088e9 100644
--- a/SPECS/kernel-azure/kernel-azure.signatures.json
+++ b/SPECS/kernel-azure/kernel-azure.signatures.json
@@ -1,9 +1,9 @@
 {
   "Signatures": {
     "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-    "config": "0033f60dcfa13616a26c58a7fddc486a31e0f5be80b9290b4f911f678aff9796",
-    "config_aarch64": "bfda2d51bf24db34edabfeb9bb6d20dc777c6c991b861a39961fde3999f2bfdc",
+    "config": "a84f20c07e5f2a8a76db3a5bc7c7da29cb8b5bccb457a75ac52cfef847b7e743",
+    "config_aarch64": "2e737ff36bf79ea1cebaffc145e6e24c6a292992cb3191a4a5bf7e7b51aafb6b",
     "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
-    "kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
+    "kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
   }
 }
diff --git a/SPECS/kernel-azure/kernel-azure.spec b/SPECS/kernel-azure/kernel-azure.spec
index 84d5a1c42d..14be7cdf30 100644
--- a/SPECS/kernel-azure/kernel-azure.spec
+++ b/SPECS/kernel-azure/kernel-azure.spec
@@ -27,7 +27,7 @@
 
 Summary: Linux Kernel
 Name: kernel-azure
-Version: 5.15.162.2
+Version: 5.15.164.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -420,6 +420,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Fri Aug 09 2024 CBL-Mariner Servicing Account - 5.15.164.1-1
+- Auto-upgrade to 5.15.164.1
+
 * Wed Jul 17 2024 CBL-Mariner Servicing Account - 5.15.162.2-1
 - Auto-upgrade to 5.15.162.2
 
diff --git a/SPECS/kernel-hci/config b/SPECS/kernel-hci/config
index 35172f57b6..3547b750d8 100644
--- a/SPECS/kernel-hci/config
+++ b/SPECS/kernel-hci/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.162.2 Kernel Configuration
+# Linux/x86_64 5.15.164.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS/kernel-hci/kernel-hci.signatures.json b/SPECS/kernel-hci/kernel-hci.signatures.json
index e0e42afe22..32247f3f36 100644
--- a/SPECS/kernel-hci/kernel-hci.signatures.json
+++ b/SPECS/kernel-hci/kernel-hci.signatures.json
@@ -1,7 +1,7 @@
 {
   "Signatures": {
     "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-    "config": "ad11508bb6ca2133c14bfa56a05883f2feb85d27986f0fc4541666a21f4bbb72",
-    "kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
+    "config": "a2580de76388be81d6c393c90b1d0e01befa4cc1b668e3f68d4f2e7337a473ea",
+    "kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
   }
 }
diff --git a/SPECS/kernel-hci/kernel-hci.spec b/SPECS/kernel-hci/kernel-hci.spec
index c4fdcf7b7a..415ec5cdb6 100644
--- a/SPECS/kernel-hci/kernel-hci.spec
+++ b/SPECS/kernel-hci/kernel-hci.spec
@@ -17,7 +17,7 @@
 %define config_source %{SOURCE1}
 Summary: Linux Kernel for HCI
 Name: kernel-hci
-Version: 5.15.162.2
+Version: 5.15.164.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -547,6 +547,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Fri Aug 09 2024 CBL-Mariner Servicing Account - 5.15.164.1-1
+- Auto-upgrade to 5.15.164.1
+
 * Wed Jul 17 2024 CBL-Mariner Servicing Account - 5.15.162.2-1
 - Auto-upgrade to 5.15.162.2
 
diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json
index b2c2f399d7..b2885a5f6e 100644
--- a/SPECS/kernel-headers/kernel-headers.signatures.json
+++ b/SPECS/kernel-headers/kernel-headers.signatures.json
@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
+    "kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
   }
 }
diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec
index d5797a2fe3..f41fc61643 100644
--- a/SPECS/kernel-headers/kernel-headers.spec
+++ b/SPECS/kernel-headers/kernel-headers.spec
@@ -11,7 +11,7 @@
 
 Summary: Linux API header files
 Name: kernel-headers
-Version: 5.15.162.2
+Version: 5.15.164.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -73,6 +73,9 @@ done
 %endif
 
 %changelog
+* Fri Aug 09 2024 CBL-Mariner Servicing Account - 5.15.164.1-1
+- Auto-upgrade to 5.15.164.1
+
 * Wed Jul 17 2024 CBL-Mariner Servicing Account - 5.15.162.2-1
 - Auto-upgrade to 5.15.162.2
 
diff --git a/SPECS/kernel/config b/SPECS/kernel/config
index 22cef22a3e..dd55c0d1e0 100644
--- a/SPECS/kernel/config
+++ b/SPECS/kernel/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.162.2 Kernel Configuration
+# Linux/x86_64 5.15.164.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64
index f8e1bd7e3c..f9bf261712 100644
--- a/SPECS/kernel/config_aarch64
+++ b/SPECS/kernel/config_aarch64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.15.162.2 Kernel Configuration
+# Linux/arm64 5.15.164.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json
index 5c70a811c1..172e049381 100644
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
@@ -1,9 +1,9 @@
 {
 "Signatures": {
 "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
- "config": "bb53efa19adae0989ed54ce53570f19afd344a6407627d276f61db16096649b7",
- "config_aarch64": "92c091653a7b3228f87cae851d476c0de12634945bd2cd88d8f14bab98971cbf",
+ "config": "a4e1b93311b05b42f33414d155c9f238f176ea32a699387e3cbeaf8dada0d567",
+ "config_aarch64": "42131349224a7e6b890637a816eb688e46251e4ed2a0f60363cd2d882b2b9e8c",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
- "kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
+ "kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
 }
 }
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec
index cffbdd4f28..77cfbbcca2 100644
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@@ -27,7 +27,7 @@
 Summary: Linux Kernel
 Name: kernel
-Version: 5.15.162.2
+Version: 5.15.164.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -426,6 +426,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 %changelog
+* Fri Aug 09 2024 CBL-Mariner Servicing Account - 5.15.164.1-1
+- Auto-upgrade to 5.15.164.1
+
 * Wed Jul 17 2024 CBL-Mariner Servicing Account - 5.15.162.2-1
 - Auto-upgrade to 5.15.162.2
diff --git a/cgmanifest.json b/cgmanifest.json
index 37b5890f9c..e3227dca11 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -6540,8 +6540,8 @@
 "type": "other",
 "other": {
 "name": "hyperv-daemons",
- "version": "5.15.162.2",
- "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.162.2.tar.gz"
+ "version": "5.15.164.1",
+ "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.164.1.tar.gz"
 }
 }
 },
@@ -8121,8 +8121,8 @@
 "type": "other",
 "other": {
 "name": "kernel",
- "version": "5.15.162.2",
- "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.162.2.tar.gz"
+ "version": "5.15.164.1",
+ "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.164.1.tar.gz"
 }
 }
 },
@@ -8131,8 +8131,8 @@
 "type": "other",
 "other": {
 "name": "kernel-azure",
- "version": "5.15.162.2",
- "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.162.2.tar.gz"
+ "version": "5.15.164.1",
+ "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.164.1.tar.gz"
 }
 }
 },
@@ -8141,8 +8141,8 @@
 "type": "other",
 "other": {
 "name": "kernel-hci",
- "version": "5.15.162.2",
- "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.162.2.tar.gz"
+ "version": "5.15.164.1",
+ "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.164.1.tar.gz"
 }
 }
 },
@@ -8151,8 +8151,8 @@
 "type": "other",
 "other": {
 "name": "kernel-headers",
- "version": "5.15.162.2",
- "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.162.2.tar.gz"
+ "version": "5.15.164.1",
+ "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.164.1.tar.gz"
 }
 }
 },
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 5886e0b7b2..e6ae32c3d0 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-20.cm2.aarch64.rpm
-kernel-headers-5.15.162.2-1.cm2.noarch.rpm
+kernel-headers-5.15.164.1-1.cm2.noarch.rpm
 glibc-2.35-7.cm2.aarch64.rpm
 glibc-devel-2.35-7.cm2.aarch64.rpm
 glibc-i18n-2.35-7.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index d7aef162fb..6d15aaa1fb 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-20.cm2.x86_64.rpm
-kernel-headers-5.15.162.2-1.cm2.noarch.rpm
+kernel-headers-5.15.164.1-1.cm2.noarch.rpm
 glibc-2.35-7.cm2.x86_64.rpm
 glibc-devel-2.35-7.cm2.x86_64.rpm
 glibc-i18n-2.35-7.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 26be210e6b..fc18f7e990 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -136,7 +136,7 @@ intltool-0.51.0-7.cm2.noarch.rpm
 itstool-2.0.6-4.cm2.noarch.rpm
 kbd-2.2.0-1.cm2.aarch64.rpm
 kbd-debuginfo-2.2.0-1.cm2.aarch64.rpm
-kernel-headers-5.15.162.2-1.cm2.noarch.rpm
+kernel-headers-5.15.164.1-1.cm2.noarch.rpm
 kmod-29-2.cm2.aarch64.rpm
 kmod-debuginfo-29-2.cm2.aarch64.rpm
 kmod-devel-29-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 43024dc9c1..4ae297ceb7 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -141,8 +141,8 @@ intltool-0.51.0-7.cm2.noarch.rpm
 itstool-2.0.6-4.cm2.noarch.rpm
 kbd-2.2.0-1.cm2.x86_64.rpm
 kbd-debuginfo-2.2.0-1.cm2.x86_64.rpm
-kernel-cross-headers-5.15.162.2-1.cm2.noarch.rpm
-kernel-headers-5.15.162.2-1.cm2.noarch.rpm
+kernel-cross-headers-5.15.164.1-1.cm2.noarch.rpm
+kernel-headers-5.15.164.1-1.cm2.noarch.rpm
 kmod-29-2.cm2.x86_64.rpm
 kmod-debuginfo-29-2.cm2.x86_64.rpm
 kmod-devel-29-2.cm2.x86_64.rpm
From a8025baebf2425194a003630925cc7ccc8532f31 Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Mon, 19 Aug 2024 11:37:15 -0700
Subject: [PATCH 22/43] [AUTO-CHERRYPICK] protobuf: patch CVE-2022-1941 - branch main (#10018)
Co-authored-by: Archana Choudhary <36061892+arc9693@users.noreply.github.com>
---
 SPECS/protobuf/CVE-2022-1941.patch | 365 +++++++++++++++++++++++++++++
 SPECS/protobuf/protobuf.spec | 8 +-
 2 files changed, 371 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/protobuf/CVE-2022-1941.patch
diff --git a/SPECS/protobuf/CVE-2022-1941.patch b/SPECS/protobuf/CVE-2022-1941.patch
new file mode 100644
index 0000000000..3a1f5b4a9f
--- /dev/null
+++ b/SPECS/protobuf/CVE-2022-1941.patch
@@ -0,0 +1,365 @@ +From 55815e423bb82cc828836bbd60c79c1f9a195763 Mon Sep 17 00:00:00 2001 +From: Deanna Garcia +Date: Tue, 13 Sep 2022 17:20:00 +0000 +Subject: [PATCH] Apply patch + +--- + src/google/protobuf/extension_set_inl.h | 27 +++-- + src/google/protobuf/wire_format.cc | 26 +++-- + src/google/protobuf/wire_format_lite.h | 27 +++-- + src/google/protobuf/wire_format_unittest.cc | 109 ++++++++++++++++++-- + 4 files changed, 152 insertions(+), 37 deletions(-) + +diff --git a/src/google/protobuf/extension_set_inl.h b/src/google/protobuf/extension_set_inl.h +index 074784b96d50..77f95f62fd58 100644 +--- a/src/google/protobuf/extension_set_inl.h ++++ b/src/google/protobuf/extension_set_inl.h +@@ -206,16 +206,21 @@ const char* ExtensionSet::ParseMessageSetItemTmpl( + const char* ptr, const Msg* containing_type, + internal::InternalMetadata* metadata, internal::ParseContext* ctx) { + std::string payload; +- uint32 type_id = 0; +- bool payload_read = false; ++ uint32 type_id; ++ enum class State { kNoTag, kHasType, kHasPayload, kDone }; ++ State state = State::kNoTag; ++ + while (!ctx->Done(&ptr)) { + uint32 tag = static_cast(*ptr++); + if (tag == WireFormatLite::kMessageSetTypeIdTag) { + uint64 tmp; + ptr = ParseBigVarint(ptr, &tmp); + GOOGLE_PROTOBUF_PARSER_ASSERT(ptr); +- type_id = tmp; +- if (payload_read) { ++ if (state == State::kNoTag) { ++ type_id = tmp; ++ state = State::kHasType; ++ } else if (state == State::kHasPayload) { ++ type_id = tmp; + ExtensionInfo extension; + bool was_packed_on_wire; + if (!FindExtension(2, type_id, containing_type, ctx, &extension, +@@ -241,20 +246,24 @@ const char* ExtensionSet::ParseMessageSetItemTmpl( + GOOGLE_PROTOBUF_PARSER_ASSERT(value->_InternalParse(p, &tmp_ctx) && + tmp_ctx.EndedAtLimit()); + } +- type_id = 0; ++ state = State::kDone; + } + } else if (tag == WireFormatLite::kMessageSetMessageTag) { +- if (type_id != 0) { ++ if (state == State::kHasType) { + ptr = ParseFieldMaybeLazily(static_cast(type_id) * 8 + 2, ptr, + 
containing_type, metadata, ctx); + GOOGLE_PROTOBUF_PARSER_ASSERT(ptr != nullptr); +- type_id = 0; ++ state = State::kDone; + } else { ++ std::string tmp; + int32 size = ReadSize(&ptr); + GOOGLE_PROTOBUF_PARSER_ASSERT(ptr); +- ptr = ctx->ReadString(ptr, size, &payload); ++ ptr = ctx->ReadString(ptr, size, &tmp); + GOOGLE_PROTOBUF_PARSER_ASSERT(ptr); +- payload_read = true; ++ if (state == State::kNoTag) { ++ payload = std::move(tmp); ++ state = State::kHasPayload; ++ } + } + } else { + ptr = ReadTag(ptr - 1, &tag); +diff --git a/src/google/protobuf/wire_format.cc b/src/google/protobuf/wire_format.cc +index c30b7abff634..382d01ea0cfb 100644 +--- a/src/google/protobuf/wire_format.cc ++++ b/src/google/protobuf/wire_format.cc +@@ -657,9 +657,11 @@ struct WireFormat::MessageSetParser { + const char* _InternalParse(const char* ptr, internal::ParseContext* ctx) { + // Parse a MessageSetItem + auto metadata = reflection->MutableInternalMetadata(msg); ++ enum class State { kNoTag, kHasType, kHasPayload, kDone }; ++ State state = State::kNoTag; ++ + std::string payload; + uint32 type_id = 0; +- bool payload_read = false; + while (!ctx->Done(&ptr)) { + // We use 64 bit tags in order to allow typeid's that span the whole + // range of 32 bit numbers. 
+@@ -668,8 +670,11 @@ struct WireFormat::MessageSetParser { + uint64 tmp; + ptr = ParseBigVarint(ptr, &tmp); + GOOGLE_PROTOBUF_PARSER_ASSERT(ptr); +- type_id = tmp; +- if (payload_read) { ++ if (state == State::kNoTag) { ++ type_id = tmp; ++ state = State::kHasType; ++ } else if (state == State::kHasPayload) { ++ type_id = tmp; + const FieldDescriptor* field; + if (ctx->data().pool == nullptr) { + field = reflection->FindKnownExtensionByNumber(type_id); +@@ -696,17 +701,17 @@ struct WireFormat::MessageSetParser { + GOOGLE_PROTOBUF_PARSER_ASSERT(value->_InternalParse(p, &tmp_ctx) && + tmp_ctx.EndedAtLimit()); + } +- type_id = 0; ++ state = State::kDone; + } + continue; + } else if (tag == WireFormatLite::kMessageSetMessageTag) { +- if (type_id == 0) { ++ if (state == State::kNoTag) { + int32 size = ReadSize(&ptr); + GOOGLE_PROTOBUF_PARSER_ASSERT(ptr); + ptr = ctx->ReadString(ptr, size, &payload); + GOOGLE_PROTOBUF_PARSER_ASSERT(ptr); +- payload_read = true; +- } else { ++ state = State::kHasPayload; ++ } else if (state == State::kHasType) { + // We're now parsing the payload + const FieldDescriptor* field = nullptr; + if (descriptor->IsExtensionNumber(type_id)) { +@@ -720,7 +725,12 @@ struct WireFormat::MessageSetParser { + ptr = WireFormat::_InternalParseAndMergeField( + msg, ptr, ctx, static_cast(type_id) * 8 + 2, reflection, + field); +- type_id = 0; ++ state = State::kDone; ++ } else { ++ int32 size = ReadSize(&ptr); ++ GOOGLE_PROTOBUF_PARSER_ASSERT(ptr); ++ ptr = ctx->Skip(ptr, size); ++ GOOGLE_PROTOBUF_PARSER_ASSERT(ptr); + } + } else { + // An unknown field in MessageSetItem. +diff --git a/src/google/protobuf/wire_format_lite.h b/src/google/protobuf/wire_format_lite.h +index f2a3cad82816..0b13096ccbf7 100644 +--- a/src/google/protobuf/wire_format_lite.h ++++ b/src/google/protobuf/wire_format_lite.h +@@ -1798,6 +1798,9 @@ bool ParseMessageSetItemImpl(io::CodedInputStream* input, MS ms) { + // we can parse it later. 
+ std::string message_data; + ++ enum class State { kNoTag, kHasType, kHasPayload, kDone }; ++ State state = State::kNoTag; ++ + while (true) { + const uint32 tag = input->ReadTagNoLastTag(); + if (tag == 0) return false; +@@ -1806,26 +1809,34 @@ bool ParseMessageSetItemImpl(io::CodedInputStream* input, MS ms) { + case WireFormatLite::kMessageSetTypeIdTag: { + uint32 type_id; + if (!input->ReadVarint32(&type_id)) return false; +- last_type_id = type_id; +- +- if (!message_data.empty()) { ++ if (state == State::kNoTag) { ++ last_type_id = type_id; ++ state = State::kHasType; ++ } else if (state == State::kHasPayload) { + // We saw some message data before the type_id. Have to parse it + // now. + io::CodedInputStream sub_input( + reinterpret_cast(message_data.data()), + static_cast(message_data.size())); + sub_input.SetRecursionLimit(input->RecursionBudget()); +- if (!ms.ParseField(last_type_id, &sub_input)) { ++ if (!ms.ParseField(type_id, &sub_input)) { + return false; + } + message_data.clear(); ++ state = State::kDone; + } + + break; + } + + case WireFormatLite::kMessageSetMessageTag: { +- if (last_type_id == 0) { ++ if (state == State::kHasType) { ++ // Already saw type_id, so we can parse this directly. ++ if (!ms.ParseField(last_type_id, input)) { ++ return false; ++ } ++ state = State::kDone; ++ } else if (state == State::kNoTag) { + // We haven't seen a type_id yet. Append this data to message_data. + uint32 length; + if (!input->ReadVarint32(&length)) return false; +@@ -1836,11 +1847,9 @@ bool ParseMessageSetItemImpl(io::CodedInputStream* input, MS ms) { + auto ptr = reinterpret_cast(&message_data[0]); + ptr = io::CodedOutputStream::WriteVarint32ToArray(length, ptr); + if (!input->ReadRaw(ptr, length)) return false; ++ state = State::kHasPayload; + } else { +- // Already saw type_id, so we can parse this directly. 
+- if (!ms.ParseField(last_type_id, input)) { +- return false; +- } ++ if (!ms.SkipField(tag, input)) return false; + } + + break; +diff --git a/src/google/protobuf/wire_format_unittest.cc b/src/google/protobuf/wire_format_unittest.cc +index e75fc316f875..8d767b2833eb 100644 +--- a/src/google/protobuf/wire_format_unittest.cc ++++ b/src/google/protobuf/wire_format_unittest.cc +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -585,30 +586,56 @@ TEST(WireFormatTest, ParseMessageSet) { + EXPECT_EQ(message_set.DebugString(), dynamic_message_set.DebugString()); + } + +-TEST(WireFormatTest, ParseMessageSetWithReverseTagOrder) { ++namespace { ++std::string BuildMessageSetItemStart() { + std::string data; + { +- unittest::TestMessageSetExtension1 message; +- message.set_i(123); +- // Build a MessageSet manually with its message content put before its +- // type_id. + io::StringOutputStream output_stream(&data); + io::CodedOutputStream coded_output(&output_stream); + coded_output.WriteTag(WireFormatLite::kMessageSetItemStartTag); ++ } ++ return data; ++} ++std::string BuildMessageSetItemEnd() { ++ std::string data; ++ { ++ io::StringOutputStream output_stream(&data); ++ io::CodedOutputStream coded_output(&output_stream); ++ coded_output.WriteTag(WireFormatLite::kMessageSetItemEndTag); ++ } ++ return data; ++} ++std::string BuildMessageSetTestExtension1(int value = 123) { ++ std::string data; ++ { ++ unittest::TestMessageSetExtension1 message; ++ message.set_i(value); ++ io::StringOutputStream output_stream(&data); ++ io::CodedOutputStream coded_output(&output_stream); + // Write the message content first. + WireFormatLite::WriteTag(WireFormatLite::kMessageSetMessageNumber, + WireFormatLite::WIRETYPE_LENGTH_DELIMITED, + &coded_output); + coded_output.WriteVarint32(message.ByteSizeLong()); + message.SerializeWithCachedSizes(&coded_output); +- // Write the type id. 
+- uint32 type_id = message.GetDescriptor()->extension(0)->number(); ++ } ++ return data; ++} ++std::string BuildMessageSetItemTypeId(int extension_number) { ++ std::string data; ++ { ++ io::StringOutputStream output_stream(&data); ++ io::CodedOutputStream coded_output(&output_stream); + WireFormatLite::WriteUInt32(WireFormatLite::kMessageSetTypeIdNumber, +- type_id, &coded_output); +- coded_output.WriteTag(WireFormatLite::kMessageSetItemEndTag); ++ extension_number, &coded_output); + } ++ return data; ++} ++void ValidateTestMessageSet(const std::string& test_case, ++ const std::string& data) { ++ SCOPED_TRACE(test_case); + { +- proto2_wireformat_unittest::TestMessageSet message_set; ++ ::proto2_wireformat_unittest::TestMessageSet message_set; + ASSERT_TRUE(message_set.ParseFromString(data)); + + EXPECT_EQ(123, +@@ -616,10 +643,15 @@ TEST(WireFormatTest, ParseMessageSetWithReverseTagOrder) { + .GetExtension( + unittest::TestMessageSetExtension1::message_set_extension) + .i()); ++ ++ // Make sure it does not contain anything else. ++ message_set.ClearExtension( ++ unittest::TestMessageSetExtension1::message_set_extension); ++ EXPECT_EQ(message_set.SerializeAsString(), ""); + } + { + // Test parse the message via Reflection. +- proto2_wireformat_unittest::TestMessageSet message_set; ++ ::proto2_wireformat_unittest::TestMessageSet message_set; + io::CodedInputStream input(reinterpret_cast(data.data()), + data.size()); + EXPECT_TRUE(WireFormat::ParseAndMergePartial(&input, &message_set)); +@@ -631,6 +663,61 @@ TEST(WireFormatTest, ParseMessageSetWithReverseTagOrder) { + unittest::TestMessageSetExtension1::message_set_extension) + .i()); + } ++ { ++ // Test parse the message via DynamicMessage. 
++ DynamicMessageFactory factory; ++ std::unique_ptr msg( ++ factory ++ .GetPrototype( ++ ::proto2_wireformat_unittest::TestMessageSet::descriptor()) ++ ->New()); ++ msg->ParseFromString(data); ++ auto* reflection = msg->GetReflection(); ++ std::vector fields; ++ reflection->ListFields(*msg, &fields); ++ ASSERT_EQ(fields.size(), 1); ++ const auto& sub = reflection->GetMessage(*msg, fields[0]); ++ reflection = sub.GetReflection(); ++ EXPECT_EQ(123, reflection->GetInt32( ++ sub, sub.GetDescriptor()->FindFieldByName("i"))); ++ } ++} ++} // namespace ++ ++TEST(WireFormatTest, ParseMessageSetWithAnyTagOrder) { ++ std::string start = BuildMessageSetItemStart(); ++ std::string end = BuildMessageSetItemEnd(); ++ std::string id = BuildMessageSetItemTypeId( ++ unittest::TestMessageSetExtension1::descriptor()->extension(0)->number()); ++ std::string message = BuildMessageSetTestExtension1(); ++ ++ ValidateTestMessageSet("id + message", start + id + message + end); ++ ValidateTestMessageSet("message + id", start + message + id + end); ++} ++ ++TEST(WireFormatTest, ParseMessageSetWithDuplicateTags) { ++ std::string start = BuildMessageSetItemStart(); ++ std::string end = BuildMessageSetItemEnd(); ++ std::string id = BuildMessageSetItemTypeId( ++ unittest::TestMessageSetExtension1::descriptor()->extension(0)->number()); ++ std::string other_id = BuildMessageSetItemTypeId(123456); ++ std::string message = BuildMessageSetTestExtension1(); ++ std::string other_message = BuildMessageSetTestExtension1(321); ++ ++ // Double id ++ ValidateTestMessageSet("id + other_id + message", ++ start + id + other_id + message + end); ++ ValidateTestMessageSet("id + message + other_id", ++ start + id + message + other_id + end); ++ ValidateTestMessageSet("message + id + other_id", ++ start + message + id + other_id + end); ++ // Double message ++ ValidateTestMessageSet("id + message + other_message", ++ start + id + message + other_message + end); ++ ValidateTestMessageSet("message + id + 
other_message", ++ start + message + id + other_message + end); ++ ValidateTestMessageSet("message + other_message + id", ++ start + message + other_message + id + end); + } + + void SerializeReverseOrder( diff --git a/SPECS/protobuf/protobuf.spec b/SPECS/protobuf/protobuf.spec index ef34992ef6..75a8ba04b0 100644 --- a/SPECS/protobuf/protobuf.spec +++ b/SPECS/protobuf/protobuf.spec @@ -1,13 +1,14 @@ Summary: Google's data interchange format Name: protobuf Version: 3.17.3 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner Group: Development/Libraries URL: https://developers.google.com/protocol-buffers/ Source0: https://github.com/protocolbuffers/protobuf/releases/download/v%{version}/%{name}-all-%{version}.tar.gz +Patch0: CVE-2022-1941.patch BuildRequires: curl BuildRequires: libstdc++ BuildRequires: make @@ -54,7 +55,7 @@ Provides: %{name}-python3 = %{version}-%{release} This contains protobuf python3 libraries. %prep -%autosetup +%autosetup -p1 %build %configure --disable-silent-rules @@ -108,6 +109,9 @@ popd %{python3_sitelib}/* %changelog +* Tue Jul 16 2024 Archana Choudhary - 3.17.3-3 +- Add patch for CVE-2022-1941 + * Mon Mar 20 2023 Mykhailo Bykhovtsev - 3.17.3-2 - Added check section for running tests From 368eaf2803ceb223d9546e62bba7b27caa40ff39 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:38:12 -0700 Subject: [PATCH 23/43] [AUTO-CHERRYPICK] dhcp: Patch bundled bind for CVE-2024-1737 & CVE-2024-1975. - branch main (#10121) Co-authored-by: Sumynwa --- SPECS/dhcp/CVE-2024-1737.patch | 431 +++++++++++++++++++++++++++++++++ SPECS/dhcp/CVE-2024-1975.patch | 251 +++++++++++++++++++ SPECS/dhcp/dhcp.spec | 21 +- 3 files changed, 701 insertions(+), 2 deletions(-) create mode 100644 SPECS/dhcp/CVE-2024-1737.patch create mode 100644 SPECS/dhcp/CVE-2024-1975.patch 
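Review bot: In the `ParseMessageSetItemTmpl` hunk of extension_set_inl.h the rewrite drops the initializer and leaves `uint32 type_id;` uninitialized; it is only read on the `kHasType` and `kHasPayload` paths, both of which assign it first, but that invariant now lives in the state machine rather than the declaration, the parallel rewrite in wire_format.cc keeps its `uint32 type_id = 0;` context line, and GCC's `-Wmaybe-uninitialized` is likely to flag the implicit one, so restore `uint32 type_id = 0;` for consistency with the other two copies of the state machine. The patch header's subject reads only "Apply patch" with no CVE or upstream reference; add a line to the patch description such as `Backport of the upstream fix for the MessageSet duplicate-tag parsing issue tracked as CVE-2022-1941, adapted to protobuf 3.17.3` so the provenance survives the next rebase. The hunk was apparently generated against a later tree than 3.17.3 (its 2022 date and blob ids), so confirm that `%autosetup -p1` applies it without fuzz and that the spec's `%check` run picks up the new `ParseMessageSetWithDuplicateTags` test, which exercises the repeated type_id/message path the fix closes. Angle-bracket template arguments and `#include` names appear stripped in this rendering (`static_cast(*ptr++)`, `std::unique_ptr msg`), which is presumably a display artefact to verify against the shipped patch file rather than a defect in the change.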
diff --git a/SPECS/dhcp/CVE-2024-1737.patch b/SPECS/dhcp/CVE-2024-1737.patch
new file mode 100644
index 0000000000..ba79d7e995
--- /dev/null
+++ b/SPECS/dhcp/CVE-2024-1737.patch
@@ -0,0 +1,431 @@ +From 23a4652346fb2877d6246b1eebaa967969dbde16 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Mon, 29 Jan 2024 16:36:30 +0100 +Subject: [PATCH] Optimize the slabheader placement for certain RRTypes + +Mark the infrastructure RRTypes as "priority" types and place them at +the beginning of the rdataslab header data graph. The non-priority +types either go right after the priority types (if any). + +(cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615) +--- + bind/bind-9.11.36/lib/dns/rbtdb.c | 44 +++++++++++++++++++++++++++++-- + 1 file changed, 42 insertions(+), 2 deletions(-) + +diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c +index 3ee1876..3d76ca1 100644 +--- a/bind/bind-9.11.36/lib/dns/rbtdb.c ++++ b/bind/bind-9.11.36/lib/dns/rbtdb.c +@@ -1164,6 +1164,30 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) { + isc_heap_decreased(heap, header->heap_index); + } + ++static bool ++prio_type(rbtdb_rdatatype_t type) { ++ switch (type) { ++ case dns_rdatatype_soa: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa): ++ case dns_rdatatype_a: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a): ++ case dns_rdatatype_aaaa: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa): ++ case dns_rdatatype_nsec: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec): ++ case dns_rdatatype_nsec3: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3): ++ case dns_rdatatype_ns: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns): ++ case dns_rdatatype_ds: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds): ++ case dns_rdatatype_cname: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname): ++ return (true); ++ } ++ return (false); ++} ++ + /*% + * These functions allow the heap code to rank the priority of each + * element. 
It returns true if v1 happens "sooner" than v2. +@@ -6176,6 +6200,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + { + rbtdb_changed_t *changed = NULL; + rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader; ++ rdatasetheader_t *prioheader = NULL; + unsigned char *merged; + isc_result_t result; + bool header_nx; +@@ -6317,6 +6342,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + for (topheader = rbtnode->data; + topheader != NULL; + topheader = topheader->next) { ++ if (prio_type(topheader->type)) { ++ prioheader = topheader; ++ } + if (topheader->type == newheader->type || + topheader->type == negtype) + break; +@@ -6672,9 +6700,21 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + /* + * No rdatasets of the given type exist at the node. + */ +- newheader->next = rbtnode->data; + newheader->down = NULL; +- rbtnode->data = newheader; ++ ++ if (prio_type(newheader->type)) { ++ /* This is a priority type, prepend it */ ++ newheader->next = rbtnode->data; ++ rbtnode->data = newheader; ++ } else if (prioheader != NULL) { ++ /* Append after the priority headers */ ++ newheader->next = prioheader->next; ++ prioheader->next = newheader; ++ } else { ++ /* There were no priority headers */ ++ newheader->next = rbtnode->data; ++ rbtnode->data = newheader; ++ } + } + } + +--- + +From b9b5485b22c364fb88c27aa04bad4c8f616da3fa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Fri, 1 Mar 2024 08:26:07 +0100 +Subject: [PATCH 1/2] Add a limit to the number of RRs in RRSets + +Previously, the number of RRs in the RRSets were internally unlimited. +As the data structure that holds the RRs is just a linked list, and +there are places where we just walk through all of the RRs, adding an +RRSet with huge number of RRs inside would slow down processing of said +RRSets. 
+ +The fix for end-of-life branches make the limit compile-time only for +simplicity and the limit can be changed at the compile time by adding +following define to CFLAGS: + + -DDNS_RDATASET_MAX_RECORDS= + +(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e) +(cherry picked from commit 7f705778af729ada7fec36ac4b456c73329bd996) +--- + bind/bind-9.11.36/configure | 2 +- + bind/bind-9.11.36/configure.ac | 2 +- + bind/bind-9.11.36/lib/dns/rbtdb.c | 17 +++++++++++++++++ + bind/bind-9.11.36/lib/dns/rdataslab.c | 12 ++++++++++++ + 4 files changed, 31 insertions(+), 2 deletions(-) + +diff --git a/bind/bind-9.11.36/configure b/bind/bind-9.11.36/configure +index 368112f..8e881e3 100755 +--- a/bind/bind-9.11.36/configure ++++ b/bind/bind-9.11.36/configure +@@ -12185,7 +12185,7 @@ fi + XTARGETS= + case "$enable_developer" in + yes) +- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1" ++ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000" + test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes + test "${enable_querytrace+set}" = set || enable_querytrace=yes + test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes +diff --git a/bind/bind-9.11.36/configure.ac b/bind/bind-9.11.36/configure.ac +index 030c4d7..0eab441 100644 +--- a/bind/bind-9.11.36/configure.ac ++++ b/bind/bind-9.11.36/configure.ac +@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer, + XTARGETS= + case "$enable_developer" in + yes) +- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1" ++ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000" + test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes + test "${enable_querytrace+set}" = set || enable_querytrace=yes + test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes +diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c +index 3d76ca1..0cfef36 100644 +--- 
a/bind/bind-9.11.36/lib/dns/rbtdb.c ++++ b/bind/bind-9.11.36/lib/dns/rbtdb.c +@@ -6190,6 +6190,10 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion, + RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write); + } + ++#ifndef DNS_RBTDB_MAX_RTYPES ++#define DNS_RBTDB_MAX_RTYPES 100 ++#endif /* DNS_RBTDB_MAX_RTYPES */ ++ + /* + * write lock on rbtnode must be held. + */ +@@ -6210,6 +6214,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + rbtdb_rdatatype_t negtype, sigtype; + dns_trust_t trust; + int idx; ++ uint32_t ntypes; + + /* + * Add an rdatasetheader_t to a node. +@@ -6272,6 +6277,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + set_ttl(rbtdb, topheader, 0); + mark_stale_header(rbtdb, topheader); + } ++ ntypes = 0; + goto find_header; + } + /* +@@ -6293,9 +6299,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + * check for an extant non-stale NODATA ncache + * entry which covers the same type as the RRSIG. + */ ++ ntypes = 0; + for (topheader = rbtnode->data; + topheader != NULL; + topheader = topheader->next) { ++ ntypes++; + if ((topheader->type == + RBTDB_RDATATYPE_NCACHEANY) || + (newheader->type == sigtype && +@@ -6339,9 +6347,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + } + } + ++ ntypes = 0; + for (topheader = rbtnode->data; + topheader != NULL; + topheader = topheader->next) { ++ ntypes++; + if (prio_type(topheader->type)) { + prioheader = topheader; + } +@@ -6700,6 +6710,13 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + /* + * No rdatasets of the given type exist at the node. 
+ */ ++ ++ if (ntypes > DNS_RBTDB_MAX_RTYPES) { ++ free_rdataset(rbtdb, rbtdb->common.mctx, ++ newheader); ++ return (ISC_R_QUOTA); ++ } ++ + newheader->down = NULL; + + if (prio_type(newheader->type)) { +diff --git a/bind/bind-9.11.36/lib/dns/rdataslab.c b/bind/bind-9.11.36/lib/dns/rdataslab.c +index b0f77b1..347b7d2 100644 +--- a/bind/bind-9.11.36/lib/dns/rdataslab.c ++++ b/bind/bind-9.11.36/lib/dns/rdataslab.c +@@ -115,6 +115,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable, + } + #endif + ++#ifndef DNS_RDATASET_MAX_RECORDS ++#define DNS_RDATASET_MAX_RECORDS 100 ++#endif /* DNS_RDATASET_MAX_RECORDS */ ++ + isc_result_t + dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, + isc_region_t *region, unsigned int reservelen) +@@ -161,6 +165,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, + return (ISC_R_SUCCESS); + } + ++ if (nitems > DNS_RDATASET_MAX_RECORDS) { ++ return (DNS_R_TOOMANYRECORDS); ++ } ++ + if (nitems > 0xffff) + return (ISC_R_NOSPACE); + +@@ -654,6 +662,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab, + #endif + INSIST(ocount > 0 && ncount > 0); + ++ if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) { ++ return (DNS_R_TOOMANYRECORDS); ++ } ++ + #if DNS_RDATASET_FIXED + oncount = ncount; + #endif +-- + +From 3e0a67e4bdb253dae3a03a45c1aa117239a3313d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Mon, 17 Jun 2024 11:40:40 +0200 +Subject: [PATCH 1/2] Expand the list of the priority types + +Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of +the priority types that are put at the beginning of the slabheader list +for faster access and to avoid eviction when there are more types than +the max-types-per-name limit. 
+ +(cherry picked from commit b27c6bcce894786a8e082eafd59eccbf6f2731cb) +--- + bind/bind-9.11.36/lib/dns/rbtdb.c | 75 ++++++++++++++++++++++++++----- + 1 file changed, 64 insertions(+), 11 deletions(-) + +diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c +index 0cfef36..7ab4869 100644 +--- a/bind/bind-9.11.36/lib/dns/rbtdb.c ++++ b/bind/bind-9.11.36/lib/dns/rbtdb.c +@@ -1171,6 +1171,8 @@ prio_type(rbtdb_rdatatype_t type) { + case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa): + case dns_rdatatype_a: + case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a): ++ case dns_rdatatype_mx: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx): + case dns_rdatatype_aaaa: + case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa): + case dns_rdatatype_nsec: +@@ -1183,6 +1185,18 @@ prio_type(rbtdb_rdatatype_t type) { + case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds): + case dns_rdatatype_cname: + case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname): ++ case dns_rdatatype_dname: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname): ++ case dns_rdatatype_dnskey: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey): ++ case dns_rdatatype_srv: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv): ++ case dns_rdatatype_txt: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt): ++ case dns_rdatatype_ptr: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr): ++ case dns_rdatatype_naptr: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr): + return (true); + } + return (false); +@@ -6194,6 +6208,26 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion, + #define DNS_RBTDB_MAX_RTYPES 100 + #endif /* DNS_RBTDB_MAX_RTYPES */ + ++static bool ++overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) { ++ UNUSED(rbtdb); ++ ++ if (DNS_RBTDB_MAX_RTYPES == 0) { ++ 
return (false); ++ } ++ ++ return (ntypes >= DNS_RBTDB_MAX_RTYPES); ++} ++ ++static bool ++prio_header(rdatasetheader_t *header) { ++ if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) { ++ return (true); ++ } ++ ++ return (prio_type(header->type)); ++} ++ + /* + * write lock on rbtnode must be held. + */ +@@ -6204,7 +6238,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + { + rbtdb_changed_t *changed = NULL; + rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader; +- rdatasetheader_t *prioheader = NULL; ++ rdatasetheader_t *prioheader = NULL, *expireheader = NULL; + unsigned char *merged; + isc_result_t result; + bool header_nx; +@@ -6214,7 +6248,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + rbtdb_rdatatype_t negtype, sigtype; + dns_trust_t trust; + int idx; +- uint32_t ntypes; ++ uint32_t ntypes = 0; + + /* + * Add an rdatasetheader_t to a node. +@@ -6277,7 +6311,6 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + set_ttl(rbtdb, topheader, 0); + mark_stale_header(rbtdb, topheader); + } +- ntypes = 0; + goto find_header; + } + /* +@@ -6299,11 +6332,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + * check for an extant non-stale NODATA ncache + * entry which covers the same type as the RRSIG. 
+ */ +- ntypes = 0; + for (topheader = rbtnode->data; + topheader != NULL; + topheader = topheader->next) { +- ntypes++; + if ((topheader->type == + RBTDB_RDATATYPE_NCACHEANY) || + (newheader->type == sigtype && +@@ -6347,12 +6378,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + } + } + +- ntypes = 0; + for (topheader = rbtnode->data; + topheader != NULL; + topheader = topheader->next) { +- ntypes++; +- if (prio_type(topheader->type)) { ++ if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) { ++ ++ntypes; ++ expireheader = topheader; ++ } else if (!IS_CACHE(rbtdb)) { ++ ++ntypes; ++ } ++ if (prio_header(topheader)) { + prioheader = topheader; + } + if (topheader->type == newheader->type || +@@ -6710,8 +6745,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + /* + * No rdatasets of the given type exist at the node. + */ +- +- if (ntypes > DNS_RBTDB_MAX_RTYPES) { ++ if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) { + free_rdataset(rbtdb, rbtdb->common.mctx, + newheader); + return (ISC_R_QUOTA); +@@ -6719,7 +6753,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + + newheader->down = NULL; + +- if (prio_type(newheader->type)) { ++ if (prio_header(newheader)) { + /* This is a priority type, prepend it */ + newheader->next = rbtnode->data; + rbtnode->data = newheader; +@@ -6732,6 +6766,25 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + newheader->next = rbtnode->data; + rbtnode->data = newheader; + } ++ ++ if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) { ++ if (expireheader == NULL) { ++ expireheader = newheader; ++ } ++ if (NEGATIVE(newheader) && ++ !prio_header(newheader)) ++ { ++ /* ++ * Add the new non-priority negative ++ * header to the database only ++ * temporarily. ++ */ ++ expireheader = newheader; ++ } ++ ++ set_ttl(rbtdb, expireheader, 0); ++ mark_stale_header(rbtdb, expireheader); ++ } + } + } + +-- 
diff --git a/SPECS/dhcp/CVE-2024-1975.patch b/SPECS/dhcp/CVE-2024-1975.patch
new file mode 100644
index 0000000000..49910ef2e2
--- /dev/null
+++ b/SPECS/dhcp/CVE-2024-1975.patch
@@ -0,0 +1,251 @@ +From 9dc5c3709ffcfa3b9c8ba81fd28baebafe097f44 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= +Date: Thu, 16 May 2024 12:10:41 +0200 +Subject: Remove support for SIG(0) message verification + +(cherry picked from commit 857fd5c346e3309ee8e280c29174b46579af5a13) +--- + bind/bind-9.11.36/bin/named/client.c | 6 ++ + .../bin/tests/system/tsiggss/authsock.pl | 5 + + .../bin/tests/system/tsiggss/clean.sh | 2 +- + .../bin/tests/system/tsiggss/tests.sh | 12 ++- + .../bin/tests/system/upforwd/tests.sh | 8 +- + bind/bind-9.11.36/lib/dns/message.c | 94 ++----------------- + 6 files changed, 32 insertions(+), 95 deletions(-) + +diff --git a/bind/bind-9.11.36/bin/named/client.c b/bind/bind-9.11.36/bin/named/client.c +index 15fcfcd..761d72a 100644 +--- a/bind/bind-9.11.36/bin/named/client.c ++++ b/bind/bind-9.11.36/bin/named/client.c +@@ -3012,6 +3012,12 @@ client_request(isc_task_t *task, isc_event_t *event) { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "request is signed by a nonauthoritative key"); ++ } else if (result == DNS_R_NOTVERIFIEDYET && ++ client->message->sig0 != NULL) { ++ ns_client_log(client, DNS_LOGCATEGORY_SECURITY, ++ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), ++ "request has a SIG(0) signature but its support " ++ "was removed (CVE-2024-1975)"); + } else { + char tsigrcode[64]; + isc_buffer_t b; +diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl +index ab3833d..0b231ee 100644 +--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl ++++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl +@@ -31,6 +31,10 @@ if (!defined($path)) { + exit(1); + } + ++# Enable output autoflush so that it's not lost when the parent sends TERM. 
++select STDOUT; ++$| = 1; ++ + unlink($path); + my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or + die "unable to create socket $path"; +@@ -53,6 +57,7 @@ if ($timeout != 0) { + } + + while (my $client = $server->accept()) { ++ printf("accept()\n"); + $client->recv(my $buf, 8, 0); + my ($version, $req_len) = unpack('N N', $buf); + +diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh b/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh +index d9fae68..67b8c3e 100644 +--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh ++++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh +@@ -19,7 +19,7 @@ rm -f ns1/_default.tsigkeys + rm -f */named.memstats + rm -f */named.conf + rm -f */named.run +-rm -f authsock.pid ++rm -f authsock.log authsock.pid + rm -f ns1/core + rm -f nsupdate.out* + rm -f ns*/named.lock +diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh +index 456ce61..9b55e82 100644 +--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh ++++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh +@@ -116,7 +116,7 @@ status=$((status+ret)) + + echo_i "testing external update policy (CNAME) with auth sock ($n)" + ret=0 +-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 & ++$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >authsock.log 2>&1 & + sleep 1 + test_update $n testcname.example.nil. 
CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1 + n=$((n+1)) +@@ -130,17 +130,19 @@ n=$((n+1)) + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + +-echo_i "testing external policy with SIG(0) key ($n)" ++echo_i "testing external policy with unsupported SIG(0) key ($n)" + ret=0 +-$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private < /dev/null 2>&1 || ret=1 ++$NSUPDATE -R $RANDFILE -d -k ns1/Kkey.example.nil.*.private <nsupdate.out${n} 2>&1 || true ++debug + server 10.53.0.1 ${PORT} + zone example.nil + update add fred.example.nil 120 cname foo.bar. + send + END + output=`$DIG $DIGOPTS +short cname fred.example.nil.` +-[ -n "$output" ] || ret=1 +-[ $ret -eq 0 ] || echo_i "failed" ++# update must have failed - SIG(0) signer is not supported ++[ -n "$output" ] && ret=1 ++grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1 + n=$((n+1)) + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +diff --git a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh +index 1cf8d3b..7110ea5 100644 +--- a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh ++++ b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh +@@ -177,9 +177,10 @@ n=`expr $n + 1` + + if test -f keyname + then +- echo_i "checking update forwarding to with sig0 ($n)" ++ echo_i "checking update forwarding to with sig0 (expected to fail) ($n)" + ret=0 + keyname=`cat keyname` ++ # SIG(0) is removed, update is expected to fail. 
+ $NSUPDATE -k $keyname.private -- - < dig.out.ns1.test$n +- grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 ++ >nsupdate.out.$n 2>&1 && ret=1 ++ $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n || ret=1 ++ grep "status: NOERROR" dig.out.ns1.test$n > /dev/null && ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` +diff --git a/bind/bind-9.11.36/lib/dns/message.c b/bind/bind-9.11.36/lib/dns/message.c +index 2812ab5..48814ce 100644 +--- a/bind/bind-9.11.36/lib/dns/message.c ++++ b/bind/bind-9.11.36/lib/dns/message.c +@@ -3214,102 +3214,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) { + + isc_result_t + dns_message_checksig(dns_message_t *msg, dns_view_t *view) { +- isc_buffer_t b, msgb; ++ isc_buffer_t msgb; + + REQUIRE(DNS_MESSAGE_VALID(msg)); + +- if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL) ++ if (msg->tsigkey == NULL && msg->tsig == NULL) { + return (ISC_R_SUCCESS); ++ } + + INSIST(msg->saved.base != NULL); + isc_buffer_init(&msgb, msg->saved.base, msg->saved.length); + isc_buffer_add(&msgb, msg->saved.length); +- if (msg->tsigkey != NULL || msg->tsig != NULL) { + #ifdef SKAN_MSG_DEBUG +- dns_message_dumpsig(msg, "dns_message_checksig#1"); +-#endif +- if (view != NULL) +- return (dns_view_checksig(view, &msgb, msg)); +- else +- return (dns_tsig_verify(&msgb, msg, NULL, NULL)); ++ dns_message_dumpsig(msg, "dns_message_checksig#1"); ++#endif /* ifdef SKAN_MSG_DEBUG */ ++ if (view != NULL) { ++ return (dns_view_checksig(view, &msgb, msg)); + } else { +- dns_rdata_t rdata = DNS_RDATA_INIT; +- dns_rdata_sig_t sig; +- dns_rdataset_t keyset; +- isc_result_t result; +- +- result = dns_rdataset_first(msg->sig0); +- INSIST(result == ISC_R_SUCCESS); +- dns_rdataset_current(msg->sig0, &rdata); +- +- /* +- * This can occur when the message is a dynamic update, since +- * the rdata length checking is relaxed. 
This should not +- * happen in a well-formed message, since the SIG(0) is only +- * looked for in the additional section, and the dynamic update +- * meta-records are in the prerequisite and update sections. +- */ +- if (rdata.length == 0) +- return (ISC_R_UNEXPECTEDEND); +- +- result = dns_rdata_tostruct(&rdata, &sig, msg->mctx); +- if (result != ISC_R_SUCCESS) +- return (result); +- +- dns_rdataset_init(&keyset); +- if (view == NULL) +- return (DNS_R_KEYUNAUTHORIZED); +- result = dns_view_simplefind(view, &sig.signer, +- dns_rdatatype_key /* SIG(0) */, +- 0, 0, false, &keyset, NULL); +- +- if (result != ISC_R_SUCCESS) { +- /* XXXBEW Should possibly create a fetch here */ +- result = DNS_R_KEYUNAUTHORIZED; +- goto freesig; +- } else if (keyset.trust < dns_trust_secure) { +- /* XXXBEW Should call a validator here */ +- result = DNS_R_KEYUNAUTHORIZED; +- goto freesig; +- } +- result = dns_rdataset_first(&keyset); +- INSIST(result == ISC_R_SUCCESS); +- for (; +- result == ISC_R_SUCCESS; +- result = dns_rdataset_next(&keyset)) +- { +- dst_key_t *key = NULL; +- +- dns_rdata_reset(&rdata); +- dns_rdataset_current(&keyset, &rdata); +- isc_buffer_init(&b, rdata.data, rdata.length); +- isc_buffer_add(&b, rdata.length); +- +- result = dst_key_fromdns(&sig.signer, rdata.rdclass, +- &b, view->mctx, &key); +- if (result != ISC_R_SUCCESS) +- continue; +- if (dst_key_alg(key) != sig.algorithm || +- dst_key_id(key) != sig.keyid || +- !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC || +- dst_key_proto(key) == DNS_KEYPROTO_ANY)) +- { +- dst_key_free(&key); +- continue; +- } +- result = dns_dnssec_verifymessage(&msgb, msg, key); +- dst_key_free(&key); +- if (result == ISC_R_SUCCESS) +- break; +- } +- if (result == ISC_R_NOMORE) +- result = DNS_R_KEYUNAUTHORIZED; +- +- freesig: +- if (dns_rdataset_isassociated(&keyset)) +- dns_rdataset_disassociate(&keyset); +- dns_rdata_freestruct(&sig); +- return (result); ++ return (dns_tsig_verify(&msgb, msg, NULL, NULL)); + } + } + +-- +2.25.1 + 
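Review bot: The new `} else if (result == DNS_R_NOTVERIFIEDYET && client->message->sig0 != NULL) {` branch in the client.c hunk sits directly after the branch that logs "request is signed by a nonauthoritative key", whose condition is outside the hunk; if that earlier branch already tests `result == DNS_R_NOTVERIFIEDYET` on its own, the new SIG(0) diagnostic is unreachable and a SIG(0)-signed request keeps being logged as signed by a nonauthoritative key. Moving the sig0 test ahead of that branch (or adding `&& client->message->sig0 == NULL` to it) fixes the ordering, and it is worth checking by hand because the tsiggss test only asserts that the update is refused and that the signer never reaches authsock.log, not which message is logged. In the message.c hunk, dns_message_checksig now returns ISC_R_SUCCESS for a message carrying only a SIG(0) record without examining it, which is the intended outcome but is not stated anywhere in the function; a comment above the early return such as `/* SIG(0) is no longer verified (CVE-2024-1975): a SIG(0)-only message is treated as unsigned here; the caller's signer check presumably decides what to do with it. */` would document it, and the function's header comment in message.h should be updated to match. client_request's body continues outside the hunk.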
diff --git a/SPECS/dhcp/dhcp.spec b/SPECS/dhcp/dhcp.spec index faf9b5d7c9..04607e9a64 100644 --- a/SPECS/dhcp/dhcp.spec +++ b/SPECS/dhcp/dhcp.spec @@ -1,7 +1,7 @@ Summary: Dynamic host configuration protocol Name: dhcp Version: 4.4.3.P1 -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv2.0 Url: https://www.isc.org/dhcp/ Source0: https://downloads.isc.org/isc/dhcp/4.4.3-P1/dhcp-4.4.3-P1.tar.gz @@ -9,6 +9,13 @@ Group: System Environment/Base Vendor: Microsoft Corporation Distribution: Azure Linux BuildRequires: systemd +Patch0: CVE-2022-38177.patch +Patch1: CVE-2022-38178.patch +Patch2: CVE-2022-2795.patch +Patch3: CVE-2023-2828.patch +Patch4: CVE-2024-1737.patch +Patch5: CVE-2024-1975.patch + %description The ISC DHCP package contains both the client and server programs for DHCP. dhclient (the client) is used for connecting to a network which uses DHCP to assign network addresses. dhcpd (the server) is used for assigning network addresses on private networks @@ -38,7 +45,13 @@ The ISC DHCP Client, dhclient, provides a means for configuring one or more netw %prep -%autosetup -p1 -n dhcp-4.4.3-P1 +%setup -q -n dhcp-4.4.3-P1 + +# Extracting bundled 'bind' to allow some of the patches to modify it. +tar -C bind -xf bind/bind.tar.gz +ln -s bind/bind-9* bind_ln + +%autopatch -p1 %build -n dhcp-4.4.3-P1 CFLAGS="$CFLAGS \ @@ -169,6 +182,10 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/dhclient/ %{_mandir}/man8/dhclient.8.gz %changelog +* Mon Jul 29 2024 Sumedh Sharma - 4.4.3-P1-2 +- Add patch for CVE-2024-1737 & CVE-2024-1975 in bundled bind-9 +- Apply old patches meant for bundled bind-9 + * Wed Jun 19 2024 CBL-Mariner Servicing Account - 4.4.3-P1-1 - Auto-upgrade to 4.4.3-P1 - CVE-2022-2928, CVE-2022-2929 - Updating spec to match 3.0 From c595d61a5e368735b5147cac066f1d5c2b97d64d Mon Sep 17 00:00:00 2001 
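Review bot: The new %prep in the dhcp.spec hunk unpacks bind/bind.tar.gz and patches the unpacked tree with `%autopatch -p1`, but nothing in the spec confirms that %build compiles that tree rather than re-extracting the pristine tarball; dhcp's bundled bind/Makefile unpacks bind.tar.gz itself (in the versions I know it skips this when the directory already exists — confirm for 4.4.3-P1), and if it re-extracts, every patch from CVE-2022-38177 through CVE-2024-1975 is silently discarded while the changelog says they are applied. A cheap safeguard is to verify the tree that was actually compiled, e.g. `grep -q overmaxtype bind/bind-9.11.36/lib/dns/rbtdb.c` at the end of %build (overmaxtype is introduced by the rbtdb.c patch earlier in this series), or to regenerate bind.tar.gz from the patched directory at the end of %prep. `ln -s bind/bind-9* bind_ln` carries no comment saying which patch needs the `bind_ln` path; a one-liner such as `# bind_ln: path prefix expected by the older bind-9 patches` (or removing the link if nothing uses it) would make the step reviewable.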
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Mon, 19 Aug 2024 11:38:22 -0700
Subject: [PATCH 24/43] [AUTO-CHERRYPICK] Patch rust for CVE-2024-31852 and CVE-2024-32884 - branch main (#10126)
Co-authored-by: corvus-callidus <108946721+corvus-callidus@users.noreply.github.com>
---
 SPECS/rust/CVE-2024-31852.patch | 204 +++++++++++++
 SPECS/rust/CVE-2024-32884.patch | 504 ++++++++++++++++++++++++++++++++
 SPECS/rust/rust.spec | 8 +-
 3 files changed, 715 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/rust/CVE-2024-31852.patch
 create mode 100644 SPECS/rust/CVE-2024-32884.patch
diff --git a/SPECS/rust/CVE-2024-31852.patch b/SPECS/rust/CVE-2024-31852.patch
new file mode 100644
index 0000000000..5d810ff974
--- /dev/null
+++ b/SPECS/rust/CVE-2024-31852.patch
@@ -0,0 +1,204 @@ +Modified for Mariner by corvus-callidus: + Removed changes to non-vendored files + Fixed paths to match vendored code + Backported patch to apply to version shipped with rust package + Adjusted checksums to account for applied patches + +From b1a5ee1febd8a903cec3dfdad61d57900dc3823e Mon Sep 17 00:00:00 2001 +From: Florian Hahn +Date: Wed, 20 Dec 2023 16:56:15 +0100 +Subject: [PATCH] [ARM] Check all terms in emitPopInst when clearing Restored + for LR. (#75527) + +emitPopInst checks a single function exit MBB. If other paths also exit +the function and any of there terminators uses LR implicitly, it is not +save to clear the Restored bit. + +Check all terminators for the function before clearing Restored. + +This fixes a mis-compile in outlined-fn-may-clobber-lr-in-caller.ll +where the machine-outliner previously introduced BLs that clobbered LR +which in turn is used by the tail call return. + +Alternative to #73553 +--- + src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.cpp | 30 +++++++++++++++++-- + src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.h | 3 ++ + .../outlined-fn-may-clobber-lr-in-caller.ll | 14 ++++++--- + 3 files changed, 40 insertions(+), 7 deletions(-) + +diff --git a/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.cpp b/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.cpp +index a3a71a8ec09a4..10d9c7f275beb 100644 +--- a/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.cpp ++++ b/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.cpp +@@ -1645,9 +1645,6 @@ void ARMFrameLowering::emitPopInst(MachineBasicBlock &MBB, + // Fold the return instruction into the LDM. + DeleteRet = true; + LdmOpc = AFI->isThumbFunction() ? ARM::t2LDMIA_RET : ARM::LDMIA_RET; +- // We 'restore' LR into PC so it is not live out of the return block: +- // Clear Restored bit. 
+- Info.setRestored(false); + } + + // If NoGap is true, pop consecutive registers and then leave the rest +@@ -2785,6 +2782,33 @@ void ARMFrameLowering::determineCalleeSaves(MachineFunction &MF, + AFI->setLRIsSpilled(SavedRegs.test(ARM::LR)); + } + ++void ARMFrameLowering::processFunctionBeforeFrameFinalized( ++ MachineFunction &MF, RegScavenger *RS) const { ++ TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS); ++ ++ MachineFrameInfo &MFI = MF.getFrameInfo(); ++ if (!MFI.isCalleeSavedInfoValid()) ++ return; ++ ++ // Check if all terminators do not implicitly use LR. Then we can 'restore' LR ++ // into PC so it is not live out of the return block: Clear the Restored bit ++ // in that case. ++ for (CalleeSavedInfo &Info : MFI.getCalleeSavedInfo()) { ++ if (Info.getReg() != ARM::LR) ++ continue; ++ if (all_of(MF, [](const MachineBasicBlock &MBB) { ++ return all_of(MBB.terminators(), [](const MachineInstr &Term) { ++ return !Term.isReturn() || Term.getOpcode() == ARM::LDMIA_RET || ++ Term.getOpcode() == ARM::t2LDMIA_RET || ++ Term.getOpcode() == ARM::tPOP_RET; ++ }); ++ })) { ++ Info.setRestored(false); ++ break; ++ } ++ } ++} ++ + void ARMFrameLowering::getCalleeSaves(const MachineFunction &MF, + BitVector &SavedRegs) const { + TargetFrameLowering::getCalleeSaves(MF, SavedRegs); +diff --git a/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.h b/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.h +index 16f2ce6bea6f1..8d2b8beb9a58f 100644 +--- a/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.h ++++ b/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.h +@@ -59,6 +59,9 @@ class ARMFrameLowering : public TargetFrameLowering { + void determineCalleeSaves(MachineFunction &MF, BitVector &SavedRegs, + RegScavenger *RS) const override; + ++ void processFunctionBeforeFrameFinalized( ++ MachineFunction &MF, RegScavenger *RS = nullptr) const override; ++ + void adjustForSegmentedStacks(MachineFunction &MF, + MachineBasicBlock &MBB) const 
override; + + +From 749384c08e042739342c88b521c8ba5dac1b9276 Mon Sep 17 00:00:00 2001 +From: ostannard +Date: Mon, 26 Feb 2024 12:23:25 +0000 +Subject: [PATCH] [ARM] Update IsRestored for LR based on all returns (#82745) + +PR #75527 fixed ARMFrameLowering to set the IsRestored flag for LR based +on all of the return instructions in the function, not just one. +However, there is also code in ARMLoadStoreOptimizer which changes +return instructions, but it set IsRestored based on the one instruction +it changed, not the whole function. + +The fix is to factor out the code added in #75527, and also call it from +ARMLoadStoreOptimizer if it made a change to return instructions. + +Fixes #80287. +--- + src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.cpp | 11 +++++---- + src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.h | 4 ++++ + src/llvm-project/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp | 23 ++++++++----------- + 4 files changed, 27 insertions(+), 22 deletions(-) + +diff --git a/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.cpp b/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.cpp +index eeb7f64aa5810..9b54dd4e4e618 100644 +--- a/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.cpp ++++ b/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.cpp +@@ -2781,10 +2781,7 @@ void ARMFrameLowering::determineCalleeSaves(MachineFunction &MF, + AFI->setLRIsSpilled(SavedRegs.test(ARM::LR)); + } + +-void ARMFrameLowering::processFunctionBeforeFrameFinalized( +- MachineFunction &MF, RegScavenger *RS) const { +- TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS); +- ++void ARMFrameLowering::updateLRRestored(MachineFunction &MF) { + MachineFrameInfo &MFI = MF.getFrameInfo(); + if (!MFI.isCalleeSavedInfoValid()) + return; +@@ -2808,6 +2805,12 @@ void ARMFrameLowering::processFunctionBeforeFrameFinalized( + } + } + ++void ARMFrameLowering::processFunctionBeforeFrameFinalized( ++ MachineFunction &MF, RegScavenger *RS) const { ++ 
TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS); ++ updateLRRestored(MF); ++} ++ + void ARMFrameLowering::getCalleeSaves(const MachineFunction &MF, + BitVector &SavedRegs) const { + TargetFrameLowering::getCalleeSaves(MF, SavedRegs); +diff --git a/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.h b/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.h +index 8d2b8beb9a58f..3c7358d8cd53e 100644 +--- a/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.h ++++ b/src/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.h +@@ -59,6 +59,10 @@ class ARMFrameLowering : public TargetFrameLowering { + void determineCalleeSaves(MachineFunction &MF, BitVector &SavedRegs, + RegScavenger *RS) const override; + ++ /// Update the IsRestored flag on LR if it is spilled, based on the return ++ /// instructions. ++ static void updateLRRestored(MachineFunction &MF); ++ + void processFunctionBeforeFrameFinalized( + MachineFunction &MF, RegScavenger *RS = nullptr) const override; + +diff --git a/src/llvm-project/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp b/src/llvm-project/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp +index ed9d30c3c3ab9..6121055eb0217 100644 +--- a/src/llvm-project/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp ++++ b/src/llvm-project/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp +@@ -2062,17 +2062,6 @@ bool ARMLoadStoreOpt::MergeReturnIntoLDM(MachineBasicBlock &MBB) { + MO.setReg(ARM::PC); + PrevMI.copyImplicitOps(*MBB.getParent(), *MBBI); + MBB.erase(MBBI); +- // We now restore LR into PC so it is not live-out of the return block +- // anymore: Clear the CSI Restored bit. 
+- MachineFrameInfo &MFI = MBB.getParent()->getFrameInfo(); +- // CSI should be fixed after PrologEpilog Insertion +- assert(MFI.isCalleeSavedInfoValid() && "CSI should be valid"); +- for (CalleeSavedInfo &Info : MFI.getCalleeSavedInfo()) { +- if (Info.getReg() == ARM::LR) { +- Info.setRestored(false); +- break; +- } +- } + return true; + } + } +@@ -2120,14 +2109,22 @@ bool ARMLoadStoreOpt::runOnMachineFunction(MachineFunction &Fn) { + isThumb2 = AFI->isThumb2Function(); + isThumb1 = AFI->isThumbFunction() && !isThumb2; + +- bool Modified = false; ++ bool Modified = false, ModifiedLDMReturn = false; + for (MachineBasicBlock &MBB : Fn) { + Modified |= LoadStoreMultipleOpti(MBB); + if (STI->hasV5TOps() && !AFI->shouldSignReturnAddress()) +- Modified |= MergeReturnIntoLDM(MBB); ++ ModifiedLDMReturn |= MergeReturnIntoLDM(MBB); + if (isThumb1) + Modified |= CombineMovBx(MBB); + } ++ Modified |= ModifiedLDMReturn; ++ ++ // If we merged a BX instruction into an LDM, we need to re-calculate whether ++ // LR is restored. This check needs to consider the whole function, not just ++ // the instruction(s) we changed, because there may be other BX returns which ++ // still need LR to be restored. ++ if (ModifiedLDMReturn) ++ ARMFrameLowering::updateLRRestored(Fn); + + Allocator.DestroyAll(); + return Modified; diff --git a/SPECS/rust/CVE-2024-32884.patch b/SPECS/rust/CVE-2024-32884.patch new file mode 100644 index 0000000000..3323df6c66 --- /dev/null +++ b/SPECS/rust/CVE-2024-32884.patch 
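Review bot: The `assert(MFI.isCalleeSavedInfoValid() && "CSI should be valid")` removed from MergeReturnIntoLDM is replaced, in the new `ARMFrameLowering::updateLRRestored`, by a silent `if (!MFI.isCalleeSavedInfoValid()) return;`, so a call from ARMLoadStoreOpt::runOnMachineFunction with invalid CSI would now leave LR's Restored flag stale without any diagnostic — the same stale-flag condition this pair of patches exists to fix. Since the load/store optimizer runs after prologue/epilogue insertion (as the removed comment stated), keep the invariant checked at the new call site: `assert(Fn.getFrameInfo().isCalleeSavedInfoValid() && "CSI should be valid");` immediately before `ARMFrameLowering::updateLRRestored(Fn);`. The preamble also says "Adjusted checksums to account for applied patches" and the second sub-patch's diffstat reports 4 files changed while listing three; src/llvm-project does not appear to be a vendored crate with a checksum file, so that preamble line looks copied from the companion gix-url patch and should be dropped so the header describes only what was done to this file.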
@@ -0,0 +1,504 @@
+Modified for Mariner by corvus-callidus:
+ Removed changes to non-vendored files
+ Fixed paths to match vendored code
+ Backported patch to apply to version shipped with rust package
+ Adjusted checksums to account for applied patches
+
+From d80b5f69772a6e36b0131d3a538e896a8a6a29b1 Mon Sep 17 00:00:00 2001
+From: Sebastian Thiel
+Date: Sun, 24 Sep 2023 16:00:34 +0200
+Subject: [PATCH] feat: add `Url::host_argument_safe()` and
+ `Url::path_argument_safe()`
+
+This will not provide values if they could be confused for an argument
+to to a commaneline application.
+---
+ gix-url/src/lib.rs | 36 ++++++++++++++++++++++++++++++++++++
+ 1 files changed, 36 insertions(+)
+
+diff --git a/vendor/gix-url/src/lib.rs b/vendor/gix-url/src/lib.rs
+index a5f1ba15443..add7b176b2b 100644
+--- a/vendor/gix-url/src/lib.rs
++++ b/vendor/gix-url/src/lib.rs
+@@ -47,6 +47,13 @@ pub struct Url {
+ /// The port to use when connecting to a host. If `None`, standard ports depending on `scheme` will be used.
+ pub port: Option,
+ /// The path portion of the URL, usually the location of the git repository.
++ ///
++ /// # Security-Warning
++ ///
++ /// URLs allow paths to start with `-` which makes it possible to mask command-line arguments as path which then leads to
++ /// the invocation of programs from an attacker controlled URL. See https://secure.phabricator.com/T12961 for details.
++ ///
++ /// If this value is going to be used in a command-line application, call [Self::path_argument_safe()] instead.
+ pub path: bstr::BString,
+ }
+
+@@ -123,9 +128,34 @@ impl Url {
+ self.password.as_deref()
+ }
+ /// Returns the host mentioned in the url, if present.
++ ///
++ /// # Security-Warning
++ ///
++ /// URLs allow hosts to start with `-` which makes it possible to mask command-line arguments as host which then leads to
++ /// the invocation of programs from an attacker controlled URL. See https://secure.phabricator.com/T12961 for details.
++ ///
++ /// If this value is going to be used in a command-line application, call [Self::host_argument_safe()] instead.
+ pub fn host(&self) -> Option<&str> {
+ self.host.as_deref()
+ }
++
++ /// Return the host of this URL if present *and* if it can't be mistaken for a command-line argument.
++ ///
++ /// Use this method if the host is going to be passed to a command-line application.
++ pub fn host_argument_safe(&self) -> Option<&str> {
++ self.host().filter(|host| !looks_like_argument(host.as_bytes()))
++ }
++
++ /// Return the path of this URL *and* if it can't be mistaken for a command-line argument.
++ /// Note that it always begins with a slash, which is ignored for this comparison.
++ ///
++ /// Use this method if the path is going to be passed to a command-line application.
++ pub fn path_argument_safe(&self) -> Option<&BStr> {
++ self.path
++ .get(1..)
++ .and_then(|truncated| (!looks_like_argument(truncated)).then_some(self.path.as_ref()))
++ }
++
+ /// Returns true if the path portion of the url is `/`.
+ pub fn path_is_root(&self) -> bool {
+ self.path == "/"
+@@ -144,6 +176,10 @@ impl Url {
+ }
+ }
+
++fn looks_like_argument(b: &[u8]) -> bool {
++ b.get(0) == Some(&b'-')
++}
++
+ /// Transformation
+ impl Url {
+ /// Turn a file url like `file://relative` into `file:///root/relative`, hence it assures the url's path component is absolute.
+From b06a0dd781accad317fdec5f86f069df4c21875c Mon Sep 17 00:00:00 2001
+From: Sebastian Thiel
+Date: Sun, 24 Sep 2023 11:07:18 +0200
+Subject: [PATCH] fix: prevent hosts or paths that look like arguments to be
+ passed to invoked commands.
+
+See https://secure.phabricator.com/T12961 for more details.
+---
+ gix-transport/src/client/blocking_io/file.rs | 6 +++++
+ .../src/client/blocking_io/ssh/mod.rs | 23 +++++++++++++------
+ .../client/blocking_io/ssh/program_kind.rs | 17 ++++++++++----
+ .../src/client/blocking_io/ssh/tests.rs | 23 +++++++++++++++----
+ gix-transport/src/client/git/mod.rs | 15 ++++++++++++
+ gix-transport/src/client/non_io_types.rs | 2 ++
+ gix-transport/src/lib.rs | 1 -
+ gix-url/src/lib.rs | 6 ++---
+ 8 files changed, 74 insertions(+), 19 deletions(-)
+
+diff --git a/vendor/gix-transport/src/client/blocking_io/file.rs b/vendor/gix-transport/src/client/blocking_io/file.rs
+index 599f56c23e8..613fd23578b 100644
+--- a/vendor/gix-transport/src/client/blocking_io/file.rs
++++ b/vendor/gix-transport/src/client/blocking_io/file.rs
+@@ -211,6 +211,11 @@ impl client::Transport for SpawnProcessOnDemand {
+ };
+ cmd.stdin = Stdio::piped();
+ cmd.stdout = Stdio::piped();
++ if self.path.first() == Some(&b'-') {
++ return Err(client::Error::AmbiguousPath {
++ path: self.path.clone(),
++ });
++ }
+ let repo_path = if self.ssh_cmd.is_some() {
+ cmd.args.push(service.as_str().into());
+ gix_quote::single(self.path.as_ref()).to_os_str_lossy().into_owned()
+
+diff --git a/vendor/gix-transport/src/client/blocking_io/ssh/mod.rs b/vendor/gix-transport/src/client/blocking_io/ssh/mod.rs
+index 7c042dc28b3..642aab9fd4d 100644
+--- a/vendor/gix-transport/src/client/blocking_io/ssh/mod.rs
++++ b/vendor/gix-transport/src/client/blocking_io/ssh/mod.rs
+@@ -8,6 +8,8 @@ use crate::{client::blocking_io, Protocol};
+ pub enum Error {
+ #[error("The scheme in \"{}\" is not usable for an ssh connection", .0.to_bstring())]
+ UnsupportedScheme(gix_url::Url),
++ #[error("Host name '{host}' could be mistaken for a command-line argument")]
++ AmbiguousHostName { host: String },
+ }
+
+ impl crate::IsSpuriousError for Error {}
+@@ -37,12 +39,17 @@ pub mod invocation {
+
+ /// The error returned when producing ssh invocation arguments based on a selected invocation kind.
+ #[derive(Debug, thiserror::Error)]
+- #[error("The 'Simple' ssh variant doesn't support {function}")]
+- pub struct Error {
+- /// The simple command that should have been invoked.
+- pub command: OsString,
+- /// The function that was unsupported
+- pub function: &'static str,
++ #[allow(missing_docs)]
++ pub enum Error {
++ #[error("Host name '{host}' could be mistaken for a command-line argument")]
++ AmbiguousHostName { host: String },
++ #[error("The 'Simple' ssh variant doesn't support {function}")]
++ Unsupported {
++ /// The simple command that should have been invoked.
++ command: OsString,
++ /// The function that was unsupported
++ function: &'static str,
++ },
+ }
+ }
+
+@@ -105,7 +112,9 @@ pub fn connect(
+ .stdin(Stdio::null())
+ .with_shell()
+ .arg("-G")
+- .arg(url.host().expect("always set for ssh urls")),
++ .arg(url.host_argument_safe().ok_or_else(|| Error::AmbiguousHostName {
++ host: url.host().expect("set in ssh urls").into(),
++ })?),
+ )
+ .status()
+ .ok()
+diff --git a/vendor/gix-transport/src/client/blocking_io/ssh/program_kind.rs b/vendor/gix-transport/src/client/blocking_io/ssh/program_kind.rs
+index f02d4444444..70905829f64 100644
+--- a/vendor/gix-transport/src/client/blocking_io/ssh/program_kind.rs
++++ b/vendor/gix-transport/src/client/blocking_io/ssh/program_kind.rs
+@@ -31,7 +31,6 @@ impl ProgramKind {
+ if disallow_shell {
+ prepare.use_shell = false;
+ }
+- let host = url.host().expect("present in ssh urls");
+ match self {
+ ProgramKind::Ssh => {
+ if desired_version != Protocol::V1 {
+@@ -54,7 +53,7 @@ impl ProgramKind {
+ }
+ ProgramKind::Simple => {
+ if url.port.is_some() {
+- return Err(ssh::invocation::Error {
++ return Err(ssh::invocation::Error::Unsupported {
+ command: ssh_cmd.into(),
+ function: "setting the port",
+ });
+@@ -62,8 +61,18 @@ impl ProgramKind {
+ }
+ };
+ let host_as_ssh_arg = match url.user() {
+- Some(user) => format!("{user}@{host}"),
+- None => host.into(),
++ Some(user) => {
++ let host =
url.host().expect("present in ssh urls");
++ format!("{user}@{host}")
++ }
++ None => {
++ let host = url
++ .host_argument_safe()
++ .ok_or_else(|| ssh::invocation::Error::AmbiguousHostName {
++ host: url.host().expect("ssh host always set").into(),
++ })?;
++ host.into()
++ }
+ };
+
+ // Try to force ssh to yield english messages (for parsing later)
+diff --git a/vendor/gix-transport/src/client/blocking_io/ssh/tests.rs b/vendor/gix-transport/src/client/blocking_io/ssh/tests.rs
+index f0820d14ed7..4e4da780703 100644
+--- a/vendor/gix-transport/src/client/blocking_io/ssh/tests.rs
++++ b/vendor/gix-transport/src/client/blocking_io/ssh/tests.rs
+@@ -144,13 +144,28 @@ mod program_kind {
+ assert!(call_args(kind, "ssh://user@host:43/p", Protocol::V2).ends_with("-P 43 user@host"));
+ }
+ }
++ #[test]
++ fn ambiguous_host_is_allowed_with_user() {
++ assert_eq!(
++ call_args(ProgramKind::Ssh, "ssh://user@-arg/p", Protocol::V2),
++ joined(&["ssh", "-o", "SendEnv=GIT_PROTOCOL", "user@-arg"])
++ );
++ }
++
++ #[test]
++ fn ambiguous_host_is_disallowed() {
++ assert!(matches!(
++ try_call(ProgramKind::Ssh, "ssh://-arg/p", Protocol::V2),
++ Err(ssh::invocation::Error::AmbiguousHostName { host }) if host == "-arg"
++ ));
++ }
+
+ #[test]
+ fn simple_cannot_handle_any_arguments() {
+- match try_call(ProgramKind::Simple, "ssh://user@host:42/p", Protocol::V2) {
+- Err(ssh::invocation::Error { .. }) => {}
+- _ => panic!("BUG: unexpected outcome"),
+- }
++ assert!(matches!(
++ try_call(ProgramKind::Simple, "ssh://user@host:42/p", Protocol::V2),
++ Err(ssh::invocation::Error::Unsupported { ..
})
++ ));
+ assert_eq!(
+ call_args(ProgramKind::Simple, "ssh://user@host/p", Protocol::V2),
+ joined(&["simple", "user@host"]),
+diff --git a/vendor/gix-transport/src/client/git/mod.rs b/vendor/gix-transport/src/client/git/mod.rs
+index 2b950b44a40..d27f468ff8f 100644
+--- a/vendor/gix-transport/src/client/git/mod.rs
++++ b/vendor/gix-transport/src/client/git/mod.rs
+@@ -165,6 +165,21 @@ mod message {
+ "git-upload-pack hello\\world\0host=host:404\0"
+ )
+ }
++
++ #[test]
++ fn with_strange_host_and_port() {
++ assert_eq!(
++ git::message::connect(
++ Service::UploadPack,
++ Protocol::V1,
++ b"--upload-pack=attack",
++ Some(&("--proxy=other-attack".into(), Some(404))),
++ &[]
++ ),
++ "git-upload-pack --upload-pack=attack\0host=--proxy=other-attack:404\0",
++ "we explicitly allow possible `-arg` arguments to be passed to the git daemon - the remote must protect against exploitation, we don't want to prevent legitimate cases"
++ )
++ }
+ }
+ }
+
+diff --git a/vendor/gix-transport/src/client/non_io_types.rs b/vendor/gix-transport/src/client/non_io_types.rs
+index 807b22a8f5f..a1dbb247c71 100644
+--- a/vendor/gix-transport/src/client/non_io_types.rs
++++ b/vendor/gix-transport/src/client/non_io_types.rs
+@@ -138,6 +138,8 @@ mod error {
+ Http(#[from] HttpError),
+ #[error(transparent)]
+ SshInvocation(SshInvocationError),
++ #[error("The repository path '{path}' could be mistaken for a command-line argument")]
++ AmbiguousPath { path: BString },
+ }
+
+ impl crate::IsSpuriousError for Error {
+diff --git a/vendor/gix-transport/src/lib.rs b/vendor/gix-transport/src/lib.rs
+index 5176125ec95..4ec2ea61557 100644
+--- a/vendor/gix-transport/src/lib.rs
++++ b/vendor/gix-transport/src/lib.rs
+@@ -21,7 +21,6 @@ pub use gix_packetline as packetline;
+ /// The version of the way client and server communicate.
+ #[derive(Default, PartialEq, Eq, Debug, Hash, Ord, PartialOrd, Clone, Copy)]
+ #[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
+-#[allow(missing_docs)]
+ pub enum Protocol {
+ /// Version 0 is like V1, but doesn't show capabilities at all, at least when hosted without `git-daemon`.
+ V0 = 0,
+diff --git a/vendor/gix-url/src/lib.rs b/vendor/gix-url/src/lib.rs
+index add7b176b2b..1d90689ae61 100644
+--- a/vendor/gix-url/src/lib.rs
++++ b/vendor/gix-url/src/lib.rs
+@@ -51,7 +51,7 @@ pub struct Url {
+ /// # Security-Warning
+ ///
+ /// URLs allow paths to start with `-` which makes it possible to mask command-line arguments as path which then leads to
+- /// the invocation of programs from an attacker controlled URL. See https://secure.phabricator.com/T12961 for details.
++ /// the invocation of programs from an attacker controlled URL. See for details.
+ ///
+ /// If this value is going to be used in a command-line application, call [Self::path_argument_safe()] instead.
+ pub path: bstr::BString,
+@@ -132,7 +132,7 @@ impl Url {
+ /// # Security-Warning
+ ///
+ /// URLs allow hosts to start with `-` which makes it possible to mask command-line arguments as host which then leads to
+- /// the invocation of programs from an attacker controlled URL. See https://secure.phabricator.com/T12961 for details.
++ /// the invocation of programs from an attacker controlled URL. See for details.
+ ///
+ /// If this value is going to be used in a command-line application, call [Self::host_argument_safe()] instead.
+ pub fn host(&self) -> Option<&str> {
+@@ -177,7 +177,7 @@ impl Url {
+ }
+
+ fn looks_like_argument(b: &[u8]) -> bool {
+- b.get(0) == Some(&b'-')
++ b.first() == Some(&b'-')
+ }
+
+ /// Transformation
+From db40382328c373258aa3bd5f9551511a42af6be5 Mon Sep 17 00:00:00 2001
+From: Eliah Kagan
+Date: Thu, 11 Apr 2024 22:38:59 +0000
+Subject: [PATCH] feat: Add `Url::user_argument_safe()`
+
+This returns `None` if the username begins with a `-`, which would
+confuse command-line applications.
+
+It is analogous to the `Url::host_argument_safe()` and
+`Url::path_argument_safe()` methods (introduced in d80b5f6), but
+for usernames rather than hosts or paths.
+---
+ gix-url/src/lib.rs | 14 ++++++++++++++
+ gix-url/tests/access/mod.rs | 2 +-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/gix-url/src/lib.rs b/vendor/gix-url/src/lib.rs
+index fba3ffe6d7..f0373c521b 100644
+--- a/vendor/gix-url/src/lib.rs
++++ b/vendor/gix-url/src/lib.rs
+@@ -120,9 +120,23 @@ impl Url {
+ /// Access
+ impl Url {
+ /// Returns the user mentioned in the url, if present.
++ ///
++ /// # Security-Warning
++ ///
++ /// URLs allow usernames to start with `-` which makes it possible to mask command-line arguments as username which then leads to
++ /// the invocation of programs from an attacker controlled URL. See for details.
++ ///
++ /// If this value is going to be used in a command-line application, call [Self::user_argument_safe()] instead.
+ pub fn user(&self) -> Option<&str> {
+ self.user.as_deref()
+ }
++ /// Return the user from this URL if present *and* if it can't be mistaken for a command-line argument.
++ ///
++ /// Use this method if the user or a portion of the URL that begins with it will be passed to a command-line application.
++ pub fn user_argument_safe(&self) -> Option<&str> {
++ self.user().filter(|user| !looks_like_argument(user.as_bytes()))
++ }
++
+ /// Returns the password mentioned in the url, if present.
+ pub fn password(&self) -> Option<&str> {
+ self.password.as_deref()
+ }
+From 54286091ebc6e13a8f27f730fa88127e6334cf13 Mon Sep 17 00:00:00 2001
+From: Eliah Kagan
+Date: Fri, 12 Apr 2024 04:13:34 +0000
+Subject: [PATCH] Add ambiguous user unit tests, and more for hostname
+
+Not all of these tests can pass yet, since gix-transport does not
+yet detect and refuse to proceed with leading-hypnen usernames.
+Some pass; those that do not are, as expected:
+
+- ambiguous_user_is_disallowed_explicit_ssh
+- ambiguous_user_is_disallowed_implicit_ssh
+- ambiguous_user_and_host_remain_disallowed_together_explicit_ssh
+- ambiguous_user_and_host_remain_disallowed_together_implicit_ssh
+
+This also adds AmbiguousUserName in one of the enums that will need
+to have it, but nothing fails with this error yet; it is introduced
+now only to facilitate writing unit tests that assert it.
+---
+ .../src/client/blocking_io/ssh/mod.rs | 2 +
+ 1 files changed, 2 insertions(+)
+
+diff --git a/vendor/gix-transport/src/client/blocking_io/ssh/mod.rs b/vendor/gix-transport/src/client/blocking_io/ssh/mod.rs
+index 16f47bd25f4..00e06582d74 100644
+--- a/vendor/gix-transport/src/client/blocking_io/ssh/mod.rs
++++ b/vendor/gix-transport/src/client/blocking_io/ssh/mod.rs
+@@ -41,6 +41,8 @@ pub mod invocation {
+ #[derive(Debug, thiserror::Error)]
+ #[allow(missing_docs)]
+ pub enum Error {
++ #[error("Username '{user}' could be mistaken for a command-line argument")]
++ AmbiguousUserName { user: String },
+ #[error("Host name '{host}' could be mistaken for a command-line argument")]
+ AmbiguousHostName { host: String },
+ #[error("The 'Simple' ssh variant doesn't support {function}")]
+
+From f56ad390a5569d0129b7b16632991d18b9ddb4f7 Mon Sep 17 00:00:00 2001
+From: Eliah Kagan
+Date: Fri, 12 Apr 2024 06:38:19 +0000
+Subject: [PATCH] fix: Prevent usernames with leading `-` from being passed to
+ SSH
+
+This detects ambiguous usernames in dangerous cases where they
+would be passed to external
commands to form SSH connections, if
+they would be misinterpreted as option arguments.
+
+This change is analogous to b06a0dd, hardening `gix-transport` and
+applications that use it against options smuggled in URLs, but for
+the non-mandatory username portion of a URL, rather than the host
+and path portions that were covered there.
+
+For example, commands like these no longer pass `-F...` options to
+`ssh`:
+
+ gix clone 'ssh://-Fconfigfile@example.com/abc'
+ gix clone -- '-Fconfigfile@example.com:abc/def'
+
+Instead, they refuse to run `ssh`, producing the error:
+
+ Error: Username '-Fconfigfile' could be mistaken for a command-line argument
+---
+ .../src/client/blocking_io/ssh/program_kind.rs | 13 ++++++++++---
+ gix-url/src/lib.rs | 7 +++++++
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/gix-transport/src/client/blocking_io/ssh/program_kind.rs b/vendor/gix-transport/src/client/blocking_io/ssh/program_kind.rs
+index 70905829f64..d046db772c1 100644
+--- a/vendor/gix-transport/src/client/blocking_io/ssh/program_kind.rs
++++ b/vendor/gix-transport/src/client/blocking_io/ssh/program_kind.rs
+@@ -60,8 +60,12 @@ impl ProgramKind {
+ }
+ }
+ };
+- let host_as_ssh_arg = match url.user() {
++ let host_maybe_with_user_as_ssh_arg = match url.user() {
+ Some(user) => {
++ // FIXME: See the fixme comment on Url::user_argument_safe() about its return type.
++ if url.user_argument_safe() != Some(user) {
++ return Err(ssh::invocation::Error::AmbiguousUserName { user: user.into() });
++ }
+ let host = url.host().expect("present in ssh urls");
+ format!("{user}@{host}")
+ }
+@@ -75,8 +79,11 @@ impl ProgramKind {
+ }
+ };
+
+- // Try to force ssh to yield english messages (for parsing later)
+- Ok(prepare.arg(host_as_ssh_arg).env("LANG", "C").env("LC_ALL", "C"))
++ // Try to force ssh to yield English messages (for parsing later).
++ Ok(prepare
++ .arg(host_maybe_with_user_as_ssh_arg)
++ .env("LANG", "C")
++ .env("LC_ALL", "C"))
+ }
+
+ /// Note that the caller has to assure that the ssh program is launched in English by setting the locale.
+diff --git a/vendor/gix-url/src/lib.rs b/vendor/gix-url/src/lib.rs
+index 23b7cf59fbd..ff6d5a12f59 100644
+--- a/vendor/gix-url/src/lib.rs
++++ b/vendor/gix-url/src/lib.rs
+@@ -134,6 +134,13 @@ impl Url {
+ ///
+ /// Use this method if the user or a portion of the URL that begins with it will be passed to a command-line application.
+ pub fn user_argument_safe(&self) -> Option<&str> {
++ // FIXME: A return value of None from this method, or host_argument_safe(), is ambiguous: the user (or host) is
++ // either present but unsafe, or absent. Furthermore, in practice the value is usually needed even if unsafe,
++ // in order to report it in an error message. In gix-transport, the ambiguity makes it easy to write a new bug
++ // while using this interface for user_argument_safe(). In contrast, in host_argument_safe(), the ambiguity is
++ // much less of a problem, because the host is expected to be present. Yet the host() method must still be
++ // called when handling the None case, to include it in the error. If possible, both methods should be replaced
++ // by methods with a richer return type (a new enum). If not, the ambiguity should be prominently documented.
+ self.user().filter(|user| !looks_like_argument(user.as_bytes())) + } + +diff --git a/vendor/gix-url/.cargo-checksum.json b/vendor/gix-url/.cargo-checksum.json +index f0b09303d..37c2df0fb 100644 +--- a/vendor/gix-url/.cargo-checksum.json ++++ b/vendor/gix-url/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"CHANGELOG.md":"5d9b8377ce6e6d41c00ddad06da5530e9c42f29c625dc598ed90b109a757288a","Cargo.toml":"f55ec09a9dbf19c990124d4a8232f13cf179943af5de337e31cf7565ecf80c47","LICENSE-APACHE":"cb4780590812826851ba250f90bed0ed19506ec98f6865a0e2e20bbf62391ff9","LICENSE-MIT":"49df47913ab2beafe8dc45607877ae64198bf0eee64aaad3e82ed9e4d27424e8","src/expand_path.rs":"b0d2fe688c170dfa1381b3cb7add373a618a8ac2520ebdeb2ea721318bb88566","src/impls.rs":"3e47180ec440b42bbd0ba2bdbcbfc247fbfd4020066ce5ca0f4c137b36807323","src/lib.rs":"fc219a768c3c96a5b649bdba11d03e8f168ed347391208bcf48c40eb49e91c5c","src/parse.rs":"0dd96b53e86df347388c9d05be66e49cc2aa4bdec439304c53d4e28664644a14","src/scheme.rs":"02a6a230eea7459b05959ff4e8ce30f4d45526e1f1a47ff88b260bb1943d2433"},"package":"f1663df25ac42047a2547618d2a6979a26f478073f6306997429235d2cd4c863"} +\ No newline at end of file ++{"files":{"CHANGELOG.md":"5d9b8377ce6e6d41c00ddad06da5530e9c42f29c625dc598ed90b109a757288a","Cargo.toml":"f55ec09a9dbf19c990124d4a8232f13cf179943af5de337e31cf7565ecf80c47","LICENSE-APACHE":"cb4780590812826851ba250f90bed0ed19506ec98f6865a0e2e20bbf62391ff9","LICENSE-MIT":"49df47913ab2beafe8dc45607877ae64198bf0eee64aaad3e82ed9e4d27424e8","src/expand_path.rs":"b0d2fe688c170dfa1381b3cb7add373a618a8ac2520ebdeb2ea721318bb88566","src/impls.rs":"3e47180ec440b42bbd0ba2bdbcbfc247fbfd4020066ce5ca0f4c137b36807323","src/lib.rs":"4afc16f5c79826ed9fe96b438266b39d982aba69c459fc010ac0a2ee3f5a8236","src/parse.rs":"0dd96b53e86df347388c9d05be66e49cc2aa4bdec439304c53d4e28664644a14","src/scheme.rs":"02a6a230eea7459b05959ff4e8ce30f4d45526e1f1a47ff88b260bb1943d2433"},"package":"f1663df25ac42047a2547618d2a6979a26f478073f6306997429235d2cd4c863"} +\ No 
newline at end of file + +diff --git a/vendor/gix-transport/.cargo-checksum.json b/vendor/gix-transport/.cargo-checksum.json +index 24fcaaab0..3d7642bc4 100644 +--- a/vendor/gix-transport/.cargo-checksum.json ++++ b/vendor/gix-transport/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"CHANGELOG.md":"f62eee0a65c00e91dcf1765ad19ae166a17234fa97d21a6c848bd65fa7158df7","Cargo.toml":"97027a5e91451a0eb68225d5a03f123d5fe52c1c446de4d9474c47a7de397d03","LICENSE-APACHE":"cb4780590812826851ba250f90bed0ed19506ec98f6865a0e2e20bbf62391ff9","LICENSE-MIT":"49df47913ab2beafe8dc45607877ae64198bf0eee64aaad3e82ed9e4d27424e8","src/client/async_io/bufread_ext.rs":"d9ef051c5bd1abd62ab43db6a50b4bdf163e1d50e8b25624e12aaed1bd8ece52","src/client/async_io/connect.rs":"d2f64a865612cdf2aefebc8c58c28b0d303e697819ae467b0145d18ab87fd359","src/client/async_io/mod.rs":"dbc880330eea5ab38d2ac7aa8d295352cac1011aa4f6c9d9216ccfb7fa79789d","src/client/async_io/request.rs":"6844d8804f1b99836994fdc2faa636542336b988b7ab15d118ea1aa24315cd65","src/client/async_io/traits.rs":"f0ec02bce105d138e438daa1397ff92b82230c19171039b12e995eb2011b8f1e","src/client/blocking_io/bufread_ext.rs":"ffb691bac5e4c7e35506f01aaee3560c80de8143e9eb5755cab2a3da545ed113","src/client/blocking_io/connect.rs":"e146594221beae80385b08094a128066a8772127b989bb63e8bb0b5d7dc7f82d","src/client/blocking_io/file.rs":"663e3a4b62c3860068c0c3fbc16adbb0d1535ee028c23d084f68a853a5bb2641","src/client/blocking_io/http/curl/mod.rs":"4fa0027b0aabdb71676c5267d8dab446ccd81863dd80dc9ac8f43e7710099ca4","src/client/blocking_io/http/curl/remote.rs":"957c511ed64d7c3fee886ef7d16f56e04bfd8ac266680f9c88907dd150c1b6da","src/client/blocking_io/http/mod.rs":"3a58753707f5ee2d7a59123d3a749bb17864ed70fe6c5b197174bc9b4861e691","src/client/blocking_io/http/redirect.rs":"1f6d57c8a87a9cb4c3699c53f5e05468d99b89d49532c1f805931dcdcff36c0b","src/client/blocking_io/http/reqwest/mod.rs":"08d09aefaddbd0049676bdbe403fca2282c9da4484a6d7cd8e84ec8a46060184","src/client/blocking_io/http/reqwes
t/remote.rs":"dfcebff86bbf77401e1f22152b570a125dc38c8e983df51e14f8bb1e2459586c","src/client/blocking_io/http/traits.rs":"520d9789ee9e5cee861a068f8ca0bd5309c853f288a065d3cfb86d8e0145942f","src/client/blocking_io/mod.rs":"b3b09948dcad91f5e9060875e5096c3d4155e3fdf33af0415b04f9c6246adec2","src/client/blocking_io/request.rs":"1602b053538b864557729fa6b3f74aa91020ead2bdcd55c86dd10c13c9168b94","src/client/blocking_io/ssh/mod.rs":"a2eb446804b7d377db8a0bae5d74936271dc7cdd71f12629eaf21a0c821453c8","src/client/blocking_io/ssh/program_kind.rs":"e573e45103ac3978da65cb87be3aac476fc40781a953d2c464f754fa79398cee","src/client/blocking_io/ssh/tests.rs":"309e795036635782a005cba1ddf0e8dcf7b1e1fea49429f644996c942cf7ccbe","src/client/blocking_io/traits.rs":"7e1ef1d6cd6c03f493fe55dd3ba6ad2a5059db16a22b9b75bbda8b055c207813","src/client/capabilities.rs":"fd74e87fd6b405de1613d9f5bec9fd6c0705e1ba1f2d2afdc349586af0190381","src/client/git/async_io.rs":"97b8dccc93bf5a62349aec7dc967acb59212ca66a49347564da50e4fc64864ec","src/client/git/blocking_io.rs":"42e3ee0f597cc31bd87027e21573ccfd4270b835795526f65ef193cff0da077c","src/client/git/mod.rs":"46d990e403f5f825fb0f9332d2ee1a3d8b33209d5a74fe8b473840bcf8e873c4","src/client/mod.rs":"563bb655c93af9dde121a6c8ddb94055aac862da5ac3e9d0420ca5eb21892387","src/client/non_io_types.rs":"ec10e9d7cf6270caf087643484dc4935b014124cf5b914f28eaa476a6869349a","src/client/traits.rs":"5c7b1f9d4b35ae049e81aa7aea09c0b142df023005d876765581b6b267a015d6","src/lib.rs":"c96d2ade712012d7babb19673c2097139036d6290b010828365da743700b65e2"},"package":"64a39ffed9a9078ed700605e064b15d7c6ae50aa65e7faa36ca6919e8081df15"} +\ No newline at end of file 
++{"files":{"CHANGELOG.md":"f62eee0a65c00e91dcf1765ad19ae166a17234fa97d21a6c848bd65fa7158df7","Cargo.toml":"97027a5e91451a0eb68225d5a03f123d5fe52c1c446de4d9474c47a7de397d03","LICENSE-APACHE":"cb4780590812826851ba250f90bed0ed19506ec98f6865a0e2e20bbf62391ff9","LICENSE-MIT":"49df47913ab2beafe8dc45607877ae64198bf0eee64aaad3e82ed9e4d27424e8","src/client/async_io/bufread_ext.rs":"d9ef051c5bd1abd62ab43db6a50b4bdf163e1d50e8b25624e12aaed1bd8ece52","src/client/async_io/connect.rs":"d2f64a865612cdf2aefebc8c58c28b0d303e697819ae467b0145d18ab87fd359","src/client/async_io/mod.rs":"dbc880330eea5ab38d2ac7aa8d295352cac1011aa4f6c9d9216ccfb7fa79789d","src/client/async_io/request.rs":"6844d8804f1b99836994fdc2faa636542336b988b7ab15d118ea1aa24315cd65","src/client/async_io/traits.rs":"f0ec02bce105d138e438daa1397ff92b82230c19171039b12e995eb2011b8f1e","src/client/blocking_io/bufread_ext.rs":"ffb691bac5e4c7e35506f01aaee3560c80de8143e9eb5755cab2a3da545ed113","src/client/blocking_io/connect.rs":"e146594221beae80385b08094a128066a8772127b989bb63e8bb0b5d7dc7f82d","src/client/blocking_io/file.rs":"acc9357a505a80a24b37794159a4f15b88baff714a351f0e80e201a87d400e34","src/client/blocking_io/http/curl/mod.rs":"4fa0027b0aabdb71676c5267d8dab446ccd81863dd80dc9ac8f43e7710099ca4","src/client/blocking_io/http/curl/remote.rs":"957c511ed64d7c3fee886ef7d16f56e04bfd8ac266680f9c88907dd150c1b6da","src/client/blocking_io/http/mod.rs":"3a58753707f5ee2d7a59123d3a749bb17864ed70fe6c5b197174bc9b4861e691","src/client/blocking_io/http/redirect.rs":"1f6d57c8a87a9cb4c3699c53f5e05468d99b89d49532c1f805931dcdcff36c0b","src/client/blocking_io/http/reqwest/mod.rs":"08d09aefaddbd0049676bdbe403fca2282c9da4484a6d7cd8e84ec8a46060184","src/client/blocking_io/http/reqwest/remote.rs":"dfcebff86bbf77401e1f22152b570a125dc38c8e983df51e14f8bb1e2459586c","src/client/blocking_io/http/traits.rs":"520d9789ee9e5cee861a068f8ca0bd5309c853f288a065d3cfb86d8e0145942f","src/client/blocking_io/mod.rs":"b3b09948dcad91f5e9060875e5096c3d4155e3fdf33af0415b0
4f9c6246adec2","src/client/blocking_io/request.rs":"1602b053538b864557729fa6b3f74aa91020ead2bdcd55c86dd10c13c9168b94","src/client/blocking_io/ssh/mod.rs":"121a661bb41f49573ee6017bc5a73e68efdf22e687cdd8d358bd14489cdcb4fe","src/client/blocking_io/ssh/program_kind.rs":"1941fda57add6c99413607f9139a49554fa15b1af6da3f6dbcddd63e3a451da2","src/client/blocking_io/ssh/tests.rs":"21836e0188548ea148775861771a7105091f5b0c432f5d84eeb1343b50ad20bd","src/client/blocking_io/traits.rs":"7e1ef1d6cd6c03f493fe55dd3ba6ad2a5059db16a22b9b75bbda8b055c207813","src/client/capabilities.rs":"fd74e87fd6b405de1613d9f5bec9fd6c0705e1ba1f2d2afdc349586af0190381","src/client/git/async_io.rs":"97b8dccc93bf5a62349aec7dc967acb59212ca66a49347564da50e4fc64864ec","src/client/git/blocking_io.rs":"42e3ee0f597cc31bd87027e21573ccfd4270b835795526f65ef193cff0da077c","src/client/git/mod.rs":"1c3ad5b754becfbca63b76fab85ebd97c2c5902f907fffbac994caffb82ee4a1","src/client/mod.rs":"563bb655c93af9dde121a6c8ddb94055aac862da5ac3e9d0420ca5eb21892387","src/client/non_io_types.rs":"9ea8334d6271118b1207634d425bf170ca93c221ab84072d7aa40576ea37ed24","src/client/traits.rs":"5c7b1f9d4b35ae049e81aa7aea09c0b142df023005d876765581b6b267a015d6","src/lib.rs":"220bd015a0ac9ad591fb0df4061206ff285b502802f7d6179c9cd2f3488450b6"},"package":"64a39ffed9a9078ed700605e064b15d7c6ae50aa65e7faa36ca6919e8081df15"} +\ No newline at end of file diff --git a/SPECS/rust/rust.spec b/SPECS/rust/rust.spec index b2d095559c..c44d8fa702 100644 --- a/SPECS/rust/rust.spec +++ b/SPECS/rust/rust.spec @@ -9,7 +9,7 @@ Summary: Rust Programming Language Name: rust Version: 1.72.0 -Release: 7%{?dist} +Release: 8%{?dist} License: (ASL 2.0 OR MIT) AND BSD AND CC-BY-3.0 Vendor: Microsoft Corporation Distribution: Mariner 
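Review bot: In the last program_kind.rs hunk (`@@ -60,8 +60,12 @@`), the `Some(user)` branch still builds `format!("{user}@{host}")` from `url.host().expect("present in ssh urls")` with no `host_argument_safe()` check, and nothing in the code says why that is acceptable even though the `ambiguous_host_is_allowed_with_user` test pins the behaviour; add a comment such as `// host is deliberately unchecked: once user is known not to start with '-', "{user}@{host}" cannot be read as an option.` The `-G` probe in the ssh/mod.rs `connect()` hunk takes the opposite stance and returns `AmbiguousHostName` for any leading-dash host regardless of user, so `ssh://user@-arg/p` presumably fails there while `ProgramKind` accepts it; a one-line comment at that `.arg(...)` call stating that the fail-closed choice is intentional would keep the next maintainer from "fixing" either side to match the other. In the file.rs hunk the same leading-dash test is re-implemented inline as `self.path.first() == Some(&b'-')` rather than going through a shared predicate, so the three checks can drift; at minimum a comment pointing at gix-url's `looks_like_argument` would tie them together. All three enclosing functions extend beyond the visible hunks.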
@@ -42,6 +42,9 @@ Source5: https://static.rust-lang.org/dist/%{release_date}/cargo-%{stage0 Source6: https://static.rust-lang.org/dist/%{release_date}/rustc-%{stage0_version}-aarch64-unknown-linux-gnu.tar.xz Source7: https://static.rust-lang.org/dist/%{release_date}/rust-std-%{stage0_version}-aarch64-unknown-linux-gnu.tar.xz Patch0: CVE-2023-45853.patch +Patch1: CVE-2024-32884.patch +Patch2: CVE-2024-31852.patch + BuildRequires: binutils BuildRequires: cmake # make sure rust relies on curl from CBL-Mariner (instead of using its vendored flavor) @@ -168,6 +171,9 @@ rm %{buildroot}%{_bindir}/*.old %{_mandir}/man1/* %changelog +* Thu Aug 08 2024 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 1.72.0-8 +- Patch CVE-2024-32884 and CVE-2024-31852 + * Mon May 06 2024 Rachel Menge - 1.72.0-7 - Bump release to rebuild against glibc 2.35-7 From 8380f30ee94b7dc435bf8427a24dfd2b78d0e1b6 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:38:40 -0700 Subject: [PATCH 25/43] [AUTO-CHERRYPICK] Fix python-twisted CVEs CVE-2024-41671 and CVE-2024-41810 in 2.0 - branch main (#10122) Co-authored-by: sindhu-karri <33163197+sindhu-karri@users.noreply.github.com> --- SPECS/python-twisted/CVE-2024-41671.patch | 208 ++++++++++++ SPECS/python-twisted/CVE-2024-41810.patch | 396 ++++++++++++++++++++++ SPECS/python-twisted/python-twisted.spec | 8 +- 3 files changed, 611 insertions(+), 1 deletion(-) create mode 100644 SPECS/python-twisted/CVE-2024-41671.patch create mode 100644 SPECS/python-twisted/CVE-2024-41810.patch diff --git a/SPECS/python-twisted/CVE-2024-41671.patch b/SPECS/python-twisted/CVE-2024-41671.patch new file mode 100644 index 0000000000..59f44bab66 --- /dev/null +++ b/SPECS/python-twisted/CVE-2024-41671.patch 
@@ -0,0 +1,208 @@ +From a31f547fe5bb0a9cba97249f3180195c2208a286 Mon Sep 17 00:00:00 2001 +From: Sindhu Karri +Date: Thu, 1 Aug 2024 09:39:06 +0000 +Subject: [PATCH 1/3] 4a930de1 patch apply pass 1 without rejs + +--- + src/twisted/web/http.py | 2 +- + src/twisted/web/newsfragments/12248.bugfix | 1 + + src/twisted/web/test/test_http.py | 120 ++++++++++++++++++--- + 3 files changed, 109 insertions(+), 14 deletions(-) + create mode 100644 src/twisted/web/newsfragments/12248.bugfix + +diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py +index b80a55a..2c3ba55 100644 +--- a/src/twisted/web/http.py ++++ b/src/twisted/web/http.py +@@ -2331,8 +2333,8 @@ class HTTPChannel(basic.LineReceiver, policies.TimeoutMixin): + self.__header = line + + def _finishRequestBody(self, data): +- self.allContentReceived() + self._dataBuffer.append(data) ++ self.allContentReceived() + + def _maybeChooseTransferDecoder(self, header, data): + """ +diff --git a/src/twisted/web/newsfragments/12248.bugfix b/src/twisted/web/newsfragments/12248.bugfix +new file mode 100644 +index 0000000..2fb6067 +--- /dev/null ++++ b/src/twisted/web/newsfragments/12248.bugfix +@@ -0,0 +1 @@ ++The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure (CVE-2024-41671/GHSA-c8m8-j448-xjx7) +diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py +index f8027f1..e07cf98 100644 +--- a/src/twisted/web/test/test_http.py ++++ b/src/twisted/web/test/test_http.py +@@ -135,7 +135,7 @@ class DummyHTTPHandler(http.Request): + data = self.content.read() + length = self.getHeader(b"content-length") + if length is None: +- length = networkString(str(length)) ++ length = str(length).encode() + request = b"'''\n" + length + b"\n" + data + b"'''\n" + self.setResponseCode(200) + self.setHeader(b"Request", self.uri) +@@ -566,17 +566,23 @@ class HTTP0_9Tests(HTTP1_0Tests): + + class 
PipeliningBodyTests(unittest.TestCase, ResponseTestMixin): + """ +- Tests that multiple pipelined requests with bodies are correctly buffered. ++ Pipelined requests get buffered and executed in the order received, ++ not processed in parallel. + """ + + requests = ( + b"POST / HTTP/1.1\r\n" + b"Content-Length: 10\r\n" + b"\r\n" +- b"0123456789POST / HTTP/1.1\r\n" +- b"Content-Length: 10\r\n" +- b"\r\n" + b"0123456789" ++ # Chunk encoded request. ++ b"POST / HTTP/1.1\r\n" ++ b"Transfer-Encoding: chunked\r\n" ++ b"\r\n" ++ b"a\r\n" ++ b"0123456789\r\n" ++ b"0\r\n" ++ b"\r\n" + ) + + expectedResponses = [ +@@ -593,14 +599,16 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin): + b"Request: /", + b"Command: POST", + b"Version: HTTP/1.1", +- b"Content-Length: 21", +- b"'''\n10\n0123456789'''\n", ++ b"Content-Length: 23", ++ b"'''\nNone\n0123456789'''\n", + ), + ] + +- def test_noPipelining(self): ++ def test_stepwiseTinyTube(self): + """ +- Test that pipelined requests get buffered, not processed in parallel. ++ Imitate a slow connection that delivers one byte at a time. ++ The request handler (L{DelayedHTTPHandler}) is puppeted to ++ step through the handling of each request. + """ + b = StringTransport() + a = http.HTTPChannel() +@@ -609,10 +617,9 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin): + # one byte at a time, to stress it. + for byte in iterbytes(self.requests): + a.dataReceived(byte) +- value = b.value() + + # So far only one request should have been dispatched. +- self.assertEqual(value, b"") ++ self.assertEqual(b.value(), b"") + self.assertEqual(1, len(a.requests)) + + # Now, process each request one at a time. 
+@@ -621,8 +628,95 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin): + request = a.requests[0].original + request.delayedProcess() + +- value = b.value() +- self.assertResponseEquals(value, self.expectedResponses) ++ self.assertResponseEquals(b.value(), self.expectedResponses) ++ ++ def test_stepwiseDumpTruck(self): ++ """ ++ Imitate a fast connection where several pipelined ++ requests arrive in a single read. The request handler ++ (L{DelayedHTTPHandler}) is puppeted to step through the ++ handling of each request. ++ """ ++ b = StringTransport() ++ a = http.HTTPChannel() ++ a.requestFactory = DelayedHTTPHandlerProxy ++ a.makeConnection(b) ++ ++ a.dataReceived(self.requests) ++ ++ # So far only one request should have been dispatched. ++ self.assertEqual(b.value(), b"") ++ self.assertEqual(1, len(a.requests)) ++ ++ # Now, process each request one at a time. ++ while a.requests: ++ self.assertEqual(1, len(a.requests)) ++ request = a.requests[0].original ++ request.delayedProcess() ++ ++ self.assertResponseEquals(b.value(), self.expectedResponses) ++ ++ def test_immediateTinyTube(self): ++ """ ++ Imitate a slow connection that delivers one byte at a time. ++ ++ (L{DummyHTTPHandler}) immediately responds, but no more ++ than one ++ """ ++ b = StringTransport() ++ a = http.HTTPChannel() ++ a.requestFactory = DummyHTTPHandlerProxy # "sync" ++ a.makeConnection(b) ++ ++ # one byte at a time, to stress it. ++ for byte in iterbytes(self.requests): ++ a.dataReceived(byte) ++ # There is never more than one request dispatched at a time: ++ self.assertLessEqual(len(a.requests), 1) ++ ++ self.assertResponseEquals(b.value(), self.expectedResponses) ++ ++ def test_immediateDumpTruck(self): ++ """ ++ Imitate a fast connection where several pipelined ++ requests arrive in a single read. The request handler ++ (L{DummyHTTPHandler}) immediately responds. 
++ ++ This doesn't check the at-most-one pending request ++ invariant but exercises otherwise uncovered code paths. ++ See GHSA-c8m8-j448-xjx7. ++ """ ++ b = StringTransport() ++ a = http.HTTPChannel() ++ a.requestFactory = DummyHTTPHandlerProxy ++ a.makeConnection(b) ++ ++ # All bytes at once to ensure there's stuff to buffer. ++ a.dataReceived(self.requests) ++ ++ self.assertResponseEquals(b.value(), self.expectedResponses) ++ ++ def test_immediateABiggerTruck(self): ++ """ ++ Imitate a fast connection where a so many pipelined ++ requests arrive in a single read that backpressure is indicated. ++ The request handler (L{DummyHTTPHandler}) immediately responds. ++ ++ This doesn't check the at-most-one pending request ++ invariant but exercises otherwise uncovered code paths. ++ See GHSA-c8m8-j448-xjx7. ++ ++ @see: L{http.HTTPChannel._optimisticEagerReadSize} ++ """ ++ b = StringTransport() ++ a = http.HTTPChannel() ++ a.requestFactory = DummyHTTPHandlerProxy ++ a.makeConnection(b) ++ ++ overLimitCount = a._optimisticEagerReadSize // len(self.requests) * 10 ++ a.dataReceived(self.requests * overLimitCount) ++ ++ self.assertResponseEquals(b.value(), self.expectedResponses * overLimitCount) + + def test_pipeliningReadLimit(self): + """ +-- +2.33.8 + diff --git a/SPECS/python-twisted/CVE-2024-41810.patch b/SPECS/python-twisted/CVE-2024-41810.patch new file mode 100644 index 0000000000..12ae074779 --- /dev/null +++ b/SPECS/python-twisted/CVE-2024-41810.patch 
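Review bot: The inner header `Subject: [PATCH 1/3] 4a930de1 patch apply pass 1 without rejs` records a working step rather than the change, and the file never states its provenance: `4a930de1` is presumably the upstream Twisted commit, but that is not said, and GHSA-c8m8-j448-xjx7 appears only in the newsfragment and test docstrings. The `1/3` numbering also implies further pieces that are not in this file, which matches the spec comment saying CVE-2024-41810.patch is needed for this CVE too. Replace the subject with something a maintainer can rebase against, e.g. `Subject: [PATCH] Backport upstream 4a930de1: process pipelined HTTP requests in order (CVE-2024-41671, GHSA-c8m8-j448-xjx7); remaining hunks are carried in CVE-2024-41810.patch`. The only code change is the statement swap in `_finishRequestBody`; everything else in the patch is tests and the newsfragment, which is worth stating in the description so reviewers know what to verify.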
@@ -0,0 +1,396 @@ +From a22866244736345239909eaca7be2eb8da791997 Mon Sep 17 00:00:00 2001 +From: Viktor Chuchurski +Date: Thu, 25 Jul 2024 19:34:35 +0200 +Subject: [PATCH 1/6] - added output encoding in redirect HTML + +--- + src/twisted/test/test_redirect_html_escape.py | 46 +++++++++++++++++++ + src/twisted/web/_template_util.py | 2 +- + 2 files changed, 47 insertions(+), 1 deletion(-) + create mode 100644 src/twisted/test/test_redirect_html_escape.py + +diff --git a/src/twisted/test/test_redirect_html_escape.py b/src/twisted/test/test_redirect_html_escape.py +new file mode 100644 +index 00000000000..1f57808cced +--- /dev/null ++++ b/src/twisted/test/test_redirect_html_escape.py +@@ -0,0 +1,46 @@ ++# Copyright (c) Twisted Matrix Laboratories. ++# See LICENSE for details. ++ ++""" ++Tests for L{twisted.web.util.redirectTo}. ++""" ++from twisted.trial import unittest ++from twisted.web.util import redirectTo ++from twisted.web.test.requesthelper import DummyRequest ++ ++class RedirectHtmlEscapeTests(unittest.TestCase): ++ def test_legitimate_redirect(self) -> None: ++ """ ++ Test how redirectTo escapes legitimate URLs ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo(b'https://twisted.org/', request) ++ expected = b""" ++ ++ ++ ++ ++ ++ click here ++ ++ ++""" ++ self.assertEqual(html, expected) ++ ++ def test_malicious_redirect(self) -> None: ++ """ ++ Test how redirectTo escapes redirect URLs containing HTML tags ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo(b'https://twisted.org/">', request) ++ expected = b""" ++ ++ ++ ++ ++ ++ click here ++ ++ ++""" ++ self.assertEqual(html, expected) +\ No newline at end of file +diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py +index 230c33f3e8f..4f607fa8fbe 100644 +--- a/src/twisted/web/_template_util.py ++++ b/src/twisted/web/_template_util.py +@@ -92,7 +92,7 @@ def render_GET(self, request): + + + """ % { +- b"url": URL ++ b"url": 
escape(URL.decode('utf-8')).encode('utf-8') + } + return content + + +From ed886e87dddad64f39ae094e12628dcc255c5aab Mon Sep 17 00:00:00 2001 +From: Viktor Chuchurski +Date: Fri, 26 Jul 2024 10:22:48 +0200 +Subject: [PATCH 2/6] - "redirectTo" HTML encoding test cleanup + +--- + src/twisted/test/test_redirect_html_escape.py | 46 ------------------- + src/twisted/web/test/test_util.py | 36 +++++++++++++++ + 2 files changed, 36 insertions(+), 46 deletions(-) + delete mode 100644 src/twisted/test/test_redirect_html_escape.py + +diff --git a/src/twisted/test/test_redirect_html_escape.py b/src/twisted/test/test_redirect_html_escape.py +deleted file mode 100644 +index 1f57808cced..00000000000 +--- a/src/twisted/test/test_redirect_html_escape.py ++++ /dev/null +@@ -1,46 +0,0 @@ +-# Copyright (c) Twisted Matrix Laboratories. +-# See LICENSE for details. +- +-""" +-Tests for L{twisted.web.util.redirectTo}. +-""" +-from twisted.trial import unittest +-from twisted.web.util import redirectTo +-from twisted.web.test.requesthelper import DummyRequest +- +-class RedirectHtmlEscapeTests(unittest.TestCase): +- def test_legitimate_redirect(self) -> None: +- """ +- Test how redirectTo escapes legitimate URLs +- """ +- request = DummyRequest([b""]) +- html = redirectTo(b'https://twisted.org/', request) +- expected = b""" +- +- +- +- +- +- click here +- +- +-""" +- self.assertEqual(html, expected) +- +- def test_malicious_redirect(self) -> None: +- """ +- Test how redirectTo escapes redirect URLs containing HTML tags +- """ +- request = DummyRequest([b""]) +- html = redirectTo(b'https://twisted.org/">', request) +- expected = b""" +- +- +- +- +- +- click here +- +- +-""" +- self.assertEqual(html, expected) +\ No newline at end of file +diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py +index 1e763009ca9..23af6146de1 100644 +--- a/src/twisted/web/test/test_util.py ++++ b/src/twisted/web/test/test_util.py +@@ -394,3 +394,39 @@ def 
test_renderNoFailure(self): + gc.collect() + errors = self.flushLoggedErrors(RuntimeError) + self.assertEqual(errors, []) ++ ++ def test_legitimateRedirect(self) -> None: ++ """ ++ Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo(b'https://twisted.org/', request) ++ expected = b""" ++ ++ ++ ++ ++ ++ click here ++ ++ ++""" ++ self.assertEqual(html, expected) ++ ++ def test_maliciousRedirect(self) -> None: ++ """ ++ Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo(b'https://twisted.org/">', request) ++ expected = b""" ++ ++ ++ ++ ++ ++ click here ++ ++ ++""" ++ self.assertEqual(html, expected) + +From 33edbedebad993c953905fcbaa15133c8d007bc2 Mon Sep 17 00:00:00 2001 +From: Tom Most +Date: Fri, 26 Jul 2024 13:02:36 -0700 +Subject: [PATCH 3/6] Automatic formatting changes + +--- + src/twisted/web/_template_util.py | 2 +- + src/twisted/web/test/test_util.py | 10 ++++++---- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py +index 4f607fa8fbe..7266079ac2e 100644 +--- a/src/twisted/web/_template_util.py ++++ b/src/twisted/web/_template_util.py +@@ -92,7 +92,7 @@ def render_GET(self, request): + + + """ % { +- b"url": escape(URL.decode('utf-8')).encode('utf-8') ++ b"url": escape(URL.decode("utf-8")).encode("utf-8") + } + return content + +diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py +index 23af6146de1..5ed0818bf8d 100644 +--- a/src/twisted/web/test/test_util.py ++++ b/src/twisted/web/test/test_util.py +@@ -400,7 +400,7 @@ def test_legitimateRedirect(self) -> None: + Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation + """ + request = DummyRequest([b""]) +- html = redirectTo(b'https://twisted.org/', 
request) ++ html = redirectTo(b"https://twisted.org/", request) + expected = b""" + + +@@ -410,7 +410,7 @@ def test_legitimateRedirect(self) -> None: + click here + + +-""" ++""" + self.assertEqual(html, expected) + + def test_maliciousRedirect(self) -> None: +@@ -418,7 +418,9 @@ def test_maliciousRedirect(self) -> None: + Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body + """ + request = DummyRequest([b""]) +- html = redirectTo(b'https://twisted.org/">', request) ++ html = redirectTo( ++ b'https://twisted.org/">', request ++ ) + expected = b""" + + +@@ -428,5 +430,5 @@ def test_maliciousRedirect(self) -> None: + click here + + +-""" ++""" + self.assertEqual(html, expected) + +From c1aa1a9572dc1282abd89399d15b56c61b37b80b Mon Sep 17 00:00:00 2001 +From: Tom Most +Date: Fri, 26 Jul 2024 13:08:29 -0700 +Subject: [PATCH 4/6] Move tests, fix MyPy + +--- + src/twisted/web/test/test_util.py | 77 +++++++++++++++---------------- + 1 file changed, 38 insertions(+), 39 deletions(-) + +diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py +index 5ed0818bf8d..9847dcbb8b5 100644 +--- a/src/twisted/web/test/test_util.py ++++ b/src/twisted/web/test/test_util.py +@@ -5,7 +5,6 @@ + Tests for L{twisted.web.util}. 
+ """ + +- + import gc + + from twisted.internet import defer +@@ -64,6 +63,44 @@ def test_redirectToUnicodeURL(self): + targetURL = "http://target.example.com/4321" + self.assertRaises(TypeError, redirectTo, targetURL, request) + ++ def test_legitimateRedirect(self): ++ """ ++ Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo(b"https://twisted.org/", request) ++ expected = b""" ++ ++ ++ ++ ++ ++ click here ++ ++ ++""" ++ self.assertEqual(html, expected) ++ ++ def test_maliciousRedirect(self): ++ """ ++ Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo( ++ b'https://twisted.org/">', request ++ ) ++ expected = b""" ++ ++ ++ ++ ++ ++ click here ++ ++ ++""" ++ self.assertEqual(html, expected) ++ + + class ParentRedirectTests(SynchronousTestCase): + """ +@@ -394,41 +431,3 @@ def test_renderNoFailure(self): + gc.collect() + errors = self.flushLoggedErrors(RuntimeError) + self.assertEqual(errors, []) +- +- def test_legitimateRedirect(self) -> None: +- """ +- Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation +- """ +- request = DummyRequest([b""]) +- html = redirectTo(b"https://twisted.org/", request) +- expected = b""" +- +- +- +- +- +- click here +- +- +-""" +- self.assertEqual(html, expected) +- +- def test_maliciousRedirect(self) -> None: +- """ +- Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body +- """ +- request = DummyRequest([b""]) +- html = redirectTo( +- b'https://twisted.org/">', request +- ) +- expected = b""" +- +- +- +- +- +- click here +- +- +-""" +- self.assertEqual(html, expected) + +From eae359c7d186ae2337390f1798417a168cbe080e Mon Sep 17 00:00:00 2001 +From: Tom Most +Date: Fri, 26 Jul 2024 13:10:09 -0700 +Subject: [PATCH 5/6] Add newsfragment + +--- + 
src/twisted/web/newsfragments/9839.bugfix | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 src/twisted/web/newsfragments/9839.bugfix + +diff --git a/src/twisted/web/newsfragments/9839.bugfix b/src/twisted/web/newsfragments/9839.bugfix +new file mode 100644 +index 00000000000..1e2e7f72986 +--- /dev/null ++++ b/src/twisted/web/newsfragments/9839.bugfix +@@ -0,0 +1 @@ ++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810). + +From bbb59e62473f67b2bef81f0cd3b66db2856e97fc Mon Sep 17 00:00:00 2001 +From: Viktor Chuchurski +Date: Mon, 29 Jul 2024 13:43:41 +0200 +Subject: [PATCH 6/6] - bugfix news fragment added + +--- + src/twisted/web/newsfragments/12263.bugfix | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 src/twisted/web/newsfragments/12263.bugfix + +diff --git a/src/twisted/web/newsfragments/12263.bugfix b/src/twisted/web/newsfragments/12263.bugfix +new file mode 100644 +index 00000000000..b3982ca0fb5 +--- /dev/null ++++ b/src/twisted/web/newsfragments/12263.bugfix +@@ -0,0 +1 @@ ++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810. +\ No newline at end of file diff --git a/SPECS/python-twisted/python-twisted.spec b/SPECS/python-twisted/python-twisted.spec index b23a6e6278..7c9fb8f0d0 100644 --- a/SPECS/python-twisted/python-twisted.spec +++ b/SPECS/python-twisted/python-twisted.spec @@ -2,7 +2,7 @@ Summary: An asynchronous networking framework written in Python Name: python-twisted Version: 22.10.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner 
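Review bot: The carried patch is six stacked upstream commits whose net effect is the one-line change in `_template_util.py` (`b"url": escape(URL.decode("utf-8")).encode("utf-8")`), two tests in `test_util.py` and two newsfragments; inner commits 1/6 and 2/6 add and then delete `src/twisted/test/test_redirect_html_escape.py`, 3/6 only reformats, 4/6 moves the tests, and newsfragments 9839 and 12263 say the same thing. Flattening the file to its net diff would make the backport easier to review and rebase. The spec comment added alongside says this patch is also required for CVE-2024-41671, but nothing visible here touches the request-pipelining code; if the dependency is only on shared context in `test_util.py` or the newsfragments, say so in the spec comment. Separately, `URL.decode("utf-8")` raises `UnicodeDecodeError` for a byte URL that is not valid UTF-8, where the old code interpolated the bytes unchanged; confirm that `redirectTo` callers guarantee UTF-8 or document the new failure mode.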
@@ -12,6 +12,9 @@ Source0: https://github.com/twisted/twisted/archive/twisted-%{version}.ta # Disabling UDP multicast test, which failes in container environments. # For more details, see: https://twistedmatrix.com/trac/ticket/7494 Patch0: disable_multicast_test.patch +Patch1: CVE-2024-41671.patch +# Patch2 is required for both CVE-2024-41671 and CVE-2024-41810 +Patch2: CVE-2024-41810.patch BuildRequires: python3-devel BuildRequires: python3-incremental @@ -98,6 +101,9 @@ LANG=en_US.UTF-8 sudo -u test /home/test/.local/bin/tox -e nocov-posix-alldeps %{_bindir}/cftp3 %changelog +* Thu Aug 01 2024 Sindhu Karri - 22.10.0-3 +- Fix CVE-2024-41671 and CVE-2024-41810 with a patch + * Fri Dec 16 2022 Sam Meluch - 22.10.0-2 - Update version of tox used for package tests From 063e609db9870bb8f3efc7b03be37d3f98faf8f6 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:38:53 -0700 Subject: [PATCH 26/43] [AUTO-CHERRYPICK] Fix for CVE 2024 25620 in cert-manager - branch main (#10127) Co-authored-by: bhagyapathak Co-authored-by: Pawel Winogrodzki --- SPECS/cert-manager/CVE-2024-25620.patch | 110 ++++++++++++++++++++++++ SPECS/cert-manager/cert-manager.spec | 10 ++- 2 files changed, 117 insertions(+), 3 deletions(-) create mode 100644 SPECS/cert-manager/CVE-2024-25620.patch diff --git a/SPECS/cert-manager/CVE-2024-25620.patch b/SPECS/cert-manager/CVE-2024-25620.patch new file mode 100644 index 0000000000..dee8d0457d --- /dev/null +++ b/SPECS/cert-manager/CVE-2024-25620.patch 
@@ -0,0 +1,110 @@ +From e90f3034faa9a6a23131df5665570d221e3092f3 Mon Sep 17 00:00:00 2001 +From: Bhagyashri Pathak +Date: Thu, 8 Aug 2024 10:27:21 +0530 +Subject: [PATCH] CVE-2024-25620 patch + +--- + vendor/helm.sh/helm/v3/pkg/chart/metadata.go | 4 ++++ + .../helm.sh/helm/v3/pkg/chartutil/errors.go | 8 ++++++++ + vendor/helm.sh/helm/v3/pkg/chartutil/save.go | 20 +++++++++++++++++++ + .../helm/v3/pkg/lint/rules/chartfile.go | 4 ++++ + 4 files changed, 36 insertions(+) + +diff --git a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go +index ae572ab..3834b4c 100644 +--- a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go ++++ b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go +@@ -16,6 +16,7 @@ limitations under the License. + package chart + + import ( ++ "path/filepath" + "strings" + "unicode" + +@@ -110,6 +111,9 @@ func (md *Metadata) Validate() error { + if md.Name == "" { + return ValidationError("chart.metadata.name is required") + } ++ if md.Name != filepath.Base(md.Name) { ++ return ValidationErrorf("chart.metadata.name %q is invalid", md.Name) ++ } + if md.Version == "" { + return ValidationError("chart.metadata.version is required") + } +diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go +index fcdcc27..0a4046d 100644 +--- a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go ++++ b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go +@@ -33,3 +33,11 @@ type ErrNoValue struct { + } + + func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) } ++ ++type ErrInvalidChartName struct { ++ Name string ++} ++ ++func (e ErrInvalidChartName) Error() string { ++ return fmt.Sprintf("%q is not a valid chart name", e.Name) ++} +diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go +index 2ce4edd..4ee9070 100644 +--- a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go ++++ b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go 
+@@ -39,6 +39,10 @@ var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=") + // directory, writing the chart's contents to that subdirectory. + func SaveDir(c *chart.Chart, dest string) error { + // Create the chart directory ++ err := validateName(c.Name()) ++ if err != nil { ++ return err ++ } + outdir := filepath.Join(dest, c.Name()) + if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() { + return errors.Errorf("file %s already exists and is not a directory", outdir) +@@ -149,6 +153,10 @@ func Save(c *chart.Chart, outDir string) (string, error) { + } + + func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error { ++ err := validateName(c.Name()) ++ if err != nil { ++ return err ++ } + base := filepath.Join(prefix, c.Name()) + + // Pull out the dependencies of a v1 Chart, since there's no way +@@ -242,3 +250,15 @@ func writeToTar(out *tar.Writer, name string, body []byte) error { + _, err := out.Write(body) + return err + } ++ ++// If the name has directory name has characters which would change the location ++// they need to be removed. ++func validateName(name string) error { ++ nname := filepath.Base(name) ++ ++ if nname != name { ++ return ErrInvalidChartName{name} ++ } ++ ++ return nil ++} +diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go +index b49f2ce..f8f033c 100644 +--- a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go ++++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go +@@ -107,6 +107,10 @@ func validateChartName(cf *chart.Metadata) error { + if cf.Name == "" { + return errors.New("name is required") + } ++ name := filepath.Base(cf.Name) ++ if name != cf.Name { ++ return fmt.Errorf("chart name %q is invalid", cf.Name) ++ } + return nil + } + +-- +2.34.1 + diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index 3bc1633ff7..28ccc114bc 100644 --- a/SPECS/cert-manager/cert-manager.spec 
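Review bot: `validateName` in save.go, and the parallel `md.Name != filepath.Base(md.Name)` check in metadata.go and the lint rule in chartfile.go, still accept a name that is exactly `.` or `..`, because `filepath.Base` returns those strings unchanged; the `filepath.Join(dest, c.Name())` and `filepath.Join(prefix, c.Name())` computed right after the guard would then not name a subdirectory of the intended location. Add the two cases to the guard, `if nname != name || nname == "." || nname == ".." { return ErrInvalidChartName{name} }`, and mirror it in the other two checks (or have all three call one shared helper so they cannot drift). The comment above `validateName` is garbled (`If the name has directory name has characters ...`); `// Reject names that would change the chart directory's location when joined to a path.` states the intent. Since this is a vendored copy of the upstream helm fix, the tightening should be carried upstream as well so the vendored tree does not diverge permanently.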
+++ b/SPECS/cert-manager/cert-manager.spec @@ -1,7 +1,7 @@ Summary: Automatically provision and manage TLS certificates in Kubernetes Name: cert-manager Version: 1.11.2 -Release: 12%{?dist} +Release: 13%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -22,7 +22,8 @@ Source1: %{name}-%{version}-govendor.tar.gz Patch0: CVE-2023-48795.patch Patch1: CVE-2023-45288.patch Patch2: CVE-2024-26147.patch -Patch3: CVE-2024-6104.patch +Patch3: CVE-2024-25620.patch +Patch4: CVE-2024-6104.patch BuildRequires: golang Requires: %{name}-acmesolver Requires: %{name}-cainjector @@ -115,9 +116,12 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ %{_bindir}/webhook %changelog -* Wed Jul 31 2023 Bala - 1.11.2-12 +* Mon Aug 19 2023 Bala - 1.11.2-13 - Patch for CVE-2024-6104 +* Wed Aug 07 2024 Bhagyashri Pathak - 1.11.2-12 +- Patch for CVE-2024-25620 + * Thu Jun 06 2024 CBL-Mariner Servicing Account - 1.11.2-11 - Bump release to rebuild with go 1.21.11 From a58b51846fa4e5ed780bac6eb5437c8386b20a38 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:39:02 -0700 Subject: [PATCH 27/43] [AUTO-CHERRYPICK] qt5-qtbase: Add patch to resolve CVE-2024-39936. - branch main (#10129) Co-authored-by: Sumynwa --- SPECS/qt5-qtbase/CVE-2024-39936.patch | 136 ++++++++++++++++++ ...t5-qtbase-5.15-http-encrypted-signal.patch | 105 ++++++++++++++ SPECS/qt5-qtbase/qt5-qtbase.spec | 11 +- 3 files changed, 251 insertions(+), 1 deletion(-) create mode 100644 SPECS/qt5-qtbase/CVE-2024-39936.patch create mode 100644 SPECS/qt5-qtbase/qt5-qtbase-5.15-http-encrypted-signal.patch diff --git a/SPECS/qt5-qtbase/CVE-2024-39936.patch b/SPECS/qt5-qtbase/CVE-2024-39936.patch new file mode 100644 index 0000000000..94840f6c7b --- /dev/null +++ b/SPECS/qt5-qtbase/CVE-2024-39936.patch 
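Review bot: The %changelog hunk rewrites history rather than appending to it: the existing `-12` entry's header is changed to `* Mon Aug 19 2023 Bala - 1.11.2-13` while keeping its `Patch for CVE-2024-6104` text, and a new `-12` entry for CVE-2024-25620 is inserted beneath it, so the log now claims 1.11.2-12 shipped CVE-2024-25620 and that the 6104 fix arrived in -13. The new header's year is also wrong (Aug 19 2023 was a Saturday, and the commit is dated Aug 2024), which rpmbuild reports as a bogus %changelog date, and the two entries are no longer in descending date order. Leave the -12 entry as it was and add on top `* Mon Aug 19 2024 Bhagyashri Pathak - 1.11.2-13` / `- Patch for CVE-2024-25620`. The Patch3/Patch4 renumbering in the second hunk is fine as long as the `%prep` section (outside this diff) applies patches by number rather than listing them explicitly.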
@@ -0,0 +1,136 @@ +diff --git a/src/network/access/qhttp2protocolhandler.cpp b/src/network/access/qhttp2protocolhandler.cpp +index d1b5dfda2e2..ee04a1856c6 100644 +--- a/src/network/access/qhttp2protocolhandler.cpp ++++ b/src/network/access/qhttp2protocolhandler.cpp +@@ -375,12 +375,12 @@ bool QHttp2ProtocolHandler::sendRequest() + } + } + +- if (!prefaceSent && !sendClientPreface()) +- return false; +- + if (!requests.size()) + return true; + ++ if (!prefaceSent && !sendClientPreface()) ++ return false; ++ + m_channel->state = QHttpNetworkConnectionChannel::WritingState; + // Check what was promised/pushed, maybe we do not have to send a request + // and have a response already? +diff --git a/src/network/access/qhttpnetworkconnectionchannel.cpp b/src/network/access/qhttpnetworkconnectionchannel.cpp +index bd2f32e3528..6f3bd807a09 100644 +--- a/src/network/access/qhttpnetworkconnectionchannel.cpp ++++ b/src/network/access/qhttpnetworkconnectionchannel.cpp +@@ -255,6 +255,10 @@ void QHttpNetworkConnectionChannel::abort() + bool QHttpNetworkConnectionChannel::sendRequest() + { + Q_ASSERT(!protocolHandler.isNull()); ++ if (waitingForPotentialAbort) { ++ needInvokeSendRequest = true; ++ return false; // this return value is unused ++ } + return protocolHandler->sendRequest(); + } + +@@ -267,21 +271,28 @@ bool QHttpNetworkConnectionChannel::sendRequest() + void QHttpNetworkConnectionChannel::sendRequestDelayed() + { + QMetaObject::invokeMethod(this, [this] { +- Q_ASSERT(!protocolHandler.isNull()); + if (reply) +- protocolHandler->sendRequest(); ++ sendRequest(); + }, Qt::ConnectionType::QueuedConnection); + } + + void QHttpNetworkConnectionChannel::_q_receiveReply() + { + Q_ASSERT(!protocolHandler.isNull()); ++ if (waitingForPotentialAbort) { ++ needInvokeReceiveReply = true; ++ return; ++ } + protocolHandler->_q_receiveReply(); + } + + void QHttpNetworkConnectionChannel::_q_readyRead() + { + Q_ASSERT(!protocolHandler.isNull()); ++ if (waitingForPotentialAbort) { ++ 
needInvokeReadyRead = true; ++ return; ++ } + protocolHandler->_q_readyRead(); + } + +@@ -1289,7 +1300,18 @@ void QHttpNetworkConnectionChannel::_q_encrypted() + // Similar to HTTP/1.1 counterpart below: + const auto &pairs = spdyRequestsToSend.values(); // (request, reply) + const auto &pair = pairs.first(); ++ waitingForPotentialAbort = true; + emit pair.second->encrypted(); ++ ++ // We don't send or handle any received data until any effects from ++ // emitting encrypted() have been processed. This is necessary ++ // because the user may have called abort(). We may also abort the ++ // whole connection if the request has been aborted and there is ++ // no more requests to send. ++ QMetaObject::invokeMethod(this, ++ &QHttpNetworkConnectionChannel::checkAndResumeCommunication, ++ Qt::QueuedConnection); ++ + // In case our peer has sent us its settings (window size, max concurrent streams etc.) + // let's give _q_receiveReply a chance to read them first ('invokeMethod', QueuedConnection). + QMetaObject::invokeMethod(connection, "_q_startNextRequest", Qt::QueuedConnection); +@@ -1307,6 +1329,26 @@ void QHttpNetworkConnectionChannel::_q_encrypted() + } + } + ++void QHttpNetworkConnectionChannel::checkAndResumeCommunication() ++{ ++ Q_ASSERT(connection->connectionType() > QHttpNetworkConnection::ConnectionTypeHTTP); ++ ++ // Because HTTP/2 requires that we send a SETTINGS frame as the first thing we do, and respond ++ // to a SETTINGS frame with an ACK, we need to delay any handling until we can ensure that any ++ // effects from emitting encrypted() have been processed. ++ // This function is called after encrypted() was emitted, so check for changes. 
++ ++ if (!reply && spdyRequestsToSend.isEmpty()) ++ abort(); ++ waitingForPotentialAbort = false; ++ if (needInvokeReadyRead) ++ _q_readyRead(); ++ if (needInvokeReceiveReply) ++ _q_receiveReply(); ++ if (needInvokeSendRequest) ++ sendRequest(); ++} ++ + void QHttpNetworkConnectionChannel::requeueSpdyRequests() + { + QList spdyPairs = spdyRequestsToSend.values(); +diff --git a/src/network/access/qhttpnetworkconnectionchannel_p.h b/src/network/access/qhttpnetworkconnectionchannel_p.h +index 6be0c51f9fe..613fda7bc31 100644 +--- a/src/network/access/qhttpnetworkconnectionchannel_p.h ++++ b/src/network/access/qhttpnetworkconnectionchannel_p.h +@@ -107,6 +107,10 @@ public: + QAbstractSocket *socket; + bool ssl; + bool isInitialized; ++ bool waitingForPotentialAbort = false; ++ bool needInvokeReceiveReply = false; ++ bool needInvokeReadyRead = false; ++ bool needInvokeSendRequest = false; + ChannelState state; + QHttpNetworkRequest request; // current request, only used for HTTP + QHttpNetworkReply *reply; // current reply for this request, only used for HTTP +@@ -187,6 +191,8 @@ public: + void closeAndResendCurrentRequest(); + void resendCurrentRequest(); + ++ void checkAndResumeCommunication(); ++ + bool isSocketBusy() const; + bool isSocketWriting() const; + bool isSocketWaiting() const; diff --git a/SPECS/qt5-qtbase/qt5-qtbase-5.15-http-encrypted-signal.patch b/SPECS/qt5-qtbase/qt5-qtbase-5.15-http-encrypted-signal.patch new file mode 100644 index 0000000000..ef352d22f2 --- /dev/null +++ b/SPECS/qt5-qtbase/qt5-qtbase-5.15-http-encrypted-signal.patch 
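Review bot: `checkAndResumeCommunication` consumes `needInvokeReadyRead`, `needInvokeReceiveReply` and `needInvokeSendRequest` but never clears them, so if this channel is re-initialised and `_q_encrypted` runs again on a new socket, the stale `true` values would replay a `_q_readyRead()`/`_q_receiveReply()`/`sendRequest()` that nothing requested — unless the channel's reset path, which is outside this patch, zeroes these members. Reset each flag as it is consumed, e.g. `if (needInvokeReadyRead) { needInvokeReadyRead = false; _q_readyRead(); }` and likewise for the other two. After the `abort()` call the function continues into those re-invocations; a comment stating why that is safe, or an early return, would help, since `abort()`'s effect on `protocolHandler` and `reply` is not visible here. The note `// this return value is unused` on the new early exit in `sendRequest()` is a claim about every caller that is easy to invalidate silently; either return a value consistent with the normal path or document at the call sites that the result is ignored.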
@@ -0,0 +1,105 @@ +From 09e22c6c3280d4187b1ed2d979ceea478b7bed75 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= +Date: Tue, 11 Aug 2020 17:20:03 +0200 +Subject: [PATCH] QNAM: Don't error out if the server doesn't support any ALPN + we request + +If we ask for HTTP/2 or 1.1 and the server doesn't list either then we +should still try to connect using HTTP/1(.1) just in case, to keep +compatibility. + +Task-number: QTBUG-85902 +Change-Id: I6ff2e38ac9d767e482a19ee4c81d101be37d3fab +Reviewed-by: Timur Pocheptsov +--- +From 62d85389a4a3ef22db80e721bf7c646a50874452 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= +Date: Tue, 18 Aug 2020 12:10:16 +0200 +Subject: [PATCH] http: When falling back to http/1 use the socket's ssl config + +And not the ssl configuration we have on the reply since it's missing +e.g. the newly received session ticket. + +Change-Id: Idfeb09012a847605a76d1fe4fb881c663d019b4a +Reviewed-by: Peter Hartmann +Reviewed-by: Timur Pocheptsov +--- +From 95064c35826793c5d6a4edff9fa08ad308b047bb Mon Sep 17 00:00:00 2001 +From: Timur Pocheptsov +Date: Tue, 20 Jul 2021 08:16:28 +0200 +Subject: [PATCH] H2: emit encrypted for at least the first reply, similar to + H1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: QTBUG-95277 +Change-Id: I1fe01503376c0d6278e366d7bd31b412b7cc3a69 +Reviewed-by: Mårten Nordheim +(cherry picked from commit c23b7886348dc313ccec1a131850a7cce1b429de) +--- + + src/network/access/qhttpnetworkconnectionchannel.cpp | 22 +++++++++---------- + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/src/network/access/qhttpnetworkconnectionchannel.cpp b/src/network/access/qhttpnetworkconnectionchannel.cpp +index 1fac24ab..d078b194 100644 +--- a/src/network/access/qhttpnetworkconnectionchannel.cpp ++++ b/src/network/access/qhttpnetworkconnectionchannel.cpp +@@ -1176,8 +1176,7 @@ void QHttpNetworkConnectionChannel::_q_encrypted() + // after 
establishing a secure connection we immediately start sending + // HTTP/2 frames. + switch (sslSocket->sslConfiguration().nextProtocolNegotiationStatus()) { +- case QSslConfiguration::NextProtocolNegotiationNegotiated: +- case QSslConfiguration::NextProtocolNegotiationUnsupported: { ++ case QSslConfiguration::NextProtocolNegotiationNegotiated: { + QByteArray nextProtocol = sslSocket->sslConfiguration().nextNegotiatedProtocol(); + if (nextProtocol == QSslConfiguration::NextProtocolHttp1_1) { + // fall through to create a QHttpProtocolHandler +@@ -1199,17 +1198,12 @@ void QHttpNetworkConnectionChannel::_q_encrypted() + } + } + Q_FALLTHROUGH(); ++ case QSslConfiguration::NextProtocolNegotiationUnsupported: // No agreement, try HTTP/1(.1) + case QSslConfiguration::NextProtocolNegotiationNone: { + protocolHandler.reset(new QHttpProtocolHandler(this)); +- if (!sslConfiguration.data()) { +- // Our own auto-tests bypass the normal initialization (done by +- // QHttpThreadDelegate), this means in the past we'd have here +- // the default constructed QSslConfiguration without any protocols +- // to negotiate. Let's create it now: +- sslConfiguration.reset(new QSslConfiguration); +- } + +- QList protocols = sslConfiguration->allowedNextProtocols(); ++ QSslConfiguration newConfiguration = sslSocket->sslConfiguration(); ++ QList protocols = newConfiguration.allowedNextProtocols(); + const int nProtocols = protocols.size(); + // Clear the protocol that we failed to negotiate, so we do not try + // it again on other channels that our connection can create/open. 
+@@ -1219,10 +1213,10 @@ void QHttpNetworkConnectionChannel::_q_encrypted() + protocols.removeAll(QSslConfiguration::NextProtocolSpdy3_0); + + if (nProtocols > protocols.size()) { +- sslConfiguration->setAllowedNextProtocols(protocols); ++ newConfiguration.setAllowedNextProtocols(protocols); + const int channelCount = connection->d_func()->channelCount; + for (int i = 0; i < channelCount; ++i) +- connection->d_func()->channels[i].setSslConfiguration(*sslConfiguration); ++ connection->d_func()->channels[i].setSslConfiguration(newConfiguration); + } + + connection->setConnectionType(QHttpNetworkConnection::ConnectionTypeHTTP); +@@ -1257,6 +1251,10 @@ void QHttpNetworkConnectionChannel::_q_encrypted() + connection->connectionType() == QHttpNetworkConnection::ConnectionTypeHTTP2Direct) { + // we call setSpdyWasUsed(true) on the replies in the SPDY handler when the request is sent + if (spdyRequestsToSend.count() > 0) { ++ // Similar to HTTP/1.1 counterpart below: ++ const auto &pairs = spdyRequestsToSend.values(); // (request, reply) ++ const auto &pair = pairs.first(); ++ emit pair.second->encrypted(); + // In case our peer has sent us its settings (window size, max concurrent streams etc.) + // let's give _q_receiveReply a chance to read them first ('invokeMethod', QueuedConnection). + QMetaObject::invokeMethod(connection, "_q_startNextRequest", Qt::QueuedConnection); +-- +2.25.1 diff --git a/SPECS/qt5-qtbase/qt5-qtbase.spec b/SPECS/qt5-qtbase/qt5-qtbase.spec index bf2695c8a9..858d864854 100644 --- a/SPECS/qt5-qtbase/qt5-qtbase.spec +++ b/SPECS/qt5-qtbase/qt5-qtbase.spec @@ -33,7 +33,7 @@ Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.12.11 -Release: 12%{?dist} +Release: 13%{?dist} # See LICENSE.GPL3-EXCEPT.txt, for exception details License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0 Vendor: Microsoft Corporation 
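Review bot: Moving `case QSslConfiguration::NextProtocolNegotiationUnsupported:` out of the HTTP/2 branch and onto the `NextProtocolNegotiationNone` path means a peer that negotiates no ALPN protocol is now served over HTTP/1(.1) with the socket's own SSL configuration instead of failing; that is a protocol-selection change that predates CVE-2024-39936 and nothing in this file says so beyond the three stitched `From` headers. The file carries three upstream commit messages but only the last one's diffstat and body, so a line in the preamble such as `Squashed backport of upstream 09e22c6c, 62d85389 and 95064c35; prerequisite for CVE-2024-39936.patch` would tell a future maintainer which commits are folded in and why the ALPN fallback travels with the CVE fix. The new `emit pair.second->encrypted();` in the H2 branch runs before the queued `_q_startNextRequest`, and the follow-up patch's `waitingForPotentialAbort` guard builds on exactly that emission, so the two patches must keep this order. `_q_encrypted` continues outside the hunk.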
@@ -159,6 +159,10 @@ Patch89: CVE-2021-38593.patch # Fix CVE-2022-25643 Patch90: CVE-2022-25643.patch +# Fix CVE-2024-39936 +Patch91: qt5-qtbase-5.15-http-encrypted-signal.patch +Patch92: CVE-2024-39936.patch + # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. # Those themes are there for platform integration. If the required libraries are # not there, the platform to integrate with isn't either. Then Qt will just @@ -270,6 +274,8 @@ Qt5 libraries used for drawing widgets and OpenGL items. %patch88 -p1 %patch89 -p1 %patch90 -p1 +%patch91 -p1 +%patch92 -p1 ## upstream patches @@ -775,6 +781,9 @@ fi %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake %changelog +* Wed Aug 07 2024 Sumedh Sharma - 5.12.11-13 +- Add patch to resolve CVE-2024-39936. + * Wed Mar 27 2024 Alberto David Perez Guevara - 5.12.11-12 - Add patch to resolve CVE-2022-25643. From bf541245129308e7e21c7f28d966f16ee4bb2aa0 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:39:37 -0700 Subject: [PATCH 28/43] [AUTO-CHERRYPICK] Patch Busybox for CVE-2021-42380, CVE-2023-42363, CVE-2023-42364 & CVE-2023-42365 - branch main (#10130) Co-authored-by: suresh-thelkar --- SPECS/busybox/CVE-2021-42380.patch | 83 ++ SPECS/busybox/CVE-2023-42363.patch | 63 ++ SPECS/busybox/CVE-2023-42365.patch | 1660 ++++++++++++++++++++++++++++ SPECS/busybox/busybox.spec | 9 +- 4 files changed, 1814 insertions(+), 1 deletion(-) create mode 100644 SPECS/busybox/CVE-2021-42380.patch create mode 100644 SPECS/busybox/CVE-2023-42363.patch create mode 100644 SPECS/busybox/CVE-2023-42365.patch diff --git a/SPECS/busybox/CVE-2021-42380.patch b/SPECS/busybox/CVE-2021-42380.patch new file mode 100644 index 0000000000..7d7686aa72 --- /dev/null +++ b/SPECS/busybox/CVE-2021-42380.patch 
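Review bot: The comment `# Fix CVE-2024-39936` in the `@@ -159,6 +159,10 @@` hunk covers both new patches, but Patch91 (`qt5-qtbase-5.15-http-encrypted-signal.patch`) is a squash of three earlier upstream commits that changes ALPN fallback behaviour and only prepares the ground for Patch92; splitting it into `# Prerequisite upstream backports for the CVE-2024-39936 fix` above Patch91 and `# Fix CVE-2024-39936` above Patch92 records that distinction. The `%patch91 -p1` / `%patch92 -p1` order in the `@@ -270,6 +274,8 @@` hunk is the right one, since the second patch builds on the `encrypted()` emission the first introduces. The changelog line `- Add patch to resolve CVE-2024-39936.` could read `- Add patches to resolve CVE-2024-39936.` to match the two files added.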
@@ -0,0 +1,83 @@ +From 5dcc443dba039b305a510c01883e9f34e42656ae Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Fri, 26 May 2023 19:36:58 +0200 +Subject: [PATCH 01/19] awk: fix use-after-realloc (CVE-2021-42380), closes + 15601 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 728ee8685..2af823808 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -555,7 +555,7 @@ struct globals { + const char *g_progname; + int g_lineno; + int nfields; +- int maxfields; /* used in fsrealloc() only */ ++ unsigned maxfields; + var *Fields; + char *g_pos; + char g_saved_ch; +@@ -1931,9 +1931,9 @@ static void fsrealloc(int size) + { + int i, newsize; + +- if (size >= maxfields) { +- /* Sanity cap, easier than catering for overflows */ +- if (size > 0xffffff) ++ if ((unsigned)size >= maxfields) { ++ /* Sanity cap, easier than catering for over/underflows */ ++ if ((unsigned)size > 0xffffff) + bb_die_memory_exhausted(); + + i = maxfields; +@@ -2891,6 +2891,7 @@ static var *evaluate(node *op, var *res) + uint32_t opinfo; + int opn; + node *op1; ++ var *old_Fields_ptr; + + opinfo = op->info; + opn = (opinfo & OPNMASK); +@@ -2899,10 +2900,16 @@ static var *evaluate(node *op, var *res) + debug_printf_eval("opinfo:%08x opn:%08x\n", opinfo, opn); + + /* execute inevitable things */ ++ old_Fields_ptr = NULL; + if (opinfo & OF_RES1) { + if ((opinfo & OF_REQUIRED) && !op1) + syntax_error(EMSG_TOO_FEW_ARGS); + L.v = evaluate(op1, TMPVAR0); ++ /* Does L.v point to $n variable? 
*/ ++ if ((size_t)(L.v - Fields) < maxfields) { ++ /* yes, remember where Fields[] is */ ++ old_Fields_ptr = Fields; ++ } + if (opinfo & OF_STR1) { + L.s = getvar_s(L.v); + debug_printf_eval("L.s:'%s'\n", L.s); +@@ -2921,8 +2928,15 @@ static var *evaluate(node *op, var *res) + */ + if (opinfo & OF_RES2) { + R.v = evaluate(op->r.n, TMPVAR1); +- //TODO: L.v may be invalid now, set L.v to NULL to catch bugs? +- //L.v = NULL; ++ /* Seen in $5=$$5=$0: ++ * Evaluation of R.v ($$5=$0 expression) ++ * made L.v ($5) invalid. It's detected here. ++ */ ++ if (old_Fields_ptr) { ++ //if (old_Fields_ptr != Fields) ++ // debug_printf_eval("L.v moved\n"); ++ L.v += Fields - old_Fields_ptr; ++ } + if (opinfo & OF_STR2) { + R.s = getvar_s(R.v); + debug_printf_eval("R.s:'%s'\n", R.s); +-- +2.46.0 diff --git a/SPECS/busybox/CVE-2023-42363.patch b/SPECS/busybox/CVE-2023-42363.patch new file mode 100644 index 0000000000..2cda30e07c --- /dev/null +++ b/SPECS/busybox/CVE-2023-42363.patch 
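Review bot: The containment test `if ((size_t)(L.v - Fields) < maxfields)` subtracts two pointers that, whenever `L.v` is not a field variable, point into different objects, which C leaves undefined; it works on flat-address targets because the unsigned cast turns "before Fields" into a huge value, but the intent is a range check and can be written as one without relying on that: `uintptr_t lv = (uintptr_t)L.v, base = (uintptr_t)Fields;` followed by `if (lv >= base && lv - base < (uintptr_t)maxfields * sizeof(var)) {`. The later `L.v += Fields - old_Fields_ptr;` is a difference of two pointers to the same (old and new) `Fields[]` base, so it is fine as an offset correction. Changing `maxfields` to `unsigned` and comparing `(unsigned)size` makes a negative `size` trip the `> 0xffffff` cap rather than pass the old signed check, which closes the underflow side as the updated comment says. `evaluate` continues outside the hunk.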
@@ -0,0 +1,63 @@ +From fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa Mon Sep 17 00:00:00 2001 +From: Natanael Copa +Date: Mon, 20 May 2024 17:55:28 +0200 +Subject: [PATCH 19/19] awk: fix use after free (CVE-2023-42363) + +function old new delta +evaluate 3377 3385 +8 + +Fixes https://bugs.busybox.net/show_bug.cgi?id=15865 + +Signed-off-by: Natanael Copa +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 0981c6735..ff6d6350b 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2981,19 +2981,14 @@ static var *evaluate(node *op, var *res) + /* yes, remember where Fields[] is */ + old_Fields_ptr = Fields; + } +- if (opinfo & OF_STR1) { +- L.s = getvar_s(L.v); +- debug_printf_eval("L.s:'%s'\n", L.s); +- } + if (opinfo & OF_NUM1) { + L_d = getvar_i(L.v); + debug_printf_eval("L_d:%f\n", L_d); + } + } +- /* NB: Must get string/numeric values of L (done above) +- * _before_ evaluate()'ing R.v: if both L and R are $NNNs, +- * and right one is large, then L.v points to Fields[NNN1], +- * second evaluate() reallocates and moves (!) Fields[], ++ /* NB: if both L and R are $NNNs, and right one is large, ++ * then at this pint L.v points to Fields[NNN1], second ++ * evaluate() below reallocates and moves (!) Fields[], + * R.v points to Fields[NNN2] but L.v now points to freed mem! + * (Seen trying to evaluate "$444 $44444") + */ +@@ -3013,6 +3008,16 @@ static var *evaluate(node *op, var *res) + debug_printf_eval("R.s:'%s'\n", R.s); + } + } ++ /* Get L.s _after_ R.v is evaluated: it may have realloc'd L.v ++ * so we must get the string after "old_Fields_ptr" correction ++ * above. 
Testcase: x = (v = "abc", gsub("b", "X", v)); ++ */ ++ if (opinfo & OF_RES1) { ++ if (opinfo & OF_STR1) { ++ L.s = getvar_s(L.v); ++ debug_printf_eval("L.s:'%s'\n", L.s); ++ } ++ } + + debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK)); + switch (XC(opinfo & OPCLSMASK)) { +-- +2.46.0 diff --git a/SPECS/busybox/CVE-2023-42365.patch b/SPECS/busybox/CVE-2023-42365.patch new file mode 100644 index 0000000000..956ac09dca --- /dev/null +++ b/SPECS/busybox/CVE-2023-42365.patch 
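Review bot: The comment added in the first hunk has a typo, `then at this pint L.v points to Fields[NNN1]` should read `at this point`; the hunk cannot be edited here, so it is worth fixing in the tracked copy of the patch. The relocated `OF_STR1` block now reads `L.s = getvar_s(L.v);` after the `old_Fields_ptr` correction, which this file only contains once CVE-2021-42380.patch has been applied — the busybox.spec changes are not in view, so confirm the `%patch` order keeps 42380 before 42363. The numeric read `L_d = getvar_i(L.v);` is still taken before `R.v` is evaluated, which is safe because it copies the value rather than keeping a pointer into `Fields[]`. `evaluate` continues outside the hunk.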
@@ -0,0 +1,1660 @@ +From 84ff1825dd82e8de45020e3def34d1430d8e5a99 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sat, 27 May 2023 16:16:58 +0200 +Subject: [PATCH 02/19] awk: fix splitting with default FS + +function old new delta +awk_split 543 544 +1 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 2af823808..b3748b502 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2049,13 +2049,17 @@ static int awk_split(const char *s, node *spl, char **slist) + } + return n; + } +- /* space split */ ++ /* space split: "In the special case that FS is a single space, ++ * fields are separated by runs of spaces and/or tabs and/or newlines" ++ */ + while (*s) { +- s = skip_whitespace(s); ++ /* s = skip_whitespace(s); -- WRONG (also skips \v \f \r) */ ++ while (*s == ' ' || *s == '\t' || *s == '\n') ++ s++; + if (!*s) + break; + n++; +- while (*s && !isspace(*s)) ++ while (*s && !(*s == ' ' || *s == '\t' || *s == '\n')) + *s1++ = *s++; + *s1++ = '\0'; + } +@@ -2304,7 +2308,6 @@ static int awk_getline(rstream *rsm, var *v) + setvar_i(intvar[ERRNO], errno); + } + b[p] = '\0'; +- + } while (p > pp); + + if (p == 0) { +@@ -3145,7 +3148,7 @@ static var *evaluate(node *op, var *res) + /* make sure that we never return a temp var */ + if (L.v == TMPVAR0) + L.v = res; +- /* if source is a temporary string, jusk relink it to dest */ ++ /* if source is a temporary string, just relink it to dest */ + if (R.v == TMPVAR1 + && !(R.v->type & VF_NUMBER) + /* Why check !NUMBER? 
if R.v is a number but has cached R.v->string, +-- +2.46.0 + +From 528808bcd25f7d237874dc82fad2adcddf354b42 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sat, 27 May 2023 18:05:42 +0200 +Subject: [PATCH 03/19] awk: get rid of one indirection level for iF (input + file structure) + +function old new delta +try_to_assign - 91 +91 +next_input_file 214 216 +2 +awk_main 827 826 -1 +evaluate 3403 3396 -7 +is_assignment 91 - -91 +------------------------------------------------------------------------------ +(add/remove: 1/1 grow/shrink: 1/2 up/down: 93/-99) Total: -6 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 78 +++++++++++++++++++++++++++------------------------ + 1 file changed, 41 insertions(+), 37 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index b3748b502..22f52417d 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -546,7 +546,6 @@ struct globals { + chain beginseq, mainseq, endseq; + chain *seq; + node *break_ptr, *continue_ptr; +- rstream *iF; + xhash *ahash; /* argument names, used only while parsing function bodies */ + xhash *fnhash; /* function names, used only in parsing stage */ + xhash *vhash; /* variables and arrays */ +@@ -579,11 +578,12 @@ struct globals2 { + + var *intvar[NUM_INTERNAL_VARS]; /* often used */ + ++ rstream iF; ++ + /* former statics from various functions */ + char *split_f0__fstrings; + +- rstream next_input_file__rsm; +- smallint next_input_file__files_happen; ++ smallint next_input_file__input_file_seen; + + smalluint exitcode; + +@@ -618,7 +618,6 @@ struct globals2 { + #define seq (G1.seq ) + #define break_ptr (G1.break_ptr ) + #define continue_ptr (G1.continue_ptr) +-#define iF (G1.iF ) + #define ahash (G1.ahash ) + #define fnhash (G1.fnhash ) + #define vhash (G1.vhash ) +@@ -644,6 +643,7 @@ struct globals2 { + #define t_string (G.t_string ) + #define t_lineno (G.t_lineno ) + #define intvar (G.intvar ) ++#define iF (G.iF ) + #define fsplitter 
(G.fsplitter ) + #define rsplitter (G.rsplitter ) + #define g_buf (G.g_buf ) +@@ -2799,7 +2799,7 @@ static NOINLINE var *exec_builtin(node *op, var *res) + + /* if expr looks like "var=value", perform assignment and return 1, + * otherwise return 0 */ +-static int is_assignment(const char *expr) ++static int try_to_assign(const char *expr) + { + char *exprc, *val; + +@@ -2819,39 +2819,44 @@ static int is_assignment(const char *expr) + } + + /* switch to next input file */ +-static rstream *next_input_file(void) ++static int next_input_file(void) + { +-#define rsm (G.next_input_file__rsm) +-#define files_happen (G.next_input_file__files_happen) +- +- const char *fname, *ind; ++#define input_file_seen (G.next_input_file__input_file_seen) ++ const char *fname; + +- if (rsm.F) +- fclose(rsm.F); +- rsm.F = NULL; +- rsm.pos = rsm.adv = 0; ++ if (iF.F) { ++ fclose(iF.F); ++ iF.F = NULL; ++ iF.pos = iF.adv = 0; ++ } + + for (;;) { ++ const char *ind; ++ + if (getvar_i(intvar[ARGIND])+1 >= getvar_i(intvar[ARGC])) { +- if (files_happen) +- return NULL; ++ if (input_file_seen) ++ return FALSE; + fname = "-"; +- rsm.F = stdin; ++ iF.F = stdin; + break; + } + ind = getvar_s(incvar(intvar[ARGIND])); + fname = getvar_s(findvar(iamarray(intvar[ARGV]), ind)); +- if (fname && *fname && !is_assignment(fname)) { +- rsm.F = xfopen_stdin(fname); ++ if (fname && *fname) { ++ /* "If a filename on the command line has the form ++ * var=val it is treated as a variable assignment" ++ */ ++ if (try_to_assign(fname)) ++ continue; ++ iF.F = xfopen_stdin(fname); + break; + } + } + +- files_happen = TRUE; + setvar_s(intvar[FILENAME], fname); +- return &rsm; +-#undef rsm +-#undef files_happen ++ input_file_seen = TRUE; ++ return TRUE; ++#undef input_file_seen + } + + /* +@@ -3231,12 +3236,12 @@ static var *evaluate(node *op, var *res) + } + } + } else { +- if (!iF) +- iF = next_input_file(); +- rsm = iF; ++ if (!iF.F) ++ next_input_file(); ++ rsm = &iF; + } + +- if (!rsm || !rsm->F) { ++ if 
(!rsm->F) { + setvar_i(intvar[ERRNO], errno); + setvar_i(res, -1); + break; +@@ -3659,7 +3664,7 @@ int awk_main(int argc UNUSED_PARAM, char **argv) + setvar_s(intvar[FS], opt_F); + } + while (list_v) { +- if (!is_assignment(llist_pop(&list_v))) ++ if (!try_to_assign(llist_pop(&list_v))) + bb_show_usage(); + } + +@@ -3718,15 +3723,14 @@ int awk_main(int argc UNUSED_PARAM, char **argv) + awk_exit(); + + /* input file could already be opened in BEGIN block */ +- if (!iF) +- iF = next_input_file(); +- +- /* passing through input files */ +- while (iF) { ++ if (!iF.F) ++ goto next_file; /* no, it wasn't, go try opening */ ++ /* Iterate over input files */ ++ for (;;) { + nextfile = FALSE; + setvar_i(intvar[FNR], 0); + +- while ((i = awk_getline(iF, intvar[F0])) > 0) { ++ while ((i = awk_getline(&iF, intvar[F0])) > 0) { + nextrec = FALSE; + incvar(intvar[NR]); + incvar(intvar[FNR]); +@@ -3735,11 +3739,11 @@ int awk_main(int argc UNUSED_PARAM, char **argv) + if (nextfile) + break; + } +- + if (i < 0) + syntax_error(strerror(errno)); +- +- iF = next_input_file(); ++ next_file: ++ if (!next_input_file()) ++ break; + } + + awk_exit(); +-- +2.46.0 + +From 5c8a9dfd976493e4351abadf6686b621763b564c Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sat, 27 May 2023 18:21:38 +0200 +Subject: [PATCH 04/19] awk: remove a local variable "caching" a struct member + +Since we take its address, the variable lives on stack (not a GPR). +Thus, nothing is improved by caching it. 
+ +function old new delta +awk_getline 642 639 -3 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 22f52417d..4a0eb9281 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2236,7 +2236,7 @@ static int awk_getline(rstream *rsm, var *v) + { + char *b; + regmatch_t pmatch[1]; +- int size, a, p, pp = 0; ++ int a, p, pp = 0; + int fd, so, eo, r, rp; + char c, *m, *s; + +@@ -2249,12 +2249,11 @@ static int awk_getline(rstream *rsm, var *v) + m = rsm->buffer; + a = rsm->adv; + p = rsm->pos; +- size = rsm->size; + c = (char) rsplitter.n.info; + rp = 0; + + if (!m) +- m = qrealloc(m, 256, &size); ++ m = qrealloc(m, 256, &rsm->size); + + do { + b = m + a; +@@ -2298,10 +2297,10 @@ static int awk_getline(rstream *rsm, var *v) + a = 0; + } + +- m = qrealloc(m, a+p+128, &size); ++ m = qrealloc(m, a+p+128, &rsm->size); + b = m + a; + pp = p; +- p += safe_read(fd, b+p, size-p-1); ++ p += safe_read(fd, b+p, rsm->size - p - 1); + if (p < pp) { + p = 0; + r = 0; +@@ -2325,7 +2324,6 @@ static int awk_getline(rstream *rsm, var *v) + rsm->buffer = m; + rsm->adv = a + eo; + rsm->pos = p - eo; +- rsm->size = size; + + debug_printf_eval("returning from %s(): %d\n", __func__, r); + +-- +2.46.0 + +From 21dce1c3c3d74a60959b6d8b0c76f38d463b8187 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sat, 27 May 2023 19:11:28 +0200 +Subject: [PATCH 05/19] awk: do not read ARGIND, only set it (gawk compat) + +function old new delta +next_input_file 216 243 +27 +evaluate 3396 3402 +6 +awk_main 826 829 +3 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 3/0 up/down: 36/0) Total: 36 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git 
a/editors/awk.c b/editors/awk.c +index 4a0eb9281..77e0b0aab 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -583,6 +583,7 @@ struct globals2 { + /* former statics from various functions */ + char *split_f0__fstrings; + ++ unsigned next_input_file__argind; + smallint next_input_file__input_file_seen; + + smalluint exitcode; +@@ -2820,6 +2821,7 @@ static int try_to_assign(const char *expr) + static int next_input_file(void) + { + #define input_file_seen (G.next_input_file__input_file_seen) ++#define argind (G.next_input_file__argind) + const char *fname; + + if (iF.F) { +@@ -2829,17 +2831,22 @@ static int next_input_file(void) + } + + for (;;) { +- const char *ind; +- +- if (getvar_i(intvar[ARGIND])+1 >= getvar_i(intvar[ARGC])) { ++ /* GNU Awk 5.1.1 does not _read_ ARGIND (but does read ARGC). ++ * It only sets ARGIND to 1, 2, 3... for every command-line filename ++ * (VAR=VAL params cause a gap in numbering). ++ * If there are none and stdin is used, then ARGIND is not modified: ++ * if it is set by e.g. 'BEGIN { ARGIND="foo" }', that value will ++ * still be there. 
++ */ ++ argind++; ++ if (argind >= getvar_i(intvar[ARGC])) { + if (input_file_seen) + return FALSE; + fname = "-"; + iF.F = stdin; + break; + } +- ind = getvar_s(incvar(intvar[ARGIND])); +- fname = getvar_s(findvar(iamarray(intvar[ARGV]), ind)); ++ fname = getvar_s(findvar(iamarray(intvar[ARGV]), utoa(argind))); + if (fname && *fname) { + /* "If a filename on the command line has the form + * var=val it is treated as a variable assignment" +@@ -2847,6 +2854,7 @@ static int next_input_file(void) + if (try_to_assign(fname)) + continue; + iF.F = xfopen_stdin(fname); ++ setvar_i(intvar[ARGIND], argind); + break; + } + } +@@ -2854,6 +2862,7 @@ static int next_input_file(void) + setvar_s(intvar[FILENAME], fname); + input_file_seen = TRUE; + return TRUE; ++#undef argind + #undef input_file_seen + } + +-- +2.46.0 + +From b76b420b5da1aadad823faf12327b610614f5951 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sun, 28 May 2023 17:25:56 +0200 +Subject: [PATCH 06/19] awk: fix closing of non-opened file + +function old new delta +setvar_ERRNO - 53 +53 +.rodata 105252 105246 -6 +awk_getline 639 620 -19 +evaluate 3402 3377 -25 +------------------------------------------------------------------------------ +(add/remove: 1/0 grow/shrink: 0/3 up/down: 53/-50) Total: 3 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 77e0b0aab..83a08aa95 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -1006,6 +1006,11 @@ static var *setvar_i(var *v, double value) + return v; + } + ++static void setvar_ERRNO(void) ++{ ++ setvar_i(intvar[ERRNO], errno); ++} ++ + static const char *getvar_s(var *v) + { + /* if v is numeric and has no cached string, convert it to string */ +@@ -2305,7 +2310,7 @@ static int awk_getline(rstream *rsm, var *v) + if (p < pp) { + p = 0; + r = 0; +- setvar_i(intvar[ERRNO], errno); ++ 
setvar_ERRNO(); + } + b[p] = '\0'; + } while (p > pp); +@@ -3249,7 +3254,7 @@ static var *evaluate(node *op, var *res) + } + + if (!rsm->F) { +- setvar_i(intvar[ERRNO], errno); ++ setvar_ERRNO(); + setvar_i(res, -1); + break; + } +@@ -3388,16 +3393,18 @@ static var *evaluate(node *op, var *res) + */ + if (rsm->F) + err = rsm->is_pipe ? pclose(rsm->F) : fclose(rsm->F); +-//TODO: fix this case: +-// $ awk 'BEGIN { print close(""); print ERRNO }' +-// -1 +-// close of redirection that was never opened +-// (we print 0, 0) + free(rsm->buffer); + hash_remove(fdhash, L.s); ++ } else { ++ err = -1; ++ /* gawk 'BEGIN { print close(""); print ERRNO }' ++ * -1 ++ * close of redirection that was never opened ++ */ ++ errno = ENOENT; + } + if (err) +- setvar_i(intvar[ERRNO], errno); ++ setvar_ERRNO(); + R_d = (double)err; + break; + } +-- +2.46.0 + +From 05e60007d42b8e4005085a22e122ef70bf888fa5 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sun, 28 May 2023 17:51:59 +0200 +Subject: [PATCH 07/19] awk: code shrink + +function old new delta +awk_getline 620 591 -29 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 47 ++++++++++++++++++++++++----------------------- + 1 file changed, 24 insertions(+), 23 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 83a08aa95..eb419e063 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2242,9 +2242,9 @@ static int awk_getline(rstream *rsm, var *v) + { + char *b; + regmatch_t pmatch[1]; +- int a, p, pp = 0; +- int fd, so, eo, r, rp; +- char c, *m, *s; ++ int p, pp; ++ int fd, so, eo, retval, rp; ++ char *m, *s; + + debug_printf_eval("entered %s()\n", __func__); + +@@ -2253,22 +2253,22 @@ static int awk_getline(rstream *rsm, var *v) + */ + fd = fileno(rsm->F); + m = rsm->buffer; +- a = rsm->adv; +- p = rsm->pos; +- c = (char) rsplitter.n.info; +- rp = 0; +- + if (!m) + m = qrealloc(m, 256, &rsm->size); ++ p = rsm->pos; ++ rp = 0; ++ pp = 0; + + do { +- b = m + a; ++ b = m + 
rsm->adv; + so = eo = p; +- r = 1; ++ retval = 1; + if (p > 0) { ++ char c = (char) rsplitter.n.info; + if (rsplitter.n.info == TI_REGEXP) { + if (regexec(icase ? rsplitter.n.r.ire : rsplitter.n.l.re, +- b, 1, pmatch, 0) == 0) { ++ b, 1, pmatch, 0) == 0 ++ ) { + so = pmatch[0].rm_so; + eo = pmatch[0].rm_eo; + if (b[eo] != '\0') +@@ -2297,43 +2297,44 @@ static int awk_getline(rstream *rsm, var *v) + } + } + +- if (a > 0) { +- memmove(m, m+a, p+1); ++ if (rsm->adv > 0) { ++ memmove(m, m+rsm->adv, p+1); + b = m; +- a = 0; ++ rsm->adv = 0; + } + +- m = qrealloc(m, a+p+128, &rsm->size); +- b = m + a; ++ b = m = qrealloc(m, p+128, &rsm->size); + pp = p; + p += safe_read(fd, b+p, rsm->size - p - 1); + if (p < pp) { + p = 0; +- r = 0; ++ retval = 0; + setvar_ERRNO(); + } + b[p] = '\0'; + } while (p > pp); + + if (p == 0) { +- r--; ++ retval--; + } else { +- c = b[so]; b[so] = '\0'; ++ char c = b[so]; ++ b[so] = '\0'; + setvar_s(v, b+rp); + v->type |= VF_USER; + b[so] = c; +- c = b[eo]; b[eo] = '\0'; ++ c = b[eo]; ++ b[eo] = '\0'; + setvar_s(intvar[RT], b+so); + b[eo] = c; + } + + rsm->buffer = m; +- rsm->adv = a + eo; ++ rsm->adv += eo; + rsm->pos = p - eo; + +- debug_printf_eval("returning from %s(): %d\n", __func__, r); ++ debug_printf_eval("returning from %s(): %d\n", __func__, retval); + +- return r; ++ return retval; + } + + /* formatted output into an allocated buffer, return ptr to buffer */ +-- +2.46.0 + +From 4d7339204f9f823f592562d9903db3ae79a6c640 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sun, 28 May 2023 18:00:51 +0200 +Subject: [PATCH 08/19] awk: shrink - use setvar_sn() to set variables from + non-NUL terminated strings + +function old new delta +setvar_sn - 39 +39 +exec_builtin 1145 1136 -9 +awk_getline 591 559 -32 +------------------------------------------------------------------------------ +(add/remove: 1/0 grow/shrink: 0/2 up/down: 39/-41) Total: -2 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + 
editors/awk.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index eb419e063..b5774a339 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -979,6 +979,11 @@ static var *setvar_s(var *v, const char *value) + return setvar_p(v, (value && *value) ? xstrdup(value) : NULL); + } + ++static var *setvar_sn(var *v, const char *value, int len) ++{ ++ return setvar_p(v, (value && *value && len > 0) ? xstrndup(value, len) : NULL); ++} ++ + /* same as setvar_s but sets USER flag */ + static var *setvar_u(var *v, const char *value) + { +@@ -2317,15 +2322,9 @@ static int awk_getline(rstream *rsm, var *v) + if (p == 0) { + retval--; + } else { +- char c = b[so]; +- b[so] = '\0'; +- setvar_s(v, b+rp); ++ setvar_sn(v, b+rp, so-rp); + v->type |= VF_USER; +- b[so] = c; +- c = b[eo]; +- b[eo] = '\0'; +- setvar_s(intvar[RT], b+so); +- b[eo] = c; ++ setvar_sn(intvar[RT], b+so, eo-so); + } + + rsm->buffer = m; +@@ -2677,8 +2676,6 @@ static NOINLINE var *exec_builtin(node *op, var *res) + } + + case B_ss: { +- char *s; +- + l = strlen(as[0]); + i = getvar_i(av[1]) - 1; + if (i > l) +@@ -2688,8 +2685,7 @@ static NOINLINE var *exec_builtin(node *op, var *res) + n = (nargs > 2) ? getvar_i(av[2]) : l-i; + if (n < 0) + n = 0; +- s = xstrndup(as[0]+i, n); +- setvar_p(res, s); ++ setvar_sn(res, as[0]+i, n); + break; + } + +@@ -2766,8 +2762,7 @@ static NOINLINE var *exec_builtin(node *op, var *res) + i = strftime(g_buf, MAXVARFMT, + ((nargs > 0) ? 
as[0] : "%a %b %d %H:%M:%S %Z %Y"), + localtime(&tt)); +- g_buf[i] = '\0'; +- setvar_s(res, g_buf); ++ setvar_sn(res, g_buf, i); + break; + + case B_mt: +-- +2.46.0 + +From 721bf6eaf4739a2865b071b38d3478f334234d26 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Mon, 29 May 2023 10:55:40 +0200 +Subject: [PATCH 09/19] awk: printf(INVALID_FMT) prints it verbatim + +function old new delta +awk_printf 628 640 +12 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index b5774a339..c49ad6e02 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2389,7 +2389,7 @@ static char *awk_printf(node *n, size_t *len) + while (1) { + if (isalpha(c)) + break; +- if (c == '*') ++ if (c == '*') /* gawk supports %*d and %*.*f, we don't... */ + syntax_error("%*x formats are not supported"); + c = *++f; + if (!c) { /* "....%...." and no letter found after % */ +@@ -2422,12 +2422,18 @@ static char *awk_printf(node *n, size_t *len) + double d = getvar_i(arg); + if (strchr("diouxX", c)) { + //TODO: make it wider here (%x -> %llx etc)? ++//Can even print the value into a temp string with %.0f, ++//then replace diouxX with s and print that string. 
++//This will correctly print even very large numbers, ++//but some replacements are not equivalent: ++//%09d -> %09s: breaks zero-padding; ++//%+d -> %+s: won't prepend +; etc + s = xasprintf(s, (int)d); + } else if (strchr("eEfFgGaA", c)) { + s = xasprintf(s, d); + } else { +-//TODO: GNU Awk 5.0.1: printf "%W" prints "%W", does not error out +- syntax_error(EMSG_INV_FMT); ++ /* gawk 5.1.1 printf("%W") prints "%W", does not error out */ ++ s = xstrndup(s, f - s); + } + } + slen = strlen(s); +-- +2.46.0 + +From 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Tue, 30 May 2023 16:42:18 +0200 +Subject: [PATCH 10/19] awk: fix precedence of = relative to == + +Discovered while adding code to disallow assignments to non-lvalues + +function old new delta +parse_expr 936 991 +55 +.rodata 105243 105247 +4 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 2/0 up/down: 59/0) Total: 59 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 66 +++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 45 insertions(+), 21 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index c49ad6e02..0f062dcdb 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -337,7 +337,9 @@ static void debug_parse_print_tc(uint32_t n) + #undef P + #undef PRIMASK + #undef PRIMASK2 +-#define P(x) (x << 24) ++/* Smaller 'x' means _higher_ operator precedence */ ++#define PRECEDENCE(x) (x << 24) ++#define P(x) PRECEDENCE(x) + #define PRIMASK 0x7F000000 + #define PRIMASK2 0x7E000000 + +@@ -360,7 +362,7 @@ enum { + OC_MOVE = 0x1f00, OC_PGETLINE = 0x2000, OC_REGEXP = 0x2100, + OC_REPLACE = 0x2200, OC_RETURN = 0x2300, OC_SPRINTF = 0x2400, + OC_TERNARY = 0x2500, OC_UNARY = 0x2600, OC_VAR = 0x2700, +- OC_DONE = 0x2800, ++ OC_CONST = 0x2800, OC_DONE = 0x2900, + + ST_IF = 0x3000, ST_DO = 0x3100, ST_FOR = 0x3200, + ST_WHILE = 0x3300 +@@ -440,9 
+442,9 @@ static const uint32_t tokeninfo[] ALIGN4 = { + #define TI_PREINC (OC_UNARY|xV|P(9)|'P') + #define TI_PREDEC (OC_UNARY|xV|P(9)|'M') + TI_PREINC, TI_PREDEC, OC_FIELD|xV|P(5), +- OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(74), OC_REPLACE|NV|P(74)|'+', OC_REPLACE|NV|P(74)|'-', +- OC_REPLACE|NV|P(74)|'*', OC_REPLACE|NV|P(74)|'/', OC_REPLACE|NV|P(74)|'%', OC_REPLACE|NV|P(74)|'&', +- OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(74)|'&', OC_BINARY|NV|P(15)|'&', ++ OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(38), OC_REPLACE|NV|P(38)|'+', OC_REPLACE|NV|P(38)|'-', ++ OC_REPLACE|NV|P(38)|'*', OC_REPLACE|NV|P(38)|'/', OC_REPLACE|NV|P(38)|'%', OC_REPLACE|NV|P(38)|'&', ++ OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(38)|'&', OC_BINARY|NV|P(15)|'&', + OC_BINARY|NV|P(25)|'/', OC_BINARY|NV|P(25)|'%', OC_BINARY|NV|P(15)|'&', OC_BINARY|NV|P(25)|'*', + OC_COMPARE|VV|P(39)|4, OC_COMPARE|VV|P(39)|3, OC_COMPARE|VV|P(39)|0, OC_COMPARE|VV|P(39)|1, + #define TI_LESS (OC_COMPARE|VV|P(39)|2) +@@ -1301,7 +1303,7 @@ static uint32_t next_token(uint32_t expected) + save_tclass = tc; + save_info = t_info; + tc = TC_BINOPX; +- t_info = OC_CONCAT | SS | P(35); ++ t_info = OC_CONCAT | SS | PRECEDENCE(35); + } + + t_tclass = tc; +@@ -1361,9 +1363,8 @@ static node *parse_expr(uint32_t term_tc) + { + node sn; + node *cn = &sn; +- node *vn, *glptr; ++ node *glptr; + uint32_t tc, expected_tc; +- var *v; + + debug_printf_parse("%s() term_tc(%x):", __func__, term_tc); + debug_parse_print_tc(term_tc); +@@ -1374,11 +1375,12 @@ static node *parse_expr(uint32_t term_tc) + expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP | term_tc; + + while (!((tc = next_token(expected_tc)) & term_tc)) { ++ node *vn; + + if (glptr && (t_info == TI_LESS)) { + /* input redirection (<) attached to glptr node */ + debug_printf_parse("%s: input redir\n", __func__); +- cn = glptr->l.n = new_node(OC_CONCAT | SS | P(37)); ++ cn = glptr->l.n = new_node(OC_CONCAT | SS | PRECEDENCE(37)); + cn->a.n = glptr; 
+ expected_tc = TS_OPERAND | TS_UOPPRE; + glptr = NULL; +@@ -1390,24 +1392,42 @@ static node *parse_expr(uint32_t term_tc) + * previous operators with higher priority */ + vn = cn; + while (((t_info & PRIMASK) > (vn->a.n->info & PRIMASK2)) +- || ((t_info == vn->info) && t_info == TI_COLON) ++ || (t_info == vn->info && t_info == TI_COLON) + ) { + vn = vn->a.n; + if (!vn->a.n) syntax_error(EMSG_UNEXP_TOKEN); + } + if (t_info == TI_TERNARY) + //TODO: why? +- t_info += P(6); ++ t_info += PRECEDENCE(6); + cn = vn->a.n->r.n = new_node(t_info); + cn->a.n = vn->a.n; + if (tc & TS_BINOP) { + cn->l.n = vn; +-//FIXME: this is the place to detect and reject assignments to non-lvalues. +-//Currently we allow "assignments" to consts and temporaries, nonsense like this: +-// awk 'BEGIN { "qwe" = 1 }' +-// awk 'BEGIN { 7 *= 7 }' +-// awk 'BEGIN { length("qwe") = 1 }' +-// awk 'BEGIN { (1+1) += 3 }' ++ ++ /* Prevent: ++ * awk 'BEGIN { "qwe" = 1 }' ++ * awk 'BEGIN { 7 *= 7 }' ++ * awk 'BEGIN { length("qwe") = 1 }' ++ * awk 'BEGIN { (1+1) += 3 }' ++ */ ++ /* Assignment? (including *= and friends) */ ++ if (((t_info & OPCLSMASK) == OC_MOVE) ++ || ((t_info & OPCLSMASK) == OC_REPLACE) ++ ) { ++ debug_printf_parse("%s: MOVE/REPLACE vn->info:%08x\n", __func__, vn->info); ++ /* Left side is a (variable or array element) ++ * or function argument ++ * or $FIELD ? ++ */ ++ if ((vn->info & OPCLSMASK) != OC_VAR ++ && (vn->info & OPCLSMASK) != OC_FNARG ++ && (vn->info & OPCLSMASK) != OC_FIELD ++ ) { ++ syntax_error(EMSG_UNEXP_TOKEN); /* no. 
bad */ ++ } ++ } ++ + expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP; + if (t_info == TI_PGETLINE) { + /* it's a pipe */ +@@ -1443,6 +1463,8 @@ static node *parse_expr(uint32_t term_tc) + /* one should be very careful with switch on tclass - + * only simple tclasses should be used (TC_xyz, not TS_xyz) */ + switch (tc) { ++ var *v; ++ + case TC_VARIABLE: + case TC_ARRAY: + debug_printf_parse("%s: TC_VARIABLE | TC_ARRAY\n", __func__); +@@ -1463,14 +1485,14 @@ static node *parse_expr(uint32_t term_tc) + case TC_NUMBER: + case TC_STRING: + debug_printf_parse("%s: TC_NUMBER | TC_STRING\n", __func__); +- cn->info = OC_VAR; ++ cn->info = OC_CONST; + v = cn->l.v = xzalloc(sizeof(var)); +- if (tc & TC_NUMBER) ++ if (tc & TC_NUMBER) { + setvar_i(v, t_double); +- else { ++ } else { + setvar_s(v, t_string); +- expected_tc &= ~TC_UOPPOST; /* "str"++ is not allowed */ + } ++ expected_tc &= ~TC_UOPPOST; /* NUM++, "str"++ not allowed */ + break; + + case TC_REGEXP: +@@ -3124,6 +3146,8 @@ static var *evaluate(node *op, var *res) + + /* -- recursive node type -- */ + ++ case XC( OC_CONST ): ++ debug_printf_eval("CONST "); + case XC( OC_VAR ): + debug_printf_eval("VAR\n"); + L.v = op->l.v; +-- +2.46.0 + +From 5f84c5633663f6ee8c9cc3a4608b86d4b56b39d6 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sat, 3 Jun 2023 00:39:33 +0200 +Subject: [PATCH 11/19] awk: fix backslash handling in sub() builtins + +function old new delta +awk_sub 559 544 -15 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 41 +++++++++++++++++++---------------------- + 1 file changed, 19 insertions(+), 22 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 0f062dcdb..f77573806 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2492,7 +2492,7 @@ static char *awk_printf(node *n, size_t *len) + * store result into (dest), return number of substitutions. + * If nm = 0, replace all matches. + * If src or dst is NULL, use $0. 
+- * If subexp != 0, enable subexpression matching (\1-\9). ++ * If subexp != 0, enable subexpression matching (\0-\9). + */ + static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int subexp) + { +@@ -2520,35 +2520,32 @@ static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int + residx += eo; + if (++match_no >= nm) { + const char *s; +- int nbs; ++ int bslash; + + /* replace */ + residx -= (eo - so); +- nbs = 0; ++ bslash = 0; + for (s = repl; *s; s++) { +- char c = resbuf[residx++] = *s; +- if (c == '\\') { +- nbs++; +- continue; ++ char c = *s; ++ if (c == '\\' && s[1]) { ++ bslash ^= 1; ++ if (bslash) ++ continue; + } +- if (c == '&' || (subexp && c >= '0' && c <= '9')) { +- int j; +- residx -= ((nbs + 3) >> 1); +- j = 0; ++ if ((!bslash && c == '&') ++ || (subexp && bslash && c >= '0' && c <= '9') ++ ) { ++ int n, j = 0; + if (c != '&') { + j = c - '0'; +- nbs++; + } +- if (nbs % 2) { +- resbuf[residx++] = c; +- } else { +- int n = pmatch[j].rm_eo - pmatch[j].rm_so; +- resbuf = qrealloc(resbuf, residx + replen + n, &resbufsize); +- memcpy(resbuf + residx, sp + pmatch[j].rm_so, n); +- residx += n; +- } +- } +- nbs = 0; ++ n = pmatch[j].rm_eo - pmatch[j].rm_so; ++ resbuf = qrealloc(resbuf, residx + replen + n, &resbufsize); ++ memcpy(resbuf + residx, sp + pmatch[j].rm_so, n); ++ residx += n; ++ } else ++ resbuf[residx++] = c; ++ bslash = 0; + } + } + +-- +2.46.0 + +From f4789164e0716a8b1f98cf4149a3eb2dad485b8b Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Tue, 6 Jun 2023 12:48:11 +0200 +Subject: [PATCH 12/19] awk: code shrink + +function old new delta +awk_sub 544 548 +4 +exec_builtin 1136 1130 -6 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 1/1 up/down: 4/-6) Total: -2 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + 
+diff --git a/editors/awk.c b/editors/awk.c +index f77573806..b3871ffc5 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2494,7 +2494,7 @@ static char *awk_printf(node *n, size_t *len) + * If src or dst is NULL, use $0. + * If subexp != 0, enable subexpression matching (\0-\9). + */ +-static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int subexp) ++static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest /*,int subexp*/) + { + char *resbuf; + const char *sp; +@@ -2502,6 +2502,8 @@ static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int + int regexec_flags; + regmatch_t pmatch[10]; + regex_t sreg, *regex; ++ /* True only if called to implement gensub(): */ ++ int subexp = (src != dest); + + resbuf = NULL; + residx = 0; +@@ -2549,7 +2551,6 @@ static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int + } + } + +- regexec_flags = REG_NOTBOL; + sp += eo; + if (match_no == nm) + break; +@@ -2570,6 +2571,7 @@ static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int + sp++; + residx++; + } ++ regexec_flags = REG_NOTBOL; + } + + resbuf = qrealloc(resbuf, residx + strlen(sp), &resbufsize); +@@ -2798,16 +2800,16 @@ static NOINLINE var *exec_builtin(node *op, var *res) + res = do_match(an[1], as[0]); + break; + +- case B_ge: +- awk_sub(an[0], as[1], getvar_i(av[2]), av[3], res, TRUE); ++ case B_ge: /* gensub(regex, repl, matchnum, string) */ ++ awk_sub(an[0], as[1], /*matchnum:*/getvar_i(av[2]), /*src:*/av[3], /*dst:*/res/*, TRUE*/); + break; + +- case B_gs: +- setvar_i(res, awk_sub(an[0], as[1], 0, av[2], av[2], FALSE)); ++ case B_gs: /* gsub(regex, repl, string) */ ++ setvar_i(res, awk_sub(an[0], as[1], /*matchnum:all*/0, /*src:*/av[2], /*dst:*/av[2]/*, FALSE*/)); + break; + +- case B_su: +- setvar_i(res, awk_sub(an[0], as[1], 1, av[2], av[2], FALSE)); ++ case B_su: /* sub(regex, repl, string) */ ++ setvar_i(res, awk_sub(an[0], as[1], /*matchnum:first*/1, 
/*src:*/av[2], /*dst:*/av[2]/*, FALSE*/)); + break; + } + +-- +2.46.0 + +From 113685fbcd4c3432ec9b640583d50ba8da2102e8 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Wed, 7 Jun 2023 10:54:34 +0200 +Subject: [PATCH 13/19] awk: fix SEGV on read error in -f PROGFILE + +function old new delta +awk_main 829 843 +14 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index b3871ffc5..df9b7fdc9 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -3609,8 +3609,6 @@ static var *evaluate(node *op, var *res) + #undef sreg + } + +-/* -------- main & co. -------- */ +- + static int awk_exit(void) + { + unsigned i; +@@ -3717,6 +3715,8 @@ int awk_main(int argc UNUSED_PARAM, char **argv) + g_progname = llist_pop(&list_f); + fd = xopen_stdin(g_progname); + s = xmalloc_read(fd, NULL); /* it's NUL-terminated */ ++ if (!s) ++ bb_perror_msg_and_die("read error from '%s'", g_progname); + close(fd); + parse_program(s); + free(s); +-- +2.46.0 + +From 2ca39ffd447ca874fcea933194829717d5573247 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Thu, 8 Jun 2023 10:42:39 +0200 +Subject: [PATCH 14/19] awk: fix subst code to handle "start of word" pattern + correctly (needs REG_STARTEND) + +function old new delta +awk_sub 637 714 +77 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 49 ++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 36 insertions(+), 13 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index df9b7fdc9..171f0a7ea 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2504,17 +2504,46 @@ static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest /*,in + regex_t sreg, *regex; + /* True only if called to implement gensub(): */ + int subexp = (src != dest); +- ++#if defined(REG_STARTEND) ++ const char *src_string; ++ size_t src_strlen; ++ 
regexec_flags = REG_STARTEND; ++#else ++ regexec_flags = 0; ++#endif + resbuf = NULL; + residx = 0; + match_no = 0; +- regexec_flags = 0; + regex = as_regex(rn, &sreg); + sp = getvar_s(src ? src : intvar[F0]); ++#if defined(REG_STARTEND) ++ src_string = sp; ++ src_strlen = strlen(src_string); ++#endif + replen = strlen(repl); +- while (regexec(regex, sp, 10, pmatch, regexec_flags) == 0) { +- int so = pmatch[0].rm_so; +- int eo = pmatch[0].rm_eo; ++ for (;;) { ++ int so, eo; ++ ++#if defined(REG_STARTEND) ++// REG_STARTEND: "This flag is a BSD extension, not present in POSIX" ++ size_t start_ofs = sp - src_string; ++ pmatch[0].rm_so = start_ofs; ++ pmatch[0].rm_eo = src_strlen; ++ if (regexec(regex, src_string, 10, pmatch, regexec_flags) != 0) ++ break; ++ eo = pmatch[0].rm_eo - start_ofs; ++ so = pmatch[0].rm_so - start_ofs; ++#else ++// BUG: ++// gsub(/\ +Date: Mon, 10 Jul 2023 17:25:21 +0200 +Subject: [PATCH 15/19] Update applet size estimates + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 171f0a7ea..efdff2778 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -7,7 +7,7 @@ + * Licensed under GPLv2 or later, see file LICENSE in this source tree. + */ + //config:config AWK +-//config: bool "awk (23 kb)" ++//config: bool "awk (24 kb)" + //config: default y + //config: help + //config: Awk is used as a pattern scanning and processing language. 
+-- +2.46.0 + +From 92ab29fcf04bc3ff3d3ad897f1c2463d8b8d1410 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Mon, 2 Oct 2023 15:24:06 +0200 +Subject: [PATCH 16/19] awk: implement -E; do not reorder -f and -e + +function old new delta +awk_main 843 891 +48 +next_input_file 243 261 +18 +packed_usage 34631 34638 +7 +.rodata 105391 105390 -1 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 3/1 up/down: 73/-1) Total: 72 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 113 +++++++++++++++++++++++++++++--------------------- + 1 file changed, 65 insertions(+), 48 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index efdff2778..bc95c4155 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -40,7 +40,7 @@ + //usage:#define awk_full_usage "\n\n" + //usage: " -v VAR=VAL Set variable" + //usage: "\n -F SEP Use SEP as field separator" +-//usage: "\n -f FILE Read program from FILE" ++//usage: "\n -f/-E FILE Read program from FILE" + //usage: IF_FEATURE_AWK_GNU_EXTENSIONS( + //usage: "\n -e AWK_PROGRAM" + //usage: ) +@@ -76,8 +76,8 @@ + * 1: -argz + */ + #define OPTSTR_AWK "+" \ +- "F:v:*f:*" \ +- IF_FEATURE_AWK_GNU_EXTENSIONS("e:*") \ ++ "F:v:f:" \ ++ IF_FEATURE_AWK_GNU_EXTENSIONS("e:E:") \ + "W:" + enum { + OPTBIT_F, /* define field separator */ +@@ -560,6 +560,7 @@ struct globals { + var *Fields; + char *g_pos; + char g_saved_ch; ++ smallint got_program; + smallint icase; + smallint exiting; + smallint nextrec; +@@ -635,6 +636,7 @@ struct globals2 { + #define Fields (G1.Fields ) + #define g_pos (G1.g_pos ) + #define g_saved_ch (G1.g_saved_ch ) ++#define got_program (G1.got_program ) + #define icase (G1.icase ) + #define exiting (G1.exiting ) + #define nextrec (G1.nextrec ) +@@ -2899,11 +2901,13 @@ static int next_input_file(void) + } + fname = getvar_s(findvar(iamarray(intvar[ARGV]), utoa(argind))); + if (fname && *fname) { +- /* "If a filename on 
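Review bot: The usage hunk advertises `-f/-E FILE` unconditionally, but the option-string hunk only accepts `E:` inside `IF_FEATURE_AWK_GNU_EXTENSIONS(...)`, so a build without GNU extensions prints help for an option that getopt() will reject. The `-E` text should live inside the same conditional as `-e`, and since -E differs from -f (it is the last option processed and disables var=val handling of arguments) it deserves its own line: keep `"\n	-f FILE		Read program from FILE"` as it was, and inside the `IF_FEATURE_AWK_GNU_EXTENSIONS(` block add `"\n	-E FILE		Like -f, but last option; args are not var=val"`. The `case 'E':` label in awk_main() (a later hunk) is likewise compiled outside any feature guard, which is harmless only because getopt() never returns 'E' in that configuration — a one-line comment there would save the next reader the same check.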
the command line has the form +- * var=val it is treated as a variable assignment" +- */ +- if (try_to_assign(fname)) +- continue; ++ if (got_program != 2) { /* there was no -E option */ ++ /* "If a filename on the command line has the form ++ * var=val it is treated as a variable assignment" ++ */ ++ if (try_to_assign(fname)) ++ continue; ++ } + iF.F = xfopen_stdin(fname); + setvar_i(intvar[ARGIND], argind); + break; +@@ -3659,13 +3663,7 @@ static int awk_exit(void) + int awk_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; + int awk_main(int argc UNUSED_PARAM, char **argv) + { +- unsigned opt; +- char *opt_F; +- llist_t *list_v = NULL; +- llist_t *list_f = NULL; +-#if ENABLE_FEATURE_AWK_GNU_EXTENSIONS +- llist_t *list_e = NULL; +-#endif ++ int ch; + int i; + + INIT_G(); +@@ -3714,49 +3712,68 @@ int awk_main(int argc UNUSED_PARAM, char **argv) + } + } + } +- opt = getopt32(argv, OPTSTR_AWK, &opt_F, &list_v, &list_f, IF_FEATURE_AWK_GNU_EXTENSIONS(&list_e,) NULL); +- argv += optind; +- //argc -= optind; +- if (opt & OPT_W) +- bb_simple_error_msg("warning: option -W is ignored"); +- if (opt & OPT_F) { +- unescape_string_in_place(opt_F); +- setvar_s(intvar[FS], opt_F); +- } +- while (list_v) { +- if (!try_to_assign(llist_pop(&list_v))) +- bb_show_usage(); +- } + +- /* Parse all supplied programs */ + fnhash = hash_init(); + ahash = hash_init(); +- while (list_f) { +- int fd; +- char *s; + +- g_progname = llist_pop(&list_f); +- fd = xopen_stdin(g_progname); +- s = xmalloc_read(fd, NULL); /* it's NUL-terminated */ +- if (!s) +- bb_perror_msg_and_die("read error from '%s'", g_progname); +- close(fd); +- parse_program(s); +- free(s); +- } +- g_progname = "cmd. 
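Review bot: `if (got_program != 2) { /* there was no -E option */` in next_input_file() compares against a magic value whose meaning (0 = no program yet, 1 = program from -f/-e/command line, 2 = program from -E) can only be recovered by reading awk_main() in a different hunk. Since this test is what decides whether an argument like `x=1` is executed as an assignment or opened as a file, the three states deserve names at the field declaration: `smallint got_program; /* 0: none yet, 1: -f/-e/cmdline, 2: -E (argv entries are never var=val) */`, or an enum so this reads `if (got_program != PROG_FROM_E)`. next_input_file() starts and ends outside this hunk.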
line"; ++ /* Cannot use getopt32: need to preserve order of -e / -f / -E / -i */ ++ while ((ch = getopt(argc, argv, OPTSTR_AWK)) >= 0) { ++ switch (ch) { ++ case 'F': ++ unescape_string_in_place(optarg); ++ setvar_s(intvar[FS], optarg); ++ break; ++ case 'v': ++ if (!try_to_assign(optarg)) ++ bb_show_usage(); ++ break; ++//TODO: implement -i LIBRARY, it is easy-ish ++ case 'E': ++ case 'f': { ++ int fd; ++ char *s; ++ g_progname = optarg; ++ fd = xopen_stdin(g_progname); ++ s = xmalloc_read(fd, NULL); /* it's NUL-terminated */ ++ if (!s) ++ bb_perror_msg_and_die("read error from '%s'", g_progname); ++ close(fd); ++ parse_program(s); ++ free(s); ++ got_program = 1; ++ if (ch == 'E') { ++ got_program = 2; ++ goto stop_option_parsing; ++ } ++ break; ++ } + #if ENABLE_FEATURE_AWK_GNU_EXTENSIONS +- while (list_e) { +- parse_program(llist_pop(&list_e)); +- } ++ case 'e': ++ g_progname = "cmd. line"; ++ parse_program(optarg); ++ got_program = 1; ++ break; + #endif +-//FIXME: preserve order of -e and -f +-//TODO: implement -i LIBRARY and -E FILE too, they are easy-ish +- if (!(opt & (OPT_f | OPT_e))) { ++ case 'W': ++ bb_simple_error_msg("warning: option -W is ignored"); ++ break; ++ default: ++//bb_error_msg("ch:%d", ch); ++ bb_show_usage(); ++ } ++ } ++ stop_option_parsing: ++ ++ argv += optind; ++ //argc -= optind; ++ ++ if (!got_program) { + if (!*argv) + bb_show_usage(); ++ g_progname = "cmd. 
line"; + parse_program(*argv++); + } ++ + /* Free unused parse structures */ + //hash_free(fnhash); // ~250 bytes when empty, used only for function names + //^^^^^^^^^^^^^^^^^ does not work, hash_clear() inside SEGVs +-- +2.46.0 + +From 789ccac7d9d1a9e433570ac9628992a01f946643 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sun, 31 Dec 2023 15:49:54 +0100 +Subject: [PATCH 17/19] awk: fix handling of empty fields + +Patch by M Rubon : +Busybox awk handles references to empty (not provided in the input) +fields differently during the first line of input, as compared to +subsequent lines. + +$ (echo a ; echo b) | awk '$2 != 0' #wrong +b + +No field $2 value is provided in the input. When awk references field +$2 for the "a" line, it is seen to have a different behaviour than +when it is referenced for the "b" line. + +Problem in BusyBox v1.36.1 embedded in OpenWrt 23.05.0 +Same problem also in 21.02 versions of OpenWrt +Same problem in BusyBox v1.37.0.git + +I get the correct expected output from Ubuntu gawk and Debian mawk, +and from my fix. +will@dev:~$ (echo a ; echo b) | awk '$2 != 0' #correct +a +b +will@dev:~/busybox$ (echo a ; echo b ) | ./busybox awk '$2 != 0' #fixed +a +b + +I built and poked into the source code at editors/awk.c The function +fsrealloc(int size) is core to allocating, initializing, reallocating, +and reinitializing fields, both real input line fields and imaginary +fields that the script references but do not exist in the input. + +When fsrealloc() needs more field space than it has previously +allocated, it initializes those new fields differently than how they +are later reinitialized for the next input line. This works fine for +fields defined in the input, like $1, but does not work the first time +when there is no input for that field (e.g. field $99) + +My one-line fix simply makes the initialization and clrvar() +reinitialization use the same value for .type. 
I am not sure if there +are regression tests to run, but I have not done those. + +I'm not sure if I understand why clrvar() is not setting .type to a +default constant value, but in any case I have left that untouched. + +function old new delta +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 0/0 up/down: 0/0) Total: 0 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 33 +++++++++++++++++---------------- + 1 file changed, 17 insertions(+), 16 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index bc95c4155..aa485c782 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -555,8 +555,9 @@ struct globals { + //we are reusing ahash as fdhash, via define (see later) + const char *g_progname; + int g_lineno; +- int nfields; +- unsigned maxfields; ++ int num_fields; /* number of existing $N's */ ++ unsigned num_alloc_fields; /* current size of Fields[] */ ++ /* NB: Fields[0] corresponds to $1, not to $0 */ + var *Fields; + char *g_pos; + char g_saved_ch; +@@ -631,8 +632,8 @@ struct globals2 { + // for fdhash in execution stage. 
+ #define g_progname (G1.g_progname ) + #define g_lineno (G1.g_lineno ) +-#define nfields (G1.nfields ) +-#define maxfields (G1.maxfields ) ++#define num_fields (G1.num_fields ) ++#define num_alloc_fields (G1.num_alloc_fields) + #define Fields (G1.Fields ) + #define g_pos (G1.g_pos ) + #define g_saved_ch (G1.g_saved_ch ) +@@ -1966,30 +1967,30 @@ static void fsrealloc(int size) + { + int i, newsize; + +- if ((unsigned)size >= maxfields) { ++ if ((unsigned)size >= num_alloc_fields) { + /* Sanity cap, easier than catering for over/underflows */ + if ((unsigned)size > 0xffffff) + bb_die_memory_exhausted(); + +- i = maxfields; +- maxfields = size + 16; ++ i = num_alloc_fields; ++ num_alloc_fields = size + 16; + +- newsize = maxfields * sizeof(Fields[0]); ++ newsize = num_alloc_fields * sizeof(Fields[0]); + debug_printf_eval("fsrealloc: xrealloc(%p, %u)\n", Fields, newsize); + Fields = xrealloc(Fields, newsize); + debug_printf_eval("fsrealloc: Fields=%p..%p\n", Fields, (char*)Fields + newsize - 1); + /* ^^^ did Fields[] move? 
debug aid for L.v getting "upstaged" by R.v in evaluate() */ + +- for (; i < maxfields; i++) { +- Fields[i].type = VF_SPECIAL; ++ for (; i < num_alloc_fields; i++) { ++ Fields[i].type = VF_SPECIAL | VF_DIRTY; + Fields[i].string = NULL; + } + } +- /* if size < nfields, clear extra field variables */ +- for (i = size; i < nfields; i++) { ++ /* if size < num_fields, clear extra field variables */ ++ for (i = size; i < num_fields; i++) { + clrvar(Fields + i); + } +- nfields = size; ++ num_fields = size; + } + + static int regexec1_nonempty(const regex_t *preg, const char *s, regmatch_t pmatch[]) +@@ -2126,7 +2127,7 @@ static void split_f0(void) + /* set NF manually to avoid side effects */ + clrvar(intvar[NF]); + intvar[NF]->type = VF_NUMBER | VF_SPECIAL; +- intvar[NF]->number = nfields; ++ intvar[NF]->number = num_fields; + #undef fstrings + } + +@@ -2976,7 +2977,7 @@ static var *evaluate(node *op, var *res) + syntax_error(EMSG_TOO_FEW_ARGS); + L.v = evaluate(op1, TMPVAR0); + /* Does L.v point to $n variable? */ +- if ((size_t)(L.v - Fields) < maxfields) { ++ if ((size_t)(L.v - Fields) < num_alloc_fields) { + /* yes, remember where Fields[] is */ + old_Fields_ptr = Fields; + } +@@ -3517,7 +3518,7 @@ static var *evaluate(node *op, var *res) + res = intvar[F0]; + } else { + split_f0(); +- if (i > nfields) ++ if (i > num_fields) + fsrealloc(i); + res = &Fields[i - 1]; + } +-- +2.46.0 + +From e1a68741067167dc4837e0a26d3d5c318a631fc7 Mon Sep 17 00:00:00 2001 +From: Ron Yorston +Date: Fri, 19 Jan 2024 15:41:17 +0000 +Subject: [PATCH 18/19] awk: fix segfault when compiled by clang + +A 32-bit build of BusyBox using clang segfaulted in the test +"awk assign while assign". Specifically, on line 7 of the test +input where the adjustment of the L.v pointer when the Fields +array was reallocated + + L.v += Fields - old_Fields_ptr; + +was out by 4 bytes. + +Rearrange to code so both gcc and clang generate code that works. 
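Review bot: The changed initializer `Fields[i].type = VF_SPECIAL | VF_DIRTY;` in fsrealloc() is the whole fix, but it carries no explanation, and the commit message itself says the author does not understand why clrvar() leaves the flag set — a later maintainer will see an apparently gratuitous VF_DIRTY on a freshly allocated slot and be tempted to remove it, reintroducing the first-record `$2 != 0` discrepancy. Add the reason next to the assignment, e.g. `/* Same flags clrvar() leaves on a cleared $N, so a field that was never assigned behaves identically on the first record and on later ones */`; the precise semantics of VF_DIRTY are not visible in this hunk, so check that wording against the VF_* definitions. The new `/* NB: Fields[0] corresponds to $1, not to $0 */` comment on the struct is a good addition; the same off-by-one note would help at `res = &Fields[i - 1];` in the evaluate() hunk.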
+ +Signed-off-by: Ron Yorston +Signed-off-by: Bernhard Reutner-Fischer +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/editors/awk.c b/editors/awk.c +index aa485c782..0981c6735 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -3006,7 +3006,7 @@ static var *evaluate(node *op, var *res) + if (old_Fields_ptr) { + //if (old_Fields_ptr != Fields) + // debug_printf_eval("L.v moved\n"); +- L.v += Fields - old_Fields_ptr; ++ L.v = Fields + (L.v - old_Fields_ptr); + } + if (opinfo & OF_STR2) { + R.s = getvar_s(R.v); +-- +2.46.0 \ No newline at end of file diff --git a/SPECS/busybox/busybox.spec b/SPECS/busybox/busybox.spec index a061fbfef2..2a82abfc04 100644 --- a/SPECS/busybox/busybox.spec +++ b/SPECS/busybox/busybox.spec @@ -1,7 +1,7 @@ Summary: Statically linked binary providing simplified versions of system commands Name: busybox Version: 1.35.0 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -17,6 +17,10 @@ Patch4: ash-fix-use-after-free-in-pattern-substituon-code.patch Patch5: ash-fix-use-after-free-in-bash-pattern-substitution.patch Patch6: selinux-copy-file.patch Patch7: selinux-cp-a.patch +Patch8: CVE-2021-42380.patch +# Also Fixes CVE-2023-42364 +Patch9: CVE-2023-42363.patch +Patch10: CVE-2023-42365.patch BuildRequires: gcc BuildRequires: glibc-static >= 2.35-7%{?dist} BuildRequires: libselinux-devel >= 1.27.7-2 @@ -96,6 +100,9 @@ install -m 644 docs/busybox.petitboot.1 %{buildroot}/%{_mandir}/man1/busybox.pet %{_mandir}/man1/busybox.petitboot.1.gz %changelog +* Tue Aug 13 2024 Suresh Thelkar - 1.35.0-11 +- Address CVE-2021-42380, CVE-2023-42363, CVE-2023-42364 & CVE-2023-42365 + * Mon May 06 2024 Rachel Menge - 1.35.0-10 - Bump release to rebuild against glibc 2.35-7 From f619b674952069ccd5013eac6300ac98625f7ac9 Mon Sep 17 00:00:00 2001 
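Review bot: `L.v = Fields + (L.v - old_Fields_ptr);` still subtracts `old_Fields_ptr`, which points at storage xrealloc() has already released in fsrealloc(), so the expression is arithmetic on a dangling pointer and remains undefined behaviour — the 4-byte miscompile under clang described in the message is exactly the kind of result that permits, and the rearrangement only changes which compiler happens to get it right. Capture the index while the pointer is still valid instead: where the earlier hunk does `old_Fields_ptr = Fields;`, also store `Lv_idx = L.v - Fields;` (a `size_t`), and here use `L.v = Fields + Lv_idx;`. evaluate() starts and ends outside this hunk, so whether old_Fields_ptr has other uses that would also need the index is not visible here.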
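Review bot: The spec hunk declares `Patch8`, `Patch9` and `Patch10` but nothing visible applies them; if `%prep` (outside this hunk) uses explicit `%patchN -p1` lines rather than `%autosetup -p1`, the three CVE patches are listed and shipped in the SRPM yet never applied to the build tree, while the changelog entry claims the CVEs are addressed. Confirm `%prep`, and if it is the explicit form add `%patch8 -p1`, `%patch9 -p1` and `%patch10 -p1` in this same change. A build-time check that the patched awk.c actually contains the new code (for example the `got_program` symbol) would make this class of silent no-op visible in CI.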
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:43:03 -0700 Subject: [PATCH 29/43] [AUTO-CHERRYPICK] Patch cmake for CVE-2023-28320 - branch main (#10137) Co-authored-by: joejoew <111843948+joejoew@users.noreply.github.com> --- SPECS/cmake/CVE-2023-28320.patch | 78 +++++++++++++++++++ SPECS/cmake/cmake.spec | 6 +- .../manifests/package/toolchain_aarch64.txt | 4 +- .../manifests/package/toolchain_x86_64.txt | 4 +- 4 files changed, 87 insertions(+), 5 deletions(-) create mode 100644 SPECS/cmake/CVE-2023-28320.patch diff --git a/SPECS/cmake/CVE-2023-28320.patch b/SPECS/cmake/CVE-2023-28320.patch new file mode 100644 index 0000000000..a63da55d9f --- /dev/null +++ b/SPECS/cmake/CVE-2023-28320.patch 
@@ -0,0 +1,78 @@ +From def1a172f3a5ac13c3cd5687d2a352262b02e358 Mon Sep 17 00:00:00 2001 +From: Zhichun Wan +Date: Fri, 26 Jul 2024 22:30:10 +0000 +Subject: [PATCH] patches + +--- + Utilities/cmcurl/lib/hostip.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/Utilities/cmcurl/lib/hostip.c b/Utilities/cmcurl/lib/hostip.c +index e0e3cfc2..a763ad84 100644 +--- a/Utilities/cmcurl/lib/hostip.c ++++ b/Utilities/cmcurl/lib/hostip.c +@@ -72,12 +72,19 @@ + #include + #endif + +-#if defined(CURLRES_SYNCH) && \ +- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP) ++#if defined(CURLRES_SYNCH) && \ ++ defined(HAVE_ALARM) && \ ++ defined(SIGALRM) && \ ++ defined(HAVE_SIGSETJMP) && \ ++ defined(GLOBAL_INIT_IS_THREADSAFE) + /* alarm-based timeouts can only be used with all the dependencies satisfied */ + #define USE_ALARM_TIMEOUT + #endif + ++#ifdef USE_ALARM_TIMEOUT ++#include "easy_lock.h" ++#endif ++ + #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */ + + /* +@@ -249,11 +256,12 @@ void Curl_hostcache_prune(struct Curl_easy *data) + Curl_share_unlock(data, CURL_LOCK_DATA_DNS); + } + +-#ifdef HAVE_SIGSETJMP ++#ifdef USE_ALARM_TIMEOUT + /* Beware this is a global and unique instance. This is used to store the + return address that we can jump back to from inside a signal handler. This + is not thread-safe stuff. */ + sigjmp_buf curl_jmpenv; ++curl_simple_lock curl_jmpenv_lock; + #endif + + /* lookup address, returns entry if found and not stale */ +@@ -640,7 +648,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data, + static + void alarmfunc(int sig) + { +- /* this is for "-ansi -Wall -pedantic" to stop complaining! 
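Review bot: In the first hostip.c hunk the new `defined(GLOBAL_INIT_IS_THREADSAFE)` term is evaluated before `#include "easy_lock.h"`, which is only pulled in afterwards under `#ifdef USE_ALARM_TIMEOUT`; if, as in upstream curl, GLOBAL_INIT_IS_THREADSAFE is defined by easy_lock.h and nothing included earlier defines it, the condition is always false, USE_ALARM_TIMEOUT is never defined, and the alarm-based resolver timeout is silently compiled out rather than made safe (upstream shipped a follow-up for this same ordering). Failing closed is the better direction for CVE-2023-28320, but it is a behaviour change the changelog does not mention. Move the include above the check and drop the guard: `#include "easy_lock.h"` immediately before the `#if defined(CURLRES_SYNCH) && \` block, and verify in a build that USE_ALARM_TIMEOUT is actually defined (e.g. with `-dM` or by checking that `curl_jmpenv_lock` is emitted).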
(rabe) */ + (void)sig; + siglongjmp(curl_jmpenv, 1); + } +@@ -720,6 +727,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data, + This should be the last thing we do before calling Curl_resolv(), + as otherwise we'd have to worry about variables that get modified + before we invoke Curl_resolv() (and thus use "volatile"). */ ++ curl_simple_lock_lock(&curl_jmpenv_lock); ++ + if(sigsetjmp(curl_jmpenv, 1)) { + /* this is coming from a siglongjmp() after an alarm signal */ + failf(data, "name lookup timed out"); +@@ -788,6 +797,8 @@ clean_up: + #endif + #endif /* HAVE_SIGACTION */ + ++ curl_simple_lock_unlock(&curl_jmpenv_lock); ++ + /* switch back the alarm() to either zero or to what it was before minus + the time we spent until now! */ + if(prev_alarm) { +-- +2.39.4 + diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec index 145dd4093c..3bf920bff3 100644 --- a/SPECS/cmake/cmake.spec +++ b/SPECS/cmake/cmake.spec @@ -2,7 +2,7 @@ Summary: Cmake Name: cmake Version: 3.21.4 -Release: 10%{?dist} +Release: 11%{?dist} License: BSD AND LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -20,6 +20,7 @@ Patch5: CVE-2023-35945.patch Patch6: CVE-2023-38545.patch Patch7: CVE-2023-38546.patch Patch8: cve-2023-44487.patch +Patch9: CVE-2023-28320.patch BuildRequires: bzip2 BuildRequires: bzip2-devel BuildRequires: curl @@ -85,6 +86,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure %{_prefix}/doc/%{name}-*/* %changelog +* Fri Jul 26 2024 Zhichun Wan - 3.21.4-11 +- Patch CVE-2023-28320.patch + * Thu Oct 19 2023 Dan Streetman - 3.21.4-10 - Patch vendored nghttp2 for CVE-2023-44487 diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index fc18f7e990..515f406e68 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-10.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-10.cm2.aarch64.rpm
+cmake-3.21.4-11.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-11.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 4ae297ceb7..2a257629e6 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-10.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-10.cm2.x86_64.rpm
+cmake-3.21.4-11.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-11.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm
From f8d9c8fb33ef1840bc1e9254d7eba7f0d014ddcf Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:43:12 -0700 Subject: [PATCH 30/43] [AUTO-CHERRYPICK] bind: upgrade version 9.16.48 -> 9.16.50 & patch CVE-2024-1737, CVE-2024-1975 & CVE-2024-4076 - branch main (#10131) Co-authored-by: Muhammad Falak R Wani --- SPECS/bind/CVE-2024-1737.patch | 521 ++++++++++++++++++++++++++++++++ SPECS/bind/CVE-2024-1975.patch | 432 ++++++++++++++++++++++++++ SPECS/bind/CVE-2024-4076.patch | 31 ++ SPECS/bind/bind.signatures.json | 34 +-- SPECS/bind/bind.spec | 12 +- cgmanifest.json | 4 +- 6 files changed, 1014 insertions(+), 20 deletions(-) create mode 100644 SPECS/bind/CVE-2024-1737.patch create mode 100644 SPECS/bind/CVE-2024-1975.patch create mode 100644 SPECS/bind/CVE-2024-4076.patch diff --git a/SPECS/bind/CVE-2024-1737.patch b/SPECS/bind/CVE-2024-1737.patch new file mode 100644 index 0000000000..a7cc542f61 --- /dev/null +++ b/SPECS/bind/CVE-2024-1737.patch 
@@ -0,0 +1,521 @@ +From 835ce6a069a1741b5df6977a10ef824598b5c027 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Fri, 1 Mar 2024 08:26:07 +0100 +Subject: [PATCH 1/6] Add a limit to the number of RRs in RRSets + +Previously, the number of RRs in the RRSets were internally unlimited. +As the data structure that holds the RRs is just a linked list, and +there are places where we just walk through all of the RRs, adding an +RRSet with huge number of RRs inside would slow down processing of said +RRSets. + +The fix for end-of-life branches make the limit compile-time only for +simplicity and the limit can be changed at the compile time by adding +following define to CFLAGS: + + -DDNS_RDATASET_MAX_RECORDS= + +(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e) +Signed-off-by: Muhammad Falak R Wani +--- + configure | 2 +- + configure.ac | 2 +- + lib/dns/rdataslab.c | 12 ++++++++++++ + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/configure b/configure +index 1b436d6..30e65f1 100755 +--- a/configure ++++ b/configure +@@ -12341,7 +12341,7 @@ fi + + XTARGETS= + if test "$enable_developer" = "yes"; then : +- STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1" ++ STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000" + test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes + test "${enable_querytrace+set}" = set || enable_querytrace=yes + test "${with_cmocka+set}" = set || with_cmocka=yes +diff --git a/configure.ac b/configure.ac +index fb6f172..ffe087e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -96,7 +96,7 @@ AC_ARG_ENABLE([developer], + + XTARGETS= + AS_IF([test "$enable_developer" = "yes"], +- [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1" ++ [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000" + test "${enable_fixed_rrset+set}" = 
set || enable_fixed_rrset=yes + test "${enable_querytrace+set}" = set || enable_querytrace=yes + test "${with_cmocka+set}" = set || with_cmocka=yes +diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c +index 14c4381..d74e84c 100644 +--- a/lib/dns/rdataslab.c ++++ b/lib/dns/rdataslab.c +@@ -112,6 +112,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable, + } + #endif /* if DNS_RDATASET_FIXED */ + ++#ifndef DNS_RDATASET_MAX_RECORDS ++#define DNS_RDATASET_MAX_RECORDS 100 ++#endif /* DNS_RDATASET_MAX_RECORDS */ ++ + isc_result_t + dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, + isc_region_t *region, unsigned int reservelen) { +@@ -156,6 +160,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, + return (ISC_R_SUCCESS); + } + ++ if (nitems > DNS_RDATASET_MAX_RECORDS) { ++ return (DNS_R_TOOMANYRECORDS); ++ } ++ + if (nitems > 0xffff) { + return (ISC_R_NOSPACE); + } +@@ -524,6 +532,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab, + #endif /* if DNS_RDATASET_FIXED */ + INSIST(ocount > 0 && ncount > 0); + ++ if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) { ++ return (DNS_R_TOOMANYRECORDS); ++ } ++ + #if DNS_RDATASET_FIXED + oncount = ncount; + #endif /* if DNS_RDATASET_FIXED */ +-- +2.40.1 + +From c2309258b876feb7d818da89312e5af385790eaf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Wed, 29 May 2024 08:43:39 +0200 +Subject: [PATCH 2/6] Add a limit to the number of RR types for single name + +Previously, the number of RR types for a single owner name was limited +only by the maximum number of the types (64k). As the data structure +that holds the RR types for the database node is just a linked list, and +there are places where we just walk through the whole list (again and +again), adding a large number of RR types for a single owner named with +would slow down processing of such name (database node). 
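Review bot: The two new checks in rdataslab.c return `DNS_R_TOOMANYRECORDS`, but nothing in this patch defines that result code — the diffstat lists only configure, configure.ac and lib/dns/rdataslab.c, with no change to lib/dns/include/dns/result.h or the result-string table in result.c. If the 9.16.50 tree does not already declare it the build fails; if it does, that strongly suggests the tree already carries this fix (9.16.50 was, as far as I recall, the security release for these three CVEs), in which case the series is redundant at best and will be rejected at `%prep` at worst. Check for `DNS_R_TOOMANYRECORDS` in the unpacked tarball before carrying the patch; if it is genuinely absent, add the `#define DNS_R_TOOMANYRECORDS` entry and its text entry to result.h/result.c within this same patch so the change is self-contained.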
+ +Add a hard-coded limit (100) to cap the number of the RR types for a single +owner. The limit can be changed at the compile time by adding following +define to CFLAGS: + + -DDNS_RBTDB_MAX_RTYPES= + +Signed-off-by: Muhammad Falak R Wani +--- + configure | 2 +- + configure.ac | 2 +- + lib/dns/rbtdb.c | 17 +++++++++++++++++ + 3 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/configure b/configure +index 30e65f1..835cd94 100755 +--- a/configure ++++ b/configure +@@ -12341,7 +12341,7 @@ fi + + XTARGETS= + if test "$enable_developer" = "yes"; then : +- STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000" ++ STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000" + test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes + test "${enable_querytrace+set}" = set || enable_querytrace=yes + test "${with_cmocka+set}" = set || with_cmocka=yes +diff --git a/configure.ac b/configure.ac +index ffe087e..6db4250 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -96,7 +96,7 @@ AC_ARG_ENABLE([developer], + + XTARGETS= + AS_IF([test "$enable_developer" = "yes"], +- [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000" ++ [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000" + test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes + test "${enable_querytrace+set}" = set || enable_querytrace=yes + test "${with_cmocka+set}" = set || with_cmocka=yes +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index 3f06545..b35e101 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -6240,6 +6240,10 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion, + RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write); + } + ++#ifndef DNS_RBTDB_MAX_RTYPES ++#define DNS_RBTDB_MAX_RTYPES 100 
++#endif /* DNS_RBTDB_MAX_RTYPES */ ++ + /* + * write lock on rbtnode must be held. + */ +@@ -6261,6 +6265,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename, + rbtdb_rdatatype_t negtype, sigtype; + dns_trust_t trust; + int idx; ++ uint32_t ntypes; + + /* + * Add an rdatasetheader_t to a node. +@@ -6325,6 +6330,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename, + set_ttl(rbtdb, topheader, 0); + mark_header_ancient(rbtdb, topheader); + } ++ ntypes = 0; + goto find_header; + } + /* +@@ -6348,9 +6354,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename, + * check for an extant non-ancient NODATA ncache + * entry which covers the same type as the RRSIG. + */ ++ ntypes = 0; + for (topheader = rbtnode->data; topheader != NULL; + topheader = topheader->next) + { ++ ntypes++; + if ((topheader->type == + RBTDB_RDATATYPE_NCACHEANY) || + (newheader->type == sigtype && +@@ -6395,9 +6403,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename, + } + } + ++ ntypes = 0; + for (topheader = rbtnode->data; topheader != NULL; + topheader = topheader->next) + { ++ ntypes++; + if (prio_type(topheader->type)) { + prioheader = topheader; + } +@@ -6755,6 +6765,13 @@ find_header: + /* + * No rdatasets of the given type exist at the node. + */ ++ ++ if (ntypes > DNS_RBTDB_MAX_RTYPES) { ++ free_rdataset(rbtdb, rbtdb->common.mctx, ++ newheader); ++ return (ISC_R_QUOTA); ++ } ++ + newheader->down = NULL; + + if (prio_type(newheader->type)) { +-- +2.40.1 + +From 23797a4f5db6698baf98bdeaeb1e6095e67772a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= +Date: Thu, 6 Jun 2024 15:29:14 +0200 +Subject: [PATCH 3/6] Revert "Build gcc:oraclelinux9:amd64 CI jobs with + --disable-developer" + +This reverts commit 6a7ec0c01cf9df31cc29b81883be3304c07ffafd. 
+ +Signed-off-by: Muhammad Falak R Wani +--- + .gitlab-ci.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml +index 06b17c3..9e10eca 100644 +--- a/.gitlab-ci.yml ++++ b/.gitlab-ci.yml +@@ -733,7 +733,7 @@ gcc:oraclelinux9:amd64: + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON}" +- EXTRA_CONFIGURE: "--with-libidn2 --disable-developer" ++ EXTRA_CONFIGURE: "--with-libidn2" + <<: *oraclelinux_9_amd64_image + <<: *build_job + +-- +2.40.1 + +From 03b3c1c24cb2758814b61ce65d6cd300d161ab6a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Mon, 17 Jun 2024 11:40:40 +0200 +Subject: [PATCH 4/6] Expand the list of the priority types + +Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of +the priority types that are put at the beginning of the slabheader list +for faster access and to avoid eviction when there are more types than +the max-types-per-name limit. + +(cherry picked from commit b27c6bcce894786a8e082eafd59eccbf6f2731cb) +Signed-off-by: Muhammad Falak R Wani +--- + lib/dns/rbtdb.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index b35e101..0932453 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -990,6 +990,8 @@ prio_type(rbtdb_rdatatype_t type) { + case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa): + case dns_rdatatype_a: + case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a): ++ case dns_rdatatype_mx: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx): + case dns_rdatatype_aaaa: + case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa): + case dns_rdatatype_nsec: +@@ -1002,6 +1004,22 @@ prio_type(rbtdb_rdatatype_t type) { + case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds): + case dns_rdatatype_cname: + case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname): ++ case dns_rdatatype_dname: ++ case 
RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname): ++ case dns_rdatatype_svcb: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_svcb): ++ case dns_rdatatype_https: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_https): ++ case dns_rdatatype_dnskey: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey): ++ case dns_rdatatype_srv: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv): ++ case dns_rdatatype_txt: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt): ++ case dns_rdatatype_ptr: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr): ++ case dns_rdatatype_naptr: ++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr): + return (true); + } + return (false); +-- +2.40.1 + +From 3798953881077eae1cc6992d0bce27e2637b942e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Mon, 17 Jun 2024 17:54:09 +0200 +Subject: [PATCH 5/6] Make the resolver qtype ANY test order agnostic + +Instead of relying on a specific order of the RR types in the databases +pick the first RR type as returned from the cache. 
+ +(cherry picked from commit 58f660cf2b800963fa649bc9823a626009db3a7e) +Signed-off-by: Muhammad Falak R Wani +--- + bin/tests/system/resolver/tests.sh | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh +index fc05635..2e089fa 100755 +--- a/bin/tests/system/resolver/tests.sh ++++ b/bin/tests/system/resolver/tests.sh +@@ -596,18 +596,18 @@ n=$((n + 1)) + echo_i "check prefetch qtype * (${n})" + ret=0 + dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.1.${n} || ret=1 +-ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 3 }' dig.out.1.${n}) ++ttl1=$(awk '/^fetchall.tld/ { print $2 - 3; exit }' dig.out.1.${n}) + # sleep so we are in prefetch range + sleep "${ttl1:-0}" + # trigger prefetch + dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.2.${n} || ret=1 +-ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) ++ttl2=$(awk '/^fetchall.tld/ { print $2; exit }' dig.out.2.${n}) + sleep 1 + # check that prefetch occurred; +-# note that only one record is prefetched, which is the AAAA record in this case, ++# note that only the first record is prefetched, + # because of the order of the records in the cache + dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.3.${n} || ret=1 +-ttl3=$(awk '/::1/ { print $2 }' dig.out.3.${n}) ++ttl3=$(awk '/^fetchall.tld/ { print $2; exit }' dig.out.3.${n}) + test "${ttl3:-0}" -gt "${ttl2:-1}" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +-- +2.40.1 + +From 84ce66c3491df6f31225b50d27e9a9e5fa93eaed Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Mon, 17 Jun 2024 11:40:40 +0200 +Subject: [PATCH 6/6] Be smarter about refusing to add many RR types to the + database + +Instead of outright refusing to add new RR types to the cache, be a bit +smarter: + +1. If the new header type is in our priority list, we always add either + positive or negative entry at the beginning of the list. 
+
+2. If the new header type is negative entry, and we are over the limit,
+ we mark it as ancient immediately, so it gets evicted from the cache
+ as soon as possible.
+
+3. Otherwise add the new header after the priority headers (or at the
+ head of the list).
+
+4. If we are over the limit, evict the last entry on the normal header
+ list.
+
+(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
+Signed-off-by: Muhammad Falak R Wani
+---
+ lib/dns/rbtdb.c | 68 +++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 57 insertions(+), 11 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 0932453..9670671 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -6262,6 +6262,26 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
+ #define DNS_RBTDB_MAX_RTYPES 100
+ #endif /* DNS_RBTDB_MAX_RTYPES */
+
++static bool
++overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
++ UNUSED(rbtdb);
++
++ if (DNS_RBTDB_MAX_RTYPES == 0) {
++ return (false);
++ }
++
++ return (ntypes >= DNS_RBTDB_MAX_RTYPES);
++}
++
++static bool
++prio_header(rdatasetheader_t *header) {
++ if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
++ return (true);
++ }
++
++ return (prio_type(header->type));
++}
++
+ /*
+ * write lock on rbtnode must be held.
+ */
+@@ -6273,7 +6293,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
+ rbtdb_changed_t *changed = NULL;
+ rdatasetheader_t *topheader = NULL, *topheader_prev = NULL;
+ rdatasetheader_t *header = NULL, *sigheader = NULL;
+- rdatasetheader_t *prioheader = NULL;
++ rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
+ unsigned char *merged = NULL;
+ isc_result_t result;
+ bool header_nx;
+@@ -6283,7 +6303,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
+ rbtdb_rdatatype_t negtype, sigtype;
+ dns_trust_t trust;
+ int idx;
+- uint32_t ntypes;
++ uint32_t ntypes = 0;
+
+ /*
+ * Add an rdatasetheader_t to a node.
+@@ -6348,7 +6368,6 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
+ set_ttl(rbtdb, topheader, 0);
+ mark_header_ancient(rbtdb, topheader);
+ }
+- ntypes = 0;
+ goto find_header;
+ }
+ /*
+@@ -6360,6 +6379,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
+ {
+ if (topheader->type == sigtype) {
+ sigheader = topheader;
++ break;
+ }
+ }
+ negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+@@ -6372,11 +6392,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
+ * check for an extant non-ancient NODATA ncache
+ * entry which covers the same type as the RRSIG.
+ */
+- ntypes = 0;
+ for (topheader = rbtnode->data; topheader != NULL;
+ topheader = topheader->next)
+ {
+- ntypes++;
+ if ((topheader->type ==
+ RBTDB_RDATATYPE_NCACHEANY) ||
+ (newheader->type == sigtype &&
+@@ -6421,12 +6439,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
+ }
+ }
+
+- ntypes = 0;
+ for (topheader = rbtnode->data; topheader != NULL;
+ topheader = topheader->next)
+ {
+- ntypes++;
+- if (prio_type(topheader->type)) {
++ if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
++ ++ntypes;
++ expireheader = topheader;
++ } else if (!IS_CACHE(rbtdb)) {
++ ++ntypes;
++ }
++ if (prio_header(topheader)) {
+ prioheader = topheader;
+ }
+ if (topheader->type == newheader->type ||
+@@ -6783,8 +6805,7 @@ find_header:
+ /*
+ * No rdatasets of the given type exist at the node.
+ */
+-
+ if (ntypes > DNS_RBTDB_MAX_RTYPES) {
++ if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
+ free_rdataset(rbtdb, rbtdb->common.mctx,
+ newheader);
+ return (ISC_R_QUOTA);
+@@ -6792,7 +6813,7 @@ find_header:
+
+ newheader->down = NULL;
+
+- if (prio_type(newheader->type)) {
++ if (prio_header(newheader)) {
+ /* This is a priority type, prepend it */
+ newheader->next = rbtnode->data;
+ rbtnode->data = newheader;
+@@ -6805,6 +6826,31 @@ find_header:
+ newheader->next = rbtnode->data;
+ rbtnode->data = newheader;
+ }
++
++ if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
++ if (expireheader == NULL) {
++ expireheader = newheader;
++ }
++ if (NEGATIVE(newheader) &&
++ !prio_header(newheader))
++ {
++ /*
++ * Add the new non-priority negative
++ * header to the database only
++ * temporarily.
++ */
++ expireheader = newheader;
++ }
++
++ set_ttl(rbtdb, expireheader, 0);
++ mark_header_ancient(rbtdb, expireheader);
++ /*
++ * FIXME: In theory, we should mark the RRSIG
++ * and the header at the same time, but there is
++ * no direct link between those two header, so
++ * we would have to check the whole list again.
++ */
++ }
+ }
+ }
+
+-- 
+2.40.1
+
diff --git a/SPECS/bind/CVE-2024-1975.patch b/SPECS/bind/CVE-2024-1975.patch
new file mode 100644
index 0000000000..62ccb7e8a9
--- /dev/null
+++ b/SPECS/bind/CVE-2024-1975.patch
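Review bot: `overmaxtype()` and `prio_header()` at the top of the hunk carry no comment, and `overmaxtype()` quietly tightens the bound from the old `ntypes > DNS_RBTDB_MAX_RTYPES` to `ntypes >= DNS_RBTDB_MAX_RTYPES`, so a node now holds at most DNS_RBTDB_MAX_RTYPES headers rather than one more; a header comment such as `/* True when ntypes headers already exist and adding another would exceed DNS_RBTDB_MAX_RTYPES; 0 disables the limit. */` makes that deliberate. For `prio_header()`, `/* A negative (NXRRSET) entry inherits the priority of the type it covers. */` states what the `RBTDB_RDATATYPE_EXT` branch does. In the later scan loop of this same patch the cache branch counts and picks `expireheader` only from headers that are `ACTIVE(topheader, now)`, so expired-but-not-ancient headers (e.g. ones retained for serve-stale, if that is enabled) neither count toward the limit nor get evicted — presumably intended, but a one-line comment there would save the next reader the same question. The enclosing `add32()` starts and ends outside these hunks.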
@@ -0,0 +1,432 @@
+From 6a4565566db942eb660e421786f73bc5baffc7b8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?=
+Date: Thu, 16 May 2024 12:10:41 +0200
+Subject: [PATCH 1/5] Remove support for SIG(0) message verification
+
+(cherry picked from commit 857fd5c346e3309ee8e280c29174b46579af5a13)
+Signed-off-by: Muhammad Falak R Wani
+---
+ lib/dns/message.c | 99 +++--------------------------------------------
+ lib/ns/client.c | 7 ++++
+ 2 files changed, 13 insertions(+), 93 deletions(-)
+
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 22aa552..12331ab 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -3301,111 +3301,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
+
+ isc_result_t
+ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
+- isc_buffer_t b, msgb;
++ isc_buffer_t msgb;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+
+- if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL) {
++ if (msg->tsigkey == NULL && msg->tsig == NULL) {
+ return (ISC_R_SUCCESS);
+ }
+
+ INSIST(msg->saved.base != NULL);
+ isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
+ isc_buffer_add(&msgb, msg->saved.length);
+- if (msg->tsigkey != NULL || msg->tsig != NULL) {
+ #ifdef SKAN_MSG_DEBUG
+- dns_message_dumpsig(msg, "dns_message_checksig#1");
++ dns_message_dumpsig(msg, "dns_message_checksig#1");
+ #endif /* ifdef SKAN_MSG_DEBUG */
+- if (view != NULL) {
+- return (dns_view_checksig(view, &msgb, msg));
+- } else {
+- return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+- }
++ if (view != NULL) {
++ return (dns_view_checksig(view, &msgb, msg));
+ } else {
+- dns_rdata_t rdata = DNS_RDATA_INIT;
+- dns_rdata_sig_t sig;
+- dns_rdataset_t keyset;
+- isc_result_t result;
+-
+- result = dns_rdataset_first(msg->sig0);
+- INSIST(result == ISC_R_SUCCESS);
+- dns_rdataset_current(msg->sig0, &rdata);
+-
+- /*
+- * This can occur when the message is a dynamic update, since
+- * the rdata length checking is relaxed. This should not
+- * happen in a well-formed message, since the SIG(0) is only
+- * looked for in the additional section, and the dynamic update
+- * meta-records are in the prerequisite and update sections.
+- */
+- if (rdata.length == 0) {
+- return (ISC_R_UNEXPECTEDEND);
+- }
+-
+- result = dns_rdata_tostruct(&rdata, &sig, NULL);
+- if (result != ISC_R_SUCCESS) {
+- return (result);
+- }
+-
+- dns_rdataset_init(&keyset);
+- if (view == NULL) {
+- result = DNS_R_KEYUNAUTHORIZED;
+- goto freesig;
+- }
+- result = dns_view_simplefind(view, &sig.signer,
+- dns_rdatatype_key /* SIG(0) */, 0,
+- 0, false, &keyset, NULL);
+-
+- if (result != ISC_R_SUCCESS) {
+- /* XXXBEW Should possibly create a fetch here */
+- result = DNS_R_KEYUNAUTHORIZED;
+- goto freesig;
+- } else if (keyset.trust < dns_trust_secure) {
+- /* XXXBEW Should call a validator here */
+- result = DNS_R_KEYUNAUTHORIZED;
+- goto freesig;
+- }
+- result = dns_rdataset_first(&keyset);
+- INSIST(result == ISC_R_SUCCESS);
+- for (; result == ISC_R_SUCCESS;
+- result = dns_rdataset_next(&keyset))
+- {
+- dst_key_t *key = NULL;
+-
+- dns_rdata_reset(&rdata);
+- dns_rdataset_current(&keyset, &rdata);
+- isc_buffer_init(&b, rdata.data, rdata.length);
+- isc_buffer_add(&b, rdata.length);
+-
+- result = dst_key_fromdns(&sig.signer, rdata.rdclass, &b,
+- view->mctx, &key);
+- if (result != ISC_R_SUCCESS) {
+- continue;
+- }
+- if (dst_key_alg(key) != sig.algorithm ||
+- dst_key_id(key) != sig.keyid ||
+- !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
+- dst_key_proto(key) == DNS_KEYPROTO_ANY))
+- {
+- dst_key_free(&key);
+- continue;
+- }
+- result = dns_dnssec_verifymessage(&msgb, msg, key);
+- dst_key_free(&key);
+- if (result == ISC_R_SUCCESS) {
+- break;
+- }
+- }
+- if (result == ISC_R_NOMORE) {
+- result = DNS_R_KEYUNAUTHORIZED;
+- }
+-
+- freesig:
+- if (dns_rdataset_isassociated(&keyset)) {
+- dns_rdataset_disassociate(&keyset);
+- }
+- dns_rdata_freestruct(&sig);
+- return (result);
++ return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+ }
+ }
+
+diff --git a/lib/ns/client.c b/lib/ns/client.c
+index d4ce000..2679a5e 100644
+--- a/lib/ns/client.c
++++ b/lib/ns/client.c
+@@ -2041,6 +2041,13 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "request is signed by a nonauthoritative key");
++ } else if (result == DNS_R_NOTVERIFIEDYET &&
++ client->message->sig0 != NULL)
++ {
++ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
++ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
++ "request has a SIG(0) signature but its support "
++ "was removed (CVE-2024-1975)");
+ } else {
+ char tsigrcode[64];
+ isc_buffer_t b;
+-- 
+2.40.1
+
+From afd9c8976d78a5145a92ff0cccc2954083042555 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?=
+Date: Thu, 16 May 2024 12:15:23 +0200
+Subject: [PATCH 2/5] Document SIG(0) verification removal
+
+(cherry picked from commit 654ba34d80b8b6ed805461d7ada2466f8c19a6f1)
+Signed-off-by: Muhammad Falak R Wani
+---
+ doc/arm/advanced.rst | 18 +++---------------
+ doc/arm/general.rst | 6 ++----
+ doc/arm/reference.rst | 4 ++--
+ doc/arm/security.rst | 4 ++--
+ 4 files changed, 9 insertions(+), 23 deletions(-)
+
+diff --git a/doc/arm/advanced.rst b/doc/arm/advanced.rst
+index 4405b5c..f3325d9 100644
+--- a/doc/arm/advanced.rst
++++ b/doc/arm/advanced.rst
+@@ -537,7 +537,7 @@ zone).
+ The TKEY process is initiated by a client or server by sending a query
+ of type TKEY to a TKEY-aware server. The query must include an
+ appropriate KEY record in the additional section, and must be signed
+-using either TSIG or SIG(0) with a previously established key. The
++using either TSIG with a previously established key. The
+ server's response, if successful, contains a TKEY record in its
+ answer section.
After this transaction, both participants have + enough information to calculate a shared secret using Diffie-Hellman key +@@ -555,20 +555,8 @@ deletion" mode. + SIG(0) + ------ + +-BIND partially supports DNSSEC SIG(0) transaction signatures as +-specified in :rfc:`2535` and :rfc:`2931`. SIG(0) uses public/private keys to +-authenticate messages. Access control is performed in the same manner as with +-TSIG keys; privileges can be granted or denied in ACL directives based +-on the key name. +- +-When a SIG(0) signed message is received, it is only verified if +-the key is known and trusted by the server. The server does not attempt +-to recursively fetch or validate the key. +- +-SIG(0) signing of multiple-message TCP streams is not supported. +- +-The only tool shipped with BIND 9 that generates SIG(0) signed messages +-is ``nsupdate``. ++Support for DNSSEC SIG(0) transaction signatures was removed. ++This is a countermeasure for CVE-2024-1975. + + .. include:: managed-keys.rst + .. include:: pkcs11.rst +diff --git a/doc/arm/general.rst b/doc/arm/general.rst +index d7b7c20..136e806 100644 +--- a/doc/arm/general.rst ++++ b/doc/arm/general.rst +@@ -367,10 +367,8 @@ Notes + .. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a + feature. + +-.. [#rfc2931] When receiving a query signed with a SIG(0), the server is +- only able to verify the signature if it has the key in its local +- authoritative data; it cannot do recursion or validation to +- retrieve unknown keys. ++.. [#rfc2931] Support for SIG(0) message verification was removed ++ as a countermeasure for CVE-2024-1975. + + .. [#rfc2874] Compliance is with loading and serving of A6 records only. + A6 records were moved to the experimental category by :rfc:`3363`. 
+diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst +index ecc84d4..f982e0a 100644 +--- a/doc/arm/reference.rst ++++ b/doc/arm/reference.rst +@@ -5900,7 +5900,7 @@ The ``update-policy`` clause allows more fine-grained control over which + updates are allowed. It specifies a set of rules, in which each rule + either grants or denies permission for one or more names in the zone to + be updated by one or more identities. Identity is determined by the key +-that signed the update request, using either TSIG or SIG(0). In most ++that signed the update request, using either TSIG. In most + cases, ``update-policy`` rules only apply to key-based identities. There + is no way to specify update permissions based on the client source address. + +@@ -5957,7 +5957,7 @@ field), and the type of the record to be updated matches the ``types`` + field. Details for each rule type are described below. + + The ``identity`` field must be set to a fully qualified domain name. In +-most cases, this represents the name of the TSIG or SIG(0) key that ++most cases, this represents the name of the TSIG key that + must be used to sign the update request. If the specified name is a + wildcard, it is subject to DNS wildcard expansion, and the rule may + apply to multiple identities. When a TKEY exchange has been used to +diff --git a/doc/arm/security.rst b/doc/arm/security.rst +index 817ebd0..92b1668 100644 +--- a/doc/arm/security.rst ++++ b/doc/arm/security.rst +@@ -83,7 +83,7 @@ Limiting access to the server by outside parties can help prevent + spoofing and denial of service (DoS) attacks against the server. + + ACLs match clients on the basis of up to three characteristics: 1) The +-client's IP address; 2) the TSIG or SIG(0) key that was used to sign the ++client's IP address; 2) the TSIG key that was used to sign the + request, if any; and 3) an address prefix encoded in an EDNS + Client-Subnet option, if any. 
+ +@@ -124,7 +124,7 @@ and no queries at all from the networks specified in ``bogusnets``. + + In addition to network addresses and prefixes, which are matched against + the source address of the DNS request, ACLs may include ``key`` +-elements, which specify the name of a TSIG or SIG(0) key. ++elements, which specify the name of a TSIG key. + + When BIND 9 is built with GeoIP support, ACLs can also be used for + geographic access restrictions. This is done by specifying an ACL +-- +2.40.1 + +From d58461e425e61c1740ff4e914c7d41513c972850 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Tue, 21 May 2024 08:45:48 +0000 +Subject: [PATCH 3/5] Enable stdout autoflush in authsock.pl + +With enabled buffering the output gets lost when the process +receives a TERM signal. Disable the buffering. + +(cherry picked from commit a0311dfb6e2a51f89dfa8b200b96a0f4675fb654) +Signed-off-by: Muhammad Falak R Wani +--- + bin/tests/system/tsiggss/authsock.pl | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl +index d629c65..d181b1a 100644 +--- a/bin/tests/system/tsiggss/authsock.pl ++++ b/bin/tests/system/tsiggss/authsock.pl +@@ -33,6 +33,10 @@ if (!defined($path)) { + exit(1); + } + ++# Enable output autoflush so that it's not lost when the parent sends TERM. ++select STDOUT; ++$| = 1; ++ + unlink($path); + my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or + die "unable to create socket $path"; +-- +2.40.1 + +From d8431d0c68df185077cf656edf46a985f3291a30 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= +Date: Fri, 17 May 2024 12:23:05 +0200 +Subject: [PATCH 4/5] Adapt the tsiggss test to the SIG(0) removal + +Test that SIG(0) signer is NOT sent to the external socket for +authorization. It MUST NOT be considered a valid signature by +any chance. + +Also check that the signer's name does not appear in authsock.pl +output. 
+ +(cherry picked from commit cf8838085905171fbc00747eb210e8b8284ca0e1) +Signed-off-by: Muhammad Falak R Wani +--- + bin/tests/system/tsiggss/authsock.pl | 1 + + bin/tests/system/tsiggss/clean.sh | 2 +- + bin/tests/system/tsiggss/tests.sh | 12 +++++++----- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl +index d181b1a..b3888fb 100644 +--- a/bin/tests/system/tsiggss/authsock.pl ++++ b/bin/tests/system/tsiggss/authsock.pl +@@ -59,6 +59,7 @@ if ($timeout != 0) { + } + + while (my $client = $server->accept()) { ++ printf("accept()\n"); + $client->recv(my $buf, 8, 0); + my ($version, $req_len) = unpack('N N', $buf); + +diff --git a/bin/tests/system/tsiggss/clean.sh b/bin/tests/system/tsiggss/clean.sh +index 0ace209..ce885d5 100644 +--- a/bin/tests/system/tsiggss/clean.sh ++++ b/bin/tests/system/tsiggss/clean.sh +@@ -21,7 +21,7 @@ rm -f ns1/_default.tsigkeys + rm -f */named.memstats + rm -f */named.conf + rm -f */named.run +-rm -f authsock.pid ++rm -f authsock.log authsock.pid + rm -f ns1/core + rm -f nsupdate.out* + rm -f ns*/named.lock +diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh +index a665703..34b8c89 100644 +--- a/bin/tests/system/tsiggss/tests.sh ++++ b/bin/tests/system/tsiggss/tests.sh +@@ -116,7 +116,7 @@ status=$((status + ret)) + + echo_i "testing external update policy (CNAME) with auth sock ($n)" + ret=0 +-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >/dev/null 2>&1 & ++$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >authsock.log 2>&1 & + sleep 1 + test_update $n testcname.example.nil. 
CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1 + n=$((n + 1)) +@@ -130,17 +130,19 @@ n=$((n + 1)) + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + +-echo_i "testing external policy with SIG(0) key ($n)" ++echo_i "testing external policy with unsupported SIG(0) key ($n)" + ret=0 +-$NSUPDATE -k ns1/Kkey.example.nil.*.private </dev/null 2>&1 || ret=1 ++$NSUPDATE -d -k ns1/Kkey.example.nil.*.private <nsupdate.out${n} 2>&1 || true ++debug + server 10.53.0.1 ${PORT} + zone example.nil + update add fred.example.nil 120 cname foo.bar. + send + END + output=$($DIG $DIGOPTS +short cname fred.example.nil.) +-[ -n "$output" ] || ret=1 +-[ $ret -eq 0 ] || echo_i "failed" ++# update must have failed - SIG(0) signer is not supported ++[ -n "$output" ] && ret=1 ++grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1 + n=$((n + 1)) + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +-- +2.40.1 + +From db69c8bb093a19eafb016b14aff45b69803f0065 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Tue, 21 May 2024 09:29:35 +0000 +Subject: [PATCH 5/5] Adapt the upforwd test to the SIG(0) removal + +Change the check so that update with SIG(0) is expected to fail. 
+ +(cherry picked from commit 5f7558f6dbb0527c08caf281299245ab8de268cd) +Signed-off-by: Muhammad Falak R Wani +--- + bin/tests/system/upforwd/tests.sh | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh +index 9165ba9..89e2241 100644 +--- a/bin/tests/system/upforwd/tests.sh ++++ b/bin/tests/system/upforwd/tests.sh +@@ -262,10 +262,12 @@ if $FEATURETEST --enable-dnstap; then + fi + + if test -f keyname; then +- echo_i "checking update forwarding to with sig0 ($n)" ++ echo_i "checking update forwarding to with sig0 (expected to fail) ($n)" + ret=0 + keyname=$(cat keyname) +- $NSUPDATE -k $keyname.private -- - <nsupdate.out.$n 2>&1 && ret=1 + $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 >dig.out.ns1.test$n || ret=1 +- grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 ++ grep "status: NOERROR" dig.out.ns1.test$n >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + n=$(expr $n + 1) +-- +2.40.1 + diff --git a/SPECS/bind/CVE-2024-4076.patch b/SPECS/bind/CVE-2024-4076.patch new file mode 100644 index 0000000000..92ff26f556 --- /dev/null +++ b/SPECS/bind/CVE-2024-4076.patch 
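Review bot: The new `else if (result == DNS_R_NOTVERIFIEDYET && client->message->sig0 != NULL)` branch in `ns__client_request()` sits after the branch whose body logs "request is signed by a nonauthoritative key"; that branch's condition is outside the hunk, but if it is the plain `result == DNS_R_NOTVERIFIEDYET` it already swallows every such result and the CVE-specific log line is unreachable, so the SIG(0) check should be ordered before it. The message.c side is sound as a countermeasure: dropping `msg->sig0 == NULL` from the early return makes `dns_message_checksig()` report `ISC_R_SUCCESS` for a request whose only signature is SIG(0) without ever verifying it, so the request is handled as unsigned and key-based `update-policy`/ACL rules cannot match it, which the tsiggss and upforwd test changes pin down. Because the only trace is at `ISC_LOG_DEBUG(3)`, operators using `nsupdate -k` with a KEY/SIG(0) pair will simply see updates refused, so the spec changelog should state that SIG(0) request authentication has been removed. Separately, the nsupdate here-document lines in the tsiggss and upforwd test hunks appear mangled in this rendering (`<nsupdate.out${n}` with the `<<END >` redirection missing), which is worth checking against the upstream commit before the patch file is applied.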
@@ -0,0 +1,31 @@
+From 63fac0c45a583983847b17d1220dccf13d1cac7e Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Tue, 16 Jan 2024 14:25:27 +1100
+Subject: [PATCH] Clear qctx->zversion
+
+Clear qctx->zversion when clearing qctx->zrdataset et al in
+lib/ns/query.c:qctx_freedata. The uncleared pointer could lead to
+an assertion failure if zone data needed to be re-saved which could
+happen with stale data support enabled.
+
+(cherry picked from commit 179fb3532ab8d4898ab070b2db54c0ce872ef709)
+Signed-off-by: Muhammad Falak R Wani
+---
+ lib/ns/query.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 1290c30..ec9bf5b 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -5260,6 +5260,7 @@ qctx_freedata(query_ctx_t *qctx) {
+ ns_client_releasename(qctx->client, &qctx->zfname);
+ dns_db_detachnode(qctx->zdb, &qctx->znode);
+ dns_db_detach(&qctx->zdb);
++ qctx->zversion = NULL;
+ }
+
+ if (qctx->event != NULL && !qctx->client->nodetach) {
+-- 
+2.40.1
+
diff --git a/SPECS/bind/bind.signatures.json b/SPECS/bind/bind.signatures.json
index f626188192..5a5e532fca 100644
--- a/SPECS/bind/bind.signatures.json
+++ b/SPECS/bind/bind.signatures.json
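Review bot: The new `qctx->zversion = NULL;` is only reached through the block that detaches `qctx->zdb` in `qctx_freedata()` (its opening condition is outside the hunk), so any other place in query.c that runs `dns_db_detach(&qctx->zdb)` without going through this helper would still leave `zversion` dangling; a grep for that call is cheap insurance. The pointer is cleared rather than closed, which is correct only if the version is owned elsewhere as the commit message implies, so a comment protects it from a well-meant `dns_db_closeversion()`: `/* zversion is not owned by qctx; drop the stale pointer together with zdb. */`. `qctx_freedata()` continues outside the hunk.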
@@ -1,19 +1,19 @@
 {
- "Signatures": {
- "generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422",
- "named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c",
- "named.conf.sample": "1807f11df688de4eb8cdcc97bd1a8863d81b03b1f24af96f3639de40bc8e538a",
- "named.empty": "44e2cc6e10328cd3604148763458978f547ee54c3ff46468944d535644fc6da1",
- "named.localhost": "9a2aa18c87202a691cc641f0c7e027dff3a2bb30917990f1b04c237e667530c8",
- "named.logrotate": "748dd5d967d309d69b44f5451e2ce9d982af1b62448182f38ff76e83e45a4d61",
- "named.loopback": "58a0c65ef763372a1d85e63766194526bfe19f496a413db40d9febea777ba4c9",
- "named.rfc1912.zones": "61d2e64b8523e7d83c7cf9908538bf74b2f8f6993d52d7ab9c56cad25c23a92a",
- "named.root": "36bf9aa06206b6b82c58a55ab74920d8901938e4cf79b754b239bb0e5dc0951c",
- "named.root.key": "2a91cc1a1c3dd805aa149d8df6d9849d5e2ac0ad2c2ed93ddaf0234358e8c383",
- "named.rwtab": "6a4c84b6709211d09f2d71491d4c66d1d4c0115a9db247a5ed2a9db10e575735",
- "named.sysconfig": "8f8eff846667b7811358e289e9fe594de17d0e47f2b8cebf7840ad8db7f34816",
- "setup-named-chroot.sh": "786fbc88c7929fadf217cf2286f2eb03b6fba14843e5da40ad43c0022dd71c3a",
- "setup-named-softhsm.sh": "3b243d9e48577acb95a08ae5dd7288c5eec4830bc02bd29b1f1724c497d12864",
- "bind-9.16.48.tar.xz": "8d3814582348f90dead1ad410b1019094cd399d3d83930abebb2b3b1eb0b2bbb"
- }
+ "Signatures": {
+ "bind-9.16.50.tar.xz": "816dbaa3c115019f30fcebd9e8ef8f7637f4adde91c79daa099b035255a15795",
+ "generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422",
+ "named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c",
+ "named.conf.sample": "1807f11df688de4eb8cdcc97bd1a8863d81b03b1f24af96f3639de40bc8e538a",
+ "named.empty": "44e2cc6e10328cd3604148763458978f547ee54c3ff46468944d535644fc6da1",
+ "named.localhost": "9a2aa18c87202a691cc641f0c7e027dff3a2bb30917990f1b04c237e667530c8",
+ "named.logrotate": "748dd5d967d309d69b44f5451e2ce9d982af1b62448182f38ff76e83e45a4d61",
+ "named.loopback": "58a0c65ef763372a1d85e63766194526bfe19f496a413db40d9febea777ba4c9",
+ "named.rfc1912.zones": "61d2e64b8523e7d83c7cf9908538bf74b2f8f6993d52d7ab9c56cad25c23a92a",
+ "named.root": "36bf9aa06206b6b82c58a55ab74920d8901938e4cf79b754b239bb0e5dc0951c",
+ "named.root.key": "2a91cc1a1c3dd805aa149d8df6d9849d5e2ac0ad2c2ed93ddaf0234358e8c383",
+ "named.rwtab": "6a4c84b6709211d09f2d71491d4c66d1d4c0115a9db247a5ed2a9db10e575735",
+ "named.sysconfig": "8f8eff846667b7811358e289e9fe594de17d0e47f2b8cebf7840ad8db7f34816",
+ "setup-named-chroot.sh": "786fbc88c7929fadf217cf2286f2eb03b6fba14843e5da40ad43c0022dd71c3a",
+ "setup-named-softhsm.sh": "3b243d9e48577acb95a08ae5dd7288c5eec4830bc02bd29b1f1724c497d12864"
+ }
 }
\ No newline at end of file
diff --git a/SPECS/bind/bind.spec b/SPECS/bind/bind.spec
index 44d31175ab..5dced892cb 100644
--- a/SPECS/bind/bind.spec
+++ b/SPECS/bind/bind.spec
@@ -9,7 +9,7 @@
 Summary: Domain Name System software
 Name: bind
-Version: 9.16.48
+Version: 9.16.50
 Release: 1%{?dist}
 License: ISC
 Vendor: Microsoft Corporation
@@ -33,6 +33,9 @@ Source14: setup-named-softhsm.sh
 Source15: named-chroot.files
 Patch9: bind-9.14-config-pkcs11.patch
 Patch10: bind-9.10-dist-native-pkcs11.patch
+Patch11: CVE-2024-1737.patch
+Patch12: CVE-2024-1975.patch
+Patch13: CVE-2024-4076.patch
 BuildRequires: gcc
 BuildRequires: json-c-devel
@@ -234,6 +237,9 @@ cp -r bin/dnssec{,-pkcs11}
 cp -r lib/dns{,-pkcs11}
 cp -r lib/ns{,-pkcs11}
 %patch10 -p1 -b .dist_pkcs11
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
 libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
@@ -613,6 +619,10 @@ fi;
 %{_mandir}/man8/named-nzd2nzf.8*
 %changelog
+* Tue Aug 06 2024 Muhammad Falak - 9.16.50-1
+- Bump version to 9.16.50
+- Introduce patch to address CVE-2024-1737, CVE-2024-1975 & CVE-2024-4076
+
 * Wed Feb 28 2024 CBL-Mariner Servicing Account - 9.16.48-1
 - Auto-upgrade to 9.16.48
 - Fix CVE-2023-50387
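Review bot: The three new lines `%patch11 -p1`, `%patch12 -p1` and `%patch13 -p1` in the %prep hunk run after `cp -r lib/dns{,-pkcs11}` and `cp -r lib/ns{,-pkcs11}`, yet the patches edit lib/dns/rbtdb.c, lib/dns/message.c, lib/ns/client.c and lib/ns/query.c (visible in the nested diffs above), so the `lib/dns-pkcs11` and `lib/ns-pkcs11` trees are copied from the unfixed sources. If the pkcs11 variants are built and shipped (the `bind-9.10-dist-native-pkcs11.patch` and `setup-named-softhsm.sh` sources suggest they are), those binaries stay vulnerable to CVE-2024-1737, CVE-2024-1975 and CVE-2024-4076 despite the changelog entry. Apply the three patches before `cp -r bin/dnssec{,-pkcs11}`, alongside the other non-pkcs11 patches, so both trees carry the fix. The changelog should also say that the CVE-2024-1975 patch removes SIG(0) request authentication, since that is a behaviour change for existing deployments. The %prep section continues outside the hunk.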
diff --git a/cgmanifest.json b/cgmanifest.json index e3227dca11..378467cf52 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -1097,8 +1097,8 @@ "type": "other", "other": { "name": "bind", - "version": "9.16.48", - "downloadUrl": "https://ftp.isc.org/isc/bind9/9.16.48/bind-9.16.48.tar.xz" + "version": "9.16.50", + "downloadUrl": "https://ftp.isc.org/isc/bind9/9.16.50/bind-9.16.50.tar.xz" } } }, From f911450e0a12035c82966b0b201a1445eb0a0fd9 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:43:59 -0700 Subject: [PATCH 31/43] [AUTO-CHERRYPICK] Patch CVE-2024-7006 in libtiff - branch main (#10154) Co-authored-by: aadhar-agarwal <108542189+aadhar-agarwal@users.noreply.github.com> Co-authored-by: Pawel Winogrodzki --- SPECS/libtiff/CVE-2024-7006.patch | 61 +++++++++++++++++++++++++++++++ SPECS/libtiff/libtiff.spec | 10 +++-- 2 files changed, 68 insertions(+), 3 deletions(-) create mode 100644 SPECS/libtiff/CVE-2024-7006.patch diff --git a/SPECS/libtiff/CVE-2024-7006.patch b/SPECS/libtiff/CVE-2024-7006.patch new file mode 100644 index 0000000000..9483210cdf --- /dev/null +++ b/SPECS/libtiff/CVE-2024-7006.patch 
@@ -0,0 +1,61 @@ +From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 1 Dec 2023 20:12:25 +0100 +Subject: [PATCH] Check return value of _TIFFCreateAnonField(). + +Fixes #624 +--- + libtiff/tif_dirinfo.c | 2 +- + libtiff/tif_dirread.c | 16 ++++++---------- + 2 files changed, 7 insertions(+), 11 deletions(-) + +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index 0e705e8..4cfdaad 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, + if (fld == NULL) + { + fld = _TIFFCreateAnonField(tif, tag, dt); +- if (!_TIFFMergeFields(tif, fld, 1)) ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + return NULL; + } + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 2c49dc6..78396c4 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4260,11 +4260,9 @@ int TIFFReadDirectory(TIFF *tif) + dp->tdir_tag, dp->tdir_tag); + /* the following knowingly leaks the + anonymous field structure */ +- if (!_TIFFMergeFields( +- tif, +- _TIFFCreateAnonField(tif, dp->tdir_tag, +- (TIFFDataType)dp->tdir_type), +- 1)) ++ const TIFFField *fld = _TIFFCreateAnonField( ++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + { + TIFFWarningExtR( + tif, module, +@@ -5138,11 +5136,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff, + "Unknown field with tag %" PRIu16 " (0x%" PRIx16 + ") encountered", + dp->tdir_tag, dp->tdir_tag); +- if (!_TIFFMergeFields( +- tif, +- _TIFFCreateAnonField(tif, dp->tdir_tag, +- (TIFFDataType)dp->tdir_type), +- 1)) ++ const TIFFField *fld = _TIFFCreateAnonField( ++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + { + TIFFWarningExtR(tif, module, + "Registering anonymous field with tag %" PRIu16 +-- +2.34.1 + 
diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec index 1e5a583c60..2cce57eca6 100644 --- a/SPECS/libtiff/libtiff.spec +++ b/SPECS/libtiff/libtiff.spec @@ -1,7 +1,7 @@ Summary: TIFF libraries and associated utilities. Name: libtiff Version: 4.6.0 -Release: 3%{?dist} +Release: 4%{?dist} License: libtiff Vendor: Microsoft Corporation Distribution: Mariner @@ -9,7 +9,8 @@ Group: System Environment/Libraries URL: https://gitlab.com/libtiff/libtiff Source0: https://gitlab.com/libtiff/libtiff/-/archive/v%{version}/libtiff-v%{version}.tar.gz Patch0: CVE-2023-52356.patch -Patch1: CVE-2023-6277.patch +Patch1: CVE-2024-7006.patch +Patch2: CVE-2023-6277.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: libjpeg-turbo-devel @@ -62,9 +63,12 @@ make %{?_smp_mflags} -k check %{_docdir}/* %changelog -* Wed Aug 07 2024 Sumedh Sharma - 4.6.0-3 +* Mon Aug 19 2024 Sumedh Sharma - 4.6.0-4 - Add patch to resolve CVE-2023-6277 +* Tue Aug 13 2024 Aadhar Agarwal - 4.6.0-3 +- Add patch for CVE-2024-7006 + * Thu Mar 7 2024 Xiaohong Deng - 4.6.0-2 - Add patches for CVE-2023-52356 From 1171ff9846b4c01291fe8b4dcb21421d7bb26291 Mon Sep 17 00:00:00 2001 
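Review bot: Renumbering the existing CVE-2023-6277.patch from Patch1 to Patch2 and slotting the new patch in as Patch1 changes the order the two patches apply in, and the diff adds no `%patch2` line to `%prep` (which lies outside these hunks). If `%prep` applies patches explicitly rather than via `%autosetup -p1`, CVE-2023-6277.patch silently stops being applied after this change; appending `Patch2: CVE-2024-7006.patch` and leaving `Patch1: CVE-2023-6277.patch` alone avoids both problems. The changelog is also rewritten rather than appended: the former 4.6.0-3 entry is moved to 4.6.0-4 and a new 4.6.0-3 entry dated Aug 13 is credited with CVE-2024-7006, so the recorded history no longer matches what 4.6.0-3 actually shipped; a plain new 4.6.0-4 entry naming CVE-2024-7006 would keep the record honest.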
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 19 Aug 2024 22:13:35 -0700 Subject: [PATCH 32/43] [AUTOPATCHER-kernel] Kernel CVE - branch main - CVE-2024-36901 CVE-2024-41007 CVE-2024-41009 CVE-2024-42225 CVE-2024-42229 CVE-2024-42224 CVE-2024-42223 CVE-2024-42157 CVE-2024-42161 CVE-2024-42154 CVE-2024-42244 CVE-2024-42153 CVE-2024-42236 CVE-2024-42232 CVE-2024-42247 CVE-2024-42152 (#10178) --- SPECS/kernel/CVE-2024-36901.nopatch | 3 +++ SPECS/kernel/CVE-2024-41007.nopatch | 3 +++ SPECS/kernel/CVE-2024-41009.nopatch | 3 +++ SPECS/kernel/CVE-2024-42152.nopatch | 3 +++ SPECS/kernel/CVE-2024-42153.nopatch | 3 +++ SPECS/kernel/CVE-2024-42154.nopatch | 3 +++ SPECS/kernel/CVE-2024-42157.nopatch | 3 +++ SPECS/kernel/CVE-2024-42161.nopatch | 3 +++ SPECS/kernel/CVE-2024-42223.nopatch | 3 +++ SPECS/kernel/CVE-2024-42224.nopatch | 3 +++ SPECS/kernel/CVE-2024-42225.nopatch | 3 +++ SPECS/kernel/CVE-2024-42229.nopatch | 3 +++ SPECS/kernel/CVE-2024-42232.nopatch | 3 +++ SPECS/kernel/CVE-2024-42236.nopatch | 3 +++ SPECS/kernel/CVE-2024-42244.nopatch | 3 +++ SPECS/kernel/CVE-2024-42247.nopatch | 3 +++ 16 files changed, 48 insertions(+) create mode 100644 SPECS/kernel/CVE-2024-36901.nopatch create mode 100644 SPECS/kernel/CVE-2024-41007.nopatch create mode 100644 SPECS/kernel/CVE-2024-41009.nopatch create mode 100644 SPECS/kernel/CVE-2024-42152.nopatch create mode 100644 SPECS/kernel/CVE-2024-42153.nopatch create mode 100644 SPECS/kernel/CVE-2024-42154.nopatch create mode 100644 SPECS/kernel/CVE-2024-42157.nopatch create mode 100644 SPECS/kernel/CVE-2024-42161.nopatch create mode 100644 SPECS/kernel/CVE-2024-42223.nopatch create mode 100644 SPECS/kernel/CVE-2024-42224.nopatch create mode 100644 SPECS/kernel/CVE-2024-42225.nopatch create mode 100644 SPECS/kernel/CVE-2024-42229.nopatch create mode 100644 SPECS/kernel/CVE-2024-42232.nopatch create mode 100644 SPECS/kernel/CVE-2024-42236.nopatch create mode 100644 SPECS/kernel/CVE-2024-42244.nopatch 
create mode 100644 SPECS/kernel/CVE-2024-42247.nopatch
diff --git a/SPECS/kernel/CVE-2024-36901.nopatch b/SPECS/kernel/CVE-2024-36901.nopatch
new file mode 100644
index 0000000000..e0567f4d34
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-36901.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-36901 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream 4db783d68b9b39a411a96096c10828ff5dfada7a - stable 2272e2db38f2e85929278146d7c770f22f528579
+
diff --git a/SPECS/kernel/CVE-2024-41007.nopatch b/SPECS/kernel/CVE-2024-41007.nopatch
new file mode 100644
index 0000000000..e81766c7cf
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-41007.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-41007 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream 97a9063518f198ec0adb2ecb89789de342bb8283 - stable 04317a2471c2f637b4c49cbd0e9c0d04a519f570
+
diff --git a/SPECS/kernel/CVE-2024-41009.nopatch b/SPECS/kernel/CVE-2024-41009.nopatch
new file mode 100644
index 0000000000..fdcd73ca73
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-41009.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-41009 - patched in 5.15.164.1 - (generated by autopatch tool)
+upstream cfa1a2329a691ffd991fcf7248a57d752e712881 - stable 0f98f40eb1ed52af8b81f61901b6c0289ff59de4
+
diff --git a/SPECS/kernel/CVE-2024-42152.nopatch b/SPECS/kernel/CVE-2024-42152.nopatch
new file mode 100644
index 0000000000..96d6226cf9
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42152.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42152 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4 - stable b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5
+
diff --git a/SPECS/kernel/CVE-2024-42153.nopatch b/SPECS/kernel/CVE-2024-42153.nopatch
new file mode 100644
index 0000000000..f2c5e64874
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42153.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42153 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream f63b94be6942ba82c55343e196bd09b53227618e - stable 3503372d0bf7b324ec0bd6b90606703991426176
+
diff --git a/SPECS/kernel/CVE-2024-42154.nopatch b/SPECS/kernel/CVE-2024-42154.nopatch
new file mode 100644
index 0000000000..d213a52010
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42154.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42154 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream 66be40e622e177316ae81717aa30057ba9e61dff - stable ef7c428b425beeb52b894e16f1c4b629d6cebfb6
+
diff --git a/SPECS/kernel/CVE-2024-42157.nopatch b/SPECS/kernel/CVE-2024-42157.nopatch
new file mode 100644
index 0000000000..46f7b6b9db
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42157.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42157 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream 1d8c270de5eb74245d72325d285894a577a945d9 - stable 4889f117755b2f18c23045a0f57977f3ec130581
+
diff --git a/SPECS/kernel/CVE-2024-42161.nopatch b/SPECS/kernel/CVE-2024-42161.nopatch
new file mode 100644
index 0000000000..83c21e9fa1
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42161.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42161 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream 009367099eb61a4fc2af44d4eb06b6b4de7de6db - stable 3364c2ed1c241989847f19cf83e3db903ce689e3
+
diff --git a/SPECS/kernel/CVE-2024-42223.nopatch b/SPECS/kernel/CVE-2024-42223.nopatch
new file mode 100644
index 0000000000..ac61e86f2a
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42223.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42223 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream 1aa1329a67cc214c3b7bd2a14d1301a795760b07 - stable bd5620439959a7e02012588c724c6ff5143b80af
+
diff --git a/SPECS/kernel/CVE-2024-42224.nopatch b/SPECS/kernel/CVE-2024-42224.nopatch
new file mode 100644
index 0000000000..3994766898
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42224.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42224 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b - stable 8c2c3cca816d074c75a2801d1ca0dea7b0148114
+
diff --git a/SPECS/kernel/CVE-2024-42225.nopatch b/SPECS/kernel/CVE-2024-42225.nopatch
new file mode 100644
index 0000000000..ba12bb96e0
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42225.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42225 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream 7f819a2f4fbc510e088b49c79addcf1734503578 - stable dc7f14d00d0c4c21898f3504607f4a31079065a2
+
diff --git a/SPECS/kernel/CVE-2024-42229.nopatch b/SPECS/kernel/CVE-2024-42229.nopatch
new file mode 100644
index 0000000000..775400b0be
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42229.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42229 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream 23e4099bdc3c8381992f9eb975c79196d6755210 - stable 71dd428615375e36523f4d4f7685ddd54113646d
+
diff --git a/SPECS/kernel/CVE-2024-42232.nopatch b/SPECS/kernel/CVE-2024-42232.nopatch
new file mode 100644
index 0000000000..4c6b497f17
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42232.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42232 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 - stable 20cf67dcb7db842f941eff1af6ee5e9dc41796d7
+
diff --git a/SPECS/kernel/CVE-2024-42236.nopatch b/SPECS/kernel/CVE-2024-42236.nopatch
new file mode 100644
index 0000000000..7110fbb571
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42236.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42236 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream 6d3c721e686ea6c59e18289b400cc95c76e927e0 - stable 72b8ee0d9826e8ed00e0bdfce3e46b98419b37ce
+
diff --git a/SPECS/kernel/CVE-2024-42244.nopatch b/SPECS/kernel/CVE-2024-42244.nopatch
new file mode 100644
index 0000000000..03ddace4c2
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42244.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42244 - patched in 5.15.163.1 - (generated by autopatch tool)
+upstream c15a688e49987385baa8804bf65d570e362f8576 - stable b14aa5673e0a8077ff4b74f0bb260735e7d5e6a4
+
diff --git a/SPECS/kernel/CVE-2024-42247.nopatch b/SPECS/kernel/CVE-2024-42247.nopatch new file mode 100644 index 0000000000..18596917fc --- /dev/null +++ b/SPECS/kernel/CVE-2024-42247.nopatch @@ -0,0 +1,3 @@ +CVE-2024-42247 - patched in 5.15.163.1 - (generated by autopatch tool) +upstream 948f991c62a4018fb81d85804eeab3029c6209f8 - stable b4764f0ad3d68de8a0b847c05f427afb86dd54e6 + From bb4e1dc0065e3274e312dabf27c4db5066e6d7cf Mon Sep 17 00:00:00 2001 From: AZaugg Date: Tue, 20 Aug 2024 21:12:32 -0700 Subject: [PATCH 33/43] Add new package: Mosh to spec-extended (#8976) Signed-off-by: Chris Co Co-authored-by: Chris Co --- SPECS-EXTENDED/mosh/mosh.signatures.json | 5 + SPECS-EXTENDED/mosh/mosh.spec | 226 ++++++++++++++++++ SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md | 2 +- SPECS/LICENSES-AND-NOTICES/data/licenses.json | 1 + cgmanifest.json | 10 + 5 files changed, 243 insertions(+), 1 deletion(-) create mode 100644 SPECS-EXTENDED/mosh/mosh.signatures.json create mode 100644 SPECS-EXTENDED/mosh/mosh.spec diff --git a/SPECS-EXTENDED/mosh/mosh.signatures.json b/SPECS-EXTENDED/mosh/mosh.signatures.json new file mode 100644 index 0000000000..362fd010eb --- /dev/null +++ b/SPECS-EXTENDED/mosh/mosh.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "mosh-1.4.0.tar.gz": "872e4b134e5df29c8933dff12350785054d2fd2839b5ae6b5587b14db1465ddd" + } +} diff --git a/SPECS-EXTENDED/mosh/mosh.spec b/SPECS-EXTENDED/mosh/mosh.spec new file mode 100644 index 0000000000..8c71b2f904 --- /dev/null +++ b/SPECS-EXTENDED/mosh/mosh.spec 
@@ -0,0 +1,226 @@ +Name: mosh +Version: 1.4.0 +Release: 6%{?dist} +Summary: Mobile shell that supports roaming and intelligent local echo +Vendor: Microsoft Corporation +Distribution: Mariner + +License: GPLv3+ +URL: https://mosh.mit.edu/ +Source0: https://github.com/mobile-shell/mosh/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz + +BuildRequires: libutempter-devel +BuildRequires: ncurses-devel +BuildRequires: openssl-devel +BuildRequires: perl-diagnostics +BuildRequires: perl-generators +BuildRequires: protobuf-compiler +BuildRequires: protobuf-devel +BuildRequires: zlib-devel +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: make +Requires: openssh-clients +Requires: openssl +Requires: perl-IO-Socket-IP + +%description +Mosh is a remote terminal application that supports: + - intermittent network connectivity, + - roaming to different IP address without dropping the connection, and + - intelligent local echo and line editing to reduce the effects + of "network lag" on high-latency connections. 
+ + +%prep +%setup -q + + +%build +%configure --disable-silent-rules CC=gcc CXX=g++ +%make_build + + +%install +%make_install + + +%files +%doc README.md ChangeLog +%license COPYING +%{_bindir}/mosh +%{_bindir}/mosh-client +%{_bindir}/mosh-server +%{_mandir}/man1/mosh.1.gz +%{_mandir}/man1/mosh-client.1.gz +%{_mandir}/man1/mosh-server.1.gz + + +%changelog +* Sun Aug 11 2024 Chris Co - 1.4.0-6 +- Initial CBL-Mariner import from Fedora 40 (license: MIT) +- License verified + +* Thu Jan 25 2024 Fedora Release Engineering - 1.4.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 1.4.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Jul 20 2023 Fedora Release Engineering - 1.4.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jan 19 2023 Fedora Release Engineering - 1.4.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Wed Oct 26 2022 Alex Chernyakhovsky - 1.4.0-1 +- Update to mosh 1.4.0 + +* Thu Jul 21 2022 Fedora Release Engineering - 1.3.2-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Tue Apr 05 2022 Michal Josef Špaček - 1.3.2-14 +- Remove dependency to obsolete IO::Socket::INET6 + +* Thu Jan 20 2022 Fedora Release Engineering - 1.3.2-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Sat Nov 06 2021 Adrian Reber - 1.3.2-12 +- Rebuilt for protobuf 3.19.0 + +* Tue Oct 26 2021 Adrian Reber - 1.3.2-11 +- Rebuilt for protobuf 3.18.1 + +* Tue Sep 14 2021 Sahana Prasad - 1.3.2-10 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Jul 22 2021 Fedora Release Engineering - 1.3.2-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Fedora Release Engineering - 1.3.2-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Jan 14 08:32:44 CET 2021 Adrian Reber - 1.3.2-7 +- Rebuilt for protobuf 3.14 + +* Thu Sep 
24 2020 Adrian Reber - 1.3.2-6 +- Rebuilt for protobuf 3.13 + +* Tue Jul 28 2020 Fedora Release Engineering - 1.3.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sun Jun 14 2020 Adrian Reber - 1.3.2-4 +- Rebuilt for protobuf 3.12 + +* Wed Jan 29 2020 Fedora Release Engineering - 1.3.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Dec 19 2019 Orion Poplawski - 1.3.2-2 +- Rebuild for protobuf 3.11 + +* Sun Sep 22 2019 Alex Chernyakhovsky - 1.3.2-1 +- Update to mosh 1.3.2 + +* Thu Jul 25 2019 Fedora Release Engineering - 1.3.0-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 1.3.0-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Nov 21 2018 Igor Gnatenko - 1.3.0-9 +- Rebuild for protobuf 3.6 + +* Fri Jul 13 2018 Fedora Release Engineering - 1.3.0-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Feb 08 2018 Fedora Release Engineering - 1.3.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Nov 29 2017 Igor Gnatenko - 1.3.0-6 +- Rebuild for protobuf 3.5 + +* Mon Nov 13 2017 Igor Gnatenko - 1.3.0-5 +- Rebuild for protobuf 3.4 + +* Thu Aug 03 2017 Fedora Release Engineering - 1.3.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1.3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jun 13 2017 Orion Poplawski - 1.3.0-2 +- Rebuild for protobuf 3.3.1 + +* Sun Mar 26 2017 Alex Chernyakhovsky - 1.3.0-1 +- Update to mosh 1.3.0 + +* Fri Feb 10 2017 Fedora Release Engineering - 1.2.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Jan 26 2017 Orion Poplawski - 1.2.6-3 +- Rebuild for protobuf 3.2.0 + +* Sat Nov 19 2016 Orion Poplawski - 1.2.6-2 +- Rebuild for protobuf 3.1.0 + +* Wed Aug 10 2016 Alex 
Chernyakhovsky - 1.2.6-1 +- Update to mosh 1.2.6 + +* Mon Feb 08 2016 Ralf Corsépius - 1.2.5-3 +- Let package honor RPM_OPT_FLAGS (Fix F24FTBFS). +- Add %%license. +- Make building verbose. + +* Thu Feb 04 2016 Fedora Release Engineering - 1.2.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Aug 6 2015 Alex Chernyakhovsky - 1.2.5-1 +- Update to mosh 1.2.5 + +* Wed Jun 17 2015 Fedora Release Engineering - 1.2.4-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sun Apr 26 2015 Alex Chernyakhovsky - 1.2.4-6 +- Rebuild for protobuf version bump. + +* Sun Aug 17 2014 Fedora Release Engineering - 1.2.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 1.2.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Aug 03 2013 Fedora Release Engineering - 1.2.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 17 2013 Petr Pisar - 1.2.4-2 +- Perl 5.18 rebuild + +* Wed Mar 27 2013 Alexander Chernyakhovsky - 1.2.4-1 +- Update to mosh 1.2.4 + +* Sun Mar 10 2013 Alexander Chernyakhovsky - 1.2.3-3 +- Rebuilt for Protobuf API change from 2.4.1 to 2.5.0 + +* Thu Feb 14 2013 Fedora Release Engineering - 1.2.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Oct 19 2012 Alexander Chernyakhovsky - 1.2.3-1 +- Update to mosh 1.2.3 + +* Fri Jul 20 2012 Fedora Release Engineering - 1.2.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jun 13 2012 Alexander Chernyakhovsky - 1.2.2-1 +- Update to mosh 1.2.2 + +* Sat Apr 28 2012 Alexander Chernyakhovsky - 1.2-2 +- Add -g and -O2 CFLAGS + +* Fri Apr 27 2012 Alexander Chernyakhovsky - 1.2-1 +- Update to mosh 1.2. + +* Mon Mar 26 2012 Alexander Chernyakhovsky - 1.1.1-1 +- Update to mosh 1.1.1. + +* Wed Mar 21 2012 Alexander Chernyakhovsky - 1.1-1 +- Initial packaging for mosh. 
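Review bot: The new mosh.spec has no `%check` section, so none of upstream's tests run at build time, even though the imported changelog shows this package being rebuilt on every protobuf and OpenSSL bump — exactly the ABI churn a build-time smoke test would catch. If upstream's `make check` target can run in the build chroot, adding `%check` followed by `%make_build check` (plus any BuildRequires its harness needs) is cheap; if it cannot, a one-line comment in the spec saying why is better than leaving it out silently. The `%build` line also hard-codes `CC=gcc CXX=g++` on top of `%configure`; if that override is not needed for a specific configure failure it could be dropped so the distro's toolchain macros stay in control.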
diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md index 7933279b94..aae573b205 100644 --- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md +++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md @@ -5,7 +5,7 @@ The CBL-Mariner SPEC files originated from a variety of sources with varying lic | CentOS | [MIT](https://www.centos.org/legal/#licensing-policy) | crash-ptdump-command
delve
fstrm
nodejs-nodemon
rhnlib
rt-setup
rt-tests
rtctl
tuned | | Ceph source | [LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1) | ceph | | Debian | [MIT](https://opensource.org/licenses/MIT) | prometheus-process-exporter | -| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
argparse-manpage
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bogofilter
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
containernetworking-plugins
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
double-conversion
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
evemu
execstack
exempi
exiv2
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fapolicyd
fdk-aac-free
fdupes
fence-virt
fetchmail
fftw
filebench
fio
fipscheck
firewalld
fish
flac
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fxload
gavl
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
giflib
gl-manpages
glew
glm
glog
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kexec-tools
keybinder3
keycloak-httpd-client-install
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbi-drivers
libdbusmenu
libdc1394
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libewf
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtraceevent
libtranslit
libucil
libunicap
libuninameslist
liburing
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunit
lua-rpm-macros
lua-term
luajit
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
moreutils
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
multilib-rpm-config
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvmetcli
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-migrate-parsetree
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-ppx-derivers
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-stdio
ocaml-topkg
ocaml-tyxml
ocaml-uuidm
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
opus
opusfile
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-Time-Duration
perl-TimeDate
perl-Tree-DAG_Node
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus
prometheus-node-exporter
ps_mem
psacct
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-argcomplete
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-cached_property
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-package-handling
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fields
python-filelock
python-fixtures
python-flake8
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-junit-xml
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-markdown
python-mccabe
python-memcached
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-process-tests
python-productmd
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-redis
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rpm-generators
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-sniffio
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-typing-extensions
python-uamqp
python-unittest2
python-uritemplate
python-urwid
python-varlink
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xmltodict
python-yubico
python-zipp
python-zmq
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt5-qtbase
qt5-qtconnectivity
qt5-qtdeclarative
qt5-qtsensors
qt5-qtserialport
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
quagga
quota
quotatool
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
redland
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-thread_order
rusers
rust-cbindgen
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
SDL
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
sendmail
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stunnel
subscription-manager
suitesparse
SuperLU
supermin
switcheroo-control
symlinks
sympy
sysfsutils
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
tpm-quote-tools
tpm-tools
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
virtiofsd
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
z3
zenity
zerofree
zfs-fuse
zipper
zopfli
zziplib |
+| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
argparse-manpage
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bogofilter
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
containernetworking-plugins
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
double-conversion
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
evemu
execstack
exempi
exiv2
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fapolicyd
fdk-aac-free
fdupes
fence-virt
fetchmail
fftw
filebench
fio
fipscheck
firewalld
fish
flac
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fxload
gavl
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
giflib
gl-manpages
glew
glm
glog
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kexec-tools
keybinder3
keycloak-httpd-client-install
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbi-drivers
libdbusmenu
libdc1394
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libewf
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtraceevent
libtranslit
libucil
libunicap
libuninameslist
liburing
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunit
lua-rpm-macros
lua-term
luajit
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
moreutils
mosh
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
multilib-rpm-config
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvmetcli
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-migrate-parsetree
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-ppx-derivers
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-stdio
ocaml-topkg
ocaml-tyxml
ocaml-uuidm
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
opus
opusfile
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-Time-Duration
perl-TimeDate
perl-Tree-DAG_Node
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus
prometheus-node-exporter
ps_mem
psacct
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-argcomplete
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-cached_property
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-package-handling
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fields
python-filelock
python-fixtures
python-flake8
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-junit-xml
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-markdown
python-mccabe
python-memcached
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-process-tests
python-productmd
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-redis
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rpm-generators
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-sniffio
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-typing-extensions
python-uamqp
python-unittest2
python-uritemplate
python-urwid
python-varlink
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xmltodict
python-yubico
python-zipp
python-zmq
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt5-qtbase
qt5-qtconnectivity
qt5-qtdeclarative
qt5-qtsensors
qt5-qtserialport
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
quagga
quota
quotatool
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
redland
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-thread_order
rusers
rust-cbindgen
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
SDL
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
sendmail
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stunnel
subscription-manager
suitesparse
SuperLU
supermin
switcheroo-control
symlinks
sympy
sysfsutils
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
tpm-quote-tools
tpm-tools
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
virtiofsd
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
z3
zenity
zerofree
zfs-fuse
zipper
zopfli
zziplib | | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq | | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | diff --git a/SPECS/LICENSES-AND-NOTICES/data/licenses.json b/SPECS/LICENSES-AND-NOTICES/data/licenses.json index 1757165987..4825eaf884 100644 --- a/SPECS/LICENSES-AND-NOTICES/data/licenses.json +++ b/SPECS/LICENSES-AND-NOTICES/data/licenses.json @@ -909,6 +909,7 @@ "mod_wsgi", "mokutil", "moreutils", + "mosh", "mpage", "mrtg", "mstflint", diff --git a/cgmanifest.json b/cgmanifest.json index 378467cf52..2b796ece79 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -13548,6 +13548,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "mosh", + "version": "1.4.0", + "downloadUrl": "https://github.com/mobile-shell/mosh/releases/download/mosh-1.4.0/mosh-1.4.0.tar.gz" + } + } + }, { "component": { "type": "other", From f871a79a43b346e097aca8a21f9ce7f44156e062 Mon Sep 17 00:00:00 2001 From: aadhar-agarwal <108542189+aadhar-agarwal@users.noreply.github.com> Date: Wed, 21 Aug 2024 10:51:00 -0700 Subject: [PATCH 34/43] Add patch for CVE-2024-43168 in unbound (#10157) --- SPECS/unbound/CVE-2024-43168.patch | 25 +++++++++++++++++++++++++ SPECS/unbound/unbound.spec | 6 +++++- 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 SPECS/unbound/CVE-2024-43168.patch diff --git a/SPECS/unbound/CVE-2024-43168.patch b/SPECS/unbound/CVE-2024-43168.patch new file mode 100644 index 0000000000..280dbee1d9 --- /dev/null +++ b/SPECS/unbound/CVE-2024-43168.patch 
@@ -0,0 +1,25 @@ +From 193401e7543a1e561dd634a3eaae932fa462a2b9 Mon Sep 17 00:00:00 2001 +From: zhailiangliang +Date: Wed, 3 Apr 2024 15:40:58 +0800 +Subject: [PATCH] fix heap-buffer-overflow issue in function cfg_mark_ports of + file util/config_file.c + +--- + util/config_file.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/util/config_file.c b/util/config_file.c +index 26185da02..e7b2f1959 100644 +--- a/util/config_file.c ++++ b/util/config_file.c +@@ -1761,6 +1761,10 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num) + #endif + if(!mid) { + int port = atoi(str); ++ if(port < 0) { ++ log_err("Prevent out-of-bounds access to array avail"); ++ return 0; ++ } + if(port == 0 && strcmp(str, "0") != 0) { + log_err("cannot parse port number '%s'", str); + return 0; diff --git a/SPECS/unbound/unbound.spec b/SPECS/unbound/unbound.spec index 4acc01c254..33755c716f 100644 --- a/SPECS/unbound/unbound.spec +++ b/SPECS/unbound/unbound.spec @@ -1,7 +1,7 @@ Summary: unbound dns server Name: unbound Version: 1.19.1 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -9,6 +9,7 @@ Group: System/Servers URL: https://nlnetlabs.nl/projects/unbound/about/ Source0: https://github.com/nlnetlabs/%{name}/archive/release-%{version}.tar.gz#/%{name}-release-%{version}.tar.gz Source1: %{name}.service +Patch0: CVE-2024-43168.patch BuildRequires: expat-devel BuildRequires: libevent-devel BuildRequires: python3-devel @@ -96,6 +97,9 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ %{_mandir}/* %changelog +* Thu Aug 15 2024 Aadhar Agarwal - 1.19.1-2 +- Add patch to fix CVE-2024-43168 + * Wed Feb 28 2024 CBL-Mariner Servicing Account - 1.19.1-1 - Auto-upgrade to 1.19.1 - Fix CVE-2023-50387 From a3fedc41d073cfe4f3cd31af49ba2e644a7ed605 Mon Sep 17 00:00:00 2001 
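Review bot: The new `port < 0` guard still takes its value from `atoi(str)`, which reports no error and has undefined behaviour on overflow, so a string such as `99999999999` can yield an arbitrary int, and the following `port == 0 && strcmp(str, "0") != 0` test only catches fully non-numeric input; any upper bound against `num` has to come from code below this hunk, which is not visible here. Replacing `atoi` with `strtol` and doing the sign, trailing-garbage, overflow and `num` bound checks in one place closes all of those paths and subsumes both existing checks (it needs `errno.h`, which util/config_file.c may already include). The added message `"Prevent out-of-bounds access to array avail"` reads as a code comment rather than an operator-facing diagnostic and should name the offending value as the neighbouring error does. `cfg_mark_ports` begins and ends outside the hunk.
```c
	if(!mid) {
		char* end = NULL;
		long port;
		errno = 0;
		port = strtol(str, &end, 10);
		if(end == str || *end != '\0' || errno == ERANGE
			|| port < 0 || port >= num) {
			log_err("port number '%s' is not in range 0..%d", str, num - 1);
			return 0;
		}
		/* … unchanged: remainder of the if(!mid) body … */
```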
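Review bot: `Patch0: CVE-2024-43168.patch` is declared in the `@@ -9,6 +9,7 @@` hunk, but no `%patch0` line is added and the `%prep` section is not part of this diff, so unless that section already uses `%autosetup -p1` the patch is declared without ever being applied and the package would be marked fixed while still carrying the overflow; python3.spec in this same series shows the explicit `%patch3 -p1` form. If `%prep` uses plain `%setup`, add `%patch0 -p1` after it, and a quick `rpmbuild -bp` to confirm the guard lands in util/config_file.c is worth the minute.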
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 23 Aug 2024 11:37:02 -0700 Subject: [PATCH 35/43] [AUTO-CHERRYPICK] Bump frr to 8.5.5 to fix CVE-2024-31950 & CVE-2024-31951 - branch main (#10214) Co-authored-by: Sumynwa --- SPECS/frr/frr.signatures.json | 2 +- SPECS/frr/frr.spec | 13 ++++++------- cgmanifest.json | 4 ++-- 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/SPECS/frr/frr.signatures.json b/SPECS/frr/frr.signatures.json index bc6c22159a..a3358ec8ba 100644 --- a/SPECS/frr/frr.signatures.json +++ b/SPECS/frr/frr.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "frr-8.5.3.tar.gz": "5f0d9e47e2621ad01307764df8a228ed0a4ae18f58e8912d638cb8db2c072d78", + "frr-8.5.5.tar.gz": "efa3a834c4fae6de9144a20d16f3ef5f0aa66f5b171f168413eec725ce269d5f", "frr-sysusers.conf": "c6f5a54402aa5f11e21dac3bd0e6cdeadfbf7937e9b34775b5fd368a9ca96fa4", "frr-tmpfiles.conf": "edd7b01b11f2be66bb6b4531496d1eaf6536add9f4b549c659b27f5a32cdc512" } diff --git a/SPECS/frr/frr.spec b/SPECS/frr/frr.spec index e4f51e3c90..dbb9f83a9e 100644 --- a/SPECS/frr/frr.spec +++ b/SPECS/frr/frr.spec @@ -2,8 +2,8 @@ Summary: Routing daemon Name: frr -Version: 8.5.3 -Release: 6%{?dist} +Version: 8.5.5 +Release: 1%{?dist} License: GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Mariner @@ -16,11 +16,6 @@ Patch1: 0001-enable-openssl.patch Patch2: 0002-disable-eigrp-crypto.patch Patch3: 0003-fips-mode.patch Patch4: 0004-remove-grpc-test.patch -Patch5: CVE-2023-46752.patch -Patch6: CVE-2023-46753.patch -Patch7: CVE-2023-47235.patch -Patch8: CVE-2023-47234.patch -Patch9: CVE-2024-34088.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison 
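Review bot: The `Patch5`–`Patch9` lines are dropped from the spec, but the diffstat lists only frr.signatures.json, frr.spec and cgmanifest.json, so CVE-2023-46752.patch, CVE-2023-46753.patch, CVE-2023-47235.patch, CVE-2023-47234.patch and CVE-2024-34088.patch appear to stay behind in SPECS/frr as orphaned files that nothing references. Unless they are kept deliberately, `git rm` them in the same change so the directory matches the spec. Before that, confirm against the 8.5.5 release notes that each of those five CVEs is indeed fixed in the new tarball, since the changelog entry only states that the patches are "present in sources".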
@@ -202,6 +197,10 @@ rm tests/lib/*grpc* %{_sysusersdir}/%{name}.conf %changelog +* Tue Aug 06 2024 Sumedh Sharma - 8.5.5-1 +- Bump version to fix CVE-2024-31950 & CVE-2024-31951 +- Remove patches present in sources + * Fri May 03 2024 Henry Beberman - 8.5.3-6 - Patch CVE-2024-34088 - Remove CVE-2024-27913 patch since it's replaced by the CVE-2024-34088 patch diff --git a/cgmanifest.json b/cgmanifest.json index 2b796ece79..17a2156f4f 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -3930,8 +3930,8 @@ "type": "other", "other": { "name": "frr", - "version": "8.5.3", - "downloadUrl": "https://github.com/FRRouting/frr/archive/refs/tags/frr-8.5.3.tar.gz" + "version": "8.5.5", + "downloadUrl": "https://github.com/FRRouting/frr/archive/refs/tags/frr-8.5.5.tar.gz" } } }, From f056ffd982fdd5605945a931bdeee836ce48bdf7 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 23 Aug 2024 11:38:17 -0700 Subject: [PATCH 36/43] [AUTO-CHERRYPICK] Set ptest retries to 1 for PR package build check. - branch main (#10215) Co-authored-by: Pawel Winogrodzki --- .pipelines/prchecks/PackageBuildPRCheck.yml | 1 + .pipelines/templates/PackageBuild.yml | 17 +++++++++++++---- toolkit/Makefile | 4 ++-- toolkit/scripts/pkggen.mk | 4 ++-- .../scheduler/schedulerutils/buildworker.go | 2 +- 5 files changed, 19 insertions(+), 9 deletions(-) diff --git a/.pipelines/prchecks/PackageBuildPRCheck.yml b/.pipelines/prchecks/PackageBuildPRCheck.yml index 4ddd05ce43..0bae726732 100644 --- a/.pipelines/prchecks/PackageBuildPRCheck.yml +++ b/.pipelines/prchecks/PackageBuildPRCheck.yml @@ -107,6 +107,7 @@ extends: steps: - template: .pipelines/templates/PackageBuild.yml@self parameters: + checkBuildRetries: "1" customToolchainArtifactName: $(toolchainArtifactName) isCheckBuild: true isQuickRebuildPackages: true diff --git a/.pipelines/templates/PackageBuild.yml b/.pipelines/templates/PackageBuild.yml index 02964e0bc7..ca3038450a 100644 
--- a/.pipelines/templates/PackageBuild.yml +++ b/.pipelines/templates/PackageBuild.yml @@ -6,6 +6,10 @@ parameters: type: string default: "$(Build.SourcesDirectory)" + - name: checkBuildRetries + type: string + default: "" + - name: concurrentPackageBuilds type: number default: 12 @@ -22,10 +26,6 @@ parameters: type: string default: "" - - name: testRerunList - type: string - default: "" - - name: failOnTestFailures type: boolean default: true @@ -125,6 +125,10 @@ parameters: type: string default: "" + - name: testRerunList + type: string + default: "" + - name: testSuiteName type: string default: "Package test" @@ -176,6 +180,10 @@ steps: displayName: "Populate cache RPMs" - script: | + if [[ -n "${{ parameters.checkBuildRetries }}" ]]; then + check_build_retries_arg="CHECK_BUILD_RETRIES=${{ parameters.checkBuildRetries }}" + fi + if [[ ${{ parameters.isDeltaBuild }} == "true" ]]; then delta_fetch_arg="DELTA_FETCH=y" elif [[ ${{ parameters.isDeltaBuild }} == "false" ]]; then @@ -217,6 +225,7 @@ steps: SPECS_DIR="${{ parameters.buildRepoRoot }}/${{ parameters.specsFolderPath }}" \ SRPM_PACK_LIST="${{ parameters.srpmPackList }}" \ TEST_RERUN_LIST="${{ parameters.testRerunList }}" \ + $check_build_retries_arg \ $delta_fetch_arg \ $max_cascading_rebuilds_arg \ $quick_rebuild_packages_arg \ diff --git a/toolkit/Makefile b/toolkit/Makefile index cd71b90273..a0e9baba00 100644 --- a/toolkit/Makefile +++ b/toolkit/Makefile @@ -53,8 +53,8 @@ PACKAGE_CACHE_SUMMARY ?= IMAGE_CACHE_SUMMARY ?= INITRD_CACHE_SUMMARY ?= PACKAGE_ARCHIVE ?= -PACKAGE_BUILD_RETRIES ?= 1 -CHECK_BUILD_RETRIES ?= 1 +PACKAGE_BUILD_RETRIES ?= 0 +CHECK_BUILD_RETRIES ?= 0 EXTRA_BUILD_LAYERS ?= 0 REFRESH_WORKER_CHROOT ?= y # Set to 0 to use the number of logical CPUs. diff --git a/toolkit/scripts/pkggen.mk b/toolkit/scripts/pkggen.mk index 41beca8e90..15f71eca74 100644 --- a/toolkit/scripts/pkggen.mk +++ b/toolkit/scripts/pkggen.mk 
@@ -285,8 +285,8 @@ $(STATUS_FLAGS_DIR)/build-rpms.flag: $(no_repo_acl) $(preprocessed_file) $(chroo --distro-release-version="$(RELEASE_VERSION)" \ --distro-build-number="$(BUILD_NUMBER)" \ --rpmmacros-file="$(TOOLCHAIN_MANIFESTS_DIR)/macros.override" \ - --build-attempts="$(PACKAGE_BUILD_RETRIES)" \ - --check-attempts="$(CHECK_BUILD_RETRIES)" \ + --build-attempts="$$(($(PACKAGE_BUILD_RETRIES)+1))" \ + --check-attempts="$$(($(CHECK_BUILD_RETRIES)+1))" \ $(if $(MAX_CASCADING_REBUILDS),--max-cascading-rebuilds="$(MAX_CASCADING_REBUILDS)") \ --extra-layers="$(EXTRA_BUILD_LAYERS)" \ --build-agent="chroot-agent" \ diff --git a/toolkit/tools/scheduler/schedulerutils/buildworker.go b/toolkit/tools/scheduler/schedulerutils/buildworker.go index 55591cbb88..d6a3ce5a21 100644 --- a/toolkit/tools/scheduler/schedulerutils/buildworker.go +++ b/toolkit/tools/scheduler/schedulerutils/buildworker.go @@ -312,7 +312,7 @@ func testSRPMFile(agent buildagents.BuildAgent, checkAttempts int, basePackageNa }, checkAttempts, retryDuration) if checkFailed { - logger.Log.Debugf("Tests failed for '%s' after %d retries.", basePackageName, checkAttempts) + logger.Log.Debugf("Tests failed for '%s' after %d attempt(s).", basePackageName, checkAttempts) err = nil } return From 54b7e86fd177984f20a321b635aa869d97f2bdba Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 23 Aug 2024 11:38:46 -0700 Subject: [PATCH 37/43] [AUTO-CHERRYPICK] python3: CVE-2024-7592 (mariner 2) - branch main (#10223) Co-authored-by: bfjelds --- SPECS/python3/CVE-2024-7592.patch | 226 ++++++++++++++++++ SPECS/python3/python3.spec | 7 +- .../manifests/package/pkggen_core_aarch64.txt | 8 +- .../manifests/package/pkggen_core_x86_64.txt | 8 +- .../manifests/package/toolchain_aarch64.txt | 18 +- .../manifests/package/toolchain_x86_64.txt | 18 +- 6 files changed, 258 insertions(+), 27 deletions(-) create mode 100644 SPECS/python3/CVE-2024-7592.patch 
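Review bot: `$$(($(PACKAGE_BUILD_RETRIES)+1))` and `$$(($(CHECK_BUILD_RETRIES)+1))` hand unvalidated make variables to shell arithmetic: a non-numeric value such as `abc` is treated as an unset shell variable and silently becomes one attempt, and in bash an arithmetic expression can evaluate array subscripts and nested expansions, so a malformed value arriving through the pipeline parameter is interpreted rather than rejected. A POSIX guard earlier in the recipe, e.g. `case "$(PACKAGE_BUILD_RETRIES)$(CHECK_BUILD_RETRIES)" in ''|*[!0-9]*) echo "PACKAGE_BUILD_RETRIES/CHECK_BUILD_RETRIES must be non-negative integers" >&2; exit 1;; esac`, fails fast with a clear message. The recipe for `build-rpms.flag` starts outside the hunk, so the guard needs to be placed at the top of that rule rather than in the lines shown.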
diff --git a/SPECS/python3/CVE-2024-7592.patch b/SPECS/python3/CVE-2024-7592.patch new file mode 100644 index 0000000000..10de974971 --- /dev/null +++ b/SPECS/python3/CVE-2024-7592.patch 
@@ -0,0 +1,226 @@ +From 04ac47b343b10f2182c4b3730d4be241b2397a4d Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Fri, 16 Aug 2024 19:13:37 +0300 +Subject: [PATCH 1/4] gh-123067: Fix quadratic complexity in parsing cookies + with backslashes + +This fixes CVE-2024-7592. +--- + Lib/http/cookies.py | 34 ++++------------- + Lib/test/test_http_cookies.py | 38 +++++++++++++++++++ + ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 1 + + 3 files changed, 47 insertions(+), 26 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index 351faf428a20cd..11a67e8a2e008b 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -184,8 +184,12 @@ def _quote(str): + return '"' + str.translate(_Translator) + '"' + + +-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]") +-_QuotePatt = re.compile(r"[\\].") ++_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))') ++def _unquote_replace(m): ++ if m[1]: ++ return chr(int(m[1], 8)) ++ else: ++ return m[2] + + def _unquote(str): + # If there aren't any doublequotes, +@@ -205,30 +209,8 @@ def _unquote(str): + # \012 --> \n + # \" --> " + # +- i = 0 +- n = len(str) +- res = [] +- while 0 <= i < n: +- o_match = _OctalPatt.search(str, i) +- q_match = _QuotePatt.search(str, i) +- if not o_match and not q_match: # Neither matched +- res.append(str[i:]) +- break +- # else: +- j = k = -1 +- if o_match: +- j = o_match.start(0) +- if q_match: +- k = q_match.start(0) +- if q_match and (not o_match or k < j): # QuotePatt matched +- res.append(str[i:k]) +- res.append(str[k+1]) +- i = k + 2 +- else: # OctalPatt matched +- res.append(str[i:j]) +- res.append(chr(int(str[j+1:j+4], 8))) +- i = j + 4 +- return _nulljoin(res) ++ ++ return _unquote_re.sub(_unquote_replace, str) + + # The _getdate() routine is used to set the expiration time in the cookie's HTTP + # header. 
By default, _getdate() returns the current time in the appropriate +diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py +index 925c8697f60de6..13b526d49b0856 100644 +--- a/Lib/test/test_http_cookies.py ++++ b/Lib/test/test_http_cookies.py +@@ -5,6 +5,7 @@ + import unittest + from http import cookies + import pickle ++from test import support + + + class CookieTests(unittest.TestCase): +@@ -58,6 +59,43 @@ def test_basic(self): + for k, v in sorted(case['dict'].items()): + self.assertEqual(C[k].value, v) + ++ def test_unquote(self): ++ cases = [ ++ (r'a="b=\""', 'b="'), ++ (r'a="b=\\"', 'b=\\'), ++ (r'a="b=\="', 'b=\\='), ++ (r'a="b=\n"', 'b=\\n'), ++ (r'a="b=\042"', 'b="'), ++ (r'a="b=\134"', 'b=\\'), ++ (r'a="b=\377"', 'b=\xff'), ++ (r'a="b=\400"', 'b=\\400'), ++ (r'a="b=\42"', 'b=\\42'), ++ (r'a="b=\\042"', 'b=\\042'), ++ (r'a="b=\\134"', 'b=\\134'), ++ (r'a="b=\\\""', 'b=\\"'), ++ (r'a="b=\\\042"', 'b=\\"'), ++ (r'a="b=\134\""', 'b=\\"'), ++ (r'a="b=\134\042"', 'b=\\"'), ++ ] ++ for encoded, decoded in cases: ++ with self.subTest(encoded): ++ C = cookies.SimpleCookie() ++ C.load(encoded) ++ self.assertEqual(C['a'].value, decoded) ++ ++ @support.requires_resource('cpu') ++ def test_unquote_large(self): ++ n = 10**6 ++ for encoded in r'\\', r'\134': ++ with self.subTest(encoded): ++ data = 'a="b=' + encoded*n + ';"' ++ C = cookies.SimpleCookie() ++ C.load(data) ++ value = C['a'].value ++ self.assertEqual(value[:3], 'b=\\') ++ self.assertEqual(value[-2:], '\\;') ++ self.assertEqual(len(value), n + 3) ++ + def test_load(self): + C = cookies.SimpleCookie() + C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme') +diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst +new file mode 100644 +index 00000000000000..158b938a65a2d4 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst +@@ -0,0 +1 @@ ++Fix 
quadratic complexity in parsing cookies with backslashes. + +From ab87c992c2d4cd28560178048915bc9636d6566e Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Fri, 16 Aug 2024 19:38:20 +0300 +Subject: [PATCH 2/4] Restore the current behavior for backslash-escaping. + +--- + Lib/http/cookies.py | 2 +- + Lib/test/test_http_cookies.py | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index 11a67e8a2e008b..464abeb0fb253a 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -184,7 +184,7 @@ def _quote(str): + return '"' + str.translate(_Translator) + '"' + + +-_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))') ++_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))') + def _unquote_replace(m): + if m[1]: + return chr(int(m[1], 8)) +diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py +index 13b526d49b0856..8879902a6e2f41 100644 +--- a/Lib/test/test_http_cookies.py ++++ b/Lib/test/test_http_cookies.py +@@ -63,13 +63,13 @@ def test_unquote(self): + cases = [ + (r'a="b=\""', 'b="'), + (r'a="b=\\"', 'b=\\'), +- (r'a="b=\="', 'b=\\='), +- (r'a="b=\n"', 'b=\\n'), ++ (r'a="b=\="', 'b=='), ++ (r'a="b=\n"', 'b=n'), + (r'a="b=\042"', 'b="'), + (r'a="b=\134"', 'b=\\'), + (r'a="b=\377"', 'b=\xff'), +- (r'a="b=\400"', 'b=\\400'), +- (r'a="b=\42"', 'b=\\42'), ++ (r'a="b=\400"', 'b=400'), ++ (r'a="b=\42"', 'b=42'), + (r'a="b=\\042"', 'b=\\042'), + (r'a="b=\\134"', 'b=\\134'), + (r'a="b=\\\""', 'b=\\"'), + +From 1fe24921da4c6c547da82e11c9703f3588dc5fab Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Sat, 17 Aug 2024 12:40:11 +0300 +Subject: [PATCH 3/4] Cache the sub() method, not the compiled pattern object. 
+ +--- + Lib/http/cookies.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index 464abeb0fb253a..6b9ed24ad8ec78 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -184,7 +184,8 @@ def _quote(str): + return '"' + str.translate(_Translator) + '"' + + +-_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))') ++_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub ++ + def _unquote_replace(m): + if m[1]: + return chr(int(m[1], 8)) +@@ -209,8 +210,7 @@ def _unquote(str): + # \012 --> \n + # \" --> " + # +- +- return _unquote_re.sub(_unquote_replace, str) ++ return _unquote_sub(_unquote_replace, str) + + # The _getdate() routine is used to set the expiration time in the cookie's HTTP + # header. By default, _getdate() returns the current time in the appropriate + +From 8256ed2228137c87d4b20747db84a9cdf0fa1d34 Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Sat, 17 Aug 2024 13:08:20 +0300 +Subject: [PATCH 4/4] Add a reference to the module in NEWS. + +--- + .../next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst +index 158b938a65a2d4..6a234561fe31a3 100644 +--- a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst ++++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst +@@ -1 +1 @@ +-Fix quadratic complexity in parsing cookies with backslashes. ++Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`. diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index 8519755d1a..7402c06bf7 100644 --- a/SPECS/python3/python3.spec +++ b/SPECS/python3/python3.spec 
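Review bot: The regression test `test_unquote_large` is gated by `@support.requires_resource('cpu')`, so it only runs when regrtest is invoked with `-u cpu` (or `-u all`); a default test run exercises `test_unquote` but skips the one test that actually demonstrates the CVE-2024-7592 quadratic-time fix. Whether python3.spec's `%check` passes that flag is outside this diff; if it does not, running `python3 -m test test_http_cookies -u cpu` once against the patched build would confirm the fix. The four commits in this file are applied as a single `%patch3 -p1`, so the transient narrowing of unescaping to `"` and `\` in commit 1 (reverted in commit 2) never reaches the build, but a one-line header comment noting that the series reproduces upstream gh-123067 would save the next maintainer from diffing it commit by commit.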
@@ -12,7 +12,7 @@ Summary: A high-level scripting language Name: python3 Version: 3.9.19 -Release: 3%{?dist} +Release: 4%{?dist} License: PSF Vendor: Microsoft Corporation Distribution: Mariner @@ -23,6 +23,7 @@ Patch0: cgi3.patch # Backport https://github.com/python/cpython/commit/069fefdaf42490f1e00243614fb5f3d5d2614b81 from 3.10 to 3.9 Patch1: 0001-gh-95231-Disable-md5-crypt-modules-if-FIPS-is-enable.patch Patch2: CVE-2024-0397.patch +Patch3: CVE-2024-7592.patch # Patch for setuptools, resolved in 65.5.1 Patch1000: CVE-2022-40897.patch Patch1001: CVE-2024-6345.patch @@ -163,6 +164,7 @@ The test package contains all regression tests for Python as well as the modules %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build # Remove GCC specs and build environment linker scripts @@ -318,6 +320,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__ %{_libdir}/python%{majmin}/test/* %changelog +* Wed Aug 21 2024 Brian Fjeldstad - 3.9.19-4 +- Patch for CVE-2024-7592 + * Tue Jul 23 2024 Rohit Rawat - 3.9.19-3 - Patch for CVE-2024-0397 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index e6ae32c3d0..a099460792 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-18.cm2.noarch.rpm ca-certificates-2.0.0-18.cm2.noarch.rpm dwz-0.14-2.cm2.aarch64.rpm unzip-6.0-20.cm2.aarch64.rpm -python3-3.9.19-3.cm2.aarch64.rpm -python3-devel-3.9.19-3.cm2.aarch64.rpm -python3-libs-3.9.19-3.cm2.aarch64.rpm -python3-setuptools-3.9.19-3.cm2.noarch.rpm +python3-3.9.19-4.cm2.aarch64.rpm +python3-devel-3.9.19-4.cm2.aarch64.rpm +python3-libs-3.9.19-4.cm2.aarch64.rpm +python3-setuptools-3.9.19-4.cm2.noarch.rpm python3-pygments-2.4.2-7.cm2.noarch.rpm which-2.21-8.cm2.aarch64.rpm libselinux-3.2-1.cm2.aarch64.rpm 
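Review bot: The new `Patch3: CVE-2024-7592.patch` line carries no provenance comment, although the file's own convention a few lines above documents Patch1 with `# Backport https://github.com/python/cpython/commit/... from 3.10 to 3.9`. The patch being added is a backport of CPython gh-123067 (its NEWS entry names that issue and the `http.cookies` module), so a comment such as `# Backport of CPython gh-123067 (http.cookies _unquote regex) for CVE-2024-7592` above Patch3, and the same reference in the changelog line, would let a later maintainer verify the backport against upstream. The spec appears to apply patches by hand (`%patch0 -p1` … `+%patch3 -p1`) rather than via `%autosetup`, so a patch registered in the Patch list without a matching `%patchN` line would be silently skipped; a one-line comment at the `%patch` block reminding maintainers to keep the two in sync is worth adding.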
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 6d15aaa1fb..42e607ee96 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-18.cm2.noarch.rpm ca-certificates-2.0.0-18.cm2.noarch.rpm dwz-0.14-2.cm2.x86_64.rpm unzip-6.0-20.cm2.x86_64.rpm -python3-3.9.19-3.cm2.x86_64.rpm -python3-devel-3.9.19-3.cm2.x86_64.rpm -python3-libs-3.9.19-3.cm2.x86_64.rpm -python3-setuptools-3.9.19-3.cm2.noarch.rpm +python3-3.9.19-4.cm2.x86_64.rpm +python3-devel-3.9.19-4.cm2.x86_64.rpm +python3-libs-3.9.19-4.cm2.x86_64.rpm +python3-setuptools-3.9.19-4.cm2.noarch.rpm python3-pygments-2.4.2-7.cm2.noarch.rpm which-2.21-8.cm2.x86_64.rpm libselinux-3.2-1.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 515f406e68..b76f05fad7 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -510,28 +510,28 @@ procps-ng-devel-3.3.17-2.cm2.aarch64.rpm procps-ng-lang-3.3.17-2.cm2.aarch64.rpm pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm -python3-3.9.19-3.cm2.aarch64.rpm +python3-3.9.19-4.cm2.aarch64.rpm python3-audit-3.0.6-8.cm2.aarch64.rpm python3-cracklib-2.9.7-5.cm2.aarch64.rpm -python3-curses-3.9.19-3.cm2.aarch64.rpm +python3-curses-3.9.19-4.cm2.aarch64.rpm python3-Cython-0.29.33-2.cm2.aarch64.rpm -python3-debuginfo-3.9.19-3.cm2.aarch64.rpm -python3-devel-3.9.19-3.cm2.aarch64.rpm +python3-debuginfo-3.9.19-4.cm2.aarch64.rpm +python3-devel-3.9.19-4.cm2.aarch64.rpm python3-gpg-1.16.0-2.cm2.aarch64.rpm python3-jinja2-3.0.3-4.cm2.noarch.rpm python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm -python3-libs-3.9.19-3.cm2.aarch64.rpm +python3-libs-3.9.19-4.cm2.aarch64.rpm python3-libxml2-2.10.4-3.cm2.aarch64.rpm python3-lxml-4.9.1-1.cm2.aarch64.rpm python3-magic-5.40-2.cm2.noarch.rpm python3-markupsafe-2.1.0-1.cm2.aarch64.rpm python3-newt-0.52.21-5.cm2.aarch64.rpm -python3-pip-3.9.19-3.cm2.noarch.rpm +python3-pip-3.9.19-4.cm2.noarch.rpm python3-pygments-2.4.2-7.cm2.noarch.rpm python3-rpm-4.18.0-4.cm2.aarch64.rpm -python3-setuptools-3.9.19-3.cm2.noarch.rpm -python3-test-3.9.19-3.cm2.aarch64.rpm -python3-tools-3.9.19-3.cm2.aarch64.rpm +python3-setuptools-3.9.19-4.cm2.noarch.rpm +python3-test-3.9.19-4.cm2.aarch64.rpm +python3-tools-3.9.19-4.cm2.aarch64.rpm readline-8.1-1.cm2.aarch64.rpm readline-debuginfo-8.1-1.cm2.aarch64.rpm readline-devel-8.1-1.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 2a257629e6..8870096c63 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -516,28 +516,28 @@ procps-ng-devel-3.3.17-2.cm2.x86_64.rpm procps-ng-lang-3.3.17-2.cm2.x86_64.rpm pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm -python3-3.9.19-3.cm2.x86_64.rpm +python3-3.9.19-4.cm2.x86_64.rpm python3-audit-3.0.6-8.cm2.x86_64.rpm python3-cracklib-2.9.7-5.cm2.x86_64.rpm -python3-curses-3.9.19-3.cm2.x86_64.rpm +python3-curses-3.9.19-4.cm2.x86_64.rpm python3-Cython-0.29.33-2.cm2.x86_64.rpm -python3-debuginfo-3.9.19-3.cm2.x86_64.rpm -python3-devel-3.9.19-3.cm2.x86_64.rpm +python3-debuginfo-3.9.19-4.cm2.x86_64.rpm +python3-devel-3.9.19-4.cm2.x86_64.rpm python3-gpg-1.16.0-2.cm2.x86_64.rpm python3-jinja2-3.0.3-4.cm2.noarch.rpm python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm -python3-libs-3.9.19-3.cm2.x86_64.rpm +python3-libs-3.9.19-4.cm2.x86_64.rpm python3-libxml2-2.10.4-3.cm2.x86_64.rpm python3-lxml-4.9.1-1.cm2.x86_64.rpm python3-magic-5.40-2.cm2.noarch.rpm python3-markupsafe-2.1.0-1.cm2.x86_64.rpm python3-newt-0.52.21-5.cm2.x86_64.rpm -python3-pip-3.9.19-3.cm2.noarch.rpm +python3-pip-3.9.19-4.cm2.noarch.rpm python3-pygments-2.4.2-7.cm2.noarch.rpm python3-rpm-4.18.0-4.cm2.x86_64.rpm -python3-setuptools-3.9.19-3.cm2.noarch.rpm -python3-test-3.9.19-3.cm2.x86_64.rpm -python3-tools-3.9.19-3.cm2.x86_64.rpm +python3-setuptools-3.9.19-4.cm2.noarch.rpm +python3-test-3.9.19-4.cm2.x86_64.rpm +python3-tools-3.9.19-4.cm2.x86_64.rpm readline-8.1-1.cm2.x86_64.rpm readline-debuginfo-8.1-1.cm2.x86_64.rpm readline-devel-8.1-1.cm2.x86_64.rpm From f0722dfa7d6ae35b3b9b1a7f41297462000c5af3 Mon Sep 17 00:00:00 2001 
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 23 Aug 2024 11:39:22 -0700 Subject: [PATCH 38/43] [AUTO-CHERRYPICK] openldap: Add patch to resolve CVE-2023-2953 - branch main (#10234) Co-authored-by: Sumynwa --- SPECS/openldap/CVE-2023-2953.patch | 94 ++++++++++++++++++++++++++++++ SPECS/openldap/openldap.spec | 6 +- 2 files changed, 99 insertions(+), 1 deletion(-) create mode 100644 SPECS/openldap/CVE-2023-2953.patch diff --git a/SPECS/openldap/CVE-2023-2953.patch b/SPECS/openldap/CVE-2023-2953.patch new file mode 100644 index 0000000000..95faf60ba3 --- /dev/null +++ b/SPECS/openldap/CVE-2023-2953.patch 
@@ -0,0 +1,94 @@ +From c5c8c06a8bd52ea7b843e7d8ca961a7d1800ce5f Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Wed, 24 Aug 2022 14:40:51 +0100 +Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure + +Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a +--- + libraries/libldap/fetch.c | 2 ++ + libraries/libldap/url.c | 21 ++++++++++++--------- + 2 files changed, 14 insertions(+), 9 deletions(-) + +diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c +index cdc69b8..fe5c4e5 100644 +--- a/libraries/libldap/fetch.c ++++ b/libraries/libldap/fetch.c +@@ -69,6 +69,8 @@ ldif_open_url( + } + + p = ber_strdup( urlstr ); ++ if ( p == NULL ) ++ return NULL; + + /* But we should convert to LDAP_DIRSEP before use */ + if ( LDAP_DIRSEP[0] != '/' ) { +--- +From 6563fab9e2feccb0a684d0398e78571d09fb808b Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Thu, 25 Aug 2022 16:13:21 +0100 +Subject: [PATCH] ITS#9904 ldap_url_parsehosts: check for strdup failure + +Avoid unnecessary strdup in IPv6 addr parsing, check for strdup +failure when dup'ing scheme. 
+ +Code present since 2000, 8da110a9e726dbc612b302feafe0109271e6bc59 +--- +diff --git a/libraries/libldap/url.c b/libraries/libldap/url.c +index b39f70b..01a167d 100644 +--- a/libraries/libldap/url.c ++++ b/libraries/libldap/url.c +@@ -1357,24 +1357,22 @@ ldap_url_parsehosts( + } + ludp->lud_port = port; + ludp->lud_host = specs[i]; +- specs[i] = NULL; + p = strchr(ludp->lud_host, ':'); + if (p != NULL) { + /* more than one :, IPv6 address */ + if ( strchr(p+1, ':') != NULL ) { + /* allow [address] and [address]:port */ + if ( *ludp->lud_host == '[' ) { +- p = LDAP_STRDUP(ludp->lud_host+1); +- /* copied, make sure we free source later */ +- specs[i] = ludp->lud_host; +- ludp->lud_host = p; +- p = strchr( ludp->lud_host, ']' ); ++ p = strchr( ludp->lud_host+1, ']' ); + if ( p == NULL ) { + LDAP_FREE(ludp); + ldap_charray_free(specs); + return LDAP_PARAM_ERROR; + } +- *p++ = '\0'; ++ /* Truncate trailing ']' and shift hostname down 1 char */ ++ *p = '\0'; ++ AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host ); ++ p++; + if ( *p != ':' ) { + if ( *p != '\0' ) { + LDAP_FREE(ludp); +@@ -1400,14 +1398,19 @@ ldap_url_parsehosts( + } + } + } +- ldap_pvt_hex_unescape(ludp->lud_host); + ludp->lud_scheme = LDAP_STRDUP("ldap"); ++ if ( ludp->lud_scheme == NULL ) { ++ LDAP_FREE(ludp); ++ ldap_charray_free(specs); ++ return LDAP_NO_MEMORY; ++ } ++ specs[i] = NULL; ++ ldap_pvt_hex_unescape(ludp->lud_host); + ludp->lud_next = *ludlist; + *ludlist = ludp; + } + + /* this should be an array of NULLs now */ +- /* except entries starting with [ */ + ldap_charray_free(specs); + return LDAP_SUCCESS; + } +-- +2.25.1 + diff --git a/SPECS/openldap/openldap.spec b/SPECS/openldap/openldap.spec index c99584a872..6044f933af 100644 --- a/SPECS/openldap/openldap.spec +++ b/SPECS/openldap/openldap.spec 
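Review bot: The new in-place shift `AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host );` copies between regions that overlap by one byte, so it is only correct because AC_MEMCPY is a memmove-style copy (in OpenLDAP's ac/string.h it resolves to SAFEMEMCPY, i.e. memmove where available); a comment such as `/* src/dst overlap by one byte: AC_MEMCPY must stay memmove-safe */` would stop a future cleanup from swapping in memcpy. The length `p - ludp->lud_host` covers the bytes from lud_host+1 through the '\0' just written at p, so the shifted host stays NUL-terminated, and moving `specs[i] = NULL` after the LDAP_STRDUP check keeps the host string owned by specs on the new LDAP_NO_MEMORY path, so `ldap_charray_free(specs)` releases it without a double free. In the fetch.c hunk the early `return NULL` after a failed `ber_strdup` is fine as far as this excerpt shows, but the start of ldif_open_url is outside the hunk, so anything acquired before that point would still need releasing on this path.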
@@ -2,7 +2,7 @@ Summary: OpenLDAP (Lightweight Directory Access Protocol) Name: openldap Version: 2.4.57 -Release: 8%{?dist} +Release: 9%{?dist} License: OpenLDAP Vendor: Microsoft Corporation Distribution: Mariner @@ -15,6 +15,7 @@ Patch1: openldap-2.4.44-consolidated-2.patch Patch2: CVE-2015-3276.patch Patch3: CVE-2021-27212.patch Patch4: CVE-2022-29155.patch +Patch5: CVE-2023-2953.patch BuildRequires: cyrus-sasl-bootstrap-devel >= 2.1 BuildRequires: e2fsprogs-devel BuildRequires: groff @@ -72,6 +73,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_sysconfdir}/openldap/* %changelog +* Thu Aug 22 2024 Sumedh Sharma - 2.4.57-9 +- Add patch to resolve CVE-2023-2953. + * Fri Feb 10 2023 Sriram Nambakam - 2.4.57-8 - Let openldap depend on cyrus-sasl. From b22d9697056e69e8c5d5e3c0c28728109cfcee42 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 23 Aug 2024 11:40:07 -0700 Subject: [PATCH 39/43] [AUTO-CHERRYPICK] jx: Add patch to resolve CVE-2023-45288 - branch main (#10236) Co-authored-by: Sumynwa --- SPECS/jx/CVE-2023-45288.patch | 83 +++++++++++++++++++++++++++++++++++ SPECS/jx/jx.spec | 6 ++- 2 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 SPECS/jx/CVE-2023-45288.patch diff --git a/SPECS/jx/CVE-2023-45288.patch b/SPECS/jx/CVE-2023-45288.patch new file mode 100644 index 0000000000..4d53dfb512 --- /dev/null +++ b/SPECS/jx/CVE-2023-45288.patch 
@@ -0,0 +1,83 @@ +From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 10 Jan 2024 13:41:39 -0800 +Subject: [PATCH] http2: close connections when receiving too many headers + +Maintaining HPACK state requires that we parse and process +all HEADERS and CONTINUATION frames on a connection. +When a request's headers exceed MaxHeaderBytes, we don't +allocate memory to store the excess headers but we do +parse them. This permits an attacker to cause an HTTP/2 +endpoint to read arbitrary amounts of data, all associated +with a request which is going to be rejected. + +Set a limit on the amount of excess header frames we +will process before closing a connection. + +Thanks to Bartek Nowotarski for reporting this issue. + +Fixes CVE-2023-45288 +Fixes golang/go#65051 + +Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 +Reviewed-by: Dmitri Shuralyov +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Than McIntosh +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go +index c1f6b90..175c154 100644 +--- a/vendor/golang.org/x/net/http2/frame.go ++++ b/vendor/golang.org/x/net/http2/frame.go +@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + if size > remainSize { + hdec.SetEmitEnabled(false) + mh.Truncated = true ++ remainSize = 0 + return + } + remainSize -= size +@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + var hc headersOrContinuation = hf + for { + frag := hc.HeaderBlockFragment() ++ ++ // Avoid parsing large amounts of headers that 
we will then discard. ++ // If the sender exceeds the max header list size by too much, ++ // skip parsing the fragment and close the connection. ++ // ++ // "Too much" is either any CONTINUATION frame after we've already ++ // exceeded the max header list size (in which case remainSize is 0), ++ // or a frame whose encoded size is more than twice the remaining ++ // header list bytes we're willing to accept. ++ if int64(len(frag)) > int64(2*remainSize) { ++ if VerboseLogs { ++ log.Printf("http2: header list too large") ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ ++ // Also close the connection after any CONTINUATION frame following an ++ // invalid header, since we stop tracking the size of the headers after ++ // an invalid one. ++ if invalid != nil { ++ if VerboseLogs { ++ log.Printf("http2: invalid header: %v", invalid) ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ + if _, err := hdec.Write(frag); err != nil { + return nil, ConnectionError(ErrCodeCompression) + } diff --git a/SPECS/jx/jx.spec b/SPECS/jx/jx.spec index f5ca795cca..0409fe120c 100644 --- a/SPECS/jx/jx.spec +++ b/SPECS/jx/jx.spec @@ -1,7 +1,7 @@ Summary: Command line tool for working with Jenkins X. Name: jx Version: 3.2.236 -Release: 18%{?dist} +Release: 19%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -29,6 +29,7 @@ Source0: https://github.com/jenkins-x/jx/archive/v%{version}.tar.gz#/%{na Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2023-44487.patch Patch1: CVE-2021-44716.patch +Patch2: CVE-2023-45288.patch BuildRequires: golang %global debug_package %{nil} 
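Review bot: Vulnerability tooling keyed on module versions (govulncheck, SBOM scanners) will likely keep flagging CVE-2023-45288 for this package, because the fix lands in the vendored file `vendor/golang.org/x/net/http2/frame.go` while the x/net module version recorded in the vendored tree presumably stays unchanged; that should be documented in the spec, e.g. a comment above `Patch2: CVE-2023-45288.patch` such as `# In-place patch of vendored x/net; module version unchanged, scanners may still report CVE-2023-45288`. The new guard `if int64(len(frag)) > int64(2*remainSize)` depends on the `remainSize = 0` assignment added in the first hunk for the "any CONTINUATION after truncation" case, so the two hunks must always be backported together; the enclosing readMetaFrame body starts and ends outside the hunk. The same patch file and the same observation apply to the moby-cli hunk at L4465 and its `Patch1:` line at L4466.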
@@ -71,6 +72,9 @@ make test && \ %{_bindir}/jx %changelog +* Thu Aug 22 2024 Sumedh Sharma - 3.2.236-19 +- Add patch to resolve CVE-2023-45288 + * Wed Jul 17 2024 Muhammad Falak R Wani - 3.2.236-18 - Drop requirement on a specific version of golang From b216136dd4af98f3ce18e44cbe91dd3864e86fec Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 23 Aug 2024 11:41:03 -0700 Subject: [PATCH 40/43] [AUTO-CHERRYPICK] moby-cli: Add patch to resolve CVE-2023-45288 - branch main (#10237) Co-authored-by: Sumynwa --- SPECS/moby-cli/CVE-2023-45288.patch | 83 +++++++++++++++++++++++++++++ SPECS/moby-cli/moby-cli.spec | 6 ++- 2 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 SPECS/moby-cli/CVE-2023-45288.patch diff --git a/SPECS/moby-cli/CVE-2023-45288.patch b/SPECS/moby-cli/CVE-2023-45288.patch new file mode 100644 index 0000000000..4d53dfb512 --- /dev/null +++ b/SPECS/moby-cli/CVE-2023-45288.patch 
@@ -0,0 +1,83 @@ +From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 10 Jan 2024 13:41:39 -0800 +Subject: [PATCH] http2: close connections when receiving too many headers + +Maintaining HPACK state requires that we parse and process +all HEADERS and CONTINUATION frames on a connection. +When a request's headers exceed MaxHeaderBytes, we don't +allocate memory to store the excess headers but we do +parse them. This permits an attacker to cause an HTTP/2 +endpoint to read arbitrary amounts of data, all associated +with a request which is going to be rejected. + +Set a limit on the amount of excess header frames we +will process before closing a connection. + +Thanks to Bartek Nowotarski for reporting this issue. + +Fixes CVE-2023-45288 +Fixes golang/go#65051 + +Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 +Reviewed-by: Dmitri Shuralyov +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Than McIntosh +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go +index c1f6b90..175c154 100644 +--- a/vendor/golang.org/x/net/http2/frame.go ++++ b/vendor/golang.org/x/net/http2/frame.go +@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + if size > remainSize { + hdec.SetEmitEnabled(false) + mh.Truncated = true ++ remainSize = 0 + return + } + remainSize -= size +@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + var hc headersOrContinuation = hf + for { + frag := hc.HeaderBlockFragment() ++ ++ // Avoid parsing large amounts of headers that 
we will then discard. ++ // If the sender exceeds the max header list size by too much, ++ // skip parsing the fragment and close the connection. ++ // ++ // "Too much" is either any CONTINUATION frame after we've already ++ // exceeded the max header list size (in which case remainSize is 0), ++ // or a frame whose encoded size is more than twice the remaining ++ // header list bytes we're willing to accept. ++ if int64(len(frag)) > int64(2*remainSize) { ++ if VerboseLogs { ++ log.Printf("http2: header list too large") ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ ++ // Also close the connection after any CONTINUATION frame following an ++ // invalid header, since we stop tracking the size of the headers after ++ // an invalid one. ++ if invalid != nil { ++ if VerboseLogs { ++ log.Printf("http2: invalid header: %v", invalid) ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ + if _, err := hdec.Write(frag); err != nil { + return nil, ConnectionError(ErrCodeCompression) + } diff --git a/SPECS/moby-cli/moby-cli.spec b/SPECS/moby-cli/moby-cli.spec index 001417335c..6c9de9ca5c 100644 --- a/SPECS/moby-cli/moby-cli.spec +++ b/SPECS/moby-cli/moby-cli.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine client. Name: moby-cli Version: 24.0.9 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -12,6 +12,7 @@ URL: https://github.com/docker/cli Source0: https://github.com/docker/cli/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: %{name}-%{version}-govendor-v1.tar.gz Patch0: disable_manpage_vendor.patch +Patch1: CVE-2023-45288.patch BuildRequires: git BuildRequires: go-md2man BuildRequires: golang @@ -77,6 +78,9 @@ install -p -m 644 contrib/completion/fish/docker.fish %{buildroot}%{_datadir}/fi %{_datadir}/fish/vendor_completions.d/docker.fish %changelog +* Thu Aug 22 2024 Sumedh Sharma - 24.0.9-3 +- Add patch to resolve CVE-2023-45288 + * Thu Jun 06 2024 CBL-Mariner Servicing Account - 24.0.9-2 - Bump release to rebuild with go 1.21.11 From 529c4fe200e50e60f46d128ceac0ca09ed85be43 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 23 Aug 2024 11:42:15 -0700 Subject: [PATCH 41/43] [AUTO-CHERRYPICK] rpm-ostree: Add patch to resolve CVE-2023-26964 in vendored h2 sources - branch main (#10238) Co-authored-by: Sumynwa --- SPECS/rpm-ostree/CVE-2023-26964.patch | 489 ++++++++++++++++++++++++++ SPECS/rpm-ostree/rpm-ostree.spec | 6 +- 2 files changed, 494 insertions(+), 1 deletion(-) create mode 100644 SPECS/rpm-ostree/CVE-2023-26964.patch diff --git a/SPECS/rpm-ostree/CVE-2023-26964.patch b/SPECS/rpm-ostree/CVE-2023-26964.patch new file mode 100644 index 0000000000..dc2abeb85a --- /dev/null +++ b/SPECS/rpm-ostree/CVE-2023-26964.patch 
@@ -0,0 +1,489 @@ +From 5bc8e72e5fcbd8ae2d3d9bc78a1c0ef0040bcc39 Mon Sep 17 00:00:00 2001 +From: Sean McArthur +Date: Wed, 12 Apr 2023 12:23:56 -0400 +Subject: [PATCH] fix: limit the amount of pending-accept reset streams + +Streams that have been received by the peer, but not accepted by the +user, can also receive a RST_STREAM. This is a legitimate pattern: one +could send a request and then shortly after, realize it is not needed, +sending a CANCEL. + +However, since those streams are now "closed", they don't count towards +the max concurrent streams. So, they will sit in the accept queue, using +memory. + +In most cases, the user is calling `accept` in a loop, and they can +accept requests that have been reset fast enough that this isn't an +issue in practice. + +But if the peer is able to flood the network faster than the server +accept loop can run (simply accepting, not processing requests; that +tends to happen in a separate task), the memory could grow. + +So, this introduces a maximum count for streams in the pending-accept +but remotely-reset state. If the maximum is reached, a GOAWAY frame with +the error code of ENHANCE_YOUR_CALM is sent, and the connection marks +itself as errored. 
+ +ref CVE-2023-26964 +ref GHSA-f8vr-r385-rh5r + +Closes https://github.com/hyperium/hyper/issues/2877 +--- + vendor/h2/.cargo-checksum.json | 2 +- + vendor/h2/src/client.rs | 49 ++++++++++++++++++++++ + vendor/h2/src/proto/connection.rs | 9 ++++- + vendor/h2/src/proto/mod.rs | 1 + + vendor/h2/src/proto/streams/counts.rs | 53 +++++++++++++++++++----- + vendor/h2/src/proto/streams/mod.rs | 4 ++ + vendor/h2/src/proto/streams/recv.rs | 29 ++++++++++++- + vendor/h2/src/proto/streams/state.rs | 7 ++++ + vendor/h2/src/proto/streams/streams.rs | 8 +++- + vendor/h2/src/server.rs | 56 ++++++++++++++++++++++++++ + 10 files changed, 204 insertions(+), 14 deletions(-) + +diff --git a/vendor/h2/.cargo-checksum.json b/vendor/h2/.cargo-checksum.json +index 15f2233f..d2286e4d 100644 +--- a/vendor/h2/.cargo-checksum.json ++++ b/vendor/h2/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"CHANGELOG.md":"c4ff0f1f71a1527093a63af4678bca296d6617f5daf7bd9ace5ebeec2ff68cef","CONTRIBUTING.md":"eff9610bd3a73e6c297b9b487a629bcdb40da9090e6e28c26e48fcfd3a899a6c","Cargo.lock":"b27ce095023ad9bffc680d4f6b7b377863a37b2b551dab1548ab4c8d40a10d3b","Cargo.toml":"e9f82adcb5f9d5b440693a3534ada6bb259b9ac7d67cb514a8374fc8e9546238","LICENSE":"b21623012e6c453d944b0342c515b631cfcbf30704c2621b291526b69c10724d","README.md":"1c23aebc383c31dd70a14880c93ec2ddac0001aa4ba1d8f3c5b0a9897fa5ef11","examples/akamai.rs":"f8d310ba4ba0364f887746071f76f566fdffa3b0959050ec07c47afeeb8786d4","examples/client.rs":"5ad136b838e9d55ae3d1fd8801cec4af88139b58864d6438f75d0e173eb3aeb3","examples/server.rs":"14c354d505fd82917efb8077f1aeb430ac8c56de3ef6a22602ab206727b4213d","src/client.rs":"c23d51eba494dce6660f435ffe55688480f16f6f1e5d3350c86e05805480bef0","src/codec/error.rs":"beb559466193d480f853cc0b26033667d01d9946239f74539dcf103d314c7ef4","src/codec/framed_read.rs":"e1b4e5b31fd17f2df98de7b7f29fd656643db4e70b2277e870500604cb6f0974","src/codec/framed_write.rs":"6ae09b84e8c6bf818f99c2ebcafe01073146a33bae090874d5f4221e6309d9ae","src/codec/mod
.rs":"10ed96b6e187a86c827f066bb81b4047dbdff942f9cc7fab81bd37c989a8a9c1","src/error.rs":"445f810c0d9f3bdd2889792aac00d6af06363c0d8e5cb73a400ae39191cdefde","src/frame/data.rs":"65fbfe306d525df7ac0ba229ca75ec3d142203ec62ddd3df0b8452da1496da3e","src/frame/go_away.rs":"f76843de59a0e3e82536972af7754498c3913577ee248a6e1601df2b68e06c96","src/frame/head.rs":"9cde126609db8ddd1e27b8212af3a613a1d59461166567ae1c97fcba7902f2fe","src/frame/headers.rs":"49ba7b0c5d25d890ae23dd0ce047ff38e0e909eacb0813c05ebc5e8bc7896020","src/frame/mod.rs":"f1baebdfff10c0f1d9937681b0f21df8631196c285aa860516235d49275ae90f","src/frame/ping.rs":"ff4e4059101300e7b03c23d271026b058da4315c3bd68280422e144c2aa1b9e6","src/frame/priority.rs":"9392b7aa2636157024dc645c92d0e450a4d3f7a53bc9de1188d3b61178c2b5fc","src/frame/reason.rs":"4337f5933bfd4064337c80d3c110f51514cbdfb97bc26f4980ee009e4f6fa773","src/frame/reset.rs":"7dceecf432ee82bea3f02ce50065350f6f7cf02f98378e7608568e3eb5bf913a","src/frame/settings.rs":"c769341d0fb009a3d7e57862a371dd223028f327628b466b2c22368c8ca06b26","src/frame/stream_id.rs":"0aa72cc3d735aa31e4d0cca0a8b94bae75c97d041c3712fe8e49f687881a73fe","src/frame/util.rs":"1a1408ddefe35f9efe5faa5360cb5ecc461fc0846175d4b43031720da7f5188d","src/frame/window_update.rs":"05c1b84478208802d09154f5d6fb5eb886d45397f43ccc6ccbf40bf3be912819","src/fuzz_bridge.rs":"a233d7c986671a91fd84af996a281068814e6d3a1fd7f22a77e4b4cd54a0d773","src/hpack/decoder.rs":"d5955341d436e8dece258dd66b3373249cfc2473e4484a0d5d57fa5e6b8776f4","src/hpack/encoder.rs":"ca2b76e9d7d8fdc1b8d482a72b6a886516f4f641fe88b2ea3d237051c11fe7ca","src/hpack/header.rs":"d5b5ed925d4cf06b13a765d34f858004d1dd0003fd2e1d35d7927f86cf34f1dc","src/hpack/huffman/mod.rs":"04fc9b146177e7bf615156b8570fa0f97b89f68a2c02b946778711728b81e81f","src/hpack/huffman/table.rs":"6b7f94af0bb5d236d4e671eff4afe5dc254a20eaddd2d57dd6e8f53e2a60c337","src/hpack/mod.rs":"702a0b41ef5aa9e83683cec25363fb4f9c0f61c6697f9def9994967440fea378","src/hpack/table.rs":"c76073d0cf07e6379b4d4b26bc3883
b69d7c5555dd1c0c38a5e2c69b80e59330","src/hpack/test/fixture.rs":"9ab6b0ed15fa3643e012bd2742e89ecf7aab821e2d0713dc6835c332611f2ec7","src/hpack/test/fuzz.rs":"83daceb07b9c4ad5330df01c5c9de63d9da8cc91ac590ae40f108166ef150c48","src/hpack/test/mod.rs":"56ad5643e7f1e273e5bce8a6fc0552be39c326dacfffd7f9757ccdbe75e9b66e","src/lib.rs":"d4692389a49d909184adda23479c006bb3e9e165be549cffa93860fcb88d3ea6","src/proto/connection.rs":"fe7efe1bb8a329ce093505be4012b3b496d8dedf4632e3e33e7135a4872dc601","src/proto/error.rs":"7486777b6d9f13c9df3e4a921196e6d16ae45922b4e34aa15282876198d1ebf7","src/proto/go_away.rs":"16fdecca841ce046960d29ca03a3dbf61886e4b7b9532217dde493ebcdc10477","src/proto/mod.rs":"9a858c0c937cc9209b6cb5c0feeaf41ec116d58e2c3c7483fa7460e3e66bf0f3","src/proto/peer.rs":"6047ab139e774d50fc4def41508869a6fed950007825d3e76141840d4b01dcff","src/proto/ping_pong.rs":"eb4757f4ba7e4f323d38724e1a09476c29efda01c5606af8e1b6e91942af45e1","src/proto/settings.rs":"4b2cd95dbde4b4caf750d3761221cf680d1830247a18f18fb778e7b9f2c54263","src/proto/streams/buffer.rs":"cf2205c607f8a6b8aa8662983d9907fedeb14b5890e051d8e63d7bc2b0a960e9","src/proto/streams/counts.rs":"46e9e574d1c804b0b3a426c393a81867d8a10f553859b4964dbfd9ef9a44ee94","src/proto/streams/flow_control.rs":"bb85d9848b798b15a5f6d692bf2b6345d0aecccf43adfc431d6bef44a152d301","src/proto/streams/mod.rs":"72cd11d368ba26b65abae838ad1d7baf15ba338d57e61ceed9d62d182cb58f8c","src/proto/streams/prioritize.rs":"62caf7b502849a15a37d0fb06315b833bc816506a1cc359a6d377c84e7ffbedc","src/proto/streams/recv.rs":"e0795574db6dd8e0eecb78bf72507af6cbc0e7b85d320ffd4de925ffc78ac2df","src/proto/streams/send.rs":"2fcff0e988daf1c84d2a4b008ae651b17d8c83aa6060133e98579ee678b9fec2","src/proto/streams/state.rs":"85db4958e88e25a2905186ff04c4daf6c9061b237e3b05fece26721dae7e2541","src/proto/streams/store.rs":"75c6b6f8d6fe3f2a4ddc2e821fbad4be7a813f2ed04ee7f423ad622cbec43a83","src/proto/streams/stream.rs":"e948c7c34472b934e87b6dc5ddc624a5e4d98b3cb6aed287bf843b5f775a6bfc","src/pro
to/streams/streams.rs":"07e748f2de2bd5fe9aa2e53201472e3e48e1779f4ae68712c058e22acc4d0daf","src/server.rs":"21b559cc0aa6018880b78ff4000d2fd258b5281902ea8b245a525693b878b704","src/share.rs":"0f8629a40390a62e34e9ab5b0590877af5616e48a70bde484af469de23053f7d"},"package":"825343c4eef0b63f541f8903f395dc5beb362a979b5799a84062527ef1e37726"} +\ No newline at end of file ++{"files":{"CHANGELOG.md":"c4ff0f1f71a1527093a63af4678bca296d6617f5daf7bd9ace5ebeec2ff68cef","CONTRIBUTING.md":"eff9610bd3a73e6c297b9b487a629bcdb40da9090e6e28c26e48fcfd3a899a6c","Cargo.lock":"b27ce095023ad9bffc680d4f6b7b377863a37b2b551dab1548ab4c8d40a10d3b","Cargo.toml":"e9f82adcb5f9d5b440693a3534ada6bb259b9ac7d67cb514a8374fc8e9546238","LICENSE":"b21623012e6c453d944b0342c515b631cfcbf30704c2621b291526b69c10724d","README.md":"1c23aebc383c31dd70a14880c93ec2ddac0001aa4ba1d8f3c5b0a9897fa5ef11","examples/akamai.rs":"f8d310ba4ba0364f887746071f76f566fdffa3b0959050ec07c47afeeb8786d4","examples/client.rs":"5ad136b838e9d55ae3d1fd8801cec4af88139b58864d6438f75d0e173eb3aeb3","examples/server.rs":"14c354d505fd82917efb8077f1aeb430ac8c56de3ef6a22602ab206727b4213d","src/client.rs":"ed9a09e3be56391d5f83bad45ffcf650e9b7dc92001706a126fc18ff981a38f3","src/codec/error.rs":"beb559466193d480f853cc0b26033667d01d9946239f74539dcf103d314c7ef4","src/codec/framed_read.rs":"e1b4e5b31fd17f2df98de7b7f29fd656643db4e70b2277e870500604cb6f0974","src/codec/framed_write.rs":"6ae09b84e8c6bf818f99c2ebcafe01073146a33bae090874d5f4221e6309d9ae","src/codec/mod.rs":"10ed96b6e187a86c827f066bb81b4047dbdff942f9cc7fab81bd37c989a8a9c1","src/error.rs":"445f810c0d9f3bdd2889792aac00d6af06363c0d8e5cb73a400ae39191cdefde","src/frame/data.rs":"65fbfe306d525df7ac0ba229ca75ec3d142203ec62ddd3df0b8452da1496da3e","src/frame/go_away.rs":"f76843de59a0e3e82536972af7754498c3913577ee248a6e1601df2b68e06c96","src/frame/head.rs":"9cde126609db8ddd1e27b8212af3a613a1d59461166567ae1c97fcba7902f2fe","src/frame/headers.rs":"49ba7b0c5d25d890ae23dd0ce047ff38e0e909eacb0813c05ebc5e8bc78960
20","src/frame/mod.rs":"f1baebdfff10c0f1d9937681b0f21df8631196c285aa860516235d49275ae90f","src/frame/ping.rs":"ff4e4059101300e7b03c23d271026b058da4315c3bd68280422e144c2aa1b9e6","src/frame/priority.rs":"9392b7aa2636157024dc645c92d0e450a4d3f7a53bc9de1188d3b61178c2b5fc","src/frame/reason.rs":"4337f5933bfd4064337c80d3c110f51514cbdfb97bc26f4980ee009e4f6fa773","src/frame/reset.rs":"7dceecf432ee82bea3f02ce50065350f6f7cf02f98378e7608568e3eb5bf913a","src/frame/settings.rs":"c769341d0fb009a3d7e57862a371dd223028f327628b466b2c22368c8ca06b26","src/frame/stream_id.rs":"0aa72cc3d735aa31e4d0cca0a8b94bae75c97d041c3712fe8e49f687881a73fe","src/frame/util.rs":"1a1408ddefe35f9efe5faa5360cb5ecc461fc0846175d4b43031720da7f5188d","src/frame/window_update.rs":"05c1b84478208802d09154f5d6fb5eb886d45397f43ccc6ccbf40bf3be912819","src/fuzz_bridge.rs":"a233d7c986671a91fd84af996a281068814e6d3a1fd7f22a77e4b4cd54a0d773","src/hpack/decoder.rs":"d5955341d436e8dece258dd66b3373249cfc2473e4484a0d5d57fa5e6b8776f4","src/hpack/encoder.rs":"ca2b76e9d7d8fdc1b8d482a72b6a886516f4f641fe88b2ea3d237051c11fe7ca","src/hpack/header.rs":"d5b5ed925d4cf06b13a765d34f858004d1dd0003fd2e1d35d7927f86cf34f1dc","src/hpack/huffman/mod.rs":"04fc9b146177e7bf615156b8570fa0f97b89f68a2c02b946778711728b81e81f","src/hpack/huffman/table.rs":"6b7f94af0bb5d236d4e671eff4afe5dc254a20eaddd2d57dd6e8f53e2a60c337","src/hpack/mod.rs":"702a0b41ef5aa9e83683cec25363fb4f9c0f61c6697f9def9994967440fea378","src/hpack/table.rs":"c76073d0cf07e6379b4d4b26bc3883b69d7c5555dd1c0c38a5e2c69b80e59330","src/hpack/test/fixture.rs":"9ab6b0ed15fa3643e012bd2742e89ecf7aab821e2d0713dc6835c332611f2ec7","src/hpack/test/fuzz.rs":"83daceb07b9c4ad5330df01c5c9de63d9da8cc91ac590ae40f108166ef150c48","src/hpack/test/mod.rs":"56ad5643e7f1e273e5bce8a6fc0552be39c326dacfffd7f9757ccdbe75e9b66e","src/lib.rs":"d4692389a49d909184adda23479c006bb3e9e165be549cffa93860fcb88d3ea6","src/proto/connection.rs":"62a59c8ea8a3f7ea2849a895a99182e846450bcbad876b0efdc57aba604e75e6","src/proto/error.
rs":"7486777b6d9f13c9df3e4a921196e6d16ae45922b4e34aa15282876198d1ebf7","src/proto/go_away.rs":"16fdecca841ce046960d29ca03a3dbf61886e4b7b9532217dde493ebcdc10477","src/proto/mod.rs":"b25ae834a7253d520c684acba0e75a40eb1711b3a43bee56269b685bc1dc2447","src/proto/peer.rs":"6047ab139e774d50fc4def41508869a6fed950007825d3e76141840d4b01dcff","src/proto/ping_pong.rs":"eb4757f4ba7e4f323d38724e1a09476c29efda01c5606af8e1b6e91942af45e1","src/proto/settings.rs":"4b2cd95dbde4b4caf750d3761221cf680d1830247a18f18fb778e7b9f2c54263","src/proto/streams/buffer.rs":"cf2205c607f8a6b8aa8662983d9907fedeb14b5890e051d8e63d7bc2b0a960e9","src/proto/streams/counts.rs":"23e984a270372936ab43da3c44d79d85d78f181ef0056e8b4824b51f062fd748","src/proto/streams/flow_control.rs":"bb85d9848b798b15a5f6d692bf2b6345d0aecccf43adfc431d6bef44a152d301","src/proto/streams/mod.rs":"94e9d2592d93f92da9cacc697ea7ba0beafe01ca5dae91061b40e52463679a8d","src/proto/streams/prioritize.rs":"62caf7b502849a15a37d0fb06315b833bc816506a1cc359a6d377c84e7ffbedc","src/proto/streams/recv.rs":"ee346806c65da77c6309cd629e2ac7e49d8d1913b4baaa2d360ed11757ecc6c1","src/proto/streams/send.rs":"2fcff0e988daf1c84d2a4b008ae651b17d8c83aa6060133e98579ee678b9fec2","src/proto/streams/state.rs":"fbddd27c1b706fce7d841b4a01ffa06acd020839fcea49d1b4debc908b6ad0db","src/proto/streams/store.rs":"75c6b6f8d6fe3f2a4ddc2e821fbad4be7a813f2ed04ee7f423ad622cbec43a83","src/proto/streams/stream.rs":"e948c7c34472b934e87b6dc5ddc624a5e4d98b3cb6aed287bf843b5f775a6bfc","src/proto/streams/streams.rs":"248d62f2c368606cb1d77b5d9e588f164a92713ac17128811a07667116d888c1","src/server.rs":"b251879976021363b924c3eadf44cf9f42233020e68455dd51e6d5fc1c78c218","src/share.rs":"0f8629a40390a62e34e9ab5b0590877af5616e48a70bde484af469de23053f7d"},"package":"825343c4eef0b63f541f8903f395dc5beb362a979b5799a84062527ef1e37726"} +diff --git a/vendor/h2/src/client.rs b/vendor/h2/src/client.rs +index 5bbbaf49..0d553d8b 100644 +--- a/vendor/h2/src/client.rs ++++ b/vendor/h2/src/client.rs +@@ -322,6 
+322,10 @@ pub struct Builder { + /// Maximum number of locally reset streams to keep at a time. + reset_stream_max: usize, + ++ /// Maximum number of remotely reset streams to allow in the pending ++ /// accept queue. ++ pending_accept_reset_stream_max: usize, ++ + /// Initial `Settings` frame to send as part of the handshake. + settings: Settings, + +@@ -616,6 +620,7 @@ impl Builder { + Builder { + reset_stream_duration: Duration::from_secs(proto::DEFAULT_RESET_STREAM_SECS), + reset_stream_max: proto::DEFAULT_RESET_STREAM_MAX, ++ pending_accept_reset_stream_max: proto::DEFAULT_REMOTE_RESET_STREAM_MAX, + initial_target_connection_window_size: None, + initial_max_send_streams: usize::MAX, + settings: Default::default(), +@@ -948,6 +953,49 @@ impl Builder { + self + } + ++ /// Sets the maximum number of pending-accept remotely-reset streams. ++ /// ++ /// Streams that have been received by the peer, but not accepted by the ++ /// user, can also receive a RST_STREAM. This is a legitimate pattern: one ++ /// could send a request and then shortly after, realize it is not needed, ++ /// sending a CANCEL. ++ /// ++ /// However, since those streams are now "closed", they don't count towards ++ /// the max concurrent streams. So, they will sit in the accept queue, ++ /// using memory. ++ /// ++ /// When the number of remotely-reset streams sitting in the pending-accept ++ /// queue reaches this maximum value, a connection error with the code of ++ /// `ENHANCE_YOUR_CALM` will be sent to the peer, and returned by the ++ /// `Future`. ++ /// ++ /// The default value is currently 20, but could change. ++ /// ++ /// # Examples ++ /// ++ /// ``` ++ /// # use tokio::io::{AsyncRead, AsyncWrite}; ++ /// # use h2::client::*; ++ /// # use bytes::Bytes; ++ /// # ++ /// # async fn doc(my_io: T) ++ /// # -> Result<((SendRequest, Connection)), h2::Error> ++ /// # { ++ /// // `client_fut` is a future representing the completion of the HTTP/2 ++ /// // handshake. 
++ /// let client_fut = Builder::new() ++ /// .max_pending_accept_reset_streams(100) ++ /// .handshake(my_io); ++ /// # client_fut.await ++ /// # } ++ /// # ++ /// # pub fn main() {} ++ /// ``` ++ pub fn max_pending_accept_reset_streams(&mut self, max: usize) -> &mut Self { ++ self.pending_accept_reset_stream_max = max; ++ self ++ } ++ + /// Enables or disables server push promises. + /// + /// This value is included in the initial SETTINGS handshake. When set, the +@@ -1172,6 +1220,7 @@ where + initial_max_send_streams: builder.initial_max_send_streams, + reset_stream_duration: builder.reset_stream_duration, + reset_stream_max: builder.reset_stream_max, ++ remote_reset_stream_max: builder.pending_accept_reset_stream_max, + settings: builder.settings.clone(), + }, + ); +diff --git a/vendor/h2/src/proto/connection.rs b/vendor/h2/src/proto/connection.rs +index b44fdcd5..37a0c8f0 100644 +--- a/vendor/h2/src/proto/connection.rs ++++ b/vendor/h2/src/proto/connection.rs +@@ -13,7 +13,7 @@ use std::pin::Pin; + use std::task::{Context, Poll}; + use std::time::Duration; + use tokio::io::{AsyncRead, AsyncWrite}; +- ++ + /// An H2 connection + #[derive(Debug)] + pub(crate) struct Connection +@@ -79,6 +79,7 @@ pub(crate) struct Config { + pub initial_max_send_streams: usize, + pub reset_stream_duration: Duration, + pub reset_stream_max: usize, ++ pub remote_reset_stream_max: usize, + pub settings: frame::Settings, + } + +@@ -112,6 +113,7 @@ where + local_push_enabled: config.settings.is_push_enabled().unwrap_or(true), + local_reset_duration: config.reset_stream_duration, + local_reset_max: config.reset_stream_max, ++ remote_reset_max: config.remote_reset_stream_max, + remote_init_window_sz: DEFAULT_INITIAL_WINDOW_SIZE, + remote_max_initiated: config + .settings +@@ -159,6 +161,11 @@ where + self.inner.streams.max_recv_streams() + } + ++ #[cfg(feature = "unstable")] ++ pub fn num_wired_streams(&self) -> usize { ++ self.inner.streams.num_wired_streams() ++ } ++ + /// Returns 
`Ready` when the connection is ready to receive a frame. + /// + /// Returns `RecvError` as this may raise errors that are caused by delayed +diff --git a/vendor/h2/src/proto/mod.rs b/vendor/h2/src/proto/mod.rs +index 84fd8542..fcb461c6 100644 +--- a/vendor/h2/src/proto/mod.rs ++++ b/vendor/h2/src/proto/mod.rs +@@ -31,5 +31,6 @@ pub type WindowSize = u32; + + // Constants + pub const MAX_WINDOW_SIZE: WindowSize = (1 << 31) - 1; ++pub const DEFAULT_REMOTE_RESET_STREAM_MAX: usize = 20; + pub const DEFAULT_RESET_STREAM_MAX: usize = 10; + pub const DEFAULT_RESET_STREAM_SECS: u64 = 30; +diff --git a/vendor/h2/src/proto/streams/counts.rs b/vendor/h2/src/proto/streams/counts.rs +index 70dfc785..e41859f3 100644 +--- a/vendor/h2/src/proto/streams/counts.rs ++++ b/vendor/h2/src/proto/streams/counts.rs +@@ -21,10 +21,16 @@ pub(super) struct Counts { + num_recv_streams: usize, + + /// Maximum number of pending locally reset streams +- max_reset_streams: usize, +- ++ max_local_reset_streams: usize, ++ + /// Current number of pending locally reset streams +- num_reset_streams: usize, ++ num_local_reset_streams: usize, ++ ++ /// Max number of "pending accept" streams that were remotely reset ++ max_remote_reset_streams: usize, ++ ++ /// Current number of "pending accept" streams that were remotely reset ++ num_remote_reset_streams: usize, + } + + impl Counts { +@@ -36,8 +42,10 @@ impl Counts { + num_send_streams: 0, + max_recv_streams: config.remote_max_initiated.unwrap_or(usize::MAX), + num_recv_streams: 0, +- max_reset_streams: config.local_reset_max, +- num_reset_streams: 0, ++ max_local_reset_streams: config.local_reset_max, ++ num_local_reset_streams: 0, ++ max_remote_reset_streams: config.remote_reset_max, ++ num_remote_reset_streams: 0, + } + } + +@@ -90,7 +98,7 @@ impl Counts { + + /// Returns true if the number of pending reset streams can be incremented. 
+ pub fn can_inc_num_reset_streams(&self) -> bool { +- self.max_reset_streams > self.num_reset_streams ++ self.max_local_reset_streams > self.num_local_reset_streams + } + + /// Increments the number of pending reset streams. +@@ -101,7 +109,34 @@ impl Counts { + pub fn inc_num_reset_streams(&mut self) { + assert!(self.can_inc_num_reset_streams()); + +- self.num_reset_streams += 1; ++ self.num_local_reset_streams += 1; ++ } ++ ++ pub(crate) fn max_remote_reset_streams(&self) -> usize { ++ self.max_remote_reset_streams ++ } ++ ++ /// Returns true if the number of pending REMOTE reset streams can be ++ /// incremented. ++ pub(crate) fn can_inc_num_remote_reset_streams(&self) -> bool { ++ self.max_remote_reset_streams > self.num_remote_reset_streams ++ } ++ ++ /// Increments the number of pending REMOTE reset streams. ++ /// ++ /// # Panics ++ /// ++ /// Panics on failure as this should have been validated before hand. ++ pub(crate) fn inc_num_remote_reset_streams(&mut self) { ++ assert!(self.can_inc_num_remote_reset_streams()); ++ ++ self.num_remote_reset_streams += 1; ++ } ++ ++ pub(crate) fn dec_num_remote_reset_streams(&mut self) { ++ assert!(self.num_remote_reset_streams > 0); ++ ++ self.num_remote_reset_streams -= 1; + } + + pub fn apply_remote_settings(&mut self, settings: &frame::Settings) { +@@ -194,8 +229,8 @@ impl Counts { + } + + fn dec_num_reset_streams(&mut self) { +- assert!(self.num_reset_streams > 0); +- self.num_reset_streams -= 1; ++ assert!(self.num_local_reset_streams > 0); ++ self.num_local_reset_streams -= 1; + } + } + +diff --git a/vendor/h2/src/proto/streams/mod.rs b/vendor/h2/src/proto/streams/mod.rs +index 608395c0..6055ae53 100644 +--- a/vendor/h2/src/proto/streams/mod.rs ++++ b/vendor/h2/src/proto/streams/mod.rs +@@ -53,6 +53,10 @@ pub struct Config { + /// Maximum number of locally reset streams to keep at a time + pub local_reset_max: usize, + ++ /// Maximum number of remotely reset "pending accept" streams to keep at a ++ /// time. 
Going over this number results in a connection error. ++ pub remote_reset_max: usize, ++ + /// Initial window size of remote initiated streams + pub remote_init_window_sz: WindowSize, + +diff --git a/vendor/h2/src/proto/streams/recv.rs b/vendor/h2/src/proto/streams/recv.rs +index 252fd868..dbe89daa 100644 +--- a/vendor/h2/src/proto/streams/recv.rs ++++ b/vendor/h2/src/proto/streams/recv.rs +@@ -745,7 +745,31 @@ impl Recv { + } + + /// Handle remote sending an explicit RST_STREAM. +- pub fn recv_reset(&mut self, frame: frame::Reset, stream: &mut Stream) { ++ pub fn recv_reset( ++ &mut self, ++ frame: frame::Reset, ++ stream: &mut Stream, ++ counts: &mut Counts, ++ ) -> Result<(), RecvError> { ++ // Reseting a stream that the user hasn't accepted is possible, ++ // but should be done with care. These streams will continue ++ // to take up memory in the accept queue, but will no longer be ++ // counted as "concurrent" streams. ++ // ++ // So, we have a separate limit for these. ++ // ++ // See https://github.com/hyperium/hyper/issues/2877 ++ if stream.is_pending_accept { ++ if counts.can_inc_num_remote_reset_streams() { ++ counts.inc_num_remote_reset_streams(); ++ } else { ++ tracing::warn!( ++ "recv_reset; remotely-reset pending-accept streams reached limit ({:?})", ++ counts.max_remote_reset_streams(), ++ ); ++ return Err(RecvError::Connection(Reason::ENHANCE_YOUR_CALM)); ++ } ++ } + // Notify the stream + stream + .state +@@ -753,6 +777,8 @@ impl Recv { + + stream.notify_send(); + stream.notify_recv(); ++ ++ Ok(()) + } + + /// Handle a received error +@@ -1024,7 +1050,6 @@ impl Recv { + cx: &Context, + stream: &mut Stream, + ) -> Poll>> { +- // TODO: Return error when the stream is reset + match stream.pending_recv.pop_front(&mut self.buffer) { + Some(Event::Data(payload)) => Poll::Ready(Some(Ok(payload))), + Some(event) => { +diff --git a/vendor/h2/src/proto/streams/state.rs b/vendor/h2/src/proto/streams/state.rs +index 3e739daf..b753d44f 100644 +--- 
a/vendor/h2/src/proto/streams/state.rs ++++ b/vendor/h2/src/proto/streams/state.rs +@@ -362,6 +362,13 @@ impl State { + } + } + ++ pub fn is_remote_reset(&self) -> bool { ++ match self.inner { ++ Closed(Cause::LocallyReset(_)) => true, ++ _ => false, ++ } ++ } ++ + /// Returns true if the stream is already reset. + pub fn is_reset(&self) -> bool { + match self.inner { +diff --git a/vendor/h2/src/proto/streams/streams.rs b/vendor/h2/src/proto/streams/streams.rs +index c694203a..1eadb5bb 100644 +--- a/vendor/h2/src/proto/streams/streams.rs ++++ b/vendor/h2/src/proto/streams/streams.rs +@@ -140,6 +140,12 @@ where + // TODO: ideally, OpaqueStreamRefs::new would do this, but we're holding + // the lock, so it can't. + me.refs += 1; ++ ++ // Pending-accepted remotely-reset streams are counted. ++ if stream.state.is_remote_reset() { ++ me.counts.dec_num_remote_reset_streams(); ++ } ++ + StreamRef { + opaque: OpaqueStreamRef::new(self.inner.clone(), stream), + send_buffer: self.send_buffer.clone(), +@@ -598,7 +604,7 @@ impl Inner { + let actions = &mut self.actions; + + self.counts.transition(stream, |counts, stream| { +- actions.recv.recv_reset(frame, stream); ++ actions.recv.recv_reset(frame, stream, counts)?; + actions.send.recv_err(send_buffer, stream, counts); + assert!(stream.state.is_closed()); + Ok(()) +diff --git a/vendor/h2/src/server.rs b/vendor/h2/src/server.rs +index 6ad010bd..9b6693bb 100644 +--- a/vendor/h2/src/server.rs ++++ b/vendor/h2/src/server.rs +@@ -238,6 +238,10 @@ pub struct Builder { + /// Maximum number of locally reset streams to keep at a time. + reset_stream_max: usize, + ++ /// Maximum number of remotely reset streams to allow in the pending ++ /// accept queue. ++ pending_accept_reset_stream_max: usize, ++ + /// Initial `Settings` frame to send as part of the handshake. 
+ settings: Settings, + +@@ -557,6 +561,13 @@ where + pub fn max_concurrent_recv_streams(&self) -> usize { + self.connection.max_recv_streams() + } ++ ++ // Could disappear at anytime. ++ #[doc(hidden)] ++ #[cfg(feature = "unstable")] ++ pub fn num_wired_streams(&self) -> usize { ++ self.connection.num_wired_streams() ++ } + } + + #[cfg(feature = "stream")] +@@ -616,6 +627,7 @@ impl Builder { + Builder { + reset_stream_duration: Duration::from_secs(proto::DEFAULT_RESET_STREAM_SECS), + reset_stream_max: proto::DEFAULT_RESET_STREAM_MAX, ++ pending_accept_reset_stream_max: proto::DEFAULT_REMOTE_RESET_STREAM_MAX, + settings: Settings::default(), + initial_target_connection_window_size: None, + } +@@ -855,6 +867,49 @@ impl Builder { + self + } + ++ /// Sets the maximum number of pending-accept remotely-reset streams. ++ /// ++ /// Streams that have been received by the peer, but not accepted by the ++ /// user, can also receive a RST_STREAM. This is a legitimate pattern: one ++ /// could send a request and then shortly after, realize it is not needed, ++ /// sending a CANCEL. ++ /// ++ /// However, since those streams are now "closed", they don't count towards ++ /// the max concurrent streams. So, they will sit in the accept queue, ++ /// using memory. ++ /// ++ /// When the number of remotely-reset streams sitting in the pending-accept ++ /// queue reaches this maximum value, a connection error with the code of ++ /// `ENHANCE_YOUR_CALM` will be sent to the peer, and returned by the ++ /// `Future`. ++ /// ++ /// The default value is currently 20, but could change. ++ /// ++ /// # Examples ++ /// ++ /// ++ /// ``` ++ /// # use tokio::io::{AsyncRead, AsyncWrite}; ++ /// # use h2::server::*; ++ /// # ++ /// # fn doc(my_io: T) ++ /// # -> Handshake ++ /// # { ++ /// // `server_fut` is a future representing the completion of the HTTP/2 ++ /// // handshake. 
++ /// let server_fut = Builder::new() ++ /// .max_pending_accept_reset_streams(100) ++ /// .handshake(my_io); ++ /// # server_fut ++ /// # } ++ /// # ++ /// # pub fn main() {} ++ /// ``` ++ pub fn max_pending_accept_reset_streams(&mut self, max: usize) -> &mut Self { ++ self.pending_accept_reset_stream_max = max; ++ self ++ } ++ + /// Sets the maximum number of concurrent locally reset streams. + /// + /// When a stream is explicitly reset by either calling +@@ -1269,6 +1324,7 @@ where + initial_max_send_streams: 0, + reset_stream_duration: self.builder.reset_stream_duration, + reset_stream_max: self.builder.reset_stream_max, ++ remote_reset_stream_max: self.builder.pending_accept_reset_stream_max, + settings: self.builder.settings.clone(), + }, + ); +-- +2.25.1 + diff --git a/SPECS/rpm-ostree/rpm-ostree.spec b/SPECS/rpm-ostree/rpm-ostree.spec index 5f01463b97..91848e1ef2 100644 --- a/SPECS/rpm-ostree/rpm-ostree.spec +++ b/SPECS/rpm-ostree/rpm-ostree.spec @@ -1,7 +1,7 @@ Summary: Commit RPMs to an OSTree repository Name: rpm-ostree Version: 2022.1 -Release: 6%{?dist} +Release: 7%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -12,6 +12,7 @@ Patch1: rpm-ostree-disable-selinux.patch Patch2: CVE-2022-31394.patch Patch3: rpm-ostree-drop-lint-which-treats-warning-as-error.patch Patch4: CVE-2022-47085.patch +Patch5: CVE-2023-26964.patch BuildRequires: attr-devel BuildRequires: autoconf BuildRequires: autogen @@ -157,6 +158,9 @@ make check %{_datadir}/gir-1.0/*-1.0.gir %changelog +* Thu Aug 22 2024 Sumedh Sharma - 2022.1-7 +- Add patch to resolve CVE-2023-26964 in vendored 'h2' sources + * Thu Sep 07 2023 Daniel McIlvaney - 2022.1-6 - Bump package to rebuild with rust 1.72.0 From 959bf5a56863b10639768e6c634e67e5a63f276e Mon Sep 17 00:00:00 2001 
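Review bot: `State::is_remote_reset` in the state.rs hunk matches `Closed(Cause::LocallyReset(_))`, so the decrement added in the streams.rs hunk only fires if the `State` method that `Recv::recv_reset` invokes on `stream.state` (its name is cut from the recv.rs hunk) records a peer-sent RST_STREAM under that variant; the name reads as the opposite, so it is worth confirming against the vendored state.rs and annotating, e.g. `// a peer RST_STREAM is recorded as Cause::LocallyReset by State::recv_reset`. `Recv::recv_reset` increments `num_remote_reset_streams` on every call for a stream with `is_pending_accept` set, so a second RST_STREAM for the same pending-accept stream would be counted twice unless the caller in streams.rs (`recv_reset` on `Inner`, whose guard is outside the hunk) already skips closed streams. The connection.rs hunk replaces an empty line after the `use tokio::io` import with one containing trailing whitespace, which is unrelated to the fix and could be dropped from the backport to keep the patch minimal. Everything else in the patch mirrors the upstream change, including the `.cargo-checksum.json` per-file hash updates the vendored build needs.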
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Fri, 23 Aug 2024 11:42:47 -0700
Subject: [PATCH 42/43] [AUTO-CHERRYPICK] Add patch for CVE-2023-33976 in tensorflow - branch main (#10213)
Co-authored-by: aadhar-agarwal <108542189+aadhar-agarwal@users.noreply.github.com>
---
 SPECS/tensorflow/CVE-2023-33976.patch | 177 ++++++++++++++++++++++++++
 SPECS/tensorflow/tensorflow.spec | 6 +-
 2 files changed, 182 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/tensorflow/CVE-2023-33976.patch
diff --git a/SPECS/tensorflow/CVE-2023-33976.patch b/SPECS/tensorflow/CVE-2023-33976.patch
new file mode 100644
index 0000000000..936750be65
--- /dev/null
+++ b/SPECS/tensorflow/CVE-2023-33976.patch
@@ -0,0 +1,177 @@
+From 915884fdf5df34aaedd00fc6ace33a2cfdefa586 Mon Sep 17 00:00:00 2001
+From: Cesar Crusius
+Date: Mon, 27 Feb 2023 10:14:05 -0800
+Subject: [PATCH] Check for correct `values` rank in UpperBound and LowerBound.
+
+The shape function in array_ops.cc for those ops requires that
+argument to have rank 2, but that function is bypassed when switching
+between graph and eager modes, allowing for invalid arguments to
+pass through and, in the test case, cause a segfault.
+
+PiperOrigin-RevId: 512661338
+---
+ tensorflow/core/kernels/searchsorted_op.cc | 32 ++++++++++---
+ tensorflow/python/ops/array_ops_test.py | 54 ++++++++++++++++++----
+ 2 files changed, 71 insertions(+), 15 deletions(-)
+
+diff --git a/tensorflow/core/kernels/searchsorted_op.cc b/tensorflow/core/kernels/searchsorted_op.cc
+index 94d18708a6a..8fc3d0da91c 100644
+--- a/tensorflow/core/kernels/searchsorted_op.cc
++++ b/tensorflow/core/kernels/searchsorted_op.cc
+@@ -101,10 +101,20 @@ class UpperBoundOp : public OpKernel {
+ const Tensor& sorted_inputs_t = ctx->input(0);
+ const Tensor& values_t = ctx->input(1);
+
+- // inputs must be at least a matrix
++ // Inputs must be a matrix
++ // This replicates the shape requirements for the op in array_ops.cc
+ OP_REQUIRES(
+- ctx, sorted_inputs_t.shape().dims() >= 2,
+- errors::InvalidArgument("sorted input argument must be a matrix"));
++ ctx, sorted_inputs_t.shape().dims() == 2,
++ errors::InvalidArgument(absl::StrCat(
++ "Shape must be rank 2 but is rank ", sorted_inputs_t.shape().dims(),
++ " for "
++ "`sorted_inputs` argument")));
++ // Values must be a matrix
++ // This replicates the shape requirements for the op in array_ops.cc
++ OP_REQUIRES(ctx, values_t.shape().dims() == 2,
++ errors::InvalidArgument(absl::StrCat(
++ "Shape must be rank 2 but is rank ",
++ values_t.shape().dims(), " for `values` argument")));
+ // must have same batch dim_size for both
+ OP_REQUIRES(ctx, sorted_inputs_t.dim_size(0) == values_t.dim_size(0),
+ Status(error::INVALID_ARGUMENT,
+@@ -154,10 +164,20 @@ class LowerBoundOp : public OpKernel {
+ const Tensor& sorted_inputs_t = ctx->input(0);
+ const Tensor& values_t = ctx->input(1);
+
+- // inputs must be at least a matrix
++ // Inputs must be a matrix
++ // This replicates the shape requirements for the op in array_ops.cc
+ OP_REQUIRES(
+- ctx, sorted_inputs_t.shape().dims() >= 2,
+- errors::InvalidArgument("sorted input argument must be a matrix"));
++ ctx, sorted_inputs_t.shape().dims() == 2,
++ errors::InvalidArgument(absl::StrCat(
++ "Shape must be rank 2 but is rank ", sorted_inputs_t.shape().dims(),
++ " for "
++ "`sorted_inputs` argument")));
++ // Values must be a matrix
++ // This replicates the shape requirements for the op in array_ops.cc
++ OP_REQUIRES(ctx, values_t.shape().dims() == 2,
++ errors::InvalidArgument(absl::StrCat(
++ "Shape must be rank 2 but is rank ",
++ values_t.shape().dims(), " for `values` argument")));
+ // must have same batch dim_size for both
+ OP_REQUIRES(ctx, sorted_inputs_t.dim_size(0) == values_t.dim_size(0),
+ Status(error::INVALID_ARGUMENT,
+diff --git a/tensorflow/python/ops/array_ops_test.py b/tensorflow/python/ops/array_ops_test.py
+index 0c82f5ac098..4cf619d4739 100644
+--- a/tensorflow/python/ops/array_ops_test.py
++++ b/tensorflow/python/ops/array_ops_test.py
+@@ -20,6 +20,7 @@ from tensorflow.python.framework import dtypes
+ from tensorflow.python.framework import tensor_spec
+ from tensorflow.python.framework import test_util
+ from tensorflow.python.ops import array_ops
++from tensorflow.python.ops import gen_array_ops
+ from tensorflow.python.ops import math_ops
+ from tensorflow.python.ops import random_ops
+ from tensorflow.python.platform import test
+@@ -31,9 +32,8 @@ class ArrayOpTest(test.TestCase):
+ # Create a tensor with an unknown dim 1.
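Review bot: The two new rank checks in `LowerBoundOp::Compute` are a verbatim copy of the ones added to `UpperBoundOp::Compute` in the previous hunk, and this kernel-side validation is now the only defense on the eager path (the commit message says the shape function in array_ops.cc is bypassed there), so any future kernel for these ops that forgets to copy the block reopens the same out-of-bounds read. Factoring both checks into one `static Status ValidateSearchSortedInputs(const Tensor&, const Tensor&)` above the kernels and calling it via `OP_REQUIRES_OK(ctx, ValidateSearchSortedInputs(sorted_inputs_t, values_t));` keeps the contract in one place; `errors::InvalidArgument` already concatenates its arguments, so the `absl::StrCat` wrapper is not needed. Whether this tree spells the success value `Status::OK()` or `OkStatus()` is not visible here — use whichever the rest of the file uses. Both `Compute` bodies continue past the end of their hunks.
```cpp
// Both kernels must re-check the rank-2 contract that the shape function in
// array_ops.cc enforces, because eager execution bypasses shape inference and
// dim_size(0)/dim_size(1) below would read out of bounds on a lower rank.
static Status ValidateSearchSortedInputs(const Tensor& sorted_inputs_t,
                                         const Tensor& values_t) {
  if (sorted_inputs_t.shape().dims() != 2) {
    return errors::InvalidArgument(
        "Shape must be rank 2 but is rank ", sorted_inputs_t.shape().dims(),
        " for `sorted_inputs` argument");
  }
  if (values_t.shape().dims() != 2) {
    return errors::InvalidArgument("Shape must be rank 2 but is rank ",
                                   values_t.shape().dims(),
                                   " for `values` argument");
  }
  return Status::OK();
}

// … unchanged: class LowerBoundOp header, input lookups …
    OP_REQUIRES_OK(ctx, ValidateSearchSortedInputs(sorted_inputs_t, values_t));
    // must have same batch dim_size for both
// … unchanged: batch-dimension check and the rest of Compute …
```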
+ x = random_ops.random_normal([4, 10, 10]) + x = array_ops.gather( +- x, +- array_ops.reshape(array_ops.where_v2(x[0, :, 0] > 0.5), [-1]), +- axis=1) ++ x, array_ops.reshape(array_ops.where_v2(x[0, :, 0] > 0.5), [-1]), axis=1 ++ ) + x.shape.assert_is_compatible_with([4, None, 10]) + + with backprop.GradientTape() as tape: +@@ -54,9 +54,8 @@ class ArrayOpTest(test.TestCase): + # Create a tensor with an unknown dim 1. + x = random_ops.random_normal([4, 10, 10]) + x = array_ops.gather( +- x, +- array_ops.reshape(array_ops.where_v2(x[0, :, 0] > 0.5), [-1]), +- axis=1) ++ x, array_ops.reshape(array_ops.where_v2(x[0, :, 0] > 0.5), [-1]), axis=1 ++ ) + x.shape.assert_is_compatible_with([4, None, 10]) + a = array_ops.reshape(x, array_ops.shape(x)) + a.shape.assert_is_compatible_with([4, None, 10]) +@@ -68,14 +67,15 @@ class ArrayOpTest(test.TestCase): + c = array_ops.reshape( + x, + math_ops.cast( +- math_ops.cast(array_ops.shape(x), dtypes.float32), dtypes.int32)) ++ math_ops.cast(array_ops.shape(x), dtypes.float32), dtypes.int32 ++ ), ++ ) + c.shape.assert_is_compatible_with([None, None, None]) + + def testEmptyMeshgrid(self): + self.assertEqual(array_ops.meshgrid(), []) + + def testSlicedPartialShapeInference(self): +- + @def_function.function(autograph=False) + def g(x): + return array_ops.zeros([array_ops.shape(x)[0]]) +@@ -84,7 +84,6 @@ class ArrayOpTest(test.TestCase): + self.assertAllEqual(conc.output_shapes.as_list(), [10]) + + def testIdentityOnSlicedPartialShapeInference(self): +- + @def_function.function(autograph=False) + def g(x): + return array_ops.zeros([array_ops.identity(array_ops.shape(x)[0])]) +@@ -106,6 +105,43 @@ class ArrayOpTest(test.TestCase): + ): + func() + ++ @test_util.run_in_graph_and_eager_modes ++ def testUpperBoundValuesWrongRank(self): ++ # Used to cause a segfault, b/266336058 ++ arg0 = array_ops.zeros([2, 3], dtype=dtypes.float32) ++ arg1 = array_ops.zeros([2, 1, 0], dtype=dtypes.float32) ++ with self.assertRaisesRegex( ++ Exception, 
"Shape must be rank 2 but is rank 3" ++ ): ++ gen_array_ops.upper_bound(arg0, arg1) ++ ++ def testLowerBoundValuesWrongRank(self): ++ # Used to cause a segfault, b/266336058 ++ arg0 = array_ops.zeros([2, 3], dtype=dtypes.float32) ++ arg1 = array_ops.zeros([2, 1, 0], dtype=dtypes.float32) ++ with self.assertRaisesRegex( ++ Exception, "Shape must be rank 2 but is rank 3" ++ ): ++ gen_array_ops.lower_bound(arg0, arg1) ++ ++ def testUpperBoundInputsWrongRank(self): ++ # Used to cause a segfault, b/266336058 ++ arg0 = array_ops.zeros([2, 1, 0], dtype=dtypes.float32) ++ arg1 = array_ops.zeros([2, 3], dtype=dtypes.float32) ++ with self.assertRaisesRegex( ++ Exception, "Shape must be rank 2 but is rank 3" ++ ): ++ gen_array_ops.upper_bound(arg0, arg1) ++ ++ def testLowerBoundInputsWrongRank(self): ++ # Used to cause a segfault, b/266336058 ++ arg0 = array_ops.zeros([2, 1, 0], dtype=dtypes.float32) ++ arg1 = array_ops.zeros([2, 3], dtype=dtypes.float32) ++ with self.assertRaisesRegex( ++ Exception, "Shape must be rank 2 but is rank 3" ++ ): ++ gen_array_ops.lower_bound(arg0, arg1) ++ + + if __name__ == "__main__": + test.main() +-- +2.34.1 + diff --git a/SPECS/tensorflow/tensorflow.spec b/SPECS/tensorflow/tensorflow.spec index e7cb4a5468..9522723520 100644 --- a/SPECS/tensorflow/tensorflow.spec +++ b/SPECS/tensorflow/tensorflow.spec @@ -1,7 +1,7 @@ Summary: TensorFlow is an open source machine learning framework for everyone. Name: tensorflow Version: 2.11.1 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -9,6 +9,7 @@ Group: Development/Languages/Python URL: https://www.tensorflow.org/ Source0: https://github.com/tensorflow/tensorflow/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: %{name}-%{version}-cache.tar.gz +Patch0: CVE-2023-33976.patch BuildRequires: bazel BuildRequires: binutils BuildRequires: build-essential 
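Review bot: Only `testUpperBoundValuesWrongRank` carries `@test_util.run_in_graph_and_eager_modes`; `testLowerBoundValuesWrongRank`, `testUpperBoundInputsWrongRank` and `testLowerBoundInputsWrongRank` run in a single mode, yet the commit message says the crash only reaches the kernel when the shape function is bypassed in eager mode, so three of the four regression tests may never exercise the new `OP_REQUIRES` checks at all. Add the same `@test_util.run_in_graph_and_eager_modes` line above each of the three remaining methods. The pattern `"Shape must be rank 2 but is rank 3"` matches both the shape-function error and the new kernel message, so the assertions should hold in either mode.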
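Review bot: `Patch0: CVE-2023-33976.patch` is the first `Patch` tag this spec has had, and neither this hunk nor the changelog hunk that follows touches `%prep`, so if `%prep` still uses a plain `%setup -q` the patch is registered but never applied and the rebuilt package would still ship the vulnerable kernels. Confirm that `%prep` reads `%autosetup -p1` (or gains an explicit `%patch0 -p1`); the `%prep` section is outside this hunk, so this cannot be verified from the diff. A quick build-time check is that `searchsorted_op.cc` in the unpacked source contains `Shape must be rank 2 but is rank` after `%prep` runs.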
@@ -147,6 +148,9 @@ bazel --batch build --verbose_explanations //tensorflow/tools/pip_package:build %changelog +* Thu Aug 15 2024 Aadhar Agarwal - 2.11.1-2 +- Add a patch for CVE-2023-33976 + * Wed Oct 11 2023 Mitch Zhu - 2.11.1-1 - Update to 2.11.1 to fix CVEs From 52e54efc1d1c0c4a042cb204a3a0be72b2c3b1ec Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 23 Aug 2024 11:44:24 -0700 Subject: [PATCH 43/43] [AUTO-CHERRYPICK] frr: CVE-2024-44070 (mariner 2) - branch main (#10235) Co-authored-by: bfjelds Co-authored-by: Pawel Winogrodzki --- SPECS/frr/CVE-2024-44070.patch | 48 ++++++++++++++++++++++++++++++++++ SPECS/frr/frr.spec | 6 ++++- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 SPECS/frr/CVE-2024-44070.patch diff --git a/SPECS/frr/CVE-2024-44070.patch b/SPECS/frr/CVE-2024-44070.patch new file mode 100644 index 0000000000..89ebf9e7ef --- /dev/null +++ b/SPECS/frr/CVE-2024-44070.patch 
@@ -0,0 +1,48 @@ +From 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Wed, 31 Jul 2024 08:35:14 +0300 +Subject: [PATCH] bgpd: Check the actual remaining stream length before taking + TLV value + +``` + 0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) + 1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) + 2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) + 3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11) + 4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17 + 5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13 + 6 0xe0d12c83712c in abort stdlib/abort.c:79:7 + 7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2 + 8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3 + 9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3 + 10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10 + 11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20 + 12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11 + 13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3 +``` + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +--- + bgpd/bgp_attr.c | 8 
++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 2ed49935e52b..ac5d08b6fe6e 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2749,6 +2749,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
+ args->total);
+ }
+
++ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
++ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
++ sublength, STREAM_READABLE(BGP_INPUT(peer)));
++ return bgp_attr_malformed(args,
++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
++ args->total);
++ }
++
+ /* alloc and copy sub-tlv */
+ /* TBD make sure these are freed when attributes are released */
+ tlv = XCALLOC(MTYPE_ENCAP_TLV,
diff --git a/SPECS/frr/frr.spec b/SPECS/frr/frr.spec
index dbb9f83a9e..6477537e8e 100644
--- a/SPECS/frr/frr.spec
+++ b/SPECS/frr/frr.spec
@@ -3,7 +3,7 @@ Summary: Routing daemon
 Name: frr
 Version: 8.5.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL-2.0-or-later
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -16,6 +16,7 @@ Patch1: 0001-enable-openssl.patch
 Patch2: 0002-disable-eigrp-crypto.patch
 Patch3: 0003-fips-mode.patch
 Patch4: 0004-remove-grpc-test.patch
+Patch5: CVE-2024-44070.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: bison
@@ -197,6 +198,9 @@ rm tests/lib/*grpc*
 %{_sysusersdir}/%{name}.conf
 %changelog
+* Wed Aug 21 2024 Brian Fjeldstad - 8.5.5-2
+- Patch CVE-2024-44070
+
 * Tue Aug 06 2024 Sumedh Sharma - 8.5.5-1
 - Bump version to fix CVE-2024-31950 & CVE-2024-31951
 - Remove patches present in sources
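Review bot: The new guard in `bgp_attr_encap()` has no comment saying why it exists, and the reason is not obvious from the code: the trace in the commit message shows `stream_get()` does not return an error on overrun but trips `zlog_assert` and aborts the whole bgpd process, so an unchecked peer-supplied `sublength` is a remote crash rather than a parse error. Add above the `if`: `/* sublength is peer-controlled; stream_get() asserts (aborts bgpd) on overrun, so bound it by what is actually readable before copying the sub-TLV */`. The loop that reads `sublength` begins above the hunk, so it is not visible whether `sublength` is also bounded against the attribute's own remaining length; if it is not, a sub-TLV that fits in the stream but overruns the Tunnel Encap attribute would still be copied from the following attribute's bytes, which this check alone does not reject. Bounding against the attribute length as well would keep the two failure modes separate.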