Merge branch 'fasttrack/3.0' into bala/fix_CVE-2024-6345_python-pip
jslobodzian authored Oct 24, 2024
2 parents 6ac954b + ffb74a2 commit 6f556b5
Showing 18 changed files with 485 additions and 52 deletions.
Original file line number Diff line number Diff line change
@@ -1,8 +1,23 @@
From a91f9a55e6b8b01511538827005a6e948ccf6e27 Mon Sep 17 00:00:00 2001
From: Tobias Brick <[email protected]>
Date: Sat, 12 Oct 2024 02:06:21 +0000
Subject: [PATCH] add build flags to prevent stripping and post processing
From 997c3bdf24749edbdb562af15f9d95be35f062de Mon Sep 17 00:00:00 2001
From: Tobias Brick <[email protected]>
Date: Tue, 15 Oct 2024 16:21:27 +0000
Subject: [PATCH] Merged PR 11601893: add build flags to prevent stripping and
post processing

## Description:
Add build flags to prevent stripping and post processing of binary after building. This is useful to fit in to different package build systems.

----
#### AI description (iteration 1)
#### PR Classification
New feature

#### PR Summary
This pull request introduces build flags to control binary stripping and FIPS postprocessing.
- `CMakeLists.txt`: Added options `SYMCRYPT_STRIP_BINARY` and `SYMCRYPT_FIPS_POSTPROCESS` with default values set to `ON`.
- `scripts/build.py`: Added command-line arguments `--no-strip-binary` and `--no-fips-postprocess` to control the new build options.
- `BUILD.md`: Updated documentation to include the new build options.
- `modules/linux/common/ModuleCommon.cmake`: Modified conditions to respect the new build flags for stripping and FIPS postprocessing.
---
BUILD.md | 2 ++
CMakeLists.txt | 14 ++++++++++++++
Expand All @@ -11,10 +26,10 @@ Subject: [PATCH] add build flags to prevent stripping and post processing
4 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/BUILD.md b/BUILD.md
index e7f0618..a4984da 100644
index f6c781d..e8eaa88 100644
--- a/BUILD.md
+++ b/BUILD.md
@@ -63,6 +63,8 @@ and building the Linux modules with FIPS integrity checks.
@@ -74,6 +74,8 @@ and building the Linux modules with FIPS integrity checks.
* To cross-compile for Linux ARM64, you must also use `--toolchain=cmake-configs/Toolchain-Clang-ARM64.cmake`
* `-DSYMCRYPT_USE_ASM=<ON|OFF>` to choose whether to use assembly optimizations. Defaults to `ON`.
* `-DSYMCRYPT_FIPS_BUILD=<ON|OFF>` to choose whether to enable FIPS self-tests in the SymCrypt shared object module. Defaults to `ON`. Currently only affects Linux builds.
Expand All @@ -24,11 +39,11 @@ index e7f0618..a4984da 100644
1. `cmake --build bin`
* Optionally, for a release build on Windows, specify `--config Release`
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6da485d..1533e9d 100644
index cd9aa15..9e0c599 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -54,6 +54,18 @@ if(SYMCRYPT_FIPS_BUILD)
add_compile_options(-DSYMCRYPT_DO_FIPS_SELFTESTS=1)
@@ -56,6 +56,18 @@ if(SYMCRYPT_FIPS_BUILD)
add_compile_definitions(SYMCRYPT_DO_FIPS_SELFTESTS=1)
endif()

+option(
Expand All @@ -46,20 +61,20 @@ index 6da485d..1533e9d 100644
option(
SYMCRYPT_TEST_LEGACY_IMPL
"When enabled, the SymCrypt unit tests will be linked against and configured to run compatibility and performance tests on the legacy
@@ -94,6 +106,8 @@ message(STATUS "Host: ${CMAKE_HOST_SYSTEM_NAME} ${CMAKE_HOST_SYSTEM_PROCESSOR}")
@@ -104,6 +116,8 @@ message(STATUS "Host: ${CMAKE_HOST_SYSTEM_NAME} ${CMAKE_HOST_SYSTEM_PROCESSOR}")
message(STATUS "Target: ${CMAKE_SYSTEM_NAME} ${SYMCRYPT_TARGET_ARCH} ${SYMCRYPT_TARGET_ENV}")
message(STATUS "ASM optimizations: ${SYMCRYPT_USE_ASM}")
message(STATUS "FIPS build: ${SYMCRYPT_FIPS_BUILD}")
+message(STATUS "Strip binary: ${SYMCRYPT_STRIP_BINARY}")
+message(STATUS "FIPS postprocess: ${SYMCRYPT_FIPS_POSTPROCESS}")

# Set output directories binaries
# Note: we use a generator expression because "Multi-configuration generators [e.g. Visual Studio]
# Validate compiler versions
if("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU")
diff --git a/modules/linux/common/ModuleCommon.cmake b/modules/linux/common/ModuleCommon.cmake
index ced60ac..7d626c0 100644
index e6db214..fbe1421 100644
--- a/modules/linux/common/ModuleCommon.cmake
+++ b/modules/linux/common/ModuleCommon.cmake
@@ -57,7 +57,7 @@ set_target_properties(${TARGET_NAME} PROPERTIES VERSION ${PROJECT_VERSION})
@@ -61,7 +61,7 @@ set_target_properties(${TARGET_NAME} PROPERTIES VERSION ${PROJECT_VERSION})
set_target_properties(${TARGET_NAME} PROPERTIES SOVERSION ${PROJECT_VERSION_MAJOR})


Expand All @@ -68,7 +83,7 @@ index ced60ac..7d626c0 100644
add_custom_command(
TARGET ${TARGET_NAME}
POST_BUILD
@@ -69,7 +69,7 @@ if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo")
@@ -73,7 +73,7 @@ if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo")
)
endif()

Expand All @@ -78,7 +93,7 @@ index ced60ac..7d626c0 100644
TARGET ${TARGET_NAME}
POST_BUILD
diff --git a/scripts/build.py b/scripts/build.py
index bbf0c89..48a7146 100755
index af9b0bc..3a70b84 100755
--- a/scripts/build.py
+++ b/scripts/build.py
@@ -101,6 +101,12 @@ def configure_cmake(args : argparse.Namespace) -> None:
Expand All @@ -94,7 +109,7 @@ index bbf0c89..48a7146 100755
if args.test_legacy_impl:
cmake_args.append("-DSYMCRYPT_TEST_LEGACY_IMPL=ON")

@@ -215,6 +221,8 @@ def main() -> None:
@@ -218,6 +224,8 @@ def main() -> None:
parser_cmake.add_argument("--cxx", type = str, help = "Specify the C++ compiler to use. If not provided, uses platform default.")
parser_cmake.add_argument("--no-asm", action = "store_false", dest = "asm", help = "Disable handwritten ASM optimizations.", default = True)
parser_cmake.add_argument("--no-fips", action = "store_false", dest = "fips", help = "Disable FIPS selftests and postprocessing of binary. Currently only affects Linux targets.", default = True)
5 changes: 3 additions & 2 deletions SPECS/SymCrypt/SymCrypt.signatures.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
{
"Signatures": {
"SymCrypt-103.4.2.tar.gz": "7cbcee7625fd1d99286e393a727504189dab4d407c6c3474bd2532d5ee231921",
"SymCrypt-103.5.1.tar.gz": "1c4d41972f7683cb2c053ddc58452d6f4b56c1b556b7499f9fedbd7706ccd0fe",
"find-debuginfo": "356800f19b755879993103c121c83fb4cc97d0e8656ea34d051daa310f54cedf",
"jitterentropy-library-3.3.1.tar.gz": "4a50cb02b4836cd5550016e2fc2263e6982abaa11467a9e1cea260c1c2f7d487"
"jitterentropy-library-3.3.1.tar.gz": "4a50cb02b4836cd5550016e2fc2263e6982abaa11467a9e1cea260c1c2f7d487",
"symcrypt-build-environment-variables-v103.5.1.sh": "6f6e162011e8203de66be6af59c0b4511992b731370a152044b028e8075578a7"
}
}
14 changes: 9 additions & 5 deletions SPECS/SymCrypt/SymCrypt.spec
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: A core cryptographic library written by Microsoft
Name: SymCrypt
Version: 103.4.2
Release: 2%{?dist}
Version: 103.5.1
Release: 1%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -10,6 +10,9 @@ URL: https://github.com/microsoft/SymCrypt
Source0: https://github.com/microsoft/SymCrypt/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: https://github.com/smuellerDD/jitterentropy-library/archive/v3.3.1.tar.gz#/jitterentropy-library-3.3.1.tar.gz
Source2: find-debuginfo
# Use ./generate-env-file.sh --release-tag <git-version-tag> to generate this. For example:
# ./generate-env-file.sh --release-tag v103.5.1
Source3: symcrypt-build-environment-variables-v%{version}.sh
Patch1: 0001-add-build-flags-to-prevent-stripping-and-post-proces.patch
Patch2: 0001-add-parameter-to-process_fips_module-to-specify-the-.patch
BuildRequires: cmake
Expand Down Expand Up @@ -48,9 +51,7 @@ rm -rf 3rdparty/jitterentropy-library
ln -s ../jitterentropy-library-3.3.1 3rdparty/jitterentropy-library

%build
SYMCRYPT_BRANCH=main \
SYMCRYPT_COMMIT_HASH=a84ffe1 \
SYMCRYPT_COMMIT_TIMESTAMP=2024-01-26T22:00:47-08:00 \
source %{SOURCE3}
cmake -S . -B bin \
-DSYMCRYPT_TARGET_ARCH=%{symcrypt_arch} \
-DSYMCRYPT_STRIP_BINARY=OFF \
Expand Down Expand Up @@ -104,6 +105,9 @@ chmod 755 %{buildroot}%{_libdir}/libsymcrypt.so.%{version}
%{_includedir}/*

%changelog
* Mon Oct 21 2024 Tobias Brick <[email protected]> - 103.5.1-1
- Update 103.5.1

* Mon Oct 14 2024 Tobias Brick <[email protected]> - 103.4.2-2
- Add debuginfo package

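Review bot: `source %{SOURCE3}` in %build now executes a checked-in shell file to supply the SYMCRYPT_* commit variables, but the comment above `Source3:` does not say that this file is content-pinned in SymCrypt.signatures.json, so anyone who regenerates it as instructed gets a signature-mismatch failure until the hash is refreshed. Suggest adding `# After regenerating, update its sha256 in SymCrypt.signatures.json.` directly under the existing generate-env-file.sh comment. The changelog entry `- Update 103.5.1` could also note that the commit hash and timestamp are now taken from the generated env file instead of the hardcoded %build values it replaces.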
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
From 1425f9e27cb1bae39e0b22e25fce50daa47618ca Mon Sep 17 00:00:00 2001
From: Tobias Brick <[email protected]>
Date: Tue, 15 Oct 2024 22:59:08 +0000
Subject: [PATCH] Merged PR 11618838: add parameter to version script to print
the commit info environment variables

Add parameter to version script to print the commit info environment variables. This makes it easier to get those right for builds based on the source tarball rather than from a git clone.

----
#### AI description (iteration 1)
#### PR Classification
New feature

#### PR Summary
Added a new parameter to the version script to print commit information as environment variables.
- `scripts/version.py`: Introduced `--commit-info` argument to print commit hash and timestamp as environment variables. Added `print_commit_info` function to handle this new feature.
---
scripts/version.py | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/scripts/version.py b/scripts/version.py
index 49edf9b..4ac1862 100644
--- a/scripts/version.py
+++ b/scripts/version.py
@@ -180,27 +180,43 @@ def print_devops_vars(version_info: SymCryptVersion) -> None:
set_task_variable("VER_MINOR", version_info.minor)
set_task_variable("VER_PATCH", version_info.patch)

+def print_commit_info(version_info: SymCryptVersion) -> None:
+ """
+ Prints the commit information as environment variables that would override the commit hash and timestamp.
+ """
+
+ print("export {}={}".format(ENV_SYMCRYPT_BRANCH, version_info.branch))
+ print("export {}={}".format(ENV_SYMCRYPT_COMMIT_HASH, version_info.commit_hash))
+ print("export {}={}".format(ENV_SYMCRYPT_COMMIT_TIMESTAMP, version_info.commit_timestamp.isoformat(timespec = "seconds")))
+
def main() -> None:
"""
Entrypoint
"""

parser = argparse.ArgumentParser(description = "Versioning helper script for SymCrypt.")
+ parser.add_argument("--no-print-version-number", dest = "print_version_number", help = "Do not print the version number", action = "store_false", default = True)
group = parser.add_mutually_exclusive_group()
group.add_argument("-b", "--build-info", help = "Generate buildInfo.h", action = "store_true")
group.add_argument("--devops", help = "Format output to set Azure DevOps variables", action = "store_true")
+ group.add_argument("--commit-info",
+ help = "Format commit info as environment variables that would override the commit hash and timestamp, which can then be used when building from the source tarball rather than a git clone.",
+ action = "store_true")

args = parser.parse_args()

# Parse the version information from the SymCrypt headers
version_info = get_version_info()

- print("{}.{}.{}".format(version_info.major, version_info.minor, version_info.patch))
+ if args.print_version_number:
+ print("{}.{}.{}".format(version_info.major, version_info.minor, version_info.patch))

if args.build_info:
generate_build_info(version_info)
elif args.devops:
print_devops_vars(version_info)
+ elif args.commit_info:
+ print_commit_info(version_info)

if __name__ == "__main__":
- main()
\ No newline at end of file
+ main()
--
2.39.4

89 changes: 89 additions & 0 deletions SPECS/SymCrypt/generate-env-file.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
#!/bin/bash

# Fail out if anything fails.
set -e

SYMCRYPT_REPO='https://github.com/microsoft/SymCrypt.git'
SYMCRYPT_DIR='./SymCrypt'

CURRENT_DIR=$(pwd)
RELEASE_TAG=

function show_help() {
echo "Usage: $0 [--release-tag <tag>]"
echo
echo "Options:"
echo " --release-tag <tag> The release tag to use for the build, e.g.: v103.5.1"
echo " --debug Enable debug output, which is just 'set -x'"
echo " --help Display this help message"
echo
echo "Generates a sourceable script file that sets git-related environment variables for the SymCrypt build."
echo "The script file will be named 'symcrypt-build-environment-variables-<release-tag>.sh"
}

while [[ "$#" -gt 0 ]]; do
case $1 in
-h|--help)
show_help
exit 0
;;
-t|--tag|--release-tag)
RELEASE_TAG="$2"
shift
;;
-d|--debug)
set -x
;;
*)
echo "Unknown parameter passed: $1"
exit 1
;;
esac
shift
done

if [ -z "${RELEASE_TAG}" ]; then
echo "release tag is required" >> /dev/stderr
show_help
exit 1
fi

echo "generating env file for release tag: '${RELEASE_TAG}'"

# Create a temporary directory to clone the git repo
TEMP_DIR=$(mktemp -d)
if [[ ! "$TEMP_DIR" || ! -d "$TEMP_DIR" ]]; then
echo "Could not create temp dir to clone git repo" >> /dev/stderr
exit 1
fi

# Clone into the temp directory
pushd "${TEMP_DIR}" > /dev/null
echo "Cloning SymCrypt repo '${SYMCRYPT_REPO}' into temp directory '${TEMP_DIR}"
git clone "${SYMCRYPT_REPO}"

# The version script uses the current git branch, which want to main but at the commit for the release tag.
echo "Getting to the commit for release tag '${RELEASE_TAG}'"
cd "${SYMCRYPT_DIR}"
TAG_COMMIT=$(git rev-parse --verify "${RELEASE_TAG}")
if [[ ! "$TAG_COMMIT" ]]; then
echo "Could not find commit for release tag '${RELEASE_TAG}'"
exit 1
fi
echo "Tag commit is '${TAG_COMMIT}'"
git reset --hard "${TAG_COMMIT}"

# Patching the version script; will be unneeded as of v103.5.2
git apply "${CURRENT_DIR}/add-parameter-to-version-script-to-print-the-commit-info.patch"

# Call the version script to get the properly formmatted git info
ENV_SCRIPT_FILE_NAME="symcrypt-build-environment-variables-${RELEASE_TAG}.sh"
echo "#!/bin/bash" > "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}"
echo "# Generated by 'generate-env-file.sh'" >> "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}"
echo "Running version script"
python3 scripts/version.py --no-print-version-number --commit-info >> "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}"
echo "Generated '${ENV_SCRIPT_FILE_NAME}'"

# Clean up the temp directory
popd > /dev/null
rm -rf "${TEMP_DIR}"
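Review bot: The check `if [[ ! "$TAG_COMMIT" ]]` after `git rev-parse --verify "${RELEASE_TAG}"` is dead code: under `set -e` a failing rev-parse aborts the script at the assignment itself, so the friendly message is never printed and, since nothing traps the exit, the temporary clone is left on disk. Add `trap 'rm -rf "${TEMP_DIR}"' EXIT` right after `mktemp -d` so every exit path cleans up, and either accept the abort or write the probe as `TAG_COMMIT=$(git rev-parse --verify "refs/tags/${RELEASE_TAG}^{commit}" 2>/dev/null || true)`, which keeps the check alive, refuses a branch that happens to share the tag's name, and yields the commit id rather than the tag object if the tag is annotated. The patch path `${CURRENT_DIR}/add-parameter-to-version-script-to-print-the-commit-info.patch` is taken from the caller's cwd, so the `./generate-env-file.sh --release-tag …` invocation documented in SymCrypt.spec only works when run from SPECS/SymCrypt; resolving it from `$(dirname "${BASH_SOURCE[0]}")` removes that dependency. The `>> /dev/stderr` redirections are conventionally written `>&2`.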
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
#!/bin/bash
# Generated by 'generate-env-file.sh'
export SYMCRYPT_BRANCH=main
export SYMCRYPT_COMMIT_HASH=907622c
export SYMCRYPT_COMMIT_TIMESTAMP=2024-09-18T20:38:10+00:00
23 changes: 23 additions & 0 deletions SPECS/libarchive/CVE-2024-26256.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
From: Wei-Cheng Pan <[email protected]>
Date: Mon, 22 Apr 2024 01:55:41 +0900
Subject: [PATCH] fix: OOB in rar e8 filter (#2135)

This patch fixes an out-of-bound error in rar e8 filter.
---
libarchive/archive_read_support_format_rar.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 99a11d1700..266d0ee995 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz
uint32_t filesize = 0x1000000;
uint32_t i;

- if (length > PROGRAM_WORK_SIZE || length < 4)
+ if (length > PROGRAM_WORK_SIZE || length <= 4)
return 0;

for (i = 0; i <= length - 5; i++)
24 changes: 24 additions & 0 deletions SPECS/libarchive/CVE-2024-37407.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
From b6a979481b7d77c12fa17bbed94576b63bbcb0c0 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <[email protected]>
Date: Thu, 25 Apr 2024 09:18:30 +0000
Subject: [PATCH] zip: Fix out of boundary access (#2145)

If a ZIP file contains a file with an empty name and mac-ext option is
set, then a check accesses memory out of bound of `name`.
---
libarchive/archive_read_support_format_zip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
index d7b6f082ee..7552a1a1a2 100644
--- a/libarchive/archive_read_support_format_zip.c
+++ b/libarchive/archive_read_support_format_zip.c
@@ -4089,7 +4089,7 @@ slurp_central_directory(struct archive_read *a, struct archive_entry* entry,
* as the actual resource fork doesn't end with '/'.
*/
size_t tmp_length = filename_length;
- if (name[tmp_length - 1] == '/') {
+ if (tmp_length > 0 && name[tmp_length - 1] == '/') {
tmp_length--;
r = rsrc_basename(name, tmp_length);
}
6 changes: 3 additions & 3 deletions SPECS/libarchive/libarchive.signatures.json
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{
"Signatures": {
"libarchive-3.7.7.tar.gz": "4cc540a3e9a1eebdefa1045d2e4184831100667e6d7d5b315bb1cbc951f8ddff"
}
"Signatures": {
"libarchive-3.7.1.tar.gz": "5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0"
}
}
