From a5364520b1aa1061155f1ad7ad0527c2a0055b47 Mon Sep 17 00:00:00 2001 From: Andrew Phelps Date: Tue, 22 Oct 2024 12:05:25 -0700 Subject: [PATCH 1/3] =?UTF-8?q?Revert=20"libarchive:=20Upgrade=20to=203.7.?= =?UTF-8?q?7=20to=20fix=20CVE-2024-48957,=20CVE-2024-=E2=80=A6=20(#10807)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SPECS/libarchive/CVE-2024-26256.patch | 23 +++ SPECS/libarchive/CVE-2024-37407.patch | 24 +++ SPECS/libarchive/libarchive.signatures.json | 6 +- SPECS/libarchive/libarchive.spec | 13 +- ...date-appledouble-support-directories.patch | 189 ++++++++++++++++++ cgmanifest.json | 4 +- .../manifests/package/pkggen_core_aarch64.txt | 4 +- .../manifests/package/pkggen_core_x86_64.txt | 4 +- .../manifests/package/toolchain_aarch64.txt | 6 +- .../manifests/package/toolchain_x86_64.txt | 6 +- 10 files changed, 258 insertions(+), 21 deletions(-) create mode 100644 SPECS/libarchive/CVE-2024-26256.patch create mode 100644 SPECS/libarchive/CVE-2024-37407.patch create mode 100644 SPECS/libarchive/update-appledouble-support-directories.patch diff --git a/SPECS/libarchive/CVE-2024-26256.patch b/SPECS/libarchive/CVE-2024-26256.patch new file mode 100644 index 00000000000..20c8e9ff2e9 --- /dev/null +++ b/SPECS/libarchive/CVE-2024-26256.patch 
@@ -0,0 +1,23 @@ +From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001 +From: Wei-Cheng Pan +Date: Mon, 22 Apr 2024 01:55:41 +0900 +Subject: [PATCH] fix: OOB in rar e8 filter (#2135) + +This patch fixes an out-of-bound error in rar e8 filter. +--- + libarchive/archive_read_support_format_rar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 99a11d1700..266d0ee995 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz + uint32_t filesize = 0x1000000; + uint32_t i; + +- if (length > PROGRAM_WORK_SIZE || length < 4) ++ if (length > PROGRAM_WORK_SIZE || length <= 4) + return 0; + + for (i = 0; i <= length - 5; i++) diff --git a/SPECS/libarchive/CVE-2024-37407.patch b/SPECS/libarchive/CVE-2024-37407.patch new file mode 100644 index 00000000000..43db7a1c548 --- /dev/null +++ b/SPECS/libarchive/CVE-2024-37407.patch 
@@ -0,0 +1,24 @@ +From b6a979481b7d77c12fa17bbed94576b63bbcb0c0 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Thu, 25 Apr 2024 09:18:30 +0000 +Subject: [PATCH] zip: Fix out of boundary access (#2145) + +If a ZIP file contains a file with an empty name and mac-ext option is +set, then a check accesses memory out of bound of `name`. +--- + libarchive/archive_read_support_format_zip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c +index d7b6f082ee..7552a1a1a2 100644 +--- a/libarchive/archive_read_support_format_zip.c ++++ b/libarchive/archive_read_support_format_zip.c +@@ -4089,7 +4089,7 @@ slurp_central_directory(struct archive_read *a, struct archive_entry* entry, + * as the actual resource fork doesn't end with '/'. + */ + size_t tmp_length = filename_length; +- if (name[tmp_length - 1] == '/') { ++ if (tmp_length > 0 && name[tmp_length - 1] == '/') { + tmp_length--; + r = rsrc_basename(name, tmp_length); + } diff --git a/SPECS/libarchive/libarchive.signatures.json b/SPECS/libarchive/libarchive.signatures.json index f32783f4e68..b4c15926c53 100644 --- a/SPECS/libarchive/libarchive.signatures.json +++ b/SPECS/libarchive/libarchive.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "libarchive-3.7.7.tar.gz": "4cc540a3e9a1eebdefa1045d2e4184831100667e6d7d5b315bb1cbc951f8ddff" - } + "Signatures": { + "libarchive-3.7.1.tar.gz": "5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0" + } } diff --git a/SPECS/libarchive/libarchive.spec b/SPECS/libarchive/libarchive.spec index 99ce351dcfe..25d8a39b371 100644 --- a/SPECS/libarchive/libarchive.spec +++ b/SPECS/libarchive/libarchive.spec 
@@ -1,13 +1,18 @@ Summary: Multi-format archive and compression library Name: libarchive -Version: 3.7.7 -Release: 1%{?dist} +Version: 3.7.1 +Release: 2%{?dist} # Certain files have individual licenses. For more details see contents of "COPYING". License: BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL) Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://www.libarchive.org/ Source0: https://github.com/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.gz +Patch0: CVE-2024-26256.patch +# https://github.com/libarchive/libarchive/pull/2108 (needed to cleanly apply the ZIP OOB (CVE-2024-37407) patch) +# Please remove when upgrading to v3.7.4 and above +Patch1: update-appledouble-support-directories.patch +Patch2: CVE-2024-37407.patch Provides: bsdtar = %{version}-%{release} BuildRequires: xz-libs @@ -60,10 +65,6 @@ make %{?_smp_mflags} check %{_libdir}/pkgconfig/*.pc %changelog -* Tue Oct 15 2024 Nan Liu - 3.7.7-1 -- Upgrade to 3.7.7 - Fix CVE-2024-48957, CVE-2024-48958, CVE-2024-20696 -- Remove unused patches - * Tue Jun 25 2024 Neha Agarwal - 3.7.1-2 - Patch CVE-2024-26256 and CVE-2024-37407 diff --git a/SPECS/libarchive/update-appledouble-support-directories.patch b/SPECS/libarchive/update-appledouble-support-directories.patch new file mode 100644 index 00000000000..6e41ea4c6ce --- /dev/null +++ b/SPECS/libarchive/update-appledouble-support-directories.patch 
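Review bot: The spec now describes a 3.7.1-2 build without recording that the revert reopens CVE-2024-48957, CVE-2024-48958 and CVE-2024-20696, which the removed changelog entry credited to 3.7.7; Patch0–Patch2 cover only CVE-2024-26256 and CVE-2024-37407. Version/Release also go back to a value that sorts below the 3.7.7-1 entry being deleted, so if that build was already published, installed systems will treat this package as a downgrade rather than an update. Bumping Release and adding a changelog entry that states the reason for the revert and the CVEs left open, e.g. `- Revert 3.7.7 upgrade (<reason placeholder>); CVE-2024-48957, CVE-2024-48958 and CVE-2024-20696 remain unfixed in 3.7.1`, keeps the version ordering monotonic and the exposure auditable. The existing "Please remove when upgrading to v3.7.4 and above" comment on Patch1 is still accurate and should stay.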
@@ -0,0 +1,189 @@ +From 91f27004a5c88589658e38d68e46d223da6b75ca Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Martin=20Matu=C5=A1ka?= +Date: Sun, 21 Apr 2024 05:23:22 +0200 +Subject: [PATCH] Update AppleDouble support for directories (#2108) + +This is a clone of the reverted pull request #2100. Due to the latest +circumstances we should require a more deep review of each new PR. + +--------- + +Co-authored-by: Justin Vreeland +--- + libarchive/archive_read_support_format_zip.c | 13 ++- + libarchive/archive_write_disk_posix.c | 3 +- + libarchive/test/test_write_disk_appledouble.c | 84 +++++++++++++++++++ + .../test_write_disk_appledouble_zip.zip.uu | 27 ++++++ + 4 files changed, 125 insertions(+), 2 deletions(-) + create mode 100644 libarchive/test/test_write_disk_appledouble_zip.zip.uu + +diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c +index 212bfff9fa..d7b6f082ee 100644 +--- a/libarchive/archive_read_support_format_zip.c ++++ b/libarchive/archive_read_support_format_zip.c +@@ -4083,6 +4083,17 @@ slurp_central_directory(struct archive_read *a, struct archive_entry* entry, + } else { + /* Generate resource fork name to find its + * resource file at zip->tree_rsrc. */ ++ ++ /* If this is an entry ending with slash, ++ * make the resource for name slash-less ++ * as the actual resource fork doesn't end with '/'. ++ */ ++ size_t tmp_length = filename_length; ++ if (name[tmp_length - 1] == '/') { ++ tmp_length--; ++ r = rsrc_basename(name, tmp_length); ++ } ++ + archive_strcpy(&(zip_entry->rsrcname), + "__MACOSX/"); + archive_strncat(&(zip_entry->rsrcname), +@@ -4090,7 +4101,7 @@ slurp_central_directory(struct archive_read *a, struct archive_entry* entry, + archive_strcat(&(zip_entry->rsrcname), "._"); + archive_strncat(&(zip_entry->rsrcname), + name + (r - name), +- filename_length - (r - name)); ++ tmp_length - (r - name)); + /* Register an entry to RB tree to sort it by + * file offset. 
*/ + __archive_rb_tree_insert_node(&zip->tree, +diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c +index 58265ee0dc..92db4ff05b 100644 +--- a/libarchive/archive_write_disk_posix.c ++++ b/libarchive/archive_write_disk_posix.c +@@ -4427,7 +4427,8 @@ fixup_appledouble(struct archive_write_disk *a, const char *pathname) + #else + la_stat(datafork.s, &st) == -1 || + #endif +- (st.st_mode & AE_IFMT) != AE_IFREG) ++ (((st.st_mode & AE_IFMT) != AE_IFREG) && ++ ((st.st_mode & AE_IFMT) != AE_IFDIR))) + goto skip_appledouble; + + /* +diff --git a/libarchive/test/test_write_disk_appledouble.c b/libarchive/test/test_write_disk_appledouble.c +index 3265a94d2f..8de6c8b504 100644 +--- a/libarchive/test/test_write_disk_appledouble.c ++++ b/libarchive/test/test_write_disk_appledouble.c +@@ -236,3 +236,87 @@ DEFINE_TEST(test_write_disk_appledouble) + assertEqualFile("hfscmp/file3", "nocmp/file3"); + #endif + } ++ ++/* Test writing apple doubles to disk from zip format */ ++DEFINE_TEST(test_write_disk_appledouble_zip) ++{ ++#if !defined(__APPLE__) || !defined(UF_COMPRESSED) || !defined(HAVE_SYS_XATTR_H)\ ++ || !defined(HAVE_ZLIB_H) ++ skipping("MacOS-specific AppleDouble test"); ++#else ++ const char *refname = "test_write_disk_appledouble_zip.zip"; ++ struct archive *ad, *a; ++ struct archive_entry *ae; ++ struct stat st; ++ ++ extract_reference_file(refname); ++ ++ /* ++ * Extract an archive to disk. 
++ */ ++ assert((ad = archive_write_disk_new()) != NULL); ++ assertEqualIntA(ad, ARCHIVE_OK, ++ archive_write_disk_set_standard_lookup(ad)); ++ assertEqualIntA(ad, ARCHIVE_OK, ++ archive_write_disk_set_options(ad, ++ ARCHIVE_EXTRACT_TIME | ++ ARCHIVE_EXTRACT_SECURE_SYMLINKS | ++ ARCHIVE_EXTRACT_SECURE_NODOTDOT)); ++ ++ assert((a = archive_read_new()) != NULL); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, ++ refname, 512 * 20)); ++ ++ /* Skip The top level directory */ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualString("apple_double_dir/", archive_entry_pathname(ae)); ++ ++ /* Extract apple_double_test */ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualString("apple_double_dir/apple_double_dir_test/", archive_entry_pathname(ae)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); ++ ++ /* Extract ._apple_double_dir_test which will be merged into apple_double_dir_test as metadata. */ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualString("apple_double_dir/._apple_double_dir_test", archive_entry_pathname(ae)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); ++ ++ /* Extract test_file */ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualString("apple_double_dir/test_file", archive_entry_pathname(ae)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); ++ ++ /* Extract ._test_file which will be merged into test_file as metadata. 
*/ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualString("apple_double_dir/._test_file", archive_entry_pathname(ae)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); ++ ++ assertEqualIntA(a, ARCHIVE_EOF, archive_read_next_header(a, &ae)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); ++ assertEqualInt(ARCHIVE_OK, archive_read_free(a)); ++ assertEqualIntA(ad, ARCHIVE_OK, archive_write_free(ad)); ++ ++ /* Test test_file */ ++ assertEqualInt(0, stat("apple_double_dir/test_file", &st)); ++ assertFileSize("apple_double_dir/test_file", 5); ++ failure("'%s' should have Resource Fork", "test_file"); ++ assertEqualInt(1, has_xattr("apple_double_dir/test_file", "com.apple.ResourceFork")); ++ ++ /* Test apple_double_dir_test */ ++ failure("'%s' should have quarantine xattr", "apple_double_dir_test"); ++ assertEqualInt(1, has_xattr("apple_double_dir/apple_double_dir_test", "com.apple.quarantine")); ++ ++ /* Test ._test_file. */ ++ failure("'apple_double_dir/._test_file' should be merged and removed"); ++ assertFileNotExists("apple_double_dir/._test_file"); ++ ++ /* Test ._apple_double_dir_test */ ++ failure("'apple_double_dir/._._apple_double_dir_test' should be merged and removed"); ++ assertFileNotExists("apple_double_dir/._apple_double_dir_test"); ++ ++ assertChdir(".."); ++ ++#endif ++} +diff --git a/libarchive/test/test_write_disk_appledouble_zip.zip.uu b/libarchive/test/test_write_disk_appledouble_zip.zip.uu +new file mode 100644 +index 0000000000..5ab67533d5 +--- /dev/null ++++ b/libarchive/test/test_write_disk_appledouble_zip.zip.uu +@@ -0,0 +1,27 @@ ++begin 644 test_write_disk_appledouble_zip.zip ++M4$L#!`H```````MM?%@````````````````1`!``87!P;&5?9&]U8FQE7V1I ++M Date: Tue, 22 Oct 2024 15:45:39 -0700 Subject: [PATCH 2/3] symcrypt: upgrade to 103.5.1 (#10806) --- ...to-prevent-stripping-and-post-proces.patch | 49 ++++++---- SPECS/SymCrypt/SymCrypt.signatures.json | 5 +- SPECS/SymCrypt/SymCrypt.spec | 
14 +-- ...sion-script-to-print-the-commit-info.patch | 74 +++++++++++++++ SPECS/SymCrypt/generate-env-file.sh | 89 +++++++++++++++++++ ...pt-build-environment-variables-v103.5.1.sh | 5 ++ cgmanifest.json | 4 +- 7 files changed, 214 insertions(+), 26 deletions(-) create mode 100644 SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch create mode 100755 SPECS/SymCrypt/generate-env-file.sh create mode 100644 SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh diff --git a/SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch b/SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch index 1019dbb44d0..3706904d559 100644 --- a/SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch +++ b/SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch 
@@ -1,8 +1,23 @@ -From a91f9a55e6b8b01511538827005a6e948ccf6e27 Mon Sep 17 00:00:00 2001 -From: Tobias Brick -Date: Sat, 12 Oct 2024 02:06:21 +0000 -Subject: [PATCH] add build flags to prevent stripping and post processing +From 997c3bdf24749edbdb562af15f9d95be35f062de Mon Sep 17 00:00:00 2001 +From: Tobias Brick +Date: Tue, 15 Oct 2024 16:21:27 +0000 +Subject: [PATCH] Merged PR 11601893: add build flags to prevent stripping and + post processing +## Description: +Add build flags to prevent stripping and post processing of binary after building. This is useful to fit in to different package build systems. + +---- +#### AI description (iteration 1) +#### PR Classification +New feature + +#### PR Summary +This pull request introduces build flags to control binary stripping and FIPS postprocessing. +- `CMakeLists.txt`: Added options `SYMCRYPT_STRIP_BINARY` and `SYMCRYPT_FIPS_POSTPROCESS` with default values set to `ON`. +- `scripts/build.py`: Added command-line arguments `--no-strip-binary` and `--no-fips-postprocess` to control the new build options. +- `BUILD.md`: Updated documentation to include the new build options. +- `modules/linux/common/ModuleCommon.cmake`: Modified conditions to respect the new build flags for stripping and FIPS postprocessing. --- BUILD.md | 2 ++ CMakeLists.txt | 14 ++++++++++++++ @@ -11,10 +26,10 @@ Subject: [PATCH] add build flags to prevent stripping and post processing 4 files changed, 26 insertions(+), 2 deletions(-) diff --git a/BUILD.md b/BUILD.md -index e7f0618..a4984da 100644 +index f6c781d..e8eaa88 100644 --- a/BUILD.md 
+++ b/BUILD.md -@@ -63,6 +63,8 @@ and building the Linux modules with FIPS integrity checks. +@@ -74,6 +74,8 @@ and building the Linux modules with FIPS integrity checks. * To cross-compile for Linux ARM64, you must also use `--toolchain=cmake-configs/Toolchain-Clang-ARM64.cmake` * `-DSYMCRYPT_USE_ASM=` to choose whether to use assembly optimizations. Defaults to `ON`. * `-DSYMCRYPT_FIPS_BUILD=` to choose whether to enable FIPS self-tests in the SymCrypt shared object module. Defaults to `ON`. Currently only affects Linux builds. @@ -24,11 +39,11 @@ index e7f0618..a4984da 100644 1. `cmake --build bin` * Optionally, for a release build on Windows, specify `--config Release` diff --git a/CMakeLists.txt b/CMakeLists.txt -index 6da485d..1533e9d 100644 +index cd9aa15..9e0c599 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt -@@ -54,6 +54,18 @@ if(SYMCRYPT_FIPS_BUILD) - add_compile_options(-DSYMCRYPT_DO_FIPS_SELFTESTS=1) +@@ -56,6 +56,18 @@ if(SYMCRYPT_FIPS_BUILD) + add_compile_definitions(SYMCRYPT_DO_FIPS_SELFTESTS=1) endif() +option( 
@@ -46,20 +61,20 @@ index 6da485d..1533e9d 100644 option( SYMCRYPT_TEST_LEGACY_IMPL "When enabled, the SymCrypt unit tests will be linked against and configured to run compatibility and performance tests on the legacy -@@ -94,6 +106,8 @@ message(STATUS "Host: ${CMAKE_HOST_SYSTEM_NAME} ${CMAKE_HOST_SYSTEM_PROCESSOR}") +@@ -104,6 +116,8 @@ message(STATUS "Host: ${CMAKE_HOST_SYSTEM_NAME} ${CMAKE_HOST_SYSTEM_PROCESSOR}") message(STATUS "Target: ${CMAKE_SYSTEM_NAME} ${SYMCRYPT_TARGET_ARCH} ${SYMCRYPT_TARGET_ENV}") message(STATUS "ASM optimizations: ${SYMCRYPT_USE_ASM}") message(STATUS "FIPS build: ${SYMCRYPT_FIPS_BUILD}") +message(STATUS "Strip binary: ${SYMCRYPT_STRIP_BINARY}") +message(STATUS "FIPS postprocess: ${SYMCRYPT_FIPS_POSTPROCESS}") - # Set output directories binaries - # Note: we use a generator expression because "Multi-configuration generators [e.g. Visual Studio] + # Validate compiler versions + if("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU") diff --git a/modules/linux/common/ModuleCommon.cmake b/modules/linux/common/ModuleCommon.cmake -index ced60ac..7d626c0 100644 +index e6db214..fbe1421 100644 --- a/modules/linux/common/ModuleCommon.cmake +++ b/modules/linux/common/ModuleCommon.cmake -@@ -57,7 +57,7 @@ set_target_properties(${TARGET_NAME} PROPERTIES VERSION ${PROJECT_VERSION}) +@@ -61,7 +61,7 @@ set_target_properties(${TARGET_NAME} PROPERTIES VERSION ${PROJECT_VERSION}) set_target_properties(${TARGET_NAME} PROPERTIES SOVERSION ${PROJECT_VERSION_MAJOR}) @@ -68,7 +83,7 @@ index ced60ac..7d626c0 100644 add_custom_command( TARGET ${TARGET_NAME} POST_BUILD -@@ -69,7 +69,7 @@ if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo") +@@ -73,7 +73,7 @@ if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo") ) endif() @@ -78,7 +93,7 @@ index ced60ac..7d626c0 100644 TARGET ${TARGET_NAME} POST_BUILD diff --git a/scripts/build.py b/scripts/build.py -index bbf0c89..48a7146 100755 +index af9b0bc..3a70b84 100755 --- a/scripts/build.py +++ b/scripts/build.py 
@@ -101,6 +101,12 @@ def configure_cmake(args : argparse.Namespace) -> None: @@ -94,7 +109,7 @@ index bbf0c89..48a7146 100755 if args.test_legacy_impl: cmake_args.append("-DSYMCRYPT_TEST_LEGACY_IMPL=ON") -@@ -215,6 +221,8 @@ def main() -> None: +@@ -218,6 +224,8 @@ def main() -> None: parser_cmake.add_argument("--cxx", type = str, help = "Specify the C++ compiler to use. If not provided, uses platform default.") parser_cmake.add_argument("--no-asm", action = "store_false", dest = "asm", help = "Disable handwritten ASM optimizations.", default = True) parser_cmake.add_argument("--no-fips", action = "store_false", dest = "fips", help = "Disable FIPS selftests and postprocessing of binary. Currently only affects Linux targets.", default = True) diff --git a/SPECS/SymCrypt/SymCrypt.signatures.json b/SPECS/SymCrypt/SymCrypt.signatures.json index fda91f59fc9..ac72e9252ed 100644 --- a/SPECS/SymCrypt/SymCrypt.signatures.json +++ b/SPECS/SymCrypt/SymCrypt.signatures.json @@ -1,7 +1,8 @@ { "Signatures": { - "SymCrypt-103.4.2.tar.gz": "7cbcee7625fd1d99286e393a727504189dab4d407c6c3474bd2532d5ee231921", + "SymCrypt-103.5.1.tar.gz": "1c4d41972f7683cb2c053ddc58452d6f4b56c1b556b7499f9fedbd7706ccd0fe", "find-debuginfo": "356800f19b755879993103c121c83fb4cc97d0e8656ea34d051daa310f54cedf", - "jitterentropy-library-3.3.1.tar.gz": "4a50cb02b4836cd5550016e2fc2263e6982abaa11467a9e1cea260c1c2f7d487" + "jitterentropy-library-3.3.1.tar.gz": "4a50cb02b4836cd5550016e2fc2263e6982abaa11467a9e1cea260c1c2f7d487", + "symcrypt-build-environment-variables-v103.5.1.sh": "6f6e162011e8203de66be6af59c0b4511992b731370a152044b028e8075578a7" } } \ No newline at end of file diff --git a/SPECS/SymCrypt/SymCrypt.spec b/SPECS/SymCrypt/SymCrypt.spec index 827a80bfdf8..07543a0bc28 100644 --- a/SPECS/SymCrypt/SymCrypt.spec +++ b/SPECS/SymCrypt/SymCrypt.spec 
@@ -1,7 +1,7 @@ Summary: A core cryptographic library written by Microsoft Name: SymCrypt -Version: 103.4.2 -Release: 2%{?dist} +Version: 103.5.1 +Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -10,6 +10,9 @@ URL: https://github.com/microsoft/SymCrypt Source0: https://github.com/microsoft/SymCrypt/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: https://github.com/smuellerDD/jitterentropy-library/archive/v3.3.1.tar.gz#/jitterentropy-library-3.3.1.tar.gz Source2: find-debuginfo +# Use ./generate-env-file.sh --release-tag to generate this. For example: +# ./generate-env-file.sh --release-tag v103.5.1 +Source3: symcrypt-build-environment-variables-v%{version}.sh Patch1: 0001-add-build-flags-to-prevent-stripping-and-post-proces.patch Patch2: 0001-add-parameter-to-process_fips_module-to-specify-the-.patch BuildRequires: cmake @@ -48,9 +51,7 @@ rm -rf 3rdparty/jitterentropy-library ln -s ../jitterentropy-library-3.3.1 3rdparty/jitterentropy-library %build -SYMCRYPT_BRANCH=main \ -SYMCRYPT_COMMIT_HASH=a84ffe1 \ -SYMCRYPT_COMMIT_TIMESTAMP=2024-01-26T22:00:47-08:00 \ +source %{SOURCE3} cmake -S . -B bin \ -DSYMCRYPT_TARGET_ARCH=%{symcrypt_arch} \ -DSYMCRYPT_STRIP_BINARY=OFF \ @@ -104,6 +105,9 @@ chmod 755 %{buildroot}%{_libdir}/libsymcrypt.so.%{version} %{_includedir}/* %changelog +* Mon Oct 21 2024 Tobias Brick - 103.5.1-1 +- Update 103.5.1 + * Mon Oct 14 2024 Tobias Brick - 103.4.2-2 - Add debuginfo package diff --git a/SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch b/SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch new file mode 100644 index 00000000000..560123550cf --- /dev/null +++ b/SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch 
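Review bot: `source %{SOURCE3}` feeds a commit hash, branch and timestamp into the build, but nothing in the spec ties those values to the tarball that is compiled: Source0 is the v%{version} archive whose digest is checked, while the env file is a separately generated artifact whose entry in SymCrypt.signatures.json checks only that the file is unchanged, not that its hash is the commit the tag points at. If the file is generated against the wrong tag or left stale across a version bump, the resulting module reports build provenance it did not have. A comment at Source3 such as `# SYMCRYPT_COMMIT_HASH in this file must be the commit tagged v%{version}; regenerate with generate-env-file.sh whenever Version changes` records that invariant next to the value. Note also that `source` exports the variables for the remainder of %build, whereas the replaced `VAR=... \` prefixes applied only to the cmake invocation; if the wider scope is intended, a one-line comment saying so would help the next maintainer.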
@@ -0,0 +1,74 @@ +From 1425f9e27cb1bae39e0b22e25fce50daa47618ca Mon Sep 17 00:00:00 2001 +From: Tobias Brick +Date: Tue, 15 Oct 2024 22:59:08 +0000 +Subject: [PATCH] Merged PR 11618838: add parameter to version script to print + the commit info environment variables + +Add parameter to version script to print the commit info environment variables. This makes it easier to get those right for builds based on the source tarball rather than from a git clone. + +---- +#### AI description (iteration 1) +#### PR Classification +New feature + +#### PR Summary +Added a new parameter to the version script to print commit information as environment variables. +- `scripts/version.py`: Introduced `--commit-info` argument to print commit hash and timestamp as environment variables. Added `print_commit_info` function to handle this new feature. +--- + scripts/version.py | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/scripts/version.py b/scripts/version.py +index 49edf9b..4ac1862 100644 +--- a/scripts/version.py ++++ b/scripts/version.py +@@ -180,27 +180,43 @@ def print_devops_vars(version_info: SymCryptVersion) -> None: + set_task_variable("VER_MINOR", version_info.minor) + set_task_variable("VER_PATCH", version_info.patch) + ++def print_commit_info(version_info: SymCryptVersion) -> None: ++ """ ++ Prints the commit information as environment variables that would override the commit hash and timestamp. 
++ """ ++ ++ print("export {}={}".format(ENV_SYMCRYPT_BRANCH, version_info.branch)) ++ print("export {}={}".format(ENV_SYMCRYPT_COMMIT_HASH, version_info.commit_hash)) ++ print("export {}={}".format(ENV_SYMCRYPT_COMMIT_TIMESTAMP, version_info.commit_timestamp.isoformat(timespec = "seconds"))) ++ + def main() -> None: + """ + Entrypoint + """ + + parser = argparse.ArgumentParser(description = "Versioning helper script for SymCrypt.") ++ parser.add_argument("--no-print-version-number", dest = "print_version_number", help = "Do not print the version number", action = "store_false", default = True) + group = parser.add_mutually_exclusive_group() + group.add_argument("-b", "--build-info", help = "Generate buildInfo.h", action = "store_true") + group.add_argument("--devops", help = "Format output to set Azure DevOps variables", action = "store_true") ++ group.add_argument("--commit-info", ++ help = "Format commit info as environment variables that would override the commit hash and timestamp, which can then be used when building from the source tarball rather than a git clone.", ++ action = "store_true") + + args = parser.parse_args() + + # Parse the version information from the SymCrypt headers + version_info = get_version_info() + +- print("{}.{}.{}".format(version_info.major, version_info.minor, version_info.patch)) ++ if args.print_version_number: ++ print("{}.{}.{}".format(version_info.major, version_info.minor, version_info.patch)) + + if args.build_info: + generate_build_info(version_info) + elif args.devops: + print_devops_vars(version_info) ++ elif args.commit_info: ++ print_commit_info(version_info) + + if __name__ == "__main__": +- main() +\ No newline at end of file ++ main() +-- +2.39.4 + diff --git a/SPECS/SymCrypt/generate-env-file.sh b/SPECS/SymCrypt/generate-env-file.sh new file mode 100755 index 00000000000..fd3864727cb --- /dev/null +++ b/SPECS/SymCrypt/generate-env-file.sh 
@@ -0,0 +1,89 @@ +#!/bin/bash + +# Fail out if anything fails. +set -e + +SYMCRYPT_REPO='https://github.com/microsoft/SymCrypt.git' +SYMCRYPT_DIR='./SymCrypt' + +CURRENT_DIR=$(pwd) +RELEASE_TAG= + +function show_help() { + echo "Usage: $0 [--release-tag ]" + echo + echo "Options:" + echo " --release-tag The release tag to use for the build, e.g.: v103.5.1" + echo " --debug Enable debug output, which is just 'set -x'" + echo " --help Display this help message" + echo + echo "Generates a sourceable script file that sets git-related environment variables for the SymCrypt build." + echo "The script file will be named 'symcrypt-build-environment-variables-.sh" +} + +while [[ "$#" -gt 0 ]]; do + case $1 in + -h|--help) + show_help + exit 0 + ;; + -t|--tag|--release-tag) + RELEASE_TAG="$2" + shift + ;; + -d|--debug) + set -x + ;; + *) + echo "Unknown parameter passed: $1" + exit 1 + ;; + esac + shift +done + +if [ -z "${RELEASE_TAG}" ]; then + echo "release tag is required" >> /dev/stderr + show_help + exit 1 +fi + +echo "generating env file for release tag: '${RELEASE_TAG}'" + +# Create a temporary directory to clone the git repo +TEMP_DIR=$(mktemp -d) +if [[ ! "$TEMP_DIR" || ! -d "$TEMP_DIR" ]]; then + echo "Could not create temp dir to clone git repo" >> /dev/stderr + exit 1 +fi + +# Clone into the temp directory +pushd "${TEMP_DIR}" > /dev/null +echo "Cloning SymCrypt repo '${SYMCRYPT_REPO}' into temp directory '${TEMP_DIR}" +git clone "${SYMCRYPT_REPO}" + +# The version script uses the current git branch, which want to main but at the commit for the release tag. +echo "Getting to the commit for release tag '${RELEASE_TAG}'" +cd "${SYMCRYPT_DIR}" +TAG_COMMIT=$(git rev-parse --verify "${RELEASE_TAG}") +if [[ ! 
"$TAG_COMMIT" ]]; then + echo "Could not find commit for release tag '${RELEASE_TAG}'" + exit 1 +fi +echo "Tag commit is '${TAG_COMMIT}'" +git reset --hard "${TAG_COMMIT}" + +# Patching the version script; will be unneeded as of v103.5.2 +git apply "${CURRENT_DIR}/add-parameter-to-version-script-to-print-the-commit-info.patch" + +# Call the version script to get the properly formmatted git info +ENV_SCRIPT_FILE_NAME="symcrypt-build-environment-variables-${RELEASE_TAG}.sh" +echo "#!/bin/bash" > "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}" +echo "# Generated by 'generate-env-file.sh'" >> "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}" +echo "Running version script" +python3 scripts/version.py --no-print-version-number --commit-info >> "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}" +echo "Generated '${ENV_SCRIPT_FILE_NAME}'" + +# Clean up the temp directory +popd > /dev/null +rm -rf "${TEMP_DIR}" diff --git a/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh b/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh new file mode 100644 index 00000000000..d454862c5c5 --- /dev/null +++ b/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# Generated by 'generate-env-file.sh' +export SYMCRYPT_BRANCH=main +export SYMCRYPT_COMMIT_HASH=907622c +export SYMCRYPT_COMMIT_TIMESTAMP=2024-09-18T20:38:10+00:00 diff --git a/cgmanifest.json b/cgmanifest.json index 4cbae68d84d..5553bf330f2 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -28216,8 +28216,8 @@ "type": "other", "other": { "name": "SymCrypt", - "version": "103.4.2", - "downloadUrl": "https://github.com/microsoft/SymCrypt/archive/v103.4.2.tar.gz" + "version": "103.5.1", + "downloadUrl": "https://github.com/microsoft/SymCrypt/archive/v103.5.1.tar.gz" } } }, From ffb74a2feb70ec7b06d4264b04905931a75719ea Mon Sep 17 00:00:00 2001 
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Thu, 24 Oct 2024 14:52:57 -0400
Subject: [PATCH 3/3] [AUTOPATCHER-CORE] Upgrade mysql to 8.0.40 Fix multiple CVEs (#10785)
Co-authored-by: Sudipta Pandit
---
 SPECS/mysql/mysql.signatures.json | 4 ++--
 SPECS/mysql/mysql.spec | 10 +++++++++-
 cgmanifest.json | 4 ++--
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/SPECS/mysql/mysql.signatures.json b/SPECS/mysql/mysql.signatures.json
index 531b9d7eb76..c15e83c7f22 100644
--- a/SPECS/mysql/mysql.signatures.json
+++ b/SPECS/mysql/mysql.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "mysql-boost-8.0.36.tar.gz": "429c5f69f3722e31807e74119d157a023277af210bfee513443cae60ebd2a86d"
+ "mysql-boost-8.0.40.tar.gz": "eb34a23d324584688199b4222242f4623ea7bca457a3191cd7a106c63a7837d9"
 }
-}
\ No newline at end of file
+}
diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec
index 11e29f1fcf9..480665946a4 100644
--- a/SPECS/mysql/mysql.spec
+++ b/SPECS/mysql/mysql.spec
@@ -1,6 +1,6 @@
 Summary: MySQL.
 Name: mysql
-Version: 8.0.36
+Version: 8.0.40
 Release: 1%{?dist}
 License: GPLv2 with exceptions AND LGPLv2 AND BSD
 Vendor: Microsoft Corporation
@@ -83,6 +83,14 @@ make test
 %{_libdir}/pkgconfig/mysqlclient.pc
 %changelog
+* Fri Oct 18 2024 CBL-Mariner Servicing Account - 8.0.40-1
+- Auto-upgrade to 8.0.40 - Fix multiple CVEs -- CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130,
+ CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134,
+ CVE-2024-21127, CVE-2024-21142, CVE-2024-21166, CVE-2024-21163, CVE-2024-21203, CVE-2024-21219, CVE-2024-21247, CVE-2024-21237,
+ CVE-2024-21231, CVE-2024-21213, CVE-2024-21218, CVE-2024-21197, CVE-2024-21230, CVE-2024-21207, CVE-2024-21201, CVE-2024-21198,
+ CVE-2024-21238, CVE-2024-21196, CVE-2024-21239, CVE-2024-21199, CVE-2024-21241, CVE-2024-21236, CVE-2024-21212, CVE-2024-21096,
+ CVE-2024-21171, CVE-2024-21165, CVE-2023-46219
+
 * Thu Feb 22 2024 CBL-Mariner Servicing Account - 8.0.36-1
 - Auto-upgrade to 8.0.36
diff --git a/cgmanifest.json b/cgmanifest.json
index 5553bf330f2..ef7b02a9099 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -13502,8 +13502,8 @@
 "type": "other",
 "other": {
 "name": "mysql",
- "version": "8.0.36",
- "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.36.tar.gz"
+ "version": "8.0.40",
+ "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.40.tar.gz"
 }
 }
 },