From eb39904fae19523b5b989ba4d1f2227d2fadb648 Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Fri, 25 Oct 2024 14:38:52 -0400
Subject: [PATCH 01/21] [AUTO-CHERRYPICK] Upgrade python-pip to fix CVE-2024-6345 - branch 3.0-dev (#10837)
Co-authored-by: Bala
---
SPECS/python-pip/CVE-2024-3651.patch | 3858 -----------------
SPECS/python-pip/python-pip.signatures.json | 4 +-
SPECS/python-pip/python-pip.spec | 16 +-
cgmanifest.json | 4 +-
.../manifests/package/toolchain_aarch64.txt | 2 +-
.../manifests/package/toolchain_x86_64.txt | 2 +-
6 files changed, 16 insertions(+), 3870 deletions(-)
delete mode 100644 SPECS/python-pip/CVE-2024-3651.patch
diff --git a/SPECS/python-pip/CVE-2024-3651.patch b/SPECS/python-pip/CVE-2024-3651.patch
deleted file mode 100644
index 802db7ebab5..00000000000
--- a/SPECS/python-pip/CVE-2024-3651.patch
+++ /dev/null
@@ -1,3858 +0,0 @@ -From 9cdb89916b56c99ddd55c80a30ce1e7513ffc111 Mon Sep 17 00:00:00 2001 -From: Rachel Menge -Date: Wed, 28 Aug 2024 16:57:08 -0400 -Subject: [PATCH] Update vendor idna to 3.7 - -CVE-2024-3651 requires python-idna 3.7. Therefore update to this -version. - -This commit is a combination of 2 upstream commits: -[d83c9e3] Upgrade idna to 3.6 -[cba5b13] Upgrade idna to 3.7 ---- - news/idna.vendor.rst | 1 + - src/pip/_vendor/idna/LICENSE.md | 36 +- - src/pip/_vendor/idna/codec.py | 34 +- - src/pip/_vendor/idna/core.py | 33 +- - src/pip/_vendor/idna/idnadata.py | 2206 +++++++++++++++++++++++++- - src/pip/_vendor/idna/package_data.py | 2 +- - src/pip/_vendor/idna/uts46data.py | 454 +++--- - src/pip/_vendor/vendor.txt | 2 +- - 8 files changed, 2432 insertions(+), 336 deletions(-) - create mode 100644 news/idna.vendor.rst - -diff --git a/news/idna.vendor.rst b/news/idna.vendor.rst -new file mode 100644 -index 0000000..1b8f743 ---- /dev/null -+++ b/news/idna.vendor.rst -@@ -0,0 +1 @@ -+Upgrade idna to 3.7 -diff --git a/src/pip/_vendor/idna/LICENSE.md b/src/pip/_vendor/idna/LICENSE.md -index b6f8732..19b6b45 100644 ---- a/src/pip/_vendor/idna/LICENSE.md -+++ b/src/pip/_vendor/idna/LICENSE.md -@@ -1,29 +1,31 @@ - BSD 3-Clause License - --Copyright (c) 2013-2021, Kim Davies -+Copyright (c) 2013-2024, Kim Davies and contributors. - All rights reserved. - - Redistribution and use in source and binary forms, with or without --modification, are permitted provided that the following conditions are met: -+modification, are permitted provided that the following conditions are -+met: - --1. Redistributions of source code must retain the above copyright notice, this -- list of conditions and the following disclaimer. -+1. Redistributions of source code must retain the above copyright -+ notice, this list of conditions and the following disclaimer. - --2. 
Redistributions in binary form must reproduce the above copyright notice, -- this list of conditions and the following disclaimer in the documentation -- and/or other materials provided with the distribution. -+2. Redistributions in binary form must reproduce the above copyright -+ notice, this list of conditions and the following disclaimer in the -+ documentation and/or other materials provided with the distribution. - - 3. Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - --THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" --AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE --IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE --DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE --FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL --DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR --SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER --CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, --OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE --OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -+A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT -+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED -+TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -diff --git a/src/pip/_vendor/idna/codec.py b/src/pip/_vendor/idna/codec.py -index 1ca9ba6..c855a4d 100644 ---- a/src/pip/_vendor/idna/codec.py -+++ b/src/pip/_vendor/idna/codec.py -@@ -1,7 +1,7 @@ - from .core import encode, decode, alabel, ulabel, IDNAError - import codecs - import re --from typing import Tuple, Optional -+from typing import Any, Tuple, Optional - - _unicode_dots_re = re.compile('[\u002e\u3002\uff0e\uff61]') - -@@ -26,24 +26,24 @@ class Codec(codecs.Codec): - return decode(data), len(data) - - class IncrementalEncoder(codecs.BufferedIncrementalEncoder): -- def _buffer_encode(self, data: str, errors: str, final: bool) -> Tuple[str, int]: # type: ignore -+ def _buffer_encode(self, data: str, errors: str, final: bool) -> Tuple[bytes, int]: - if errors != 'strict': - raise IDNAError('Unsupported error handling \"{}\"'.format(errors)) - - if not data: -- return "", 0 -+ return b'', 0 - - labels = _unicode_dots_re.split(data) -- trailing_dot = '' -+ trailing_dot = b'' - if labels: - if not labels[-1]: -- trailing_dot = '.' -+ trailing_dot = b'.' - del labels[-1] - elif not final: - # Keep potentially unfinished label until the next call - del labels[-1] - if labels: -- trailing_dot = '.' -+ trailing_dot = b'.' 
- - result = [] - size = 0 -@@ -54,18 +54,21 @@ class IncrementalEncoder(codecs.BufferedIncrementalEncoder): - size += len(label) - - # Join with U+002E -- result_str = '.'.join(result) + trailing_dot # type: ignore -+ result_bytes = b'.'.join(result) + trailing_dot - size += len(trailing_dot) -- return result_str, size -+ return result_bytes, size - - class IncrementalDecoder(codecs.BufferedIncrementalDecoder): -- def _buffer_decode(self, data: str, errors: str, final: bool) -> Tuple[str, int]: # type: ignore -+ def _buffer_decode(self, data: Any, errors: str, final: bool) -> Tuple[str, int]: - if errors != 'strict': - raise IDNAError('Unsupported error handling \"{}\"'.format(errors)) - - if not data: - return ('', 0) - -+ if not isinstance(data, str): -+ data = str(data, 'ascii') -+ - labels = _unicode_dots_re.split(data) - trailing_dot = '' - if labels: -@@ -99,14 +102,17 @@ class StreamReader(Codec, codecs.StreamReader): - pass - - --def getregentry() -> codecs.CodecInfo: -- # Compatibility as a search_function for codecs.register() -+def search_function(name: str) -> Optional[codecs.CodecInfo]: -+ if name != 'idna2008': -+ return None - return codecs.CodecInfo( -- name='idna', -- encode=Codec().encode, # type: ignore -- decode=Codec().decode, # type: ignore -+ name=name, -+ encode=Codec().encode, -+ decode=Codec().decode, - incrementalencoder=IncrementalEncoder, - incrementaldecoder=IncrementalDecoder, - streamwriter=StreamWriter, - streamreader=StreamReader, - ) -+ -+codecs.register(search_function) -diff --git a/src/pip/_vendor/idna/core.py b/src/pip/_vendor/idna/core.py -index 4f30037..0dae61a 100644 ---- a/src/pip/_vendor/idna/core.py -+++ b/src/pip/_vendor/idna/core.py -@@ -150,9 +150,11 @@ def valid_contextj(label: str, pos: int) -> bool: - joining_type = idnadata.joining_types.get(ord(label[i])) - if joining_type == ord('T'): - continue -- if joining_type in [ord('L'), ord('D')]: -+ elif joining_type in [ord('L'), ord('D')]: - ok = True - break -+ 
else: -+ break - - if not ok: - return False -@@ -162,9 +164,11 @@ def valid_contextj(label: str, pos: int) -> bool: - joining_type = idnadata.joining_types.get(ord(label[i])) - if joining_type == ord('T'): - continue -- if joining_type in [ord('R'), ord('D')]: -+ elif joining_type in [ord('R'), ord('D')]: - ok = True - break -+ else: -+ break - return ok - - if cp_value == 0x200d: -@@ -236,12 +240,8 @@ def check_label(label: Union[str, bytes, bytearray]) -> None: - if intranges_contain(cp_value, idnadata.codepoint_classes['PVALID']): - continue - elif intranges_contain(cp_value, idnadata.codepoint_classes['CONTEXTJ']): -- try: -- if not valid_contextj(label, pos): -- raise InvalidCodepointContext('Joiner {} not allowed at position {} in {}'.format( -- _unot(cp_value), pos+1, repr(label))) -- except ValueError: -- raise IDNAError('Unknown codepoint adjacent to joiner {} at position {} in {}'.format( -+ if not valid_contextj(label, pos): -+ raise InvalidCodepointContext('Joiner {} not allowed at position {} in {}'.format( - _unot(cp_value), pos+1, repr(label))) - elif intranges_contain(cp_value, idnadata.codepoint_classes['CONTEXTO']): - if not valid_contexto(label, pos): -@@ -262,13 +262,8 @@ def alabel(label: str) -> bytes: - except UnicodeEncodeError: - pass - -- if not label: -- raise IDNAError('No Input') -- -- label = str(label) - check_label(label) -- label_bytes = _punycode(label) -- label_bytes = _alabel_prefix + label_bytes -+ label_bytes = _alabel_prefix + _punycode(label) - - if not valid_label_length(label_bytes): - raise IDNAError('Label too long') -@@ -318,7 +313,7 @@ def uts46_remap(domain: str, std3_rules: bool = True, transitional: bool = False - status = uts46row[1] - replacement = None # type: Optional[str] - if len(uts46row) == 3: -- replacement = uts46row[2] # type: ignore -+ replacement = uts46row[2] - if (status == 'V' or - (status == 'D' and not transitional) or - (status == '3' and not std3_rules and replacement is None)): -@@ -338,9 +333,9 
@@ def uts46_remap(domain: str, std3_rules: bool = True, transitional: bool = False - - - def encode(s: Union[str, bytes, bytearray], strict: bool = False, uts46: bool = False, std3_rules: bool = False, transitional: bool = False) -> bytes: -- if isinstance(s, (bytes, bytearray)): -+ if not isinstance(s, str): - try: -- s = s.decode('ascii') -+ s = str(s, 'ascii') - except UnicodeDecodeError: - raise IDNAError('should pass a unicode string to the function rather than a byte string.') - if uts46: -@@ -372,8 +367,8 @@ def encode(s: Union[str, bytes, bytearray], strict: bool = False, uts46: bool = - - def decode(s: Union[str, bytes, bytearray], strict: bool = False, uts46: bool = False, std3_rules: bool = False) -> str: - try: -- if isinstance(s, (bytes, bytearray)): -- s = s.decode('ascii') -+ if not isinstance(s, str): -+ s = str(s, 'ascii') - except UnicodeDecodeError: - raise IDNAError('Invalid ASCII in A-label') - if uts46: -diff --git a/src/pip/_vendor/idna/idnadata.py b/src/pip/_vendor/idna/idnadata.py -index 67db462..c61dcf9 100644 ---- a/src/pip/_vendor/idna/idnadata.py -+++ b/src/pip/_vendor/idna/idnadata.py -@@ -1,6 +1,6 @@ - # This file is automatically generated by tools/idna-data - --__version__ = '15.0.0' -+__version__ = '15.1.0' - scripts = { - 'Greek': ( - 0x37000000374, -@@ -59,6 +59,7 @@ scripts = { - 0x2b7400002b81e, - 0x2b8200002cea2, - 0x2ceb00002ebe1, -+ 0x2ebf00002ee5e, - 0x2f8000002fa1e, - 0x300000003134b, - 0x31350000323b0, -@@ -100,16 +101,190 @@ scripts = { - ), - } - joining_types = { -- 0x600: 85, -- 0x601: 85, -- 0x602: 85, -- 0x603: 85, -- 0x604: 85, -- 0x605: 85, -- 0x608: 85, -- 0x60b: 85, -+ 0xad: 84, -+ 0x300: 84, -+ 0x301: 84, -+ 0x302: 84, -+ 0x303: 84, -+ 0x304: 84, -+ 0x305: 84, -+ 0x306: 84, -+ 0x307: 84, -+ 0x308: 84, -+ 0x309: 84, -+ 0x30a: 84, -+ 0x30b: 84, -+ 0x30c: 84, -+ 0x30d: 84, -+ 0x30e: 84, -+ 0x30f: 84, -+ 0x310: 84, -+ 0x311: 84, -+ 0x312: 84, -+ 0x313: 84, -+ 0x314: 84, -+ 0x315: 84, -+ 0x316: 84, -+ 0x317: 84, -+ 
0x318: 84, -+ 0x319: 84, -+ 0x31a: 84, -+ 0x31b: 84, -+ 0x31c: 84, -+ 0x31d: 84, -+ 0x31e: 84, -+ 0x31f: 84, -+ 0x320: 84, -+ 0x321: 84, -+ 0x322: 84, -+ 0x323: 84, -+ 0x324: 84, -+ 0x325: 84, -+ 0x326: 84, -+ 0x327: 84, -+ 0x328: 84, -+ 0x329: 84, -+ 0x32a: 84, -+ 0x32b: 84, -+ 0x32c: 84, -+ 0x32d: 84, -+ 0x32e: 84, -+ 0x32f: 84, -+ 0x330: 84, -+ 0x331: 84, -+ 0x332: 84, -+ 0x333: 84, -+ 0x334: 84, -+ 0x335: 84, -+ 0x336: 84, -+ 0x337: 84, -+ 0x338: 84, -+ 0x339: 84, -+ 0x33a: 84, -+ 0x33b: 84, -+ 0x33c: 84, -+ 0x33d: 84, -+ 0x33e: 84, -+ 0x33f: 84, -+ 0x340: 84, -+ 0x341: 84, -+ 0x342: 84, -+ 0x343: 84, -+ 0x344: 84, -+ 0x345: 84, -+ 0x346: 84, -+ 0x347: 84, -+ 0x348: 84, -+ 0x349: 84, -+ 0x34a: 84, -+ 0x34b: 84, -+ 0x34c: 84, -+ 0x34d: 84, -+ 0x34e: 84, -+ 0x34f: 84, -+ 0x350: 84, -+ 0x351: 84, -+ 0x352: 84, -+ 0x353: 84, -+ 0x354: 84, -+ 0x355: 84, -+ 0x356: 84, -+ 0x357: 84, -+ 0x358: 84, -+ 0x359: 84, -+ 0x35a: 84, -+ 0x35b: 84, -+ 0x35c: 84, -+ 0x35d: 84, -+ 0x35e: 84, -+ 0x35f: 84, -+ 0x360: 84, -+ 0x361: 84, -+ 0x362: 84, -+ 0x363: 84, -+ 0x364: 84, -+ 0x365: 84, -+ 0x366: 84, -+ 0x367: 84, -+ 0x368: 84, -+ 0x369: 84, -+ 0x36a: 84, -+ 0x36b: 84, -+ 0x36c: 84, -+ 0x36d: 84, -+ 0x36e: 84, -+ 0x36f: 84, -+ 0x483: 84, -+ 0x484: 84, -+ 0x485: 84, -+ 0x486: 84, -+ 0x487: 84, -+ 0x488: 84, -+ 0x489: 84, -+ 0x591: 84, -+ 0x592: 84, -+ 0x593: 84, -+ 0x594: 84, -+ 0x595: 84, -+ 0x596: 84, -+ 0x597: 84, -+ 0x598: 84, -+ 0x599: 84, -+ 0x59a: 84, -+ 0x59b: 84, -+ 0x59c: 84, -+ 0x59d: 84, -+ 0x59e: 84, -+ 0x59f: 84, -+ 0x5a0: 84, -+ 0x5a1: 84, -+ 0x5a2: 84, -+ 0x5a3: 84, -+ 0x5a4: 84, -+ 0x5a5: 84, -+ 0x5a6: 84, -+ 0x5a7: 84, -+ 0x5a8: 84, -+ 0x5a9: 84, -+ 0x5aa: 84, -+ 0x5ab: 84, -+ 0x5ac: 84, -+ 0x5ad: 84, -+ 0x5ae: 84, -+ 0x5af: 84, -+ 0x5b0: 84, -+ 0x5b1: 84, -+ 0x5b2: 84, -+ 0x5b3: 84, -+ 0x5b4: 84, -+ 0x5b5: 84, -+ 0x5b6: 84, -+ 0x5b7: 84, -+ 0x5b8: 84, -+ 0x5b9: 84, -+ 0x5ba: 84, -+ 0x5bb: 84, -+ 0x5bc: 84, -+ 0x5bd: 84, -+ 0x5bf: 84, -+ 0x5c1: 84, -+ 0x5c2: 84, 
-+ 0x5c4: 84, -+ 0x5c5: 84, -+ 0x5c7: 84, -+ 0x610: 84, -+ 0x611: 84, -+ 0x612: 84, -+ 0x613: 84, -+ 0x614: 84, -+ 0x615: 84, -+ 0x616: 84, -+ 0x617: 84, -+ 0x618: 84, -+ 0x619: 84, -+ 0x61a: 84, -+ 0x61c: 84, - 0x620: 68, -- 0x621: 85, - 0x622: 82, - 0x623: 82, - 0x624: 82, -@@ -151,12 +326,33 @@ joining_types = { - 0x648: 82, - 0x649: 68, - 0x64a: 68, -+ 0x64b: 84, -+ 0x64c: 84, -+ 0x64d: 84, -+ 0x64e: 84, -+ 0x64f: 84, -+ 0x650: 84, -+ 0x651: 84, -+ 0x652: 84, -+ 0x653: 84, -+ 0x654: 84, -+ 0x655: 84, -+ 0x656: 84, -+ 0x657: 84, -+ 0x658: 84, -+ 0x659: 84, -+ 0x65a: 84, -+ 0x65b: 84, -+ 0x65c: 84, -+ 0x65d: 84, -+ 0x65e: 84, -+ 0x65f: 84, - 0x66e: 68, - 0x66f: 68, -+ 0x670: 84, - 0x671: 82, - 0x672: 82, - 0x673: 82, -- 0x674: 85, - 0x675: 82, - 0x676: 82, - 0x677: 82, -@@ -253,7 +449,25 @@ joining_types = { - 0x6d2: 82, - 0x6d3: 82, - 0x6d5: 82, -- 0x6dd: 85, -+ 0x6d6: 84, -+ 0x6d7: 84, -+ 0x6d8: 84, -+ 0x6d9: 84, -+ 0x6da: 84, -+ 0x6db: 84, -+ 0x6dc: 84, -+ 0x6df: 84, -+ 0x6e0: 84, -+ 0x6e1: 84, -+ 0x6e2: 84, -+ 0x6e3: 84, -+ 0x6e4: 84, -+ 0x6e7: 84, -+ 0x6e8: 84, -+ 0x6ea: 84, -+ 0x6eb: 84, -+ 0x6ec: 84, -+ 0x6ed: 84, - 0x6ee: 82, - 0x6ef: 82, - 0x6fa: 68, -@@ -262,6 +476,7 @@ joining_types = { - 0x6ff: 68, - 0x70f: 84, - 0x710: 82, -+ 0x711: 84, - 0x712: 68, - 0x713: 68, - 0x714: 68, -@@ -292,6 +507,33 @@ joining_types = { - 0x72d: 68, - 0x72e: 68, - 0x72f: 82, -+ 0x730: 84, -+ 0x731: 84, -+ 0x732: 84, -+ 0x733: 84, -+ 0x734: 84, -+ 0x735: 84, -+ 0x736: 84, -+ 0x737: 84, -+ 0x738: 84, -+ 0x739: 84, -+ 0x73a: 84, -+ 0x73b: 84, -+ 0x73c: 84, -+ 0x73d: 84, -+ 0x73e: 84, -+ 0x73f: 84, -+ 0x740: 84, -+ 0x741: 84, -+ 0x742: 84, -+ 0x743: 84, -+ 0x744: 84, -+ 0x745: 84, -+ 0x746: 84, -+ 0x747: 84, -+ 0x748: 84, -+ 0x749: 84, -+ 0x74a: 84, - 0x74d: 82, - 0x74e: 68, - 0x74f: 68, -@@ -343,6 +585,17 @@ joining_types = { - 0x77d: 68, - 0x77e: 68, - 0x77f: 68, -+ 0x7a6: 84, -+ 0x7a7: 84, -+ 0x7a8: 84, -+ 0x7a9: 84, -+ 0x7aa: 84, -+ 0x7ab: 84, -+ 0x7ac: 84, -+ 0x7ad: 84, 
-+ 0x7ae: 84, -+ 0x7af: 84, -+ 0x7b0: 84, - 0x7ca: 68, - 0x7cb: 68, - 0x7cc: 68, -@@ -376,7 +629,38 @@ joining_types = { - 0x7e8: 68, - 0x7e9: 68, - 0x7ea: 68, -+ 0x7eb: 84, -+ 0x7ec: 84, -+ 0x7ed: 84, -+ 0x7ee: 84, -+ 0x7ef: 84, -+ 0x7f0: 84, -+ 0x7f1: 84, -+ 0x7f2: 84, -+ 0x7f3: 84, - 0x7fa: 67, -+ 0x7fd: 84, -+ 0x816: 84, -+ 0x817: 84, -+ 0x818: 84, -+ 0x819: 84, -+ 0x81b: 84, -+ 0x81c: 84, -+ 0x81d: 84, -+ 0x81e: 84, -+ 0x81f: 84, -+ 0x820: 84, -+ 0x821: 84, -+ 0x822: 84, -+ 0x823: 84, -+ 0x825: 84, -+ 0x826: 84, -+ 0x827: 84, -+ 0x829: 84, -+ 0x82a: 84, -+ 0x82b: 84, -+ 0x82c: 84, -+ 0x82d: 84, - 0x840: 82, - 0x841: 68, - 0x842: 68, -@@ -402,13 +686,14 @@ joining_types = { - 0x856: 82, - 0x857: 82, - 0x858: 82, -+ 0x859: 84, -+ 0x85a: 84, -+ 0x85b: 84, - 0x860: 68, -- 0x861: 85, - 0x862: 68, - 0x863: 68, - 0x864: 68, - 0x865: 68, -- 0x866: 85, - 0x867: 82, - 0x868: 68, - 0x869: 82, -@@ -436,16 +721,20 @@ joining_types = { - 0x884: 67, - 0x885: 67, - 0x886: 68, -- 0x887: 85, -- 0x888: 85, - 0x889: 68, - 0x88a: 68, - 0x88b: 68, - 0x88c: 68, - 0x88d: 68, - 0x88e: 82, -- 0x890: 85, -- 0x891: 85, -+ 0x898: 84, -+ 0x899: 84, -+ 0x89a: 84, -+ 0x89b: 84, -+ 0x89c: 84, -+ 0x89d: 84, -+ 0x89e: 84, -+ 0x89f: 84, - 0x8a0: 68, - 0x8a1: 68, - 0x8a2: 68, -@@ -459,7 +748,6 @@ joining_types = { - 0x8aa: 82, - 0x8ab: 82, - 0x8ac: 82, -- 0x8ad: 85, - 0x8ae: 82, - 0x8af: 68, - 0x8b0: 68, -@@ -487,11 +775,357 @@ joining_types = { - 0x8c6: 68, - 0x8c7: 68, - 0x8c8: 68, -- 0x8e2: 85, -- 0x1806: 85, -+ 0x8ca: 84, -+ 0x8cb: 84, -+ 0x8cc: 84, -+ 0x8cd: 84, -+ 0x8ce: 84, -+ 0x8cf: 84, -+ 0x8d0: 84, -+ 0x8d1: 84, -+ 0x8d2: 84, -+ 0x8d3: 84, -+ 0x8d4: 84, -+ 0x8d5: 84, -+ 0x8d6: 84, -+ 0x8d7: 84, -+ 0x8d8: 84, -+ 0x8d9: 84, -+ 0x8da: 84, -+ 0x8db: 84, -+ 0x8dc: 84, -+ 0x8dd: 84, -+ 0x8de: 84, -+ 0x8df: 84, -+ 0x8e0: 84, -+ 0x8e1: 84, -+ 0x8e3: 84, -+ 0x8e4: 84, -+ 0x8e5: 84, -+ 0x8e6: 84, -+ 0x8e7: 84, -+ 0x8e8: 84, -+ 0x8e9: 84, -+ 0x8ea: 84, -+ 0x8eb: 84, -+ 0x8ec: 84, -+ 0x8ed: 84, -+ 
0x8ee: 84, -+ 0x8ef: 84, -+ 0x8f0: 84, -+ 0x8f1: 84, -+ 0x8f2: 84, -+ 0x8f3: 84, -+ 0x8f4: 84, -+ 0x8f5: 84, -+ 0x8f6: 84, -+ 0x8f7: 84, -+ 0x8f8: 84, -+ 0x8f9: 84, -+ 0x8fa: 84, -+ 0x8fb: 84, -+ 0x8fc: 84, -+ 0x8fd: 84, -+ 0x8fe: 84, -+ 0x8ff: 84, -+ 0x900: 84, -+ 0x901: 84, -+ 0x902: 84, -+ 0x93a: 84, -+ 0x93c: 84, -+ 0x941: 84, -+ 0x942: 84, -+ 0x943: 84, -+ 0x944: 84, -+ 0x945: 84, -+ 0x946: 84, -+ 0x947: 84, -+ 0x948: 84, -+ 0x94d: 84, -+ 0x951: 84, -+ 0x952: 84, -+ 0x953: 84, -+ 0x954: 84, -+ 0x955: 84, -+ 0x956: 84, -+ 0x957: 84, -+ 0x962: 84, -+ 0x963: 84, -+ 0x981: 84, -+ 0x9bc: 84, -+ 0x9c1: 84, -+ 0x9c2: 84, -+ 0x9c3: 84, -+ 0x9c4: 84, -+ 0x9cd: 84, -+ 0x9e2: 84, -+ 0x9e3: 84, -+ 0x9fe: 84, -+ 0xa01: 84, -+ 0xa02: 84, -+ 0xa3c: 84, -+ 0xa41: 84, -+ 0xa42: 84, -+ 0xa47: 84, -+ 0xa48: 84, -+ 0xa4b: 84, -+ 0xa4c: 84, -+ 0xa4d: 84, -+ 0xa51: 84, -+ 0xa70: 84, -+ 0xa71: 84, -+ 0xa75: 84, -+ 0xa81: 84, -+ 0xa82: 84, -+ 0xabc: 84, -+ 0xac1: 84, -+ 0xac2: 84, -+ 0xac3: 84, -+ 0xac4: 84, -+ 0xac5: 84, -+ 0xac7: 84, -+ 0xac8: 84, -+ 0xacd: 84, -+ 0xae2: 84, -+ 0xae3: 84, -+ 0xafa: 84, -+ 0xafb: 84, -+ 0xafc: 84, -+ 0xafd: 84, -+ 0xafe: 84, -+ 0xaff: 84, -+ 0xb01: 84, -+ 0xb3c: 84, -+ 0xb3f: 84, -+ 0xb41: 84, -+ 0xb42: 84, -+ 0xb43: 84, -+ 0xb44: 84, -+ 0xb4d: 84, -+ 0xb55: 84, -+ 0xb56: 84, -+ 0xb62: 84, -+ 0xb63: 84, -+ 0xb82: 84, -+ 0xbc0: 84, -+ 0xbcd: 84, -+ 0xc00: 84, -+ 0xc04: 84, -+ 0xc3c: 84, -+ 0xc3e: 84, -+ 0xc3f: 84, -+ 0xc40: 84, -+ 0xc46: 84, -+ 0xc47: 84, -+ 0xc48: 84, -+ 0xc4a: 84, -+ 0xc4b: 84, -+ 0xc4c: 84, -+ 0xc4d: 84, -+ 0xc55: 84, -+ 0xc56: 84, -+ 0xc62: 84, -+ 0xc63: 84, -+ 0xc81: 84, -+ 0xcbc: 84, -+ 0xcbf: 84, -+ 0xcc6: 84, -+ 0xccc: 84, -+ 0xccd: 84, -+ 0xce2: 84, -+ 0xce3: 84, -+ 0xd00: 84, -+ 0xd01: 84, -+ 0xd3b: 84, -+ 0xd3c: 84, -+ 0xd41: 84, -+ 0xd42: 84, -+ 0xd43: 84, -+ 0xd44: 84, -+ 0xd4d: 84, -+ 0xd62: 84, -+ 0xd63: 84, -+ 0xd81: 84, -+ 0xdca: 84, -+ 0xdd2: 84, -+ 0xdd3: 84, -+ 0xdd4: 84, -+ 0xdd6: 84, -+ 0xe31: 84, -+ 0xe34: 84, 
-+ 0xe35: 84, -+ 0xe36: 84, -+ 0xe37: 84, -+ 0xe38: 84, -+ 0xe39: 84, -+ 0xe3a: 84, -+ 0xe47: 84, -+ 0xe48: 84, -+ 0xe49: 84, -+ 0xe4a: 84, -+ 0xe4b: 84, -+ 0xe4c: 84, -+ 0xe4d: 84, -+ 0xe4e: 84, -+ 0xeb1: 84, -+ 0xeb4: 84, -+ 0xeb5: 84, -+ 0xeb6: 84, -+ 0xeb7: 84, -+ 0xeb8: 84, -+ 0xeb9: 84, -+ 0xeba: 84, -+ 0xebb: 84, -+ 0xebc: 84, -+ 0xec8: 84, -+ 0xec9: 84, -+ 0xeca: 84, -+ 0xecb: 84, -+ 0xecc: 84, -+ 0xecd: 84, -+ 0xece: 84, -+ 0xf18: 84, -+ 0xf19: 84, -+ 0xf35: 84, -+ 0xf37: 84, -+ 0xf39: 84, -+ 0xf71: 84, -+ 0xf72: 84, -+ 0xf73: 84, -+ 0xf74: 84, -+ 0xf75: 84, -+ 0xf76: 84, -+ 0xf77: 84, -+ 0xf78: 84, -+ 0xf79: 84, -+ 0xf7a: 84, -+ 0xf7b: 84, -+ 0xf7c: 84, -+ 0xf7d: 84, -+ 0xf7e: 84, -+ 0xf80: 84, -+ 0xf81: 84, -+ 0xf82: 84, -+ 0xf83: 84, -+ 0xf84: 84, -+ 0xf86: 84, -+ 0xf87: 84, -+ 0xf8d: 84, -+ 0xf8e: 84, -+ 0xf8f: 84, -+ 0xf90: 84, -+ 0xf91: 84, -+ 0xf92: 84, -+ 0xf93: 84, -+ 0xf94: 84, -+ 0xf95: 84, -+ 0xf96: 84, -+ 0xf97: 84, -+ 0xf99: 84, -+ 0xf9a: 84, -+ 0xf9b: 84, -+ 0xf9c: 84, -+ 0xf9d: 84, -+ 0xf9e: 84, -+ 0xf9f: 84, -+ 0xfa0: 84, -+ 0xfa1: 84, -+ 0xfa2: 84, -+ 0xfa3: 84, -+ 0xfa4: 84, -+ 0xfa5: 84, -+ 0xfa6: 84, -+ 0xfa7: 84, -+ 0xfa8: 84, -+ 0xfa9: 84, -+ 0xfaa: 84, -+ 0xfab: 84, -+ 0xfac: 84, -+ 0xfad: 84, -+ 0xfae: 84, -+ 0xfaf: 84, -+ 0xfb0: 84, -+ 0xfb1: 84, -+ 0xfb2: 84, -+ 0xfb3: 84, -+ 0xfb4: 84, -+ 0xfb5: 84, -+ 0xfb6: 84, -+ 0xfb7: 84, -+ 0xfb8: 84, -+ 0xfb9: 84, -+ 0xfba: 84, -+ 0xfbb: 84, -+ 0xfbc: 84, -+ 0xfc6: 84, -+ 0x102d: 84, -+ 0x102e: 84, -+ 0x102f: 84, -+ 0x1030: 84, -+ 0x1032: 84, -+ 0x1033: 84, -+ 0x1034: 84, -+ 0x1035: 84, -+ 0x1036: 84, -+ 0x1037: 84, -+ 0x1039: 84, -+ 0x103a: 84, -+ 0x103d: 84, -+ 0x103e: 84, -+ 0x1058: 84, -+ 0x1059: 84, -+ 0x105e: 84, -+ 0x105f: 84, -+ 0x1060: 84, -+ 0x1071: 84, -+ 0x1072: 84, -+ 0x1073: 84, -+ 0x1074: 84, -+ 0x1082: 84, -+ 0x1085: 84, -+ 0x1086: 84, -+ 0x108d: 84, -+ 0x109d: 84, -+ 0x135d: 84, -+ 0x135e: 84, -+ 0x135f: 84, -+ 0x1712: 84, -+ 0x1713: 84, -+ 0x1714: 84, -+ 0x1732: 84, -+ 
0x1733: 84, -+ 0x1752: 84, -+ 0x1753: 84, -+ 0x1772: 84, -+ 0x1773: 84, -+ 0x17b4: 84, -+ 0x17b5: 84, -+ 0x17b7: 84, -+ 0x17b8: 84, -+ 0x17b9: 84, -+ 0x17ba: 84, -+ 0x17bb: 84, -+ 0x17bc: 84, -+ 0x17bd: 84, -+ 0x17c6: 84, -+ 0x17c9: 84, -+ 0x17ca: 84, -+ 0x17cb: 84, -+ 0x17cc: 84, -+ 0x17cd: 84, -+ 0x17ce: 84, -+ 0x17cf: 84, -+ 0x17d0: 84, -+ 0x17d1: 84, -+ 0x17d2: 84, -+ 0x17d3: 84, -+ 0x17dd: 84, - 0x1807: 68, - 0x180a: 67, -- 0x180e: 85, -+ 0x180b: 84, -+ 0x180c: 84, -+ 0x180d: 84, -+ 0x180f: 84, - 0x1820: 68, - 0x1821: 68, - 0x1822: 68, -@@ -581,11 +1215,6 @@ joining_types = { - 0x1876: 68, - 0x1877: 68, - 0x1878: 68, -- 0x1880: 85, -- 0x1881: 85, -- 0x1882: 85, -- 0x1883: 85, -- 0x1884: 85, - 0x1885: 84, - 0x1886: 84, - 0x1887: 68, -@@ -622,14 +1251,339 @@ joining_types = { - 0x18a6: 68, - 0x18a7: 68, - 0x18a8: 68, -+ 0x18a9: 84, - 0x18aa: 68, -- 0x200c: 85, -+ 0x1920: 84, -+ 0x1921: 84, -+ 0x1922: 84, -+ 0x1927: 84, -+ 0x1928: 84, -+ 0x1932: 84, -+ 0x1939: 84, -+ 0x193a: 84, -+ 0x193b: 84, -+ 0x1a17: 84, -+ 0x1a18: 84, -+ 0x1a1b: 84, -+ 0x1a56: 84, -+ 0x1a58: 84, -+ 0x1a59: 84, -+ 0x1a5a: 84, -+ 0x1a5b: 84, -+ 0x1a5c: 84, -+ 0x1a5d: 84, -+ 0x1a5e: 84, -+ 0x1a60: 84, -+ 0x1a62: 84, -+ 0x1a65: 84, -+ 0x1a66: 84, -+ 0x1a67: 84, -+ 0x1a68: 84, -+ 0x1a69: 84, -+ 0x1a6a: 84, -+ 0x1a6b: 84, -+ 0x1a6c: 84, -+ 0x1a73: 84, -+ 0x1a74: 84, -+ 0x1a75: 84, -+ 0x1a76: 84, -+ 0x1a77: 84, -+ 0x1a78: 84, -+ 0x1a79: 84, -+ 0x1a7a: 84, -+ 0x1a7b: 84, -+ 0x1a7c: 84, -+ 0x1a7f: 84, -+ 0x1ab0: 84, -+ 0x1ab1: 84, -+ 0x1ab2: 84, -+ 0x1ab3: 84, -+ 0x1ab4: 84, -+ 0x1ab5: 84, -+ 0x1ab6: 84, -+ 0x1ab7: 84, -+ 0x1ab8: 84, -+ 0x1ab9: 84, -+ 0x1aba: 84, -+ 0x1abb: 84, -+ 0x1abc: 84, -+ 0x1abd: 84, -+ 0x1abe: 84, -+ 0x1abf: 84, -+ 0x1ac0: 84, -+ 0x1ac1: 84, -+ 0x1ac2: 84, -+ 0x1ac3: 84, -+ 0x1ac4: 84, -+ 0x1ac5: 84, -+ 0x1ac6: 84, -+ 0x1ac7: 84, -+ 0x1ac8: 84, -+ 0x1ac9: 84, -+ 0x1aca: 84, -+ 0x1acb: 84, -+ 0x1acc: 84, -+ 0x1acd: 84, -+ 0x1ace: 84, -+ 0x1b00: 84, -+ 0x1b01: 84, -+ 0x1b02: 
84, -+ 0x1b03: 84, -+ 0x1b34: 84, -+ 0x1b36: 84, -+ 0x1b37: 84, -+ 0x1b38: 84, -+ 0x1b39: 84, -+ 0x1b3a: 84, -+ 0x1b3c: 84, -+ 0x1b42: 84, -+ 0x1b6b: 84, -+ 0x1b6c: 84, -+ 0x1b6d: 84, -+ 0x1b6e: 84, -+ 0x1b6f: 84, -+ 0x1b70: 84, -+ 0x1b71: 84, -+ 0x1b72: 84, -+ 0x1b73: 84, -+ 0x1b80: 84, -+ 0x1b81: 84, -+ 0x1ba2: 84, -+ 0x1ba3: 84, -+ 0x1ba4: 84, -+ 0x1ba5: 84, -+ 0x1ba8: 84, -+ 0x1ba9: 84, -+ 0x1bab: 84, -+ 0x1bac: 84, -+ 0x1bad: 84, -+ 0x1be6: 84, -+ 0x1be8: 84, -+ 0x1be9: 84, -+ 0x1bed: 84, -+ 0x1bef: 84, -+ 0x1bf0: 84, -+ 0x1bf1: 84, -+ 0x1c2c: 84, -+ 0x1c2d: 84, -+ 0x1c2e: 84, -+ 0x1c2f: 84, -+ 0x1c30: 84, -+ 0x1c31: 84, -+ 0x1c32: 84, -+ 0x1c33: 84, -+ 0x1c36: 84, -+ 0x1c37: 84, -+ 0x1cd0: 84, -+ 0x1cd1: 84, -+ 0x1cd2: 84, -+ 0x1cd4: 84, -+ 0x1cd5: 84, -+ 0x1cd6: 84, -+ 0x1cd7: 84, -+ 0x1cd8: 84, -+ 0x1cd9: 84, -+ 0x1cda: 84, -+ 0x1cdb: 84, -+ 0x1cdc: 84, -+ 0x1cdd: 84, -+ 0x1cde: 84, -+ 0x1cdf: 84, -+ 0x1ce0: 84, -+ 0x1ce2: 84, -+ 0x1ce3: 84, -+ 0x1ce4: 84, -+ 0x1ce5: 84, -+ 0x1ce6: 84, -+ 0x1ce7: 84, -+ 0x1ce8: 84, -+ 0x1ced: 84, -+ 0x1cf4: 84, -+ 0x1cf8: 84, -+ 0x1cf9: 84, -+ 0x1dc0: 84, -+ 0x1dc1: 84, -+ 0x1dc2: 84, -+ 0x1dc3: 84, -+ 0x1dc4: 84, -+ 0x1dc5: 84, -+ 0x1dc6: 84, -+ 0x1dc7: 84, -+ 0x1dc8: 84, -+ 0x1dc9: 84, -+ 0x1dca: 84, -+ 0x1dcb: 84, -+ 0x1dcc: 84, -+ 0x1dcd: 84, -+ 0x1dce: 84, -+ 0x1dcf: 84, -+ 0x1dd0: 84, -+ 0x1dd1: 84, -+ 0x1dd2: 84, -+ 0x1dd3: 84, -+ 0x1dd4: 84, -+ 0x1dd5: 84, -+ 0x1dd6: 84, -+ 0x1dd7: 84, -+ 0x1dd8: 84, -+ 0x1dd9: 84, -+ 0x1dda: 84, -+ 0x1ddb: 84, -+ 0x1ddc: 84, -+ 0x1ddd: 84, -+ 0x1dde: 84, -+ 0x1ddf: 84, -+ 0x1de0: 84, -+ 0x1de1: 84, -+ 0x1de2: 84, -+ 0x1de3: 84, -+ 0x1de4: 84, -+ 0x1de5: 84, -+ 0x1de6: 84, -+ 0x1de7: 84, -+ 0x1de8: 84, -+ 0x1de9: 84, -+ 0x1dea: 84, -+ 0x1deb: 84, -+ 0x1dec: 84, -+ 0x1ded: 84, -+ 0x1dee: 84, -+ 0x1def: 84, -+ 0x1df0: 84, -+ 0x1df1: 84, -+ 0x1df2: 84, -+ 0x1df3: 84, -+ 0x1df4: 84, -+ 0x1df5: 84, -+ 0x1df6: 84, -+ 0x1df7: 84, -+ 0x1df8: 84, -+ 0x1df9: 84, -+ 0x1dfa: 84, -+ 0x1dfb: 84, 
-+ 0x1dfc: 84, -+ 0x1dfd: 84, -+ 0x1dfe: 84, -+ 0x1dff: 84, -+ 0x200b: 84, - 0x200d: 67, -- 0x202f: 85, -- 0x2066: 85, -- 0x2067: 85, -- 0x2068: 85, -- 0x2069: 85, -+ 0x200e: 84, -+ 0x200f: 84, -+ 0x202a: 84, -+ 0x202b: 84, -+ 0x202c: 84, -+ 0x202d: 84, -+ 0x202e: 84, -+ 0x2060: 84, -+ 0x2061: 84, -+ 0x2062: 84, -+ 0x2063: 84, -+ 0x2064: 84, -+ 0x206a: 84, -+ 0x206b: 84, -+ 0x206c: 84, -+ 0x206d: 84, -+ 0x206e: 84, -+ 0x206f: 84, -+ 0x20d0: 84, -+ 0x20d1: 84, -+ 0x20d2: 84, -+ 0x20d3: 84, -+ 0x20d4: 84, -+ 0x20d5: 84, -+ 0x20d6: 84, -+ 0x20d7: 84, -+ 0x20d8: 84, -+ 0x20d9: 84, -+ 0x20da: 84, -+ 0x20db: 84, -+ 0x20dc: 84, -+ 0x20dd: 84, -+ 0x20de: 84, -+ 0x20df: 84, -+ 0x20e0: 84, -+ 0x20e1: 84, -+ 0x20e2: 84, -+ 0x20e3: 84, -+ 0x20e4: 84, -+ 0x20e5: 84, -+ 0x20e6: 84, -+ 0x20e7: 84, -+ 0x20e8: 84, -+ 0x20e9: 84, -+ 0x20ea: 84, -+ 0x20eb: 84, -+ 0x20ec: 84, -+ 0x20ed: 84, -+ 0x20ee: 84, -+ 0x20ef: 84, -+ 0x20f0: 84, -+ 0x2cef: 84, -+ 0x2cf0: 84, -+ 0x2cf1: 84, -+ 0x2d7f: 84, -+ 0x2de0: 84, -+ 0x2de1: 84, -+ 0x2de2: 84, -+ 0x2de3: 84, -+ 0x2de4: 84, -+ 0x2de5: 84, -+ 0x2de6: 84, -+ 0x2de7: 84, -+ 0x2de8: 84, -+ 0x2de9: 84, -+ 0x2dea: 84, -+ 0x2deb: 84, -+ 0x2dec: 84, -+ 0x2ded: 84, -+ 0x2dee: 84, -+ 0x2def: 84, -+ 0x2df0: 84, -+ 0x2df1: 84, -+ 0x2df2: 84, -+ 0x2df3: 84, -+ 0x2df4: 84, -+ 0x2df5: 84, -+ 0x2df6: 84, -+ 0x2df7: 84, -+ 0x2df8: 84, -+ 0x2df9: 84, -+ 0x2dfa: 84, -+ 0x2dfb: 84, -+ 0x2dfc: 84, -+ 0x2dfd: 84, -+ 0x2dfe: 84, -+ 0x2dff: 84, -+ 0x302a: 84, -+ 0x302b: 84, -+ 0x302c: 84, -+ 0x302d: 84, -+ 0x3099: 84, -+ 0x309a: 84, -+ 0xa66f: 84, -+ 0xa670: 84, -+ 0xa671: 84, -+ 0xa672: 84, -+ 0xa674: 84, -+ 0xa675: 84, -+ 0xa676: 84, -+ 0xa677: 84, -+ 0xa678: 84, -+ 0xa679: 84, -+ 0xa67a: 84, -+ 0xa67b: 84, -+ 0xa67c: 84, -+ 0xa67d: 84, -+ 0xa69e: 84, -+ 0xa69f: 84, -+ 0xa6f0: 84, -+ 0xa6f1: 84, -+ 0xa802: 84, -+ 0xa806: 84, -+ 0xa80b: 84, -+ 0xa825: 84, -+ 0xa826: 84, -+ 0xa82c: 84, - 0xa840: 68, - 0xa841: 68, - 0xa842: 68, -@@ -681,20 +1635,151 @@ joining_types 
= { - 0xa870: 68, - 0xa871: 68, - 0xa872: 76, -- 0xa873: 85, -+ 0xa8c4: 84, -+ 0xa8c5: 84, -+ 0xa8e0: 84, -+ 0xa8e1: 84, -+ 0xa8e2: 84, -+ 0xa8e3: 84, -+ 0xa8e4: 84, -+ 0xa8e5: 84, -+ 0xa8e6: 84, -+ 0xa8e7: 84, -+ 0xa8e8: 84, -+ 0xa8e9: 84, -+ 0xa8ea: 84, -+ 0xa8eb: 84, -+ 0xa8ec: 84, -+ 0xa8ed: 84, -+ 0xa8ee: 84, -+ 0xa8ef: 84, -+ 0xa8f0: 84, -+ 0xa8f1: 84, -+ 0xa8ff: 84, -+ 0xa926: 84, -+ 0xa927: 84, -+ 0xa928: 84, -+ 0xa929: 84, -+ 0xa92a: 84, -+ 0xa92b: 84, -+ 0xa92c: 84, -+ 0xa92d: 84, -+ 0xa947: 84, -+ 0xa948: 84, -+ 0xa949: 84, -+ 0xa94a: 84, -+ 0xa94b: 84, -+ 0xa94c: 84, -+ 0xa94d: 84, -+ 0xa94e: 84, -+ 0xa94f: 84, -+ 0xa950: 84, -+ 0xa951: 84, -+ 0xa980: 84, -+ 0xa981: 84, -+ 0xa982: 84, -+ 0xa9b3: 84, -+ 0xa9b6: 84, -+ 0xa9b7: 84, -+ 0xa9b8: 84, -+ 0xa9b9: 84, -+ 0xa9bc: 84, -+ 0xa9bd: 84, -+ 0xa9e5: 84, -+ 0xaa29: 84, -+ 0xaa2a: 84, -+ 0xaa2b: 84, -+ 0xaa2c: 84, -+ 0xaa2d: 84, -+ 0xaa2e: 84, -+ 0xaa31: 84, -+ 0xaa32: 84, -+ 0xaa35: 84, -+ 0xaa36: 84, -+ 0xaa43: 84, -+ 0xaa4c: 84, -+ 0xaa7c: 84, -+ 0xaab0: 84, -+ 0xaab2: 84, -+ 0xaab3: 84, -+ 0xaab4: 84, -+ 0xaab7: 84, -+ 0xaab8: 84, -+ 0xaabe: 84, -+ 0xaabf: 84, -+ 0xaac1: 84, -+ 0xaaec: 84, -+ 0xaaed: 84, -+ 0xaaf6: 84, -+ 0xabe5: 84, -+ 0xabe8: 84, -+ 0xabed: 84, -+ 0xfb1e: 84, -+ 0xfe00: 84, -+ 0xfe01: 84, -+ 0xfe02: 84, -+ 0xfe03: 84, -+ 0xfe04: 84, -+ 0xfe05: 84, -+ 0xfe06: 84, -+ 0xfe07: 84, -+ 0xfe08: 84, -+ 0xfe09: 84, -+ 0xfe0a: 84, -+ 0xfe0b: 84, -+ 0xfe0c: 84, -+ 0xfe0d: 84, -+ 0xfe0e: 84, -+ 0xfe0f: 84, -+ 0xfe20: 84, -+ 0xfe21: 84, -+ 0xfe22: 84, -+ 0xfe23: 84, -+ 0xfe24: 84, -+ 0xfe25: 84, -+ 0xfe26: 84, -+ 0xfe27: 84, -+ 0xfe28: 84, -+ 0xfe29: 84, -+ 0xfe2a: 84, -+ 0xfe2b: 84, -+ 0xfe2c: 84, -+ 0xfe2d: 84, -+ 0xfe2e: 84, -+ 0xfe2f: 84, -+ 0xfeff: 84, -+ 0xfff9: 84, -+ 0xfffa: 84, -+ 0xfffb: 84, -+ 0x101fd: 84, -+ 0x102e0: 84, -+ 0x10376: 84, -+ 0x10377: 84, -+ 0x10378: 84, -+ 0x10379: 84, -+ 0x1037a: 84, -+ 0x10a01: 84, -+ 0x10a02: 84, -+ 0x10a03: 84, -+ 0x10a05: 84, -+ 0x10a06: 84, -+ 
0x10a0c: 84, -+ 0x10a0d: 84, -+ 0x10a0e: 84, -+ 0x10a0f: 84, -+ 0x10a38: 84, -+ 0x10a39: 84, -+ 0x10a3a: 84, -+ 0x10a3f: 84, - 0x10ac0: 68, - 0x10ac1: 68, - 0x10ac2: 68, - 0x10ac3: 68, - 0x10ac4: 68, - 0x10ac5: 82, -- 0x10ac6: 85, - 0x10ac7: 82, -- 0x10ac8: 85, - 0x10ac9: 82, - 0x10aca: 82, -- 0x10acb: 85, -- 0x10acc: 85, - 0x10acd: 76, - 0x10ace: 82, - 0x10acf: 82, -@@ -716,9 +1801,9 @@ joining_types = { - 0x10adf: 68, - 0x10ae0: 68, - 0x10ae1: 82, -- 0x10ae2: 85, -- 0x10ae3: 85, - 0x10ae4: 82, -+ 0x10ae5: 84, -+ 0x10ae6: 84, - 0x10aeb: 68, - 0x10aec: 68, - 0x10aed: 68, -@@ -748,7 +1833,6 @@ joining_types = { - 0x10bac: 82, - 0x10bad: 68, - 0x10bae: 68, -- 0x10baf: 85, - 0x10d00: 76, - 0x10d01: 68, - 0x10d02: 68, -@@ -785,6 +1869,15 @@ joining_types = { - 0x10d21: 68, - 0x10d22: 82, - 0x10d23: 68, -+ 0x10d24: 84, -+ 0x10d25: 84, -+ 0x10d26: 84, -+ 0x10d27: 84, -+ 0x10eab: 84, -+ 0x10eac: 84, -+ 0x10efd: 84, -+ 0x10efe: 84, -+ 0x10eff: 84, - 0x10f30: 68, - 0x10f31: 68, - 0x10f32: 68, -@@ -806,7 +1899,17 @@ joining_types = { - 0x10f42: 68, - 0x10f43: 68, - 0x10f44: 68, -- 0x10f45: 85, -+ 0x10f46: 84, -+ 0x10f47: 84, -+ 0x10f48: 84, -+ 0x10f49: 84, -+ 0x10f4a: 84, -+ 0x10f4b: 84, -+ 0x10f4c: 84, -+ 0x10f4d: 84, -+ 0x10f4e: 84, -+ 0x10f4f: 84, -+ 0x10f50: 84, - 0x10f51: 68, - 0x10f52: 68, - 0x10f53: 68, -@@ -829,14 +1932,16 @@ joining_types = { - 0x10f7f: 68, - 0x10f80: 68, - 0x10f81: 68, -+ 0x10f82: 84, -+ 0x10f83: 84, -+ 0x10f84: 84, -+ 0x10f85: 84, - 0x10fb0: 68, -- 0x10fb1: 85, - 0x10fb2: 68, - 0x10fb3: 68, - 0x10fb4: 82, - 0x10fb5: 82, - 0x10fb6: 82, -- 0x10fb7: 85, - 0x10fb8: 68, - 0x10fb9: 82, - 0x10fba: 82, -@@ -845,20 +1950,668 @@ joining_types = { - 0x10fbd: 82, - 0x10fbe: 68, - 0x10fbf: 68, -- 0x10fc0: 85, - 0x10fc1: 68, - 0x10fc2: 82, - 0x10fc3: 82, - 0x10fc4: 68, -- 0x10fc5: 85, -- 0x10fc6: 85, -- 0x10fc7: 85, -- 0x10fc8: 85, - 0x10fc9: 82, - 0x10fca: 68, - 0x10fcb: 76, -- 0x110bd: 85, -- 0x110cd: 85, -+ 0x11001: 84, -+ 0x11038: 84, -+ 0x11039: 84, -+ 
0x1103a: 84, -+ 0x1103b: 84, -+ 0x1103c: 84, -+ 0x1103d: 84, -+ 0x1103e: 84, -+ 0x1103f: 84, -+ 0x11040: 84, -+ 0x11041: 84, -+ 0x11042: 84, -+ 0x11043: 84, -+ 0x11044: 84, -+ 0x11045: 84, -+ 0x11046: 84, -+ 0x11070: 84, -+ 0x11073: 84, -+ 0x11074: 84, -+ 0x1107f: 84, -+ 0x11080: 84, -+ 0x11081: 84, -+ 0x110b3: 84, -+ 0x110b4: 84, -+ 0x110b5: 84, -+ 0x110b6: 84, -+ 0x110b9: 84, -+ 0x110ba: 84, -+ 0x110c2: 84, -+ 0x11100: 84, -+ 0x11101: 84, -+ 0x11102: 84, -+ 0x11127: 84, -+ 0x11128: 84, -+ 0x11129: 84, -+ 0x1112a: 84, -+ 0x1112b: 84, -+ 0x1112d: 84, -+ 0x1112e: 84, -+ 0x1112f: 84, -+ 0x11130: 84, -+ 0x11131: 84, -+ 0x11132: 84, -+ 0x11133: 84, -+ 0x11134: 84, -+ 0x11173: 84, -+ 0x11180: 84, -+ 0x11181: 84, -+ 0x111b6: 84, -+ 0x111b7: 84, -+ 0x111b8: 84, -+ 0x111b9: 84, -+ 0x111ba: 84, -+ 0x111bb: 84, -+ 0x111bc: 84, -+ 0x111bd: 84, -+ 0x111be: 84, -+ 0x111c9: 84, -+ 0x111ca: 84, -+ 0x111cb: 84, -+ 0x111cc: 84, -+ 0x111cf: 84, -+ 0x1122f: 84, -+ 0x11230: 84, -+ 0x11231: 84, -+ 0x11234: 84, -+ 0x11236: 84, -+ 0x11237: 84, -+ 0x1123e: 84, -+ 0x11241: 84, -+ 0x112df: 84, -+ 0x112e3: 84, -+ 0x112e4: 84, -+ 0x112e5: 84, -+ 0x112e6: 84, -+ 0x112e7: 84, -+ 0x112e8: 84, -+ 0x112e9: 84, -+ 0x112ea: 84, -+ 0x11300: 84, -+ 0x11301: 84, -+ 0x1133b: 84, -+ 0x1133c: 84, -+ 0x11340: 84, -+ 0x11366: 84, -+ 0x11367: 84, -+ 0x11368: 84, -+ 0x11369: 84, -+ 0x1136a: 84, -+ 0x1136b: 84, -+ 0x1136c: 84, -+ 0x11370: 84, -+ 0x11371: 84, -+ 0x11372: 84, -+ 0x11373: 84, -+ 0x11374: 84, -+ 0x11438: 84, -+ 0x11439: 84, -+ 0x1143a: 84, -+ 0x1143b: 84, -+ 0x1143c: 84, -+ 0x1143d: 84, -+ 0x1143e: 84, -+ 0x1143f: 84, -+ 0x11442: 84, -+ 0x11443: 84, -+ 0x11444: 84, -+ 0x11446: 84, -+ 0x1145e: 84, -+ 0x114b3: 84, -+ 0x114b4: 84, -+ 0x114b5: 84, -+ 0x114b6: 84, -+ 0x114b7: 84, -+ 0x114b8: 84, -+ 0x114ba: 84, -+ 0x114bf: 84, -+ 0x114c0: 84, -+ 0x114c2: 84, -+ 0x114c3: 84, -+ 0x115b2: 84, -+ 0x115b3: 84, -+ 0x115b4: 84, -+ 0x115b5: 84, -+ 0x115bc: 84, -+ 0x115bd: 84, -+ 0x115bf: 84, -+ 0x115c0: 84, -+ 
0x115dc: 84, -+ 0x115dd: 84, -+ 0x11633: 84, -+ 0x11634: 84, -+ 0x11635: 84, -+ 0x11636: 84, -+ 0x11637: 84, -+ 0x11638: 84, -+ 0x11639: 84, -+ 0x1163a: 84, -+ 0x1163d: 84, -+ 0x1163f: 84, -+ 0x11640: 84, -+ 0x116ab: 84, -+ 0x116ad: 84, -+ 0x116b0: 84, -+ 0x116b1: 84, -+ 0x116b2: 84, -+ 0x116b3: 84, -+ 0x116b4: 84, -+ 0x116b5: 84, -+ 0x116b7: 84, -+ 0x1171d: 84, -+ 0x1171e: 84, -+ 0x1171f: 84, -+ 0x11722: 84, -+ 0x11723: 84, -+ 0x11724: 84, -+ 0x11725: 84, -+ 0x11727: 84, -+ 0x11728: 84, -+ 0x11729: 84, -+ 0x1172a: 84, -+ 0x1172b: 84, -+ 0x1182f: 84, -+ 0x11830: 84, -+ 0x11831: 84, -+ 0x11832: 84, -+ 0x11833: 84, -+ 0x11834: 84, -+ 0x11835: 84, -+ 0x11836: 84, -+ 0x11837: 84, -+ 0x11839: 84, -+ 0x1183a: 84, -+ 0x1193b: 84, -+ 0x1193c: 84, -+ 0x1193e: 84, -+ 0x11943: 84, -+ 0x119d4: 84, -+ 0x119d5: 84, -+ 0x119d6: 84, -+ 0x119d7: 84, -+ 0x119da: 84, -+ 0x119db: 84, -+ 0x119e0: 84, -+ 0x11a01: 84, -+ 0x11a02: 84, -+ 0x11a03: 84, -+ 0x11a04: 84, -+ 0x11a05: 84, -+ 0x11a06: 84, -+ 0x11a07: 84, -+ 0x11a08: 84, -+ 0x11a09: 84, -+ 0x11a0a: 84, -+ 0x11a33: 84, -+ 0x11a34: 84, -+ 0x11a35: 84, -+ 0x11a36: 84, -+ 0x11a37: 84, -+ 0x11a38: 84, -+ 0x11a3b: 84, -+ 0x11a3c: 84, -+ 0x11a3d: 84, -+ 0x11a3e: 84, -+ 0x11a47: 84, -+ 0x11a51: 84, -+ 0x11a52: 84, -+ 0x11a53: 84, -+ 0x11a54: 84, -+ 0x11a55: 84, -+ 0x11a56: 84, -+ 0x11a59: 84, -+ 0x11a5a: 84, -+ 0x11a5b: 84, -+ 0x11a8a: 84, -+ 0x11a8b: 84, -+ 0x11a8c: 84, -+ 0x11a8d: 84, -+ 0x11a8e: 84, -+ 0x11a8f: 84, -+ 0x11a90: 84, -+ 0x11a91: 84, -+ 0x11a92: 84, -+ 0x11a93: 84, -+ 0x11a94: 84, -+ 0x11a95: 84, -+ 0x11a96: 84, -+ 0x11a98: 84, -+ 0x11a99: 84, -+ 0x11c30: 84, -+ 0x11c31: 84, -+ 0x11c32: 84, -+ 0x11c33: 84, -+ 0x11c34: 84, -+ 0x11c35: 84, -+ 0x11c36: 84, -+ 0x11c38: 84, -+ 0x11c39: 84, -+ 0x11c3a: 84, -+ 0x11c3b: 84, -+ 0x11c3c: 84, -+ 0x11c3d: 84, -+ 0x11c3f: 84, -+ 0x11c92: 84, -+ 0x11c93: 84, -+ 0x11c94: 84, -+ 0x11c95: 84, -+ 0x11c96: 84, -+ 0x11c97: 84, -+ 0x11c98: 84, -+ 0x11c99: 84, -+ 0x11c9a: 84, -+ 0x11c9b: 84, -+ 
0x11c9c: 84, -+ 0x11c9d: 84, -+ 0x11c9e: 84, -+ 0x11c9f: 84, -+ 0x11ca0: 84, -+ 0x11ca1: 84, -+ 0x11ca2: 84, -+ 0x11ca3: 84, -+ 0x11ca4: 84, -+ 0x11ca5: 84, -+ 0x11ca6: 84, -+ 0x11ca7: 84, -+ 0x11caa: 84, -+ 0x11cab: 84, -+ 0x11cac: 84, -+ 0x11cad: 84, -+ 0x11cae: 84, -+ 0x11caf: 84, -+ 0x11cb0: 84, -+ 0x11cb2: 84, -+ 0x11cb3: 84, -+ 0x11cb5: 84, -+ 0x11cb6: 84, -+ 0x11d31: 84, -+ 0x11d32: 84, -+ 0x11d33: 84, -+ 0x11d34: 84, -+ 0x11d35: 84, -+ 0x11d36: 84, -+ 0x11d3a: 84, -+ 0x11d3c: 84, -+ 0x11d3d: 84, -+ 0x11d3f: 84, -+ 0x11d40: 84, -+ 0x11d41: 84, -+ 0x11d42: 84, -+ 0x11d43: 84, -+ 0x11d44: 84, -+ 0x11d45: 84, -+ 0x11d47: 84, -+ 0x11d90: 84, -+ 0x11d91: 84, -+ 0x11d95: 84, -+ 0x11d97: 84, -+ 0x11ef3: 84, -+ 0x11ef4: 84, -+ 0x11f00: 84, -+ 0x11f01: 84, -+ 0x11f36: 84, -+ 0x11f37: 84, -+ 0x11f38: 84, -+ 0x11f39: 84, -+ 0x11f3a: 84, -+ 0x11f40: 84, -+ 0x11f42: 84, -+ 0x13430: 84, -+ 0x13431: 84, -+ 0x13432: 84, -+ 0x13433: 84, -+ 0x13434: 84, -+ 0x13435: 84, -+ 0x13436: 84, -+ 0x13437: 84, -+ 0x13438: 84, -+ 0x13439: 84, -+ 0x1343a: 84, -+ 0x1343b: 84, -+ 0x1343c: 84, -+ 0x1343d: 84, -+ 0x1343e: 84, -+ 0x1343f: 84, -+ 0x13440: 84, -+ 0x13447: 84, -+ 0x13448: 84, -+ 0x13449: 84, -+ 0x1344a: 84, -+ 0x1344b: 84, -+ 0x1344c: 84, -+ 0x1344d: 84, -+ 0x1344e: 84, -+ 0x1344f: 84, -+ 0x13450: 84, -+ 0x13451: 84, -+ 0x13452: 84, -+ 0x13453: 84, -+ 0x13454: 84, -+ 0x13455: 84, -+ 0x16af0: 84, -+ 0x16af1: 84, -+ 0x16af2: 84, -+ 0x16af3: 84, -+ 0x16af4: 84, -+ 0x16b30: 84, -+ 0x16b31: 84, -+ 0x16b32: 84, -+ 0x16b33: 84, -+ 0x16b34: 84, -+ 0x16b35: 84, -+ 0x16b36: 84, -+ 0x16f4f: 84, -+ 0x16f8f: 84, -+ 0x16f90: 84, -+ 0x16f91: 84, -+ 0x16f92: 84, -+ 0x16fe4: 84, -+ 0x1bc9d: 84, -+ 0x1bc9e: 84, -+ 0x1bca0: 84, -+ 0x1bca1: 84, -+ 0x1bca2: 84, -+ 0x1bca3: 84, -+ 0x1cf00: 84, -+ 0x1cf01: 84, -+ 0x1cf02: 84, -+ 0x1cf03: 84, -+ 0x1cf04: 84, -+ 0x1cf05: 84, -+ 0x1cf06: 84, -+ 0x1cf07: 84, -+ 0x1cf08: 84, -+ 0x1cf09: 84, -+ 0x1cf0a: 84, -+ 0x1cf0b: 84, -+ 0x1cf0c: 84, -+ 0x1cf0d: 84, -+ 
0x1cf0e: 84, -+ 0x1cf0f: 84, -+ 0x1cf10: 84, -+ 0x1cf11: 84, -+ 0x1cf12: 84, -+ 0x1cf13: 84, -+ 0x1cf14: 84, -+ 0x1cf15: 84, -+ 0x1cf16: 84, -+ 0x1cf17: 84, -+ 0x1cf18: 84, -+ 0x1cf19: 84, -+ 0x1cf1a: 84, -+ 0x1cf1b: 84, -+ 0x1cf1c: 84, -+ 0x1cf1d: 84, -+ 0x1cf1e: 84, -+ 0x1cf1f: 84, -+ 0x1cf20: 84, -+ 0x1cf21: 84, -+ 0x1cf22: 84, -+ 0x1cf23: 84, -+ 0x1cf24: 84, -+ 0x1cf25: 84, -+ 0x1cf26: 84, -+ 0x1cf27: 84, -+ 0x1cf28: 84, -+ 0x1cf29: 84, -+ 0x1cf2a: 84, -+ 0x1cf2b: 84, -+ 0x1cf2c: 84, -+ 0x1cf2d: 84, -+ 0x1cf30: 84, -+ 0x1cf31: 84, -+ 0x1cf32: 84, -+ 0x1cf33: 84, -+ 0x1cf34: 84, -+ 0x1cf35: 84, -+ 0x1cf36: 84, -+ 0x1cf37: 84, -+ 0x1cf38: 84, -+ 0x1cf39: 84, -+ 0x1cf3a: 84, -+ 0x1cf3b: 84, -+ 0x1cf3c: 84, -+ 0x1cf3d: 84, -+ 0x1cf3e: 84, -+ 0x1cf3f: 84, -+ 0x1cf40: 84, -+ 0x1cf41: 84, -+ 0x1cf42: 84, -+ 0x1cf43: 84, -+ 0x1cf44: 84, -+ 0x1cf45: 84, -+ 0x1cf46: 84, -+ 0x1d167: 84, -+ 0x1d168: 84, -+ 0x1d169: 84, -+ 0x1d173: 84, -+ 0x1d174: 84, -+ 0x1d175: 84, -+ 0x1d176: 84, -+ 0x1d177: 84, -+ 0x1d178: 84, -+ 0x1d179: 84, -+ 0x1d17a: 84, -+ 0x1d17b: 84, -+ 0x1d17c: 84, -+ 0x1d17d: 84, -+ 0x1d17e: 84, -+ 0x1d17f: 84, -+ 0x1d180: 84, -+ 0x1d181: 84, -+ 0x1d182: 84, -+ 0x1d185: 84, -+ 0x1d186: 84, -+ 0x1d187: 84, -+ 0x1d188: 84, -+ 0x1d189: 84, -+ 0x1d18a: 84, -+ 0x1d18b: 84, -+ 0x1d1aa: 84, -+ 0x1d1ab: 84, -+ 0x1d1ac: 84, -+ 0x1d1ad: 84, -+ 0x1d242: 84, -+ 0x1d243: 84, -+ 0x1d244: 84, -+ 0x1da00: 84, -+ 0x1da01: 84, -+ 0x1da02: 84, -+ 0x1da03: 84, -+ 0x1da04: 84, -+ 0x1da05: 84, -+ 0x1da06: 84, -+ 0x1da07: 84, -+ 0x1da08: 84, -+ 0x1da09: 84, -+ 0x1da0a: 84, -+ 0x1da0b: 84, -+ 0x1da0c: 84, -+ 0x1da0d: 84, -+ 0x1da0e: 84, -+ 0x1da0f: 84, -+ 0x1da10: 84, -+ 0x1da11: 84, -+ 0x1da12: 84, -+ 0x1da13: 84, -+ 0x1da14: 84, -+ 0x1da15: 84, -+ 0x1da16: 84, -+ 0x1da17: 84, -+ 0x1da18: 84, -+ 0x1da19: 84, -+ 0x1da1a: 84, -+ 0x1da1b: 84, -+ 0x1da1c: 84, -+ 0x1da1d: 84, -+ 0x1da1e: 84, -+ 0x1da1f: 84, -+ 0x1da20: 84, -+ 0x1da21: 84, -+ 0x1da22: 84, -+ 0x1da23: 84, -+ 0x1da24: 84, -+ 
0x1da25: 84, -+ 0x1da26: 84, -+ 0x1da27: 84, -+ 0x1da28: 84, -+ 0x1da29: 84, -+ 0x1da2a: 84, -+ 0x1da2b: 84, -+ 0x1da2c: 84, -+ 0x1da2d: 84, -+ 0x1da2e: 84, -+ 0x1da2f: 84, -+ 0x1da30: 84, -+ 0x1da31: 84, -+ 0x1da32: 84, -+ 0x1da33: 84, -+ 0x1da34: 84, -+ 0x1da35: 84, -+ 0x1da36: 84, -+ 0x1da3b: 84, -+ 0x1da3c: 84, -+ 0x1da3d: 84, -+ 0x1da3e: 84, -+ 0x1da3f: 84, -+ 0x1da40: 84, -+ 0x1da41: 84, -+ 0x1da42: 84, -+ 0x1da43: 84, -+ 0x1da44: 84, -+ 0x1da45: 84, -+ 0x1da46: 84, -+ 0x1da47: 84, -+ 0x1da48: 84, -+ 0x1da49: 84, -+ 0x1da4a: 84, -+ 0x1da4b: 84, -+ 0x1da4c: 84, -+ 0x1da4d: 84, -+ 0x1da4e: 84, -+ 0x1da4f: 84, -+ 0x1da50: 84, -+ 0x1da51: 84, -+ 0x1da52: 84, -+ 0x1da53: 84, -+ 0x1da54: 84, -+ 0x1da55: 84, -+ 0x1da56: 84, -+ 0x1da57: 84, -+ 0x1da58: 84, -+ 0x1da59: 84, -+ 0x1da5a: 84, -+ 0x1da5b: 84, -+ 0x1da5c: 84, -+ 0x1da5d: 84, -+ 0x1da5e: 84, -+ 0x1da5f: 84, -+ 0x1da60: 84, -+ 0x1da61: 84, -+ 0x1da62: 84, -+ 0x1da63: 84, -+ 0x1da64: 84, -+ 0x1da65: 84, -+ 0x1da66: 84, -+ 0x1da67: 84, -+ 0x1da68: 84, -+ 0x1da69: 84, -+ 0x1da6a: 84, -+ 0x1da6b: 84, -+ 0x1da6c: 84, -+ 0x1da75: 84, -+ 0x1da84: 84, -+ 0x1da9b: 84, -+ 0x1da9c: 84, -+ 0x1da9d: 84, -+ 0x1da9e: 84, -+ 0x1da9f: 84, -+ 0x1daa1: 84, -+ 0x1daa2: 84, -+ 0x1daa3: 84, -+ 0x1daa4: 84, -+ 0x1daa5: 84, -+ 0x1daa6: 84, -+ 0x1daa7: 84, -+ 0x1daa8: 84, -+ 0x1daa9: 84, -+ 0x1daaa: 84, -+ 0x1daab: 84, -+ 0x1daac: 84, -+ 0x1daad: 84, -+ 0x1daae: 84, -+ 0x1daaf: 84, -+ 0x1e000: 84, -+ 0x1e001: 84, -+ 0x1e002: 84, -+ 0x1e003: 84, -+ 0x1e004: 84, -+ 0x1e005: 84, -+ 0x1e006: 84, -+ 0x1e008: 84, -+ 0x1e009: 84, -+ 0x1e00a: 84, -+ 0x1e00b: 84, -+ 0x1e00c: 84, -+ 0x1e00d: 84, -+ 0x1e00e: 84, -+ 0x1e00f: 84, -+ 0x1e010: 84, -+ 0x1e011: 84, -+ 0x1e012: 84, -+ 0x1e013: 84, -+ 0x1e014: 84, -+ 0x1e015: 84, -+ 0x1e016: 84, -+ 0x1e017: 84, -+ 0x1e018: 84, -+ 0x1e01b: 84, -+ 0x1e01c: 84, -+ 0x1e01d: 84, -+ 0x1e01e: 84, -+ 0x1e01f: 84, -+ 0x1e020: 84, -+ 0x1e021: 84, -+ 0x1e023: 84, -+ 0x1e024: 84, -+ 0x1e026: 84, -+ 0x1e027: 84, -+ 
0x1e028: 84, -+ 0x1e029: 84, -+ 0x1e02a: 84, -+ 0x1e08f: 84, -+ 0x1e130: 84, -+ 0x1e131: 84, -+ 0x1e132: 84, -+ 0x1e133: 84, -+ 0x1e134: 84, -+ 0x1e135: 84, -+ 0x1e136: 84, -+ 0x1e2ae: 84, -+ 0x1e2ec: 84, -+ 0x1e2ed: 84, -+ 0x1e2ee: 84, -+ 0x1e2ef: 84, -+ 0x1e4ec: 84, -+ 0x1e4ed: 84, -+ 0x1e4ee: 84, -+ 0x1e4ef: 84, -+ 0x1e8d0: 84, -+ 0x1e8d1: 84, -+ 0x1e8d2: 84, -+ 0x1e8d3: 84, -+ 0x1e8d4: 84, -+ 0x1e8d5: 84, -+ 0x1e8d6: 84, - 0x1e900: 68, - 0x1e901: 68, - 0x1e902: 68, -@@ -927,7 +2680,351 @@ joining_types = { - 0x1e941: 68, - 0x1e942: 68, - 0x1e943: 68, -+ 0x1e944: 84, -+ 0x1e945: 84, -+ 0x1e946: 84, -+ 0x1e947: 84, -+ 0x1e948: 84, -+ 0x1e949: 84, -+ 0x1e94a: 84, - 0x1e94b: 84, -+ 0xe0001: 84, -+ 0xe0020: 84, -+ 0xe0021: 84, -+ 0xe0022: 84, -+ 0xe0023: 84, -+ 0xe0024: 84, -+ 0xe0025: 84, -+ 0xe0026: 84, -+ 0xe0027: 84, -+ 0xe0028: 84, -+ 0xe0029: 84, -+ 0xe002a: 84, -+ 0xe002b: 84, -+ 0xe002c: 84, -+ 0xe002d: 84, -+ 0xe002e: 84, -+ 0xe002f: 84, -+ 0xe0030: 84, -+ 0xe0031: 84, -+ 0xe0032: 84, -+ 0xe0033: 84, -+ 0xe0034: 84, -+ 0xe0035: 84, -+ 0xe0036: 84, -+ 0xe0037: 84, -+ 0xe0038: 84, -+ 0xe0039: 84, -+ 0xe003a: 84, -+ 0xe003b: 84, -+ 0xe003c: 84, -+ 0xe003d: 84, -+ 0xe003e: 84, -+ 0xe003f: 84, -+ 0xe0040: 84, -+ 0xe0041: 84, -+ 0xe0042: 84, -+ 0xe0043: 84, -+ 0xe0044: 84, -+ 0xe0045: 84, -+ 0xe0046: 84, -+ 0xe0047: 84, -+ 0xe0048: 84, -+ 0xe0049: 84, -+ 0xe004a: 84, -+ 0xe004b: 84, -+ 0xe004c: 84, -+ 0xe004d: 84, -+ 0xe004e: 84, -+ 0xe004f: 84, -+ 0xe0050: 84, -+ 0xe0051: 84, -+ 0xe0052: 84, -+ 0xe0053: 84, -+ 0xe0054: 84, -+ 0xe0055: 84, -+ 0xe0056: 84, -+ 0xe0057: 84, -+ 0xe0058: 84, -+ 0xe0059: 84, -+ 0xe005a: 84, -+ 0xe005b: 84, -+ 0xe005c: 84, -+ 0xe005d: 84, -+ 0xe005e: 84, -+ 0xe005f: 84, -+ 0xe0060: 84, -+ 0xe0061: 84, -+ 0xe0062: 84, -+ 0xe0063: 84, -+ 0xe0064: 84, -+ 0xe0065: 84, -+ 0xe0066: 84, -+ 0xe0067: 84, -+ 0xe0068: 84, -+ 0xe0069: 84, -+ 0xe006a: 84, -+ 0xe006b: 84, -+ 0xe006c: 84, -+ 0xe006d: 84, -+ 0xe006e: 84, -+ 0xe006f: 84, -+ 0xe0070: 84, 
-+ 0xe0071: 84, -+ 0xe0072: 84, -+ 0xe0073: 84, -+ 0xe0074: 84, -+ 0xe0075: 84, -+ 0xe0076: 84, -+ 0xe0077: 84, -+ 0xe0078: 84, -+ 0xe0079: 84, -+ 0xe007a: 84, -+ 0xe007b: 84, -+ 0xe007c: 84, -+ 0xe007d: 84, -+ 0xe007e: 84, -+ 0xe007f: 84, -+ 0xe0100: 84, -+ 0xe0101: 84, -+ 0xe0102: 84, -+ 0xe0103: 84, -+ 0xe0104: 84, -+ 0xe0105: 84, -+ 0xe0106: 84, -+ 0xe0107: 84, -+ 0xe0108: 84, -+ 0xe0109: 84, -+ 0xe010a: 84, -+ 0xe010b: 84, -+ 0xe010c: 84, -+ 0xe010d: 84, -+ 0xe010e: 84, -+ 0xe010f: 84, -+ 0xe0110: 84, -+ 0xe0111: 84, -+ 0xe0112: 84, -+ 0xe0113: 84, -+ 0xe0114: 84, -+ 0xe0115: 84, -+ 0xe0116: 84, -+ 0xe0117: 84, -+ 0xe0118: 84, -+ 0xe0119: 84, -+ 0xe011a: 84, -+ 0xe011b: 84, -+ 0xe011c: 84, -+ 0xe011d: 84, -+ 0xe011e: 84, -+ 0xe011f: 84, -+ 0xe0120: 84, -+ 0xe0121: 84, -+ 0xe0122: 84, -+ 0xe0123: 84, -+ 0xe0124: 84, -+ 0xe0125: 84, -+ 0xe0126: 84, -+ 0xe0127: 84, -+ 0xe0128: 84, -+ 0xe0129: 84, -+ 0xe012a: 84, -+ 0xe012b: 84, -+ 0xe012c: 84, -+ 0xe012d: 84, -+ 0xe012e: 84, -+ 0xe012f: 84, -+ 0xe0130: 84, -+ 0xe0131: 84, -+ 0xe0132: 84, -+ 0xe0133: 84, -+ 0xe0134: 84, -+ 0xe0135: 84, -+ 0xe0136: 84, -+ 0xe0137: 84, -+ 0xe0138: 84, -+ 0xe0139: 84, -+ 0xe013a: 84, -+ 0xe013b: 84, -+ 0xe013c: 84, -+ 0xe013d: 84, -+ 0xe013e: 84, -+ 0xe013f: 84, -+ 0xe0140: 84, -+ 0xe0141: 84, -+ 0xe0142: 84, -+ 0xe0143: 84, -+ 0xe0144: 84, -+ 0xe0145: 84, -+ 0xe0146: 84, -+ 0xe0147: 84, -+ 0xe0148: 84, -+ 0xe0149: 84, -+ 0xe014a: 84, -+ 0xe014b: 84, -+ 0xe014c: 84, -+ 0xe014d: 84, -+ 0xe014e: 84, -+ 0xe014f: 84, -+ 0xe0150: 84, -+ 0xe0151: 84, -+ 0xe0152: 84, -+ 0xe0153: 84, -+ 0xe0154: 84, -+ 0xe0155: 84, -+ 0xe0156: 84, -+ 0xe0157: 84, -+ 0xe0158: 84, -+ 0xe0159: 84, -+ 0xe015a: 84, -+ 0xe015b: 84, -+ 0xe015c: 84, -+ 0xe015d: 84, -+ 0xe015e: 84, -+ 0xe015f: 84, -+ 0xe0160: 84, -+ 0xe0161: 84, -+ 0xe0162: 84, -+ 0xe0163: 84, -+ 0xe0164: 84, -+ 0xe0165: 84, -+ 0xe0166: 84, -+ 0xe0167: 84, -+ 0xe0168: 84, -+ 0xe0169: 84, -+ 0xe016a: 84, -+ 0xe016b: 84, -+ 0xe016c: 84, -+ 0xe016d: 84, 
-+ 0xe016e: 84, -+ 0xe016f: 84, -+ 0xe0170: 84, -+ 0xe0171: 84, -+ 0xe0172: 84, -+ 0xe0173: 84, -+ 0xe0174: 84, -+ 0xe0175: 84, -+ 0xe0176: 84, -+ 0xe0177: 84, -+ 0xe0178: 84, -+ 0xe0179: 84, -+ 0xe017a: 84, -+ 0xe017b: 84, -+ 0xe017c: 84, -+ 0xe017d: 84, -+ 0xe017e: 84, -+ 0xe017f: 84, -+ 0xe0180: 84, -+ 0xe0181: 84, -+ 0xe0182: 84, -+ 0xe0183: 84, -+ 0xe0184: 84, -+ 0xe0185: 84, -+ 0xe0186: 84, -+ 0xe0187: 84, -+ 0xe0188: 84, -+ 0xe0189: 84, -+ 0xe018a: 84, -+ 0xe018b: 84, -+ 0xe018c: 84, -+ 0xe018d: 84, -+ 0xe018e: 84, -+ 0xe018f: 84, -+ 0xe0190: 84, -+ 0xe0191: 84, -+ 0xe0192: 84, -+ 0xe0193: 84, -+ 0xe0194: 84, -+ 0xe0195: 84, -+ 0xe0196: 84, -+ 0xe0197: 84, -+ 0xe0198: 84, -+ 0xe0199: 84, -+ 0xe019a: 84, -+ 0xe019b: 84, -+ 0xe019c: 84, -+ 0xe019d: 84, -+ 0xe019e: 84, -+ 0xe019f: 84, -+ 0xe01a0: 84, -+ 0xe01a1: 84, -+ 0xe01a2: 84, -+ 0xe01a3: 84, -+ 0xe01a4: 84, -+ 0xe01a5: 84, -+ 0xe01a6: 84, -+ 0xe01a7: 84, -+ 0xe01a8: 84, -+ 0xe01a9: 84, -+ 0xe01aa: 84, -+ 0xe01ab: 84, -+ 0xe01ac: 84, -+ 0xe01ad: 84, -+ 0xe01ae: 84, -+ 0xe01af: 84, -+ 0xe01b0: 84, -+ 0xe01b1: 84, -+ 0xe01b2: 84, -+ 0xe01b3: 84, -+ 0xe01b4: 84, -+ 0xe01b5: 84, -+ 0xe01b6: 84, -+ 0xe01b7: 84, -+ 0xe01b8: 84, -+ 0xe01b9: 84, -+ 0xe01ba: 84, -+ 0xe01bb: 84, -+ 0xe01bc: 84, -+ 0xe01bd: 84, -+ 0xe01be: 84, -+ 0xe01bf: 84, -+ 0xe01c0: 84, -+ 0xe01c1: 84, -+ 0xe01c2: 84, -+ 0xe01c3: 84, -+ 0xe01c4: 84, -+ 0xe01c5: 84, -+ 0xe01c6: 84, -+ 0xe01c7: 84, -+ 0xe01c8: 84, -+ 0xe01c9: 84, -+ 0xe01ca: 84, -+ 0xe01cb: 84, -+ 0xe01cc: 84, -+ 0xe01cd: 84, -+ 0xe01ce: 84, -+ 0xe01cf: 84, -+ 0xe01d0: 84, -+ 0xe01d1: 84, -+ 0xe01d2: 84, -+ 0xe01d3: 84, -+ 0xe01d4: 84, -+ 0xe01d5: 84, -+ 0xe01d6: 84, -+ 0xe01d7: 84, -+ 0xe01d8: 84, -+ 0xe01d9: 84, -+ 0xe01da: 84, -+ 0xe01db: 84, -+ 0xe01dc: 84, -+ 0xe01dd: 84, -+ 0xe01de: 84, -+ 0xe01df: 84, -+ 0xe01e0: 84, -+ 0xe01e1: 84, -+ 0xe01e2: 84, -+ 0xe01e3: 84, -+ 0xe01e4: 84, -+ 0xe01e5: 84, -+ 0xe01e6: 84, -+ 0xe01e7: 84, -+ 0xe01e8: 84, -+ 0xe01e9: 84, -+ 0xe01ea: 84, 
-+ 0xe01eb: 84, -+ 0xe01ec: 84, -+ 0xe01ed: 84, -+ 0xe01ee: 84, -+ 0xe01ef: 84, - } - codepoint_classes = { - 'PVALID': ( -@@ -1834,7 +3931,6 @@ codepoint_classes = { - 0xa7d50000a7d6, - 0xa7d70000a7d8, - 0xa7d90000a7da, -- 0xa7f20000a7f5, - 0xa7f60000a7f8, - 0xa7fa0000a828, - 0xa82c0000a82d, -@@ -1907,9 +4003,7 @@ codepoint_classes = { - 0x1060000010737, - 0x1074000010756, - 0x1076000010768, -- 0x1078000010786, -- 0x10787000107b1, -- 0x107b2000107bb, -+ 0x1078000010781, - 0x1080000010806, - 0x1080800010809, - 0x1080a00010836, -@@ -2112,7 +4206,6 @@ codepoint_classes = { - 0x1e01b0001e022, - 0x1e0230001e025, - 0x1e0260001e02b, -- 0x1e0300001e06e, - 0x1e08f0001e090, - 0x1e1000001e12d, - 0x1e1300001e13e, -@@ -2134,6 +4227,7 @@ codepoint_classes = { - 0x2b7400002b81e, - 0x2b8200002cea2, - 0x2ceb00002ebe1, -+ 0x2ebf00002ee5e, - 0x300000003134b, - 0x31350000323b0, - ), -diff --git a/src/pip/_vendor/idna/package_data.py b/src/pip/_vendor/idna/package_data.py -index 8501893..ed81113 100644 ---- a/src/pip/_vendor/idna/package_data.py -+++ b/src/pip/_vendor/idna/package_data.py -@@ -1,2 +1,2 @@ --__version__ = '3.4' -+__version__ = '3.7' - -diff --git a/src/pip/_vendor/idna/uts46data.py b/src/pip/_vendor/idna/uts46data.py -index 186796c..6a1eddb 100644 ---- a/src/pip/_vendor/idna/uts46data.py -+++ b/src/pip/_vendor/idna/uts46data.py -@@ -7,7 +7,7 @@ from typing import List, Tuple, Union - """IDNA Mapping Table from UTS46.""" - - --__version__ = '15.0.0' -+__version__ = '15.1.0' - def _seg_0() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - return [ - (0x0, '3'), -@@ -1899,7 +1899,7 @@ def _seg_18() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1E9A, 'M', 'aʾ'), - (0x1E9B, 'M', 'ṡ'), - (0x1E9C, 'V'), -- (0x1E9E, 'M', 'ss'), -+ (0x1E9E, 'M', 'ß'), - (0x1E9F, 'V'), - (0x1EA0, 'M', 'ạ'), - (0x1EA1, 'V'), -@@ -2418,10 +2418,6 @@ def _seg_23() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x222F, 'M', '∮∮'), - (0x2230, 'M', '∮∮∮'), - (0x2231, 
'V'), -- (0x2260, '3'), -- (0x2261, 'V'), -- (0x226E, '3'), -- (0x2270, 'V'), - (0x2329, 'M', '〈'), - (0x232A, 'M', '〉'), - (0x232B, 'V'), -@@ -2502,14 +2498,14 @@ def _seg_23() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x24BA, 'M', 'e'), - (0x24BB, 'M', 'f'), - (0x24BC, 'M', 'g'), -- ] -- --def _seg_24() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x24BD, 'M', 'h'), - (0x24BE, 'M', 'i'), - (0x24BF, 'M', 'j'), - (0x24C0, 'M', 'k'), -+ ] -+ -+def _seg_24() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x24C1, 'M', 'l'), - (0x24C2, 'M', 'm'), - (0x24C3, 'M', 'n'), -@@ -2606,14 +2602,14 @@ def _seg_24() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x2C26, 'M', 'ⱖ'), - (0x2C27, 'M', 'ⱗ'), - (0x2C28, 'M', 'ⱘ'), -- ] -- --def _seg_25() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x2C29, 'M', 'ⱙ'), - (0x2C2A, 'M', 'ⱚ'), - (0x2C2B, 'M', 'ⱛ'), - (0x2C2C, 'M', 'ⱜ'), -+ ] -+ -+def _seg_25() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x2C2D, 'M', 'ⱝ'), - (0x2C2E, 'M', 'ⱞ'), - (0x2C2F, 'M', 'ⱟ'), -@@ -2710,14 +2706,14 @@ def _seg_25() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x2CC0, 'M', 'ⳁ'), - (0x2CC1, 'V'), - (0x2CC2, 'M', 'ⳃ'), -- ] -- --def _seg_26() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x2CC3, 'V'), - (0x2CC4, 'M', 'ⳅ'), - (0x2CC5, 'V'), - (0x2CC6, 'M', 'ⳇ'), -+ ] -+ -+def _seg_26() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x2CC7, 'V'), - (0x2CC8, 'M', 'ⳉ'), - (0x2CC9, 'V'), -@@ -2814,14 +2810,14 @@ def _seg_26() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x2F13, 'M', '勹'), - (0x2F14, 'M', '匕'), - (0x2F15, 'M', '匚'), -- ] -- --def _seg_27() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x2F16, 'M', '匸'), - (0x2F17, 'M', '十'), - (0x2F18, 'M', '卜'), - (0x2F19, 'M', '卩'), -+ ] -+ -+def _seg_27() -> List[Union[Tuple[int, str], 
Tuple[int, str, str]]]: -+ return [ - (0x2F1A, 'M', '厂'), - (0x2F1B, 'M', '厶'), - (0x2F1C, 'M', '又'), -@@ -2918,14 +2914,14 @@ def _seg_27() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x2F77, 'M', '糸'), - (0x2F78, 'M', '缶'), - (0x2F79, 'M', '网'), -- ] -- --def _seg_28() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x2F7A, 'M', '羊'), - (0x2F7B, 'M', '羽'), - (0x2F7C, 'M', '老'), - (0x2F7D, 'M', '而'), -+ ] -+ -+def _seg_28() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x2F7E, 'M', '耒'), - (0x2F7F, 'M', '耳'), - (0x2F80, 'M', '聿'), -@@ -3022,14 +3018,14 @@ def _seg_28() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x3036, 'M', '〒'), - (0x3037, 'V'), - (0x3038, 'M', '十'), -- ] -- --def _seg_29() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x3039, 'M', '卄'), - (0x303A, 'M', '卅'), - (0x303B, 'V'), - (0x3040, 'X'), -+ ] -+ -+def _seg_29() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x3041, 'V'), - (0x3097, 'X'), - (0x3099, 'V'), -@@ -3126,14 +3122,14 @@ def _seg_29() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x3182, 'M', 'ᇱ'), - (0x3183, 'M', 'ᇲ'), - (0x3184, 'M', 'ᅗ'), -- ] -- --def _seg_30() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x3185, 'M', 'ᅘ'), - (0x3186, 'M', 'ᅙ'), - (0x3187, 'M', 'ᆄ'), - (0x3188, 'M', 'ᆅ'), -+ ] -+ -+def _seg_30() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x3189, 'M', 'ᆈ'), - (0x318A, 'M', 'ᆑ'), - (0x318B, 'M', 'ᆒ'), -@@ -3230,14 +3226,14 @@ def _seg_30() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x3244, 'M', '問'), - (0x3245, 'M', '幼'), - (0x3246, 'M', '文'), -- ] -- --def _seg_31() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x3247, 'M', '箏'), - (0x3248, 'V'), - (0x3250, 'M', 'pte'), - (0x3251, 'M', '21'), -+ ] -+ -+def _seg_31() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x3252, 
'M', '22'), - (0x3253, 'M', '23'), - (0x3254, 'M', '24'), -@@ -3334,14 +3330,14 @@ def _seg_31() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x32AF, 'M', '協'), - (0x32B0, 'M', '夜'), - (0x32B1, 'M', '36'), -- ] -- --def _seg_32() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x32B2, 'M', '37'), - (0x32B3, 'M', '38'), - (0x32B4, 'M', '39'), - (0x32B5, 'M', '40'), -+ ] -+ -+def _seg_32() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x32B6, 'M', '41'), - (0x32B7, 'M', '42'), - (0x32B8, 'M', '43'), -@@ -3438,14 +3434,14 @@ def _seg_32() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x3313, 'M', 'ギルダー'), - (0x3314, 'M', 'キロ'), - (0x3315, 'M', 'キログラム'), -- ] -- --def _seg_33() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x3316, 'M', 'キロメートル'), - (0x3317, 'M', 'キロワット'), - (0x3318, 'M', 'グラム'), - (0x3319, 'M', 'グラムトン'), -+ ] -+ -+def _seg_33() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x331A, 'M', 'クルゼイロ'), - (0x331B, 'M', 'クローネ'), - (0x331C, 'M', 'ケース'), -@@ -3542,14 +3538,14 @@ def _seg_33() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x3377, 'M', 'dm'), - (0x3378, 'M', 'dm2'), - (0x3379, 'M', 'dm3'), -- ] -- --def _seg_34() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x337A, 'M', 'iu'), - (0x337B, 'M', '平成'), - (0x337C, 'M', '昭和'), - (0x337D, 'M', '大正'), -+ ] -+ -+def _seg_34() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x337E, 'M', '明治'), - (0x337F, 'M', '株式会社'), - (0x3380, 'M', 'pa'), -@@ -3646,14 +3642,14 @@ def _seg_34() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x33DB, 'M', 'sr'), - (0x33DC, 'M', 'sv'), - (0x33DD, 'M', 'wb'), -- ] -- --def _seg_35() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x33DE, 'M', 'v∕m'), - (0x33DF, 'M', 'a∕m'), - (0x33E0, 'M', '1日'), - (0x33E1, 'M', '2日'), -+ ] -+ -+def _seg_35() -> List[Union[Tuple[int, 
str], Tuple[int, str, str]]]: -+ return [ - (0x33E2, 'M', '3日'), - (0x33E3, 'M', '4日'), - (0x33E4, 'M', '5日'), -@@ -3750,14 +3746,14 @@ def _seg_35() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xA68B, 'V'), - (0xA68C, 'M', 'ꚍ'), - (0xA68D, 'V'), -- ] -- --def _seg_36() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xA68E, 'M', 'ꚏ'), - (0xA68F, 'V'), - (0xA690, 'M', 'ꚑ'), - (0xA691, 'V'), -+ ] -+ -+def _seg_36() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xA692, 'M', 'ꚓ'), - (0xA693, 'V'), - (0xA694, 'M', 'ꚕ'), -@@ -3854,14 +3850,14 @@ def _seg_36() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xA779, 'M', 'ꝺ'), - (0xA77A, 'V'), - (0xA77B, 'M', 'ꝼ'), -- ] -- --def _seg_37() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xA77C, 'V'), - (0xA77D, 'M', 'ᵹ'), - (0xA77E, 'M', 'ꝿ'), - (0xA77F, 'V'), -+ ] -+ -+def _seg_37() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xA780, 'M', 'ꞁ'), - (0xA781, 'V'), - (0xA782, 'M', 'ꞃ'), -@@ -3958,14 +3954,14 @@ def _seg_37() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xA878, 'X'), - (0xA880, 'V'), - (0xA8C6, 'X'), -- ] -- --def _seg_38() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xA8CE, 'V'), - (0xA8DA, 'X'), - (0xA8E0, 'V'), - (0xA954, 'X'), -+ ] -+ -+def _seg_38() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xA95F, 'V'), - (0xA97D, 'X'), - (0xA980, 'V'), -@@ -4062,14 +4058,14 @@ def _seg_38() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xABA8, 'M', 'Ꮨ'), - (0xABA9, 'M', 'Ꮩ'), - (0xABAA, 'M', 'Ꮪ'), -- ] -- --def _seg_39() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xABAB, 'M', 'Ꮫ'), - (0xABAC, 'M', 'Ꮬ'), - (0xABAD, 'M', 'Ꮭ'), - (0xABAE, 'M', 'Ꮮ'), -+ ] -+ -+def _seg_39() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xABAF, 'M', 'Ꮯ'), - (0xABB0, 'M', 'Ꮰ'), - (0xABB1, 'M', 'Ꮱ'), 
-@@ -4166,14 +4162,14 @@ def _seg_39() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xF943, 'M', '弄'), - (0xF944, 'M', '籠'), - (0xF945, 'M', '聾'), -- ] -- --def _seg_40() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xF946, 'M', '牢'), - (0xF947, 'M', '磊'), - (0xF948, 'M', '賂'), - (0xF949, 'M', '雷'), -+ ] -+ -+def _seg_40() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xF94A, 'M', '壘'), - (0xF94B, 'M', '屢'), - (0xF94C, 'M', '樓'), -@@ -4270,14 +4266,14 @@ def _seg_40() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xF9A7, 'M', '獵'), - (0xF9A8, 'M', '令'), - (0xF9A9, 'M', '囹'), -- ] -- --def _seg_41() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xF9AA, 'M', '寧'), - (0xF9AB, 'M', '嶺'), - (0xF9AC, 'M', '怜'), - (0xF9AD, 'M', '玲'), -+ ] -+ -+def _seg_41() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xF9AE, 'M', '瑩'), - (0xF9AF, 'M', '羚'), - (0xF9B0, 'M', '聆'), -@@ -4374,14 +4370,14 @@ def _seg_41() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFA0B, 'M', '廓'), - (0xFA0C, 'M', '兀'), - (0xFA0D, 'M', '嗀'), -- ] -- --def _seg_42() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFA0E, 'V'), - (0xFA10, 'M', '塚'), - (0xFA11, 'V'), - (0xFA12, 'M', '晴'), -+ ] -+ -+def _seg_42() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFA13, 'V'), - (0xFA15, 'M', '凞'), - (0xFA16, 'M', '猪'), -@@ -4478,14 +4474,14 @@ def _seg_42() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFA76, 'M', '勇'), - (0xFA77, 'M', '勺'), - (0xFA78, 'M', '喝'), -- ] -- --def _seg_43() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFA79, 'M', '啕'), - (0xFA7A, 'M', '喙'), - (0xFA7B, 'M', '嗢'), - (0xFA7C, 'M', '塚'), -+ ] -+ -+def _seg_43() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFA7D, 'M', '墳'), - (0xFA7E, 'M', '奄'), - (0xFA7F, 'M', '奔'), -@@ -4582,14 +4578,14 @@ def 
_seg_43() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFADA, 'X'), - (0xFB00, 'M', 'ff'), - (0xFB01, 'M', 'fi'), -- ] -- --def _seg_44() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFB02, 'M', 'fl'), - (0xFB03, 'M', 'ffi'), - (0xFB04, 'M', 'ffl'), - (0xFB05, 'M', 'st'), -+ ] -+ -+def _seg_44() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFB07, 'X'), - (0xFB13, 'M', 'մն'), - (0xFB14, 'M', 'մե'), -@@ -4686,14 +4682,14 @@ def _seg_44() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFBDB, 'M', 'ۈ'), - (0xFBDD, 'M', 'ۇٴ'), - (0xFBDE, 'M', 'ۋ'), -- ] -- --def _seg_45() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFBE0, 'M', 'ۅ'), - (0xFBE2, 'M', 'ۉ'), - (0xFBE4, 'M', 'ې'), - (0xFBE8, 'M', 'ى'), -+ ] -+ -+def _seg_45() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFBEA, 'M', 'ئا'), - (0xFBEC, 'M', 'ئە'), - (0xFBEE, 'M', 'ئو'), -@@ -4790,14 +4786,14 @@ def _seg_45() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFC54, 'M', 'هي'), - (0xFC55, 'M', 'يج'), - (0xFC56, 'M', 'يح'), -- ] -- --def _seg_46() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFC57, 'M', 'يخ'), - (0xFC58, 'M', 'يم'), - (0xFC59, 'M', 'يى'), - (0xFC5A, 'M', 'يي'), -+ ] -+ -+def _seg_46() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFC5B, 'M', 'ذٰ'), - (0xFC5C, 'M', 'رٰ'), - (0xFC5D, 'M', 'ىٰ'), -@@ -4894,14 +4890,14 @@ def _seg_46() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFCB8, 'M', 'طح'), - (0xFCB9, 'M', 'ظم'), - (0xFCBA, 'M', 'عج'), -- ] -- --def _seg_47() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFCBB, 'M', 'عم'), - (0xFCBC, 'M', 'غج'), - (0xFCBD, 'M', 'غم'), - (0xFCBE, 'M', 'فج'), -+ ] -+ -+def _seg_47() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFCBF, 'M', 'فح'), - (0xFCC0, 'M', 'فخ'), - (0xFCC1, 'M', 'فم'), -@@ -4998,14 
+4994,14 @@ def _seg_47() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFD1C, 'M', 'حي'), - (0xFD1D, 'M', 'جى'), - (0xFD1E, 'M', 'جي'), -- ] -- --def _seg_48() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFD1F, 'M', 'خى'), - (0xFD20, 'M', 'خي'), - (0xFD21, 'M', 'صى'), - (0xFD22, 'M', 'صي'), -+ ] -+ -+def _seg_48() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFD23, 'M', 'ضى'), - (0xFD24, 'M', 'ضي'), - (0xFD25, 'M', 'شج'), -@@ -5102,14 +5098,14 @@ def _seg_48() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFDA4, 'M', 'تمى'), - (0xFDA5, 'M', 'جمي'), - (0xFDA6, 'M', 'جحى'), -- ] -- --def _seg_49() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFDA7, 'M', 'جمى'), - (0xFDA8, 'M', 'سخى'), - (0xFDA9, 'M', 'صحي'), - (0xFDAA, 'M', 'شحي'), -+ ] -+ -+def _seg_49() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFDAB, 'M', 'ضحي'), - (0xFDAC, 'M', 'لجي'), - (0xFDAD, 'M', 'لمي'), -@@ -5206,14 +5202,14 @@ def _seg_49() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFE5B, '3', '{'), - (0xFE5C, '3', '}'), - (0xFE5D, 'M', '〔'), -- ] -- --def _seg_50() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFE5E, 'M', '〕'), - (0xFE5F, '3', '#'), - (0xFE60, '3', '&'), - (0xFE61, '3', '*'), -+ ] -+ -+def _seg_50() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFE62, '3', '+'), - (0xFE63, 'M', '-'), - (0xFE64, '3', '<'), -@@ -5310,14 +5306,14 @@ def _seg_50() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFF18, 'M', '8'), - (0xFF19, 'M', '9'), - (0xFF1A, '3', ':'), -- ] -- --def _seg_51() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFF1B, '3', ';'), - (0xFF1C, '3', '<'), - (0xFF1D, '3', '='), - (0xFF1E, '3', '>'), -+ ] -+ -+def _seg_51() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFF1F, '3', '?'), - (0xFF20, '3', '@'), - (0xFF21, 'M', 
'a'), -@@ -5414,14 +5410,14 @@ def _seg_51() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFF7C, 'M', 'シ'), - (0xFF7D, 'M', 'ス'), - (0xFF7E, 'M', 'セ'), -- ] -- --def _seg_52() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFF7F, 'M', 'ソ'), - (0xFF80, 'M', 'タ'), - (0xFF81, 'M', 'チ'), - (0xFF82, 'M', 'ツ'), -+ ] -+ -+def _seg_52() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFF83, 'M', 'テ'), - (0xFF84, 'M', 'ト'), - (0xFF85, 'M', 'ナ'), -@@ -5518,14 +5514,14 @@ def _seg_52() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0xFFE7, 'X'), - (0xFFE8, 'M', '│'), - (0xFFE9, 'M', '←'), -- ] -- --def _seg_53() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0xFFEA, 'M', '↑'), - (0xFFEB, 'M', '→'), - (0xFFEC, 'M', '↓'), - (0xFFED, 'M', '■'), -+ ] -+ -+def _seg_53() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0xFFEE, 'M', '○'), - (0xFFEF, 'X'), - (0x10000, 'V'), -@@ -5622,14 +5618,14 @@ def _seg_53() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x104B3, 'M', '𐓛'), - (0x104B4, 'M', '𐓜'), - (0x104B5, 'M', '𐓝'), -- ] -- --def _seg_54() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x104B6, 'M', '𐓞'), - (0x104B7, 'M', '𐓟'), - (0x104B8, 'M', '𐓠'), - (0x104B9, 'M', '𐓡'), -+ ] -+ -+def _seg_54() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x104BA, 'M', '𐓢'), - (0x104BB, 'M', '𐓣'), - (0x104BC, 'M', '𐓤'), -@@ -5726,14 +5722,14 @@ def _seg_54() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x10786, 'X'), - (0x10787, 'M', 'ʣ'), - (0x10788, 'M', 'ꭦ'), -- ] -- --def _seg_55() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x10789, 'M', 'ʥ'), - (0x1078A, 'M', 'ʤ'), - (0x1078B, 'M', 'ɖ'), - (0x1078C, 'M', 'ɗ'), -+ ] -+ -+def _seg_55() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1078D, 'M', 'ᶑ'), - (0x1078E, 'M', 'ɘ'), - (0x1078F, 'M', 'ɞ'), -@@ 
-5830,14 +5826,14 @@ def _seg_55() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x10A60, 'V'), - (0x10AA0, 'X'), - (0x10AC0, 'V'), -- ] -- --def _seg_56() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x10AE7, 'X'), - (0x10AEB, 'V'), - (0x10AF7, 'X'), - (0x10B00, 'V'), -+ ] -+ -+def _seg_56() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x10B36, 'X'), - (0x10B39, 'V'), - (0x10B56, 'X'), -@@ -5934,14 +5930,14 @@ def _seg_56() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1107F, 'V'), - (0x110BD, 'X'), - (0x110BE, 'V'), -- ] -- --def _seg_57() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x110C3, 'X'), - (0x110D0, 'V'), - (0x110E9, 'X'), - (0x110F0, 'V'), -+ ] -+ -+def _seg_57() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x110FA, 'X'), - (0x11100, 'V'), - (0x11135, 'X'), -@@ -6038,14 +6034,14 @@ def _seg_57() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x118A4, 'M', '𑣄'), - (0x118A5, 'M', '𑣅'), - (0x118A6, 'M', '𑣆'), -- ] -- --def _seg_58() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x118A7, 'M', '𑣇'), - (0x118A8, 'M', '𑣈'), - (0x118A9, 'M', '𑣉'), - (0x118AA, 'M', '𑣊'), -+ ] -+ -+def _seg_58() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x118AB, 'M', '𑣋'), - (0x118AC, 'M', '𑣌'), - (0x118AD, 'M', '𑣍'), -@@ -6142,14 +6138,14 @@ def _seg_58() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x11EE0, 'V'), - (0x11EF9, 'X'), - (0x11F00, 'V'), -- ] -- --def _seg_59() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x11F11, 'X'), - (0x11F12, 'V'), - (0x11F3B, 'X'), - (0x11F3E, 'V'), -+ ] -+ -+def _seg_59() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x11F5A, 'X'), - (0x11FB0, 'V'), - (0x11FB1, 'X'), -@@ -6246,14 +6242,14 @@ def _seg_59() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x18D00, 'V'), - (0x18D09, 'X'), 
- (0x1AFF0, 'V'), -- ] -- --def _seg_60() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1AFF4, 'X'), - (0x1AFF5, 'V'), - (0x1AFFC, 'X'), - (0x1AFFD, 'V'), -+ ] -+ -+def _seg_60() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1AFFF, 'X'), - (0x1B000, 'V'), - (0x1B123, 'X'), -@@ -6350,14 +6346,14 @@ def _seg_60() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1D41E, 'M', 'e'), - (0x1D41F, 'M', 'f'), - (0x1D420, 'M', 'g'), -- ] -- --def _seg_61() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1D421, 'M', 'h'), - (0x1D422, 'M', 'i'), - (0x1D423, 'M', 'j'), - (0x1D424, 'M', 'k'), -+ ] -+ -+def _seg_61() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1D425, 'M', 'l'), - (0x1D426, 'M', 'm'), - (0x1D427, 'M', 'n'), -@@ -6454,14 +6450,14 @@ def _seg_61() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1D482, 'M', 'a'), - (0x1D483, 'M', 'b'), - (0x1D484, 'M', 'c'), -- ] -- --def _seg_62() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1D485, 'M', 'd'), - (0x1D486, 'M', 'e'), - (0x1D487, 'M', 'f'), - (0x1D488, 'M', 'g'), -+ ] -+ -+def _seg_62() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1D489, 'M', 'h'), - (0x1D48A, 'M', 'i'), - (0x1D48B, 'M', 'j'), -@@ -6558,14 +6554,14 @@ def _seg_62() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1D4E9, 'M', 'z'), - (0x1D4EA, 'M', 'a'), - (0x1D4EB, 'M', 'b'), -- ] -- --def _seg_63() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1D4EC, 'M', 'c'), - (0x1D4ED, 'M', 'd'), - (0x1D4EE, 'M', 'e'), - (0x1D4EF, 'M', 'f'), -+ ] -+ -+def _seg_63() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1D4F0, 'M', 'g'), - (0x1D4F1, 'M', 'h'), - (0x1D4F2, 'M', 'i'), -@@ -6662,14 +6658,14 @@ def _seg_63() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1D550, 'M', 'y'), - (0x1D551, 'X'), - (0x1D552, 'M', 
'a'), -- ] -- --def _seg_64() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1D553, 'M', 'b'), - (0x1D554, 'M', 'c'), - (0x1D555, 'M', 'd'), - (0x1D556, 'M', 'e'), -+ ] -+ -+def _seg_64() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1D557, 'M', 'f'), - (0x1D558, 'M', 'g'), - (0x1D559, 'M', 'h'), -@@ -6766,14 +6762,14 @@ def _seg_64() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1D5B4, 'M', 'u'), - (0x1D5B5, 'M', 'v'), - (0x1D5B6, 'M', 'w'), -- ] -- --def _seg_65() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1D5B7, 'M', 'x'), - (0x1D5B8, 'M', 'y'), - (0x1D5B9, 'M', 'z'), - (0x1D5BA, 'M', 'a'), -+ ] -+ -+def _seg_65() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1D5BB, 'M', 'b'), - (0x1D5BC, 'M', 'c'), - (0x1D5BD, 'M', 'd'), -@@ -6870,14 +6866,14 @@ def _seg_65() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1D618, 'M', 'q'), - (0x1D619, 'M', 'r'), - (0x1D61A, 'M', 's'), -- ] -- --def _seg_66() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1D61B, 'M', 't'), - (0x1D61C, 'M', 'u'), - (0x1D61D, 'M', 'v'), - (0x1D61E, 'M', 'w'), -+ ] -+ -+def _seg_66() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1D61F, 'M', 'x'), - (0x1D620, 'M', 'y'), - (0x1D621, 'M', 'z'), -@@ -6974,14 +6970,14 @@ def _seg_66() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1D67C, 'M', 'm'), - (0x1D67D, 'M', 'n'), - (0x1D67E, 'M', 'o'), -- ] -- --def _seg_67() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1D67F, 'M', 'p'), - (0x1D680, 'M', 'q'), - (0x1D681, 'M', 'r'), - (0x1D682, 'M', 's'), -+ ] -+ -+def _seg_67() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1D683, 'M', 't'), - (0x1D684, 'M', 'u'), - (0x1D685, 'M', 'v'), -@@ -7078,14 +7074,14 @@ def _seg_67() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1D6E2, 'M', 'α'), - (0x1D6E3, 
'M', 'β'), - (0x1D6E4, 'M', 'γ'), -- ] -- --def _seg_68() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1D6E5, 'M', 'δ'), - (0x1D6E6, 'M', 'ε'), - (0x1D6E7, 'M', 'ζ'), - (0x1D6E8, 'M', 'η'), -+ ] -+ -+def _seg_68() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1D6E9, 'M', 'θ'), - (0x1D6EA, 'M', 'ι'), - (0x1D6EB, 'M', 'κ'), -@@ -7182,14 +7178,14 @@ def _seg_68() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1D747, 'M', 'σ'), - (0x1D749, 'M', 'τ'), - (0x1D74A, 'M', 'υ'), -- ] -- --def _seg_69() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1D74B, 'M', 'φ'), - (0x1D74C, 'M', 'χ'), - (0x1D74D, 'M', 'ψ'), - (0x1D74E, 'M', 'ω'), -+ ] -+ -+def _seg_69() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1D74F, 'M', '∂'), - (0x1D750, 'M', 'ε'), - (0x1D751, 'M', 'θ'), -@@ -7286,14 +7282,14 @@ def _seg_69() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1D7AD, 'M', 'δ'), - (0x1D7AE, 'M', 'ε'), - (0x1D7AF, 'M', 'ζ'), -- ] -- --def _seg_70() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1D7B0, 'M', 'η'), - (0x1D7B1, 'M', 'θ'), - (0x1D7B2, 'M', 'ι'), - (0x1D7B3, 'M', 'κ'), -+ ] -+ -+def _seg_70() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1D7B4, 'M', 'λ'), - (0x1D7B5, 'M', 'μ'), - (0x1D7B6, 'M', 'ν'), -@@ -7390,14 +7386,14 @@ def _seg_70() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1E030, 'M', 'а'), - (0x1E031, 'M', 'б'), - (0x1E032, 'M', 'в'), -- ] -- --def _seg_71() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1E033, 'M', 'г'), - (0x1E034, 'M', 'д'), - (0x1E035, 'M', 'е'), - (0x1E036, 'M', 'ж'), -+ ] -+ -+def _seg_71() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1E037, 'M', 'з'), - (0x1E038, 'M', 'и'), - (0x1E039, 'M', 'к'), -@@ -7494,14 +7490,14 @@ def _seg_71() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - 
(0x1E907, 'M', '𞤩'), - (0x1E908, 'M', '𞤪'), - (0x1E909, 'M', '𞤫'), -- ] -- --def _seg_72() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1E90A, 'M', '𞤬'), - (0x1E90B, 'M', '𞤭'), - (0x1E90C, 'M', '𞤮'), - (0x1E90D, 'M', '𞤯'), -+ ] -+ -+def _seg_72() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1E90E, 'M', '𞤰'), - (0x1E90F, 'M', '𞤱'), - (0x1E910, 'M', '𞤲'), -@@ -7598,14 +7594,14 @@ def _seg_72() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1EE48, 'X'), - (0x1EE49, 'M', 'ي'), - (0x1EE4A, 'X'), -- ] -- --def _seg_73() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1EE4B, 'M', 'ل'), - (0x1EE4C, 'X'), - (0x1EE4D, 'M', 'ن'), - (0x1EE4E, 'M', 'س'), -+ ] -+ -+def _seg_73() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1EE4F, 'M', 'ع'), - (0x1EE50, 'X'), - (0x1EE51, 'M', 'ص'), -@@ -7702,14 +7698,14 @@ def _seg_73() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1EEB2, 'M', 'ق'), - (0x1EEB3, 'M', 'ر'), - (0x1EEB4, 'M', 'ش'), -- ] -- --def _seg_74() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1EEB5, 'M', 'ت'), - (0x1EEB6, 'M', 'ث'), - (0x1EEB7, 'M', 'خ'), - (0x1EEB8, 'M', 'ذ'), -+ ] -+ -+def _seg_74() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1EEB9, 'M', 'ض'), - (0x1EEBA, 'M', 'ظ'), - (0x1EEBB, 'M', 'غ'), -@@ -7806,14 +7802,14 @@ def _seg_74() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1F150, 'V'), - (0x1F16A, 'M', 'mc'), - (0x1F16B, 'M', 'md'), -- ] -- --def _seg_75() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1F16C, 'M', 'mr'), - (0x1F16D, 'V'), - (0x1F190, 'M', 'dj'), - (0x1F191, 'V'), -+ ] -+ -+def _seg_75() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1F1AE, 'X'), - (0x1F1E6, 'V'), - (0x1F200, 'M', 'ほか'), -@@ -7910,14 +7906,14 @@ def _seg_75() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x1FA54, 'X'), 
- (0x1FA60, 'V'), - (0x1FA6E, 'X'), -- ] -- --def _seg_76() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -- return [ - (0x1FA70, 'V'), - (0x1FA7D, 'X'), - (0x1FA80, 'V'), - (0x1FA89, 'X'), -+ ] -+ -+def _seg_76() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: -+ return [ - (0x1FA90, 'V'), - (0x1FABE, 'X'), - (0x1FABF, 'V'), -@@ -7953,6 +7949,8 @@ def _seg_76() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x2CEA2, 'X'), - (0x2CEB0, 'V'), - (0x2EBE1, 'X'), -+ (0x2EBF0, 'V'), -+ (0x2EE5E, 'X'), - (0x2F800, 'M', '丽'), - (0x2F801, 'M', '丸'), - (0x2F802, 'M', '乁'), -@@ -8014,12 +8012,12 @@ def _seg_76() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x2F83C, 'M', '咞'), - (0x2F83D, 'M', '吸'), - (0x2F83E, 'M', '呈'), -+ (0x2F83F, 'M', '周'), -+ (0x2F840, 'M', '咢'), - ] - - def _seg_77() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - return [ -- (0x2F83F, 'M', '周'), -- (0x2F840, 'M', '咢'), - (0x2F841, 'M', '哶'), - (0x2F842, 'M', '唐'), - (0x2F843, 'M', '啓'), -@@ -8118,12 +8116,12 @@ def _seg_77() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x2F8A4, 'M', '𢛔'), - (0x2F8A5, 'M', '惇'), - (0x2F8A6, 'M', '慈'), -+ (0x2F8A7, 'M', '慌'), -+ (0x2F8A8, 'M', '慎'), - ] - - def _seg_78() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - return [ -- (0x2F8A7, 'M', '慌'), -- (0x2F8A8, 'M', '慎'), - (0x2F8A9, 'M', '慌'), - (0x2F8AA, 'M', '慺'), - (0x2F8AB, 'M', '憎'), -@@ -8222,12 +8220,12 @@ def _seg_78() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x2F908, 'M', '港'), - (0x2F909, 'M', '湮'), - (0x2F90A, 'M', '㴳'), -+ (0x2F90B, 'M', '滋'), -+ (0x2F90C, 'M', '滇'), - ] - - def _seg_79() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - return [ -- (0x2F90B, 'M', '滋'), -- (0x2F90C, 'M', '滇'), - (0x2F90D, 'M', '𣻑'), - (0x2F90E, 'M', '淹'), - (0x2F90F, 'M', '潮'), -@@ -8326,12 +8324,12 @@ def _seg_79() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x2F96F, 'M', '縂'), - (0x2F970, 'M', '繅'), - (0x2F971, 
'M', '䌴'), -+ (0x2F972, 'M', '𦈨'), -+ (0x2F973, 'M', '𦉇'), - ] - - def _seg_80() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - return [ -- (0x2F972, 'M', '𦈨'), -- (0x2F973, 'M', '𦉇'), - (0x2F974, 'M', '䍙'), - (0x2F975, 'M', '𦋙'), - (0x2F976, 'M', '罺'), -@@ -8430,12 +8428,12 @@ def _seg_80() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - (0x2F9D3, 'M', '𧲨'), - (0x2F9D4, 'M', '貫'), - (0x2F9D5, 'M', '賁'), -+ (0x2F9D6, 'M', '贛'), -+ (0x2F9D7, 'M', '起'), - ] - - def _seg_81() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]: - return [ -- (0x2F9D6, 'M', '贛'), -- (0x2F9D7, 'M', '起'), - (0x2F9D8, 'M', '𧼯'), - (0x2F9D9, 'M', '𠠄'), - (0x2F9DA, 'M', '跋'), -diff --git a/src/pip/_vendor/vendor.txt b/src/pip/_vendor/vendor.txt -index 5554c38..c5a8eba 100644 ---- a/src/pip/_vendor/vendor.txt -+++ b/src/pip/_vendor/vendor.txt -@@ -10,7 +10,7 @@ pyproject-hooks==1.0.0 - requests==2.31.0 - certifi==2023.7.22 - chardet==5.1.0 -- idna==3.4 -+ idna==3.7 - urllib3==1.26.17 - rich==13.4.2 - pygments==2.15.1 --- -2.34.1 - diff --git a/SPECS/python-pip/python-pip.signatures.json b/SPECS/python-pip/python-pip.signatures.json index 5178537e9ed..097d8fdf5c4 100644 --- a/SPECS/python-pip/python-pip.signatures.json +++ b/SPECS/python-pip/python-pip.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "pip-24.0.tar.gz": "ad0dfe75fb28092a8cbe18523391695ceb0c0d65a5c9a969349fcb13b12b84c7" + "pip-24.2.tar.gz": "e527f2366551b8483fa3a8ac2954aa79f2461e6600d917f3b6ae741d708cb982" } -} +} \ No newline at end of file diff --git a/SPECS/python-pip/python-pip.spec b/SPECS/python-pip/python-pip.spec index e09af894801..937f94d1e9b 100644 --- a/SPECS/python-pip/python-pip.spec +++ b/SPECS/python-pip/python-pip.spec 
@@ -4,15 +4,14 @@ A tool for installing and managing Python packages} Summary: A tool for installing and managing Python packages Name: python-pip -Version: 24.0 -Release: 2%{?dist} +Version: 24.2 +Release: 1%{?dist} License: MIT AND Python-2.0.1 AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND LGPL-2.1-only AND MPL-2.0 AND (Apache-2.0 OR BSD-2-Clause) Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Tools URL: https://pip.pypa.io/ Source0: https://github.com/pypa/pip/archive/%{version}/%{srcname}-%{version}.tar.gz -Patch0: CVE-2024-3651.patch BuildArch: noarch @@ -40,11 +39,11 @@ BuildRequires: python3-wheel # NOTE: This is a NO-OP for the toolchain build. %{__python3} %{_libdir}/python%{python3_version}/ensurepip -%py3_build_wheel +%pyproject_wheel %install -pip3 install --no-cache-dir --no-index --ignore-installed --root %{buildroot} \ - --no-user --find-links dist pip +%pyproject_install +%pyproject_save_files %{srcname} %files -n python3-pip %defattr(-,root,root,755) @@ -52,6 +51,11 @@ pip3 install --no-cache-dir --no-index --ignore-installed --root %{buildroot} \ %{python3_sitelib}/pip* %changelog +* Wed Oct 23 2024 Bala - 24.2.1 +- Upgrade to 24.2 for fixing CVE-2024-6345 +- Update build and install steps for toml based build +- Remove CVE-2024-3651.patch as the fix is included in latest version + * Wed Aug 28 2024 Rachel Menge - 24.0-2 - Patch CVE-2024-3651.patch - Add python3-wheel BR to python3-pip subpackage diff --git a/cgmanifest.json b/cgmanifest.json index 80d7f38d2e3..9f2450a85a0 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -23563,8 +23563,8 @@ "type": "other", "other": { "name": "python-pip", - "version": "24.0", - "downloadUrl": "https://github.com/pypa/pip/archive/24.0/pip-24.0.tar.gz" + "version": "24.2", + "downloadUrl": "https://github.com/pypa/pip/archive/24.2/pip-24.2.tar.gz" } } }, 
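Review bot: Dropping `Patch0: CVE-2024-3651.patch` is only safe if the 24.2 tarball itself vendors idna 3.7 or later, and nothing in this diff shows that. The deleted patch is what moved `src/pip/_vendor/vendor.txt` from `idna==3.4` to `idna==3.7`, so the pin in the 24.2 source's `vendor.txt` should be confirmed before merge. Separately, the changelog header added further down this file reads `24.2.1`, while `Version: 24.2` and `Release: 1%{?dist}` give `24.2-1`; the previous entry uses the `24.0-2` form.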
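Review bot: `%pyproject_save_files %{srcname}` generates a file list that the `%files -n python3-pip` section never consumes, since that section still relies on the `%{python3_sitelib}/pip*` glob visible in the next hunk. Either drop the macro or use its output with `%files -n python3-pip -f %{pyproject_files}`, so the packaged set is exactly what the build installed. The removed `pip3 install` line passed `--no-index` explicitly; a one-line spec comment stating that the `%pyproject_*` macros also build without reaching an index (to be confirmed for this toolchain) would keep that guarantee visible.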
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 18b29872929..c7a3b321b7e 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -547,7 +547,7 @@ python3-magic-5.45-1.azl3.noarch.rpm python3-markupsafe-2.1.3-1.azl3.aarch64.rpm python3-newt-0.52.23-1.azl3.aarch64.rpm python3-packaging-23.2-3.azl3.noarch.rpm -python3-pip-24.0-2.azl3.noarch.rpm +python3-pip-24.2-1.azl3.noarch.rpm python3-pygments-2.7.4-2.azl3.noarch.rpm python3-rpm-4.18.2-1.azl3.aarch64.rpm python3-rpm-generators-14-11.azl3.noarch.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 7114aef4104..3e545055954 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -553,7 +553,7 @@ python3-magic-5.45-1.azl3.noarch.rpm python3-markupsafe-2.1.3-1.azl3.x86_64.rpm python3-newt-0.52.23-1.azl3.x86_64.rpm python3-packaging-23.2-3.azl3.noarch.rpm -python3-pip-24.0-2.azl3.noarch.rpm +python3-pip-24.2-1.azl3.noarch.rpm python3-pygments-2.7.4-2.azl3.noarch.rpm python3-rpm-4.18.2-1.azl3.x86_64.rpm python3-rpm-generators-14-11.azl3.noarch.rpm From 03aefe9634f2d1335cc6aecc14a810fb16d554fb Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 25 Oct 2024 14:39:20 -0400 Subject: [PATCH 02/21] [AUTO-CHERRYPICK] [AUTOPATCHER-CORE] Upgrade mysql to 8.0.40 Fix multiple CVEs - branch 3.0-dev (#10836) --- SPECS/mysql/mysql.signatures.json | 4 ++-- SPECS/mysql/mysql.spec | 10 +++++++++- cgmanifest.json | 4 ++-- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/SPECS/mysql/mysql.signatures.json b/SPECS/mysql/mysql.signatures.json index 531b9d7eb76..c15e83c7f22 100644 --- a/SPECS/mysql/mysql.signatures.json 
+++ b/SPECS/mysql/mysql.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "mysql-boost-8.0.36.tar.gz": "429c5f69f3722e31807e74119d157a023277af210bfee513443cae60ebd2a86d" + "mysql-boost-8.0.40.tar.gz": "eb34a23d324584688199b4222242f4623ea7bca457a3191cd7a106c63a7837d9" } -} \ No newline at end of file +} diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec index 11e29f1fcf9..480665946a4 100644 --- a/SPECS/mysql/mysql.spec +++ b/SPECS/mysql/mysql.spec @@ -1,6 +1,6 @@ Summary: MySQL. Name: mysql -Version: 8.0.36 +Version: 8.0.40 Release: 1%{?dist} License: GPLv2 with exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation @@ -83,6 +83,14 @@ make test %{_libdir}/pkgconfig/mysqlclient.pc %changelog +* Fri Oct 18 2024 CBL-Mariner Servicing Account - 8.0.40-1 +- Auto-upgrade to 8.0.40 - Fix multiple CVEs -- CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130, + CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134, + CVE-2024-21127, CVE-2024-21142, CVE-2024-21166, CVE-2024-21163, CVE-2024-21203, CVE-2024-21219, CVE-2024-21247, CVE-2024-21237, + CVE-2024-21231, CVE-2024-21213, CVE-2024-21218, CVE-2024-21197, CVE-2024-21230, CVE-2024-21207, CVE-2024-21201, CVE-2024-21198, + CVE-2024-21238, CVE-2024-21196, CVE-2024-21239, CVE-2024-21199, CVE-2024-21241, CVE-2024-21236, CVE-2024-21212, CVE-2024-21096, + CVE-2024-21171, CVE-2024-21165, CVE-2023-46219 + * Thu Feb 22 2024 CBL-Mariner Servicing Account - 8.0.36-1 - Auto-upgrade to 8.0.36 diff --git a/cgmanifest.json b/cgmanifest.json index 9f2450a85a0..9844b8f542f 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -13502,8 +13502,8 @@ "type": "other", "other": { "name": "mysql", - "version": "8.0.36", - "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.36.tar.gz" + "version": "8.0.40", + "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.40.tar.gz" } } }, 
From e4e12d0201e90c078771364162af8abb7442e6d6 Mon Sep 17 00:00:00 2001 From: Chris Gunn Date: Fri, 25 Oct 2024 11:56:09 -0700 Subject: [PATCH 03/21] Toolkit: Add missing `flock` calls. (#10804) When making changes to partitions or filesystems, it is recommended to take a file lock over the disk block device as this informs the host OS that you are making changes and that it should avoid scanning or changing the device until you are done. While most of the relevant operations are covered, there a few places that are missing the lock. For example, when calling `mkfs` or `resize2fs`. --- toolkit/tools/imagegen/diskutils/diskutils.go | 17 +++++++++-------- .../pkg/imagecustomizerlib/shrinkfilesystems.go | 12 +++++++----- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/toolkit/tools/imagegen/diskutils/diskutils.go b/toolkit/tools/imagegen/diskutils/diskutils.go index 5e441206b4c..0beab227883 100644 --- a/toolkit/tools/imagegen/diskutils/diskutils.go +++ b/toolkit/tools/imagegen/diskutils/diskutils.go @@ -492,7 +492,7 @@ func CreatePartitions(diskDevPath string, disk configuration.Disk, rootEncryptio return partDevPathMap, partIDToFsTypeMap, encryptedRoot, readOnlyRoot, err } - partFsType, err := FormatSinglePartition(partDevPath, partition) + partFsType, err := formatSinglePartition(diskDevPath, partDevPath, partition) if err != nil { err = fmt.Errorf("failed to format partition:\n%w", err) return partDevPathMap, partIDToFsTypeMap, encryptedRoot, readOnlyRoot, err 
@@ -782,12 +782,13 @@ func setGptPartitionType(partition configuration.Partition, timeoutInSeconds, di return } -// FormatSinglePartition formats the given partition to the type specified in the partition configuration -func FormatSinglePartition(partDevPath string, partition configuration.Partition, +// formatSinglePartition formats the given partition to the type specified in the partition configuration +func formatSinglePartition(diskDevPath string, partDevPath string, partition configuration.Partition, ) (fsType string, err error) { const ( - totalAttempts = 5 - retryDuration = time.Second + totalAttempts = 5 + retryDuration = time.Second + timeoutInSeconds = "5" ) fsType = partition.FsType @@ -803,14 +804,14 @@ func FormatSinglePartition(partDevPath string, partition configuration.Partition fsType = "vfat" } - mkfsArgs := []string{"-t", fsType} + mkfsArgs := []string{"--timeout", timeoutInSeconds, diskDevPath, "mkfs", "-t", fsType} mkfsArgs = append(mkfsArgs, mkfsOptions...) mkfsArgs = append(mkfsArgs, partDevPath) err = retry.Run(func() error { - _, stderr, err := shell.Execute("mkfs", mkfsArgs...) + _, stderr, err := shell.Execute("flock", mkfsArgs...) if err != nil { - logger.Log.Warnf("Failed to format partition using mkfs: %v", stderr) + logger.Log.Warnf("Failed to format partition using mkfs (and flock): %v", stderr) return err } diff --git a/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go b/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go index aa058dcf422..f444de5a1b1 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go +++ b/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go 
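Review bot: When the lock on `diskDevPath` is not obtained within `timeoutInSeconds`, `flock` exits non-zero without running `mkfs`, and the warning `Failed to format partition using mkfs (and flock)` reports that the same way as a real mkfs failure. Giving flock a dedicated exit code, e.g. `"--conflict-exit-code", "<code>"` ahead of `diskDevPath` in `mkfsArgs`, and logging lock contention separately would distinguish a busy device from a bad filesystem option, assuming the shell helper surfaces the exit status. The two `flock` calls added in shrinkfilesystems.go have the same ambiguity. formatSinglePartition's body continues outside the hunk.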
@@ -85,9 +85,10 @@ func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomi } // Shrink the file system with resize2fs -M - stdout, stderr, err := shell.Execute("resize2fs", "-M", partitionLoopDevice) + stdout, stderr, err := shell.Execute("flock", "--timeout", "5", imageLoopDevice, + "resize2fs", "-M", partitionLoopDevice) if err != nil { - return fmt.Errorf("failed to resize %s with resize2fs:\n%v", partitionLoopDevice, stderr) + return fmt.Errorf("failed to resize %s with resize2fs (and flock):\n%v", partitionLoopDevice, stderr) } // Find the new partition end value @@ -103,10 +104,11 @@ func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomi } // Resize the partition with parted resizepart - _, stderr, err = shell.ExecuteWithStdin("yes" /*stdin*/, "parted", "---pretend-input-tty", - imageLoopDevice, "resizepart", strconv.Itoa(partitionNumber), end) + _, stderr, err = shell.ExecuteWithStdin("yes" /*stdin*/, "flock", "--timeout", "5", imageLoopDevice, + "parted", "---pretend-input-tty", imageLoopDevice, "resizepart", + strconv.Itoa(partitionNumber), end) if err != nil { - return fmt.Errorf("failed to resizepart %s with parted:\n%v", partitionLoopDevice, stderr) + return fmt.Errorf("failed to resizepart %s with parted (and flock):\n%v", partitionLoopDevice, stderr) } // Re-read the partition table From 41ee355395e6ee4dfd463b66c818f0ecf3eb08ae Mon Sep 17 00:00:00 2001 
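Review bot: Neither `flock` call here is wrapped in a retry, so a lock held for more than five seconds by another process fails the whole shrink, whereas the mkfs call in diskutils.go runs under `retry.Run`. The timeout is also the bare literal `"5"` in both calls, while diskutils.go names it `timeoutInSeconds`; a shared constant would keep the values in step. Both calls sit in shrinkFilesystems, whose body starts and ends outside these hunks.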
From: Chris Gunn Date: Fri, 25 Oct 2024 11:56:22 -0700 Subject: [PATCH 04/21] Fix partition initialization bug. (#10702) After creating a partition, the toolkit must wait for the partition device to be created (under /dev). However, the naming scheme of partitions is inconsistent, with both `/dev/XX` and `/dev/pXX` being used, depending on the device driver. So, the toolkit checks for both. However, a problem occurs when the device name itself ends in a digit. If the disk device path is say `/dev/loop1`, then `/dev/loop11` is also a valid disk device path. For such disks, the `/dev/pXX` form must be used for partitions. While the toolkit prioritizes `/dev/loop1p1` over `/dev/loop11`, if the `/dev/loop1p1` device doesn't exist yet and `/dev/loop11` is in use, then the toolkit may pick the wrong device path for the partition. This change fixes this by ignoring the `/dev/XX` variant if the disk device path ends in a digit. --- toolkit/tools/imagegen/diskutils/diskutils.go | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/toolkit/tools/imagegen/diskutils/diskutils.go b/toolkit/tools/imagegen/diskutils/diskutils.go index 0beab227883..a19fb8e2d65 100644 --- a/toolkit/tools/imagegen/diskutils/diskutils.go +++ b/toolkit/tools/imagegen/diskutils/diskutils.go 
@@ -682,13 +682,19 @@ func InitializeSinglePartition(diskDevPath string, partitionNumber int, partitionNumberStr := strconv.Itoa(partitionNumber) // There are two primary partition naming conventions: - // /dev/sdN style or /dev/loopNp style + // - /dev/sdN + // - /dev/loopNp // Detect the exact one we are using. - // Make sure we check for /dev/loopNp FIRST, since /dev/loop1 would generate /dev/loop11 as a partition - // device which may be a valid device. We want to select /dev/loop1p1 first. testPartDevPaths := []string{ fmt.Sprintf("%sp%s", diskDevPath, partitionNumberStr), - fmt.Sprintf("%s%s", diskDevPath, partitionNumberStr), + } + + // If disk path ends in a digit, then the 'p' style must be used. + // So, don't check the other style to avoid ambiguities. For example, /dev/loop1 vs. /dev/loop11. + // This is particularly relevant on Ubuntu, due to snap's use of loopback devices. + if !isDigit(diskDevPath[len(diskDevPath)-1]) { + devPath := fmt.Sprintf("%s%s", diskDevPath, partitionNumberStr) + testPartDevPaths = append(testPartDevPaths, devPath) } err = retry.Run(func() error { @@ -759,6 +765,10 @@ func InitializeSinglePartition(diskDevPath string, partitionNumber int, return } +func isDigit(c byte) bool { + return c >= '0' && c <= '9' +} + func setGptPartitionType(partition configuration.Partition, timeoutInSeconds, diskDevPath, partitionNumberStr string) (err error) { if supports, _ := PartedSupportsTypeCommand(); !supports { logger.Log.Warn("parted version <3.6 does not support the 'type' session command - skipping this operation") From 97ffbbb88ec3d865b3ad11e1b6cbd52b34c0046e Mon Sep 17 00:00:00 2001 From: Saul Paredes <30801614+Redent0r@users.noreply.github.com> Date: Fri, 25 Oct 2024 13:15:40 -0700 Subject: [PATCH 05/21] kata-containers: only build for x86_64 (#10849) Signed-off-by: Saul Paredes --- SPECS/kata-containers/kata-containers.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
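Review bot: `diskDevPath[len(diskDevPath)-1]` is indexed without a length check, so an empty `diskDevPath` panics with an out-of-range index before any device path is probed. A guard in the condition, `if len(diskDevPath) > 0 && !isDigit(diskDevPath[len(diskDevPath)-1]) {`, avoids the panic; rejecting the empty path with an error at the top of the function would be stricter. The diffstat shows no test file, so a small table test for the path selection (`/dev/sda`, `/dev/loop1`, `/dev/nvme0n1`) would pin the fix. InitializeSinglePartition starts outside the hunk.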
diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec index 140c1ef0074..0400e8d583f 100644 --- a/SPECS/kata-containers/kata-containers.spec +++ b/SPECS/kata-containers/kata-containers.spec @@ -2,7 +2,7 @@ Name: kata-containers Version: 3.2.0.azl3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Kata Containers package developed for Pod Sandboxing on AKS License: ASL 2.0 URL: https://github.com/microsoft/kata-containers @@ -11,6 +11,8 @@ Distribution: Azure Linux Source0: https://github.com/microsoft/kata-containers/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: %{name}-%{version}-cargo.tar.gz +ExclusiveArch: x86_64 + BuildRequires: golang BuildRequires: protobuf-compiler BuildRequires: rust @@ -108,6 +110,9 @@ popd %{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service %changelog +* Thu Oct 25 2024 Saul Paredes - 3.2.0.azl3-2 +- Only build for x86_64 + * Fri Sep 20 2024 Manuel Huber - 3.2.0.azl3-1 - Upgrade to 3.2.0.azl3 release, refactor build instructions From 0353f3269fe9031c42575e05af74049f390830c7 Mon Sep 17 00:00:00 2001 
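Review bot: The new changelog entry is dated `Thu Oct 25 2024`, but 25 October 2024 was a Friday; the commit header on this page also says `Fri, 25 Oct 2024`. rpmbuild warns about a bogus `%changelog` date when the weekday and date disagree. The header should read `* Fri Oct 25 2024 Saul Paredes - 3.2.0.azl3-2`.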
From: Chris Gunn Date: Fri, 25 Oct 2024 15:20:10 -0700 Subject: [PATCH 06/21] Image Customizer: Make verity API a list. (#10789) Change the verity config from a single item to a list of items. This is being done so that it is easier to add support for other verity partitions (e.g. /usr) in the future. However, this change restricts the verity API to only the root partition (`/`). In addition, move the verity config from `.os` to `.storage`. This is being done for alignment with the Trident API. But is also probably a more morally correct place for verity to be placed. As a side effect, this change removes support for enabling verity on a base image that somehow had all the correct partitions to support verity but didn't actually have verity enabled. None of our base images are like this. So, it is expected that no user ever made use of this functionality. This functionality could be re-added in the future. It was omitted from this change to avoid adding additional complexity. --- toolkit/tools/imagecustomizerapi/config.go | 37 - .../tools/imagecustomizerapi/config_test.go | 62 +- .../tools/imagecustomizerapi/filesystem.go | 9 + .../imagecustomizerapi/identifiedpartition.go | 44 - .../identifiedpartition_test.go | 87 -- toolkit/tools/imagecustomizerapi/os.go | 8 - toolkit/tools/imagecustomizerapi/os_test.go | 19 - toolkit/tools/imagecustomizerapi/storage.go | 235 +++++- .../tools/imagecustomizerapi/storage_test.go | 775 +++++++++++++++++- toolkit/tools/imagecustomizerapi/verity.go | 51 +- .../tools/imagecustomizerapi/verity_test.go | 89 +- .../pkg/imagecustomizerlib/bootcustomizer.go | 6 +- .../pkg/imagecustomizerlib/customizeos.go | 2 +- .../pkg/imagecustomizerlib/customizeverity.go | 122 +-- .../customizeverity_test.go | 2 +- .../pkg/imagecustomizerlib/imagecustomizer.go | 24 +- .../pkg/imagecustomizerlib/partitionutils.go | 21 +- .../imagecustomizerlib/shrinkfilesystems.go | 12 +- .../testdata/verity-config.yaml | 18 +- .../testdata/verity-partition-labels.yaml | 
27 +- .../pkg/imagecustomizerlib/typeConversion.go | 4 +- 21 files changed, 1184 insertions(+), 470 deletions(-) delete mode 100644 toolkit/tools/imagecustomizerapi/identifiedpartition.go delete mode 100644 toolkit/tools/imagecustomizerapi/identifiedpartition_test.go diff --git a/toolkit/tools/imagecustomizerapi/config.go b/toolkit/tools/imagecustomizerapi/config.go index 30dd156b811..36b6658fe05 100644 --- a/toolkit/tools/imagecustomizerapi/config.go +++ b/toolkit/tools/imagecustomizerapi/config.go @@ -49,43 +49,6 @@ func (c *Config) IsValid() (err error) { return fmt.Errorf("'os.resetBootLoaderType' must be specified if 'storage.resetPartitionsUuidsType' is specified") } - if c.OS != nil && c.OS.Verity != nil { - err := ensureVerityPartitionIdExists(c.OS.Verity.DataPartition, &c.Storage) - if err != nil { - return fmt.Errorf("invalid verity 'dataPartition':\n%w", err) - } - - err = ensureVerityPartitionIdExists(c.OS.Verity.HashPartition, &c.Storage) - if err != nil { - return fmt.Errorf("invalid verity 'hashPartition':\n%w", err) - } - } - - return nil -} - -func ensureVerityPartitionIdExists(verityPartition IdentifiedPartition, storage *Storage) error { - switch verityPartition.IdType { - case IdTypeId: - if !storage.CustomizePartitions() { - return fmt.Errorf("'idType' cannot be 'id' if 'storage.disks' is not specified") - } - - foundPartition := false - for _, disk := range storage.Disks { - for _, partition := range disk.Partitions { - if partition.Id == verityPartition.Id { - foundPartition = true - break - } - } - } - - if !foundPartition { - return fmt.Errorf("partition with 'id' (%s) not found", verityPartition.Id) - } - } - return nil } diff --git a/toolkit/tools/imagecustomizerapi/config_test.go b/toolkit/tools/imagecustomizerapi/config_test.go index f05d8393111..380b2ef0bf8 100644 --- a/toolkit/tools/imagecustomizerapi/config_test.go +++ b/toolkit/tools/imagecustomizerapi/config_test.go 
@@ -413,26 +413,24 @@ func TestConfigIsValidVerityValid(t *testing.T) { }, }, { - DeviceId: "root", + DeviceId: "rootverity", Type: "ext4", MountPoint: &MountPoint{ Path: "/", }, }, }, + Verity: []Verity{ + { + Id: "rootverity", + Name: "root", + DataDeviceId: "root", + HashDeviceId: "verityhash", + }, + }, }, OS: &OS{ ResetBootLoaderType: "hard-reset", - Verity: &Verity{ - DataPartition: IdentifiedPartition{ - IdType: IdTypeId, - Id: "root", - }, - HashPartition: IdentifiedPartition{ - IdType: IdTypeId, - Id: "verityhash", - }, - }, }, } err := config.IsValid() 
@@ -486,42 +484,38 @@ func TestConfigIsValidVerityPartitionNotFound(t *testing.T) { }, }, }, + Verity: []Verity{ + { + Id: "rootverity", + Name: "root", + DataDeviceId: "wrongname", + HashDeviceId: "verityhash", + }, + }, }, OS: &OS{ ResetBootLoaderType: "hard-reset", - Verity: &Verity{ - DataPartition: IdentifiedPartition{ - IdType: IdTypeId, - Id: "wrongname", - }, - HashPartition: IdentifiedPartition{ - IdType: IdTypeId, - Id: "verityhash", - }, - }, }, } err := config.IsValid() - assert.ErrorContains(t, err, "invalid verity 'dataPartition'") - assert.ErrorContains(t, err, "partition with 'id' (wrongname) not found") + assert.ErrorContains(t, err, "invalid verity item at index 0:") + assert.ErrorContains(t, err, "invalid 'dataDeviceId'") + assert.ErrorContains(t, err, "device (wrongname) not found") } func TestConfigIsValidVerityNoStorage(t *testing.T) { config := &Config{ - OS: &OS{ - Verity: &Verity{ - DataPartition: IdentifiedPartition{ - IdType: IdTypePartLabel, - Id: "root", - }, - HashPartition: IdentifiedPartition{ - IdType: IdTypeId, - Id: "verityhash", + Storage: Storage{ + Verity: []Verity{ + { + Id: "rootverity", + Name: "root", + DataDeviceId: "root", + HashDeviceId: "verityhash", }, }, }, } err := config.IsValid() - assert.ErrorContains(t, err, "invalid verity 'hashPartition'") - assert.ErrorContains(t, err, "'idType' cannot be 'id' if 'storage.disks' is not specified") + assert.ErrorContains(t, err, "cannot specify 'verity' without specifying 'disks'") } diff --git a/toolkit/tools/imagecustomizerapi/filesystem.go b/toolkit/tools/imagecustomizerapi/filesystem.go index 6f7312e3c49..4be08baf230 100644 --- a/toolkit/tools/imagecustomizerapi/filesystem.go +++ b/toolkit/tools/imagecustomizerapi/filesystem.go 
@@ -15,6 +15,11 @@ type FileSystem struct { Type FileSystemType `yaml:"type"` // MountPoint contains the mount settings. MountPoint *MountPoint `yaml:"mountPoint"` + + // If 'DeviceId' points at a verity device, this value is the 'Id' of the data partition. + // Otherwise, it is the same as 'DeviceId'. + // Value is filled in by Storage.IsValid(). + PartitionId string } // IsValid returns an error if the MountPoint is not valid @@ -33,6 +38,10 @@ func (f *FileSystem) IsValid() error { if err != nil { return fmt.Errorf("invalid mountPoint value:\n%w", err) } + + if f.Type == FileSystemTypeNone { + return fmt.Errorf("filesystem with 'mountPoint' must have a 'type'") + } } return nil diff --git a/toolkit/tools/imagecustomizerapi/identifiedpartition.go b/toolkit/tools/imagecustomizerapi/identifiedpartition.go deleted file mode 100644 index 49112f2d3a0..00000000000 --- a/toolkit/tools/imagecustomizerapi/identifiedpartition.go +++ /dev/null 
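Review bot: The new `PartitionId` field on `FileSystem` has no struct tag, so depending on the YAML decoder's defaults a config file may be able to set a field that the comment says is filled in by `Storage.IsValid()`. Validation currently overwrites it in both the `*Partition` and `*Verity` cases in storage.go, but that is incidental rather than enforced. Tagging the field with `yaml:"-"` keeps derived state out of the user-facing schema and lets strict decoding reject the key. The same applies to the `FileSystem *FileSystem` field added to `Verity` in verity.go. The struct body starts above this hunk.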
@@ -1,44 +0,0 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT License. - -package imagecustomizerapi - -import ( - "fmt" - "regexp" -) - -type IdentifiedPartition struct { - IdType IdType `yaml:"idType"` - Id string `yaml:"id"` -} - -var uuidRegex = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$`) - -func (i *IdentifiedPartition) IsValid() error { - // Check if IdType is valid - if err := i.IdType.IsValid(); err != nil { - return fmt.Errorf("invalid idType:\n%w", err) - } - - // Check if Id is not empty - if i.Id == "" { - return fmt.Errorf("invalid id: empty string") - } - - // Check Id format based on IdType - switch i.IdType { - case IdTypePartLabel: - // Validate using isGPTNameValid function for IdTypePartLabel - if err := isGPTNameValid(i.Id); err != nil { - return fmt.Errorf("invalid id format for %s:\n%w", IdTypePartLabel, err) - } - case IdTypeUuid, IdTypePartUuid: - // UUID validation (standard format) - if !uuidRegex.MatchString(i.Id) { - return fmt.Errorf("invalid id format for %s (%s)", i.IdType, i.Id) - } - } - - return nil -} diff --git a/toolkit/tools/imagecustomizerapi/identifiedpartition_test.go b/toolkit/tools/imagecustomizerapi/identifiedpartition_test.go deleted file mode 100644 index 4c719b46d02..00000000000 --- a/toolkit/tools/imagecustomizerapi/identifiedpartition_test.go +++ /dev/null 
@@ -1,87 +0,0 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT License. - -package imagecustomizerapi - -import ( - "testing" - - "github.com/stretchr/testify/assert" -) - -func TestIdentifiedPartitionIsValidValidPartUuidFormat(t *testing.T) { - correctUuidPartition := IdentifiedPartition{ - IdType: "part-uuid", - Id: "123e4567-e89b-4d3a-a456-426614174000", - } - - err := correctUuidPartition.IsValid() - assert.NoError(t, err) -} - -func TestIdentifiedPartitionIsValidValidPartLabel(t *testing.T) { - validPartition := IdentifiedPartition{ - IdType: "part-label", - Id: "ValidLabelName", - } - - err := validPartition.IsValid() - assert.NoError(t, err) -} - -func TestIdentifiedPartitionIsValidEmptyPartLabel(t *testing.T) { - invalidPartition := IdentifiedPartition{ - IdType: "part-label", - Id: "", - } - - err := invalidPartition.IsValid() - assert.Error(t, err) - assert.ErrorContains(t, err, "invalid id: empty string") -} - -func TestIdentifiedPartitionIsValidInvalidEmptyPartUuid(t *testing.T) { - emptyIdPartition := IdentifiedPartition{ - IdType: "part-uuid", - Id: "", - } - - err := emptyIdPartition.IsValid() - assert.Error(t, err) - assert.ErrorContains(t, err, "invalid id: empty string") -} - -func TestIdentifiedPartitionIsValidInvalidPartUuidFormat(t *testing.T) { - incorrectUuidPartition := IdentifiedPartition{ - IdType: "part-uuid", - Id: "incorrect-uuid-format", - } - - err := incorrectUuidPartition.IsValid() - assert.Error(t, err) - assert.ErrorContains(t, err, "invalid id format") -} - -func TestIdentifiedPartitionIsValidInvalidIdType(t *testing.T) { - incorrectUuidPartition := IdentifiedPartition{ - IdType: "cat", - Id: "incorrect-uuid-format", - } - - err := incorrectUuidPartition.IsValid() - assert.Error(t, err) - assert.ErrorContains(t, err, "invalid idType") - assert.ErrorContains(t, err, "invalid idType value (cat)") -} - -func TestIdentifiedPartitionIsValidInvalidPartLabel(t *testing.T) { - incorrectUuidPartition := 
IdentifiedPartition{ - IdType: IdTypePartLabel, - Id: "i ❤️ cats", - } - - err := incorrectUuidPartition.IsValid() - assert.Error(t, err) - assert.ErrorContains(t, err, "invalid id format for part-label") - assert.ErrorContains(t, err, "partition name (i ❤️ cats) contains a non-ASCII character (❤)") -} diff --git a/toolkit/tools/imagecustomizerapi/os.go b/toolkit/tools/imagecustomizerapi/os.go index ee1bfc9a5a0..f5a4794e164 100644 --- a/toolkit/tools/imagecustomizerapi/os.go +++ b/toolkit/tools/imagecustomizerapi/os.go @@ -22,7 +22,6 @@ type OS struct { Users []User `yaml:"users"` Services Services `yaml:"services"` Modules []Module `yaml:"modules"` - Verity *Verity `yaml:"verity"` Overlays *[]Overlay `yaml:"overlays"` } @@ -83,13 +82,6 @@ func (s *OS) IsValid() error { } } - if s.Verity != nil { - err = s.Verity.IsValid() - if err != nil { - return fmt.Errorf("invalid verity:\n%w", err) - } - } - if s.Overlays != nil { mountPoints := make(map[string]bool) upperDirs := make(map[string]bool) diff --git a/toolkit/tools/imagecustomizerapi/os_test.go b/toolkit/tools/imagecustomizerapi/os_test.go index 529d892141d..b17fde39140 100644 --- a/toolkit/tools/imagecustomizerapi/os_test.go +++ b/toolkit/tools/imagecustomizerapi/os_test.go @@ -53,25 +53,6 @@ func TestOSIsValidInvalidAdditionalFilesContent(t *testing.T) { assert.NoError(t, err) } -func TestOSIsValidVerityInValidPartUuid(t *testing.T) { - invalidVerity := OS{ - Verity: &Verity{ - DataPartition: IdentifiedPartition{ - IdType: "part-uuid", - Id: "incorrect-uuid-format", - }, - HashPartition: IdentifiedPartition{ - IdType: "part-label", - Id: "hash_partition", - }, - }, - } - - err := invalidVerity.IsValid() - assert.Error(t, err) - assert.ErrorContains(t, err, "invalid id format") -} - func TestOSIsValidInvalidResetBootLoaderType(t *testing.T) { os := OS{ ResetBootLoaderType: "bad", 
diff --git a/toolkit/tools/imagecustomizerapi/storage.go b/toolkit/tools/imagecustomizerapi/storage.go index 15a7b2f4db6..15088af4726 100644 --- a/toolkit/tools/imagecustomizerapi/storage.go +++ b/toolkit/tools/imagecustomizerapi/storage.go @@ -12,6 +12,7 @@ type Storage struct { BootType BootType `yaml:"bootType"` Disks []Disk `yaml:"disks"` FileSystems []FileSystem `yaml:"filesystems"` + Verity []Verity `yaml:"verity"` } func (s *Storage) IsValid() error { @@ -40,24 +41,25 @@ func (s *Storage) IsValid() error { } } - fileSystemSet := make(map[string]FileSystem) + for i, verity := range s.Verity { + err = verity.IsValid() + if err != nil { + return fmt.Errorf("invalid verity item at index %d:\n%w", i, err) + } + } + for i, fileSystem := range s.FileSystems { err = fileSystem.IsValid() if err != nil { return fmt.Errorf("invalid filesystems item at index %d:\n%w", i, err) } - - if _, existingName := fileSystemSet[fileSystem.DeviceId]; existingName { - return fmt.Errorf("duplicate fileSystem deviceId used (%s) at index %d", fileSystem.DeviceId, i) - } - - fileSystemSet[fileSystem.DeviceId] = fileSystem } hasResetUuids := s.ResetPartitionsUuidsType != ResetPartitionsUuidsTypeDefault hasBootType := s.BootType != BootTypeNone hasDisks := len(s.Disks) > 0 hasFileSystems := len(s.FileSystems) > 0 + hasVerity := len(s.Verity) > 0 if hasResetUuids && hasDisks { return fmt.Errorf("cannot specify both 'resetPartitionsUuidsType' and 'disks'") 
@@ -75,21 +77,28 @@ func (s *Storage) IsValid() error { return fmt.Errorf("cannot specify 'filesystems' without specifying 'disks'") } - partitionSet := make(map[string]Partition) - espPartitionExists := false - biosBootPartitionExists := false - partitionLabelCounts := make(map[string]int) + if hasVerity && !hasDisks { + return fmt.Errorf("cannot specify 'verity' without specifying 'disks'") + } - for i, disk := range s.Disks { - for j, partition := range disk.Partitions { - if _, existingName := partitionSet[partition.Id]; existingName { - return fmt.Errorf("invalid disk at index %d:\nduplicate partition id used (%s) at index %d", i, - partition.Id, j) - } + // Create a set of all block devices by their Id. + deviceMap, partitionLabelCounts, err := s.buildDeviceMap() + if err != nil { + return err + } - partitionSet[partition.Id] = partition + // Check that all child block devices exist and are not used by multiple things. + deviceParents, err := s.checkDeviceTree(deviceMap, partitionLabelCounts) + if err != nil { + return err + } + + espPartitionExists := false + biosBootPartitionExists := false - fileSystem, hasFileSystem := fileSystemSet[partition.Id] + for _, disk := range s.Disks { + for _, partition := range disk.Partitions { + fileSystem, hasFileSystem := deviceParents[partition.Id].(*FileSystem) // Ensure special partitions have the correct filesystem type. switch partition.Type { @@ -114,14 +123,6 @@ func (s *Storage) IsValid() error { } } } - - // Ensure filesystem entires with a mountPoint also have a filesystem type value. - if hasFileSystem && fileSystem.MountPoint != nil && fileSystem.Type == FileSystemTypeNone { - return fmt.Errorf("filesystem with 'mountPoint' must have a 'type'") - } - - // Count the number of partitions that use each label. - partitionLabelCounts[partition.Label] += 1 } } 
@@ -138,31 +139,181 @@ func (s *Storage) IsValid() error { } } - // Ensure all the filesystems objects have an equivalent partition object. - for i, fileSystem := range s.FileSystems { - partition, found := partitionSet[fileSystem.DeviceId] - if !found { - return fmt.Errorf("invalid fileSystem at index %d:\nno partition with matching ID (%s)", i, - fileSystem.DeviceId) + // Validate verity filesystem settings. + for i := range s.Verity { + verity := &s.Verity[i] + + filesystem, hasFileSystem := deviceParents[verity.Id].(*FileSystem) + if hasFileSystem { + verity.FileSystem = filesystem + } + + if !hasFileSystem || filesystem.MountPoint == nil || filesystem.MountPoint.Path != "/" { + return fmt.Errorf("defining non-root verity devices is not currently supported:\n"+ + "filesystems[].mountPoint.path' of verity device (%s) must be set to '/'", + verity.Id) } - if fileSystem.MountPoint != nil && fileSystem.MountPoint.IdType == MountIdentifierTypePartLabel { - if partition.Label == "" { - return fmt.Errorf("invalid fileSystem at index %d:\nidType is set to (part-label) but partition (%s) has no label set", - i, partition.Id) + if verity.Name != VerityRootDeviceName { + return fmt.Errorf("verity 'name' (%s) must be \"%s\" for filesystem (%s) partition (%s)", verity.Name, + VerityRootDeviceName, filesystem.MountPoint.Path, verity.DataDeviceId) + } + } + + return nil +} + +func (s *Storage) CustomizePartitions() bool { + return len(s.Disks) > 0 +} + +func (s *Storage) buildDeviceMap() (map[string]any, map[string]int, error) { + deviceMap := make(map[string]any) + partitionLabelCounts := make(map[string]int) + + for i, disk := range s.Disks { + for j := range disk.Partitions { + partition := &disk.Partitions[j] + + if _, existingName := deviceMap[partition.Id]; existingName { + return nil, nil, fmt.Errorf("invalid disk at index %d:\ninvalid partition at index %d:\nduplicate id (%s)", + i, j, partition.Id) } - labelCount := partitionLabelCounts[partition.Label] + 
deviceMap[partition.Id] = partition + + // Count the number of partitions that use each label. + partitionLabelCounts[partition.Label] += 1 + } + } + + for i := range s.Verity { + verity := &s.Verity[i] + + if _, existingName := deviceMap[verity.Id]; existingName { + return nil, nil, fmt.Errorf("invalid verity item at index %d:\nduplicate id (%s)", i, verity.Id) + } + + deviceMap[verity.Id] = verity + } + + return deviceMap, partitionLabelCounts, nil +} + +func (s *Storage) checkDeviceTree(deviceMap map[string]any, partitionLabelCounts map[string]int, +) (map[string]any, error) { + deviceParents := make(map[string]any) + + for i := range s.Verity { + verity := &s.Verity[i] + + err := checkDeviceTreeVerityItem(verity, deviceMap, deviceParents) + if err != nil { + return nil, fmt.Errorf("invalid verity item at index %d:\n%w", i, err) + } + } + + mountPaths := make(map[string]bool) + for i := range s.FileSystems { + filesystem := &s.FileSystems[i] + + err := checkDeviceTreeFileSystemItem(filesystem, deviceMap, deviceParents, partitionLabelCounts, mountPaths) + if err != nil { + return nil, fmt.Errorf("invalid filesystem item at index %d:\n%w", i, err) + } + } + + return deviceParents, nil +} + +func checkDeviceTreeVerityItem(verity *Verity, deviceMap map[string]any, deviceParents map[string]any) error { + err := addVerityParentToDevice(verity.DataDeviceId, deviceMap, deviceParents, verity) + if err != nil { + return fmt.Errorf("invalid 'dataDeviceId':\n%w", err) + } + + err = addVerityParentToDevice(verity.HashDeviceId, deviceMap, deviceParents, verity) + if err != nil { + return fmt.Errorf("invalid 'hashDeviceId':\n%w", err) + } + + return nil +} + +func addVerityParentToDevice(deviceId string, deviceMap map[string]any, deviceParents map[string]any, parent *Verity, +) error { + device, err := addParentToDevice(deviceId, deviceMap, deviceParents, parent) + if err != nil { + return err + } + + switch device.(type) { + case *Partition: + + default: + return 
fmt.Errorf("device (%s) must be a partition", deviceId) + } + + return nil +} + +func checkDeviceTreeFileSystemItem(filesystem *FileSystem, deviceMap map[string]any, deviceParents map[string]any, + partitionLabelCounts map[string]int, mountPaths map[string]bool, +) error { + device, err := addParentToDevice(filesystem.DeviceId, deviceMap, deviceParents, filesystem) + if err != nil { + return fmt.Errorf("invalid 'deviceId':\n%w", err) + } + + if filesystem.MountPoint != nil { + if _, existingMountPath := mountPaths[filesystem.MountPoint.Path]; existingMountPath { + return fmt.Errorf("duplicate 'mountPoint.path' (%s)", filesystem.MountPoint.Path) + } + + mountPaths[filesystem.MountPoint.Path] = true + } + + switch device := device.(type) { + case *Partition: + filesystem.PartitionId = filesystem.DeviceId + + if filesystem.MountPoint != nil && filesystem.MountPoint.IdType == MountIdentifierTypePartLabel { + if device.Label == "" { + return fmt.Errorf("idType is set to (part-label) but partition (%s) has no label set", device.Id) + } + + labelCount := partitionLabelCounts[device.Label] if labelCount > 1 { - return fmt.Errorf("invalid fileSystem at index %d:\nmore than one partition has a label of (%s)", i, - partition.Label) + return fmt.Errorf("more than one partition has a label of (%s)", device.Label) } } + + case *Verity: + filesystem.PartitionId = device.DataDeviceId + + if filesystem.MountPoint != nil && filesystem.MountPoint.IdType != MountIdentifierTypeDefault { + return fmt.Errorf("filesystem for verity device (%s) may not specify 'mountPoint.idType'", + filesystem.DeviceId) + } + + default: + } return nil } -func (s *Storage) CustomizePartitions() bool { - return len(s.Disks) > 0 +func addParentToDevice(deviceId string, deviceMap map[string]any, deviceParents map[string]any, parent any, +) (any, error) { + device, deviceExists := deviceMap[deviceId] + if !deviceExists { + return nil, fmt.Errorf("device (%s) not found", deviceId) + } + + if _, deviceInUse := 
deviceParents[deviceId]; deviceInUse { + return nil, fmt.Errorf("device (%s) is used by multiple things", deviceId) + } + + deviceParents[deviceId] = parent + return device, nil } diff --git a/toolkit/tools/imagecustomizerapi/storage_test.go b/toolkit/tools/imagecustomizerapi/storage_test.go index 56de00c3c37..da84f3830f5 100644 --- a/toolkit/tools/imagecustomizerapi/storage_test.go +++ b/toolkit/tools/imagecustomizerapi/storage_test.go @@ -86,7 +86,9 @@ func TestStorageIsValidDuplicatePartitionID(t *testing.T) { err := value.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "duplicate fileSystem deviceId used") + assert.ErrorContains(t, err, "invalid filesystem item at index 1") + assert.ErrorContains(t, err, "invalid 'deviceId'") + assert.ErrorContains(t, err, "device (esp) is used by multiple things") } func TestStorageIsValidUnsupportedFileSystem(t *testing.T) { @@ -223,36 +225,6 @@ func TestStorageIsValidBadBiosBootFsType(t *testing.T) { assert.ErrorContains(t, err, "BIOS boot partition (bios) must not have a filesystem 'type'") } -func TestStorageIsValidBiosWithMountPoint(t *testing.T) { - storage := Storage{ - Disks: []Disk{{ - PartitionTableType: PartitionTableTypeGpt, - MaxSize: ptrutils.PtrTo(DiskSize(2 * diskutils.GiB)), - Partitions: []Partition{ - { - Id: "bios", - Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)), - End: nil, - Type: PartitionTypeBiosGrub, - }, - }, - }}, - BootType: BootTypeEfi, - FileSystems: []FileSystem{ - { - DeviceId: "bios", - MountPoint: &MountPoint{ - Path: "/boot/bios", - }, - }, - }, - } - - err := storage.IsValid() - assert.Error(t, err) - assert.ErrorContains(t, err, "BIOS boot partition (bios) must not have a 'mountPoint'") -} - func TestStorageIsValidBadBiosBootStart(t *testing.T) { storage := Storage{ Disks: []Disk{{ 
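Review bot: `Storage.IsValid` now mutates the config: the verity loop assigns `verity.FileSystem` and `checkDeviceTreeFileSystemItem` assigns `filesystem.PartitionId`. Any code path that builds a `Storage` without calling `IsValid` would see a nil `FileSystem` and an empty `PartitionId`. The method should at least say so, e.g. `// IsValid validates the storage config and, as a side effect, fills in FileSystem.PartitionId and Verity.FileSystem.`; `IsValid` itself begins above this hunk. Separately, `mountPaths` is keyed on the raw `MountPoint.Path` string, so unless `MountPoint.IsValid` already rejects non-canonical paths, `/var` and `/var/` would not be reported as duplicates. The message `"filesystems[].mountPoint.path' of verity device (%s) must be set to '/'"` is also missing its opening quote, and the tests assert on the same text.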
@@ -312,7 +284,9 @@ func TestStorageIsValidBadDeviceId(t *testing.T) { err := value.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "no partition with matching ID (a)") + assert.ErrorContains(t, err, "invalid filesystem item at index 1") + assert.ErrorContains(t, err, "invalid 'deviceId'") + assert.ErrorContains(t, err, "device (a) not found") } func TestStorageIsValidDuplicatePartitionId(t *testing.T) { @@ -344,7 +318,9 @@ func TestStorageIsValidDuplicatePartitionId(t *testing.T) { } err := storage.IsValid() - assert.ErrorContains(t, err, "duplicate partition id") + assert.ErrorContains(t, err, "invalid disk at index 0") + assert.ErrorContains(t, err, "invalid partition at index 1") + assert.ErrorContains(t, err, "duplicate id (a)") } func TestStorageIsValidNoLabel(t *testing.T) { @@ -377,7 +353,7 @@ func TestStorageIsValidNoLabel(t *testing.T) { } err := storage.IsValid() - assert.ErrorContains(t, err, "invalid fileSystem at index 0") + assert.ErrorContains(t, err, "invalid filesystem item at index 0") assert.ErrorContains(t, err, "idType is set to (part-label) but partition (a) has no label set") } @@ -472,7 +448,7 @@ func TestStorageIsValidDuplicateLabel(t *testing.T) { } err := storage.IsValid() - assert.ErrorContains(t, err, "invalid fileSystem at index 0") + assert.ErrorContains(t, err, "invalid filesystem item at index 0") assert.ErrorContains(t, err, "more than one partition has a label of (a)") } 
@@ -518,6 +494,48 @@ func TestStorageIsValidBothDisksAndResetUuid(t *testing.T) { assert.ErrorContains(t, err, "cannot specify both 'resetPartitionsUuidsType' and 'disks'") } +func TestStorageIsValidDuplicateMountPoint(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + MaxSize: ptrutils.PtrTo(DiskSize(4 * diskutils.GiB)), + Partitions: []Partition{ + { + Id: "esp", + Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)), + End: ptrutils.PtrTo(DiskSize(9 * diskutils.MiB)), + Type: PartitionTypeESP, + }, + { + Id: "rootfs", + Start: ptrutils.PtrTo(DiskSize(9 * diskutils.MiB)), + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/", + }, + }, + { + DeviceId: "rootfs", + Type: "ext4", + MountPoint: &MountPoint{ + Path: "/", + }, + }, + }, + } + + err := value.IsValid() + assert.ErrorContains(t, err, "invalid filesystem item at index 1:\n"+ + "duplicate 'mountPoint.path' (/)") +} + func TestStorageIsValidFileSystemsWithoutDisks(t *testing.T) { value := Storage{ FileSystems: []FileSystem{ 
@@ -542,3 +560,690 @@ func TestStorageIsValidFileSystemsWithoutDisks(t *testing.T) { err := value.IsValid() assert.ErrorContains(t, err, "cannot specify 'filesystems' without specifying 'disks'") } + +func TestStorageIsValidVerityRoot(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + Partitions: []Partition{ + { + Id: "esp", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 8 * diskutils.MiB, + }, + Type: PartitionTypeESP, + }, + { + Id: "root", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "roothash", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 100 * diskutils.MiB, + }, + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/boot/efi", + }, + }, + { + DeviceId: "rootverity", + Type: "ext4", + MountPoint: &MountPoint{ + Path: "/", + }, + }, + }, + Verity: []Verity{ + { + Id: "rootverity", + Name: "root", + DataDeviceId: "root", + HashDeviceId: "roothash", + }, + }, + } + + err := value.IsValid() + assert.NoError(t, err) +} + +func TestStorageIsValidVerityUsr(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + Partitions: []Partition{ + { + Id: "esp", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 8 * diskutils.MiB, + }, + Type: PartitionTypeESP, + }, + { + Id: "root", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "usr", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "usrhash", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 100 * diskutils.MiB, + }, + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/boot/efi", + }, + }, + { + DeviceId: "root", + Type: "ext4", + MountPoint: 
&MountPoint{ + Path: "/", + }, + }, + { + DeviceId: "usrverity", + Type: "ext4", + MountPoint: &MountPoint{ + Path: "/usr", + }, + }, + }, + Verity: []Verity{ + { + Id: "usrverity", + Name: "usr", + DataDeviceId: "usr", + HashDeviceId: "usrhash", + }, + }, + } + + err := value.IsValid() + assert.ErrorContains(t, err, "defining non-root verity devices is not currently supported") + assert.ErrorContains(t, err, "filesystems[].mountPoint.path' of verity device (usrverity) must be set to '/'") +} + +func TestStorageIsValidVerityInvalidName(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + Partitions: []Partition{ + { + Id: "esp", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 8 * diskutils.MiB, + }, + Type: PartitionTypeESP, + }, + { + Id: "root", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "roothash", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 100 * diskutils.MiB, + }, + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/boot/efi", + }, + }, + { + DeviceId: "root", + Type: "ext4", + MountPoint: &MountPoint{ + Path: "/", + }, + }, + }, + Verity: []Verity{ + { + Id: "rootverity", + Name: "root", + HashDeviceId: "roothash", + }, + }, + } + + err := value.IsValid() + assert.ErrorContains(t, err, "invalid verity item at index 0") + assert.ErrorContains(t, err, "'dataDeviceId' may not be empty") +} + +func TestStorageIsValidVerityDuplicateId(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + Partitions: []Partition{ + { + Id: "esp", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 8 * diskutils.MiB, + }, + Type: PartitionTypeESP, + }, + { + Id: "root", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "roothash", + Size: PartitionSize{ + Type: 
PartitionSizeTypeExplicit, + Size: 100 * diskutils.MiB, + }, + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/boot/efi", + }, + }, + { + DeviceId: "root", + Type: "ext4", + MountPoint: &MountPoint{ + Path: "/", + }, + }, + }, + Verity: []Verity{ + { + Id: "root", + Name: "root", + DataDeviceId: "root", + HashDeviceId: "roothash", + }, + }, + } + + err := value.IsValid() + assert.ErrorContains(t, err, "invalid verity item at index 0") + assert.ErrorContains(t, err, "duplicate id (root)") +} + +func TestStorageIsValidVerityBadDataId(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + Partitions: []Partition{ + { + Id: "esp", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 8 * diskutils.MiB, + }, + Type: PartitionTypeESP, + }, + { + Id: "root", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "roothash", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 100 * diskutils.MiB, + }, + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/boot/efi", + }, + }, + { + DeviceId: "root", + Type: "ext4", + MountPoint: &MountPoint{ + Path: "/", + }, + }, + }, + Verity: []Verity{ + { + Id: "rootverity", + Name: "root", + DataDeviceId: "usr", + HashDeviceId: "roothash", + }, + }, + } + + err := value.IsValid() + assert.ErrorContains(t, err, "invalid verity item at index 0") + assert.ErrorContains(t, err, "invalid 'dataDeviceId':\ndevice (usr) not found") +} + +func TestStorageIsValidVerityBadHashId(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + Partitions: []Partition{ + { + Id: "esp", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 8 * diskutils.MiB, + }, + Type: PartitionTypeESP, + }, + { + Id: "root", + Size: PartitionSize{ + Type: 
PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "roothash", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 100 * diskutils.MiB, + }, + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/boot/efi", + }, + }, + { + DeviceId: "root", + Type: "ext4", + MountPoint: &MountPoint{ + Path: "/", + }, + }, + }, + Verity: []Verity{ + { + Id: "rootverity", + Name: "root", + DataDeviceId: "root", + HashDeviceId: "usrhash", + }, + }, + } + + err := value.IsValid() + assert.ErrorContains(t, err, "invalid verity item at index 0") + assert.ErrorContains(t, err, "invalid 'hashDeviceId':\ndevice (usrhash) not found") +} + +func TestStorageIsValidVerityWrongDeviceName(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + Partitions: []Partition{ + { + Id: "esp", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 8 * diskutils.MiB, + }, + Type: PartitionTypeESP, + }, + { + Id: "root", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "roothash", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 100 * diskutils.MiB, + }, + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/boot/efi", + }, + }, + { + DeviceId: "rootverity", + Type: "ext4", + MountPoint: &MountPoint{ + Path: "/", + }, + }, + }, + Verity: []Verity{ + { + Id: "rootverity", + Name: "usr", + DataDeviceId: "root", + HashDeviceId: "roothash", + }, + }, + } + + err := value.IsValid() + assert.ErrorContains(t, err, "verity 'name' (usr) must be \"root\" for filesystem (/) partition (root)") +} + +func TestStorageIsValidVerityHashFileSystem(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + Partitions: []Partition{ + { + Id: "esp", + Size: PartitionSize{ + Type: 
PartitionSizeTypeExplicit, + Size: 8 * diskutils.MiB, + }, + Type: PartitionTypeESP, + }, + { + Id: "root", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "roothash", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 100 * diskutils.MiB, + }, + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/boot/efi", + }, + }, + { + DeviceId: "rootverity", + Type: "ext4", + MountPoint: &MountPoint{ + Path: "/", + }, + }, + { + DeviceId: "roothash", + Type: "ext4", + }, + }, + Verity: []Verity{ + { + Id: "rootverity", + Name: "root", + DataDeviceId: "root", + HashDeviceId: "roothash", + }, + }, + } + + err := value.IsValid() + assert.ErrorContains(t, err, "invalid filesystem item at index 2") + assert.ErrorContains(t, err, "invalid 'deviceId'") + assert.ErrorContains(t, err, "device (roothash) is used by multiple things") +} + +func TestStorageIsValidVerityFileSystemHasIdType(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + Partitions: []Partition{ + { + Id: "esp", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 8 * diskutils.MiB, + }, + Type: PartitionTypeESP, + }, + { + Id: "root", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "roothash", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 100 * diskutils.MiB, + }, + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/boot/efi", + }, + }, + { + DeviceId: "rootverity", + Type: "ext4", + MountPoint: &MountPoint{ + Path: "/", + IdType: MountIdentifierTypeUuid, + }, + }, + }, + Verity: []Verity{ + { + Id: "rootverity", + Name: "root", + DataDeviceId: "root", + HashDeviceId: "roothash", + }, + }, + } + + err := value.IsValid() + assert.ErrorContains(t, err, 
"filesystem for verity device (rootverity) may not specify 'mountPoint.idType'") +} + +func TestStorageIsValidVerityFileSystemMissing(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + Partitions: []Partition{ + { + Id: "esp", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 8 * diskutils.MiB, + }, + Type: PartitionTypeESP, + }, + { + Id: "root", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "roothash", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 100 * diskutils.MiB, + }, + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/boot/efi", + }, + }, + }, + Verity: []Verity{ + { + Id: "rootverity", + Name: "root", + DataDeviceId: "root", + HashDeviceId: "roothash", + }, + }, + } + + err := value.IsValid() + assert.ErrorContains(t, err, "defining non-root verity devices is not currently supported:\n"+ + "filesystems[].mountPoint.path' of verity device (rootverity) must be set to '/'") +} + +func TestStorageIsValidVerityTwoVerity(t *testing.T) { + value := Storage{ + Disks: []Disk{{ + PartitionTableType: "gpt", + Partitions: []Partition{ + { + Id: "esp", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 8 * diskutils.MiB, + }, + Type: PartitionTypeESP, + }, + { + Id: "root", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 1 * diskutils.GiB, + }, + }, + { + Id: "roothash", + Size: PartitionSize{ + Type: PartitionSizeTypeExplicit, + Size: 100 * diskutils.MiB, + }, + }, + }, + }}, + BootType: "efi", + FileSystems: []FileSystem{ + { + DeviceId: "esp", + Type: "vfat", + MountPoint: &MountPoint{ + Path: "/boot/efi", + }, + }, + { + DeviceId: "rootverity", + Type: "ext4", + MountPoint: &MountPoint{ + Path: "/", + }, + }, + }, + Verity: []Verity{ + { + Id: "rootverity", + Name: "root", + DataDeviceId: "root", + HashDeviceId: 
"roothash", + }, + { + Id: "rootverity2", + Name: "root", + DataDeviceId: "root", + HashDeviceId: "roothash", + }, + }, + } + + err := value.IsValid() + assert.ErrorContains(t, err, "invalid verity item at index 1") + assert.ErrorContains(t, err, "invalid 'dataDeviceId'") + assert.ErrorContains(t, err, "device (root) is used by multiple things") +} diff --git a/toolkit/tools/imagecustomizerapi/verity.go b/toolkit/tools/imagecustomizerapi/verity.go index 4dc142dc4a4..338085247a4 100644 --- a/toolkit/tools/imagecustomizerapi/verity.go +++ b/toolkit/tools/imagecustomizerapi/verity.go 
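Review bot: `TestStorageIsValidVerityInvalidName` does not exercise an invalid name: its verity item has `Name: "root"` and omits `DataDeviceId`, and the assertion expects `'dataDeviceId' may not be empty`. A name such as `TestStorageIsValidVerityMissingDataDeviceId` would match what it checks. None of the storage tests added here feed a value that fails `verityNameRegex` (uppercase, digits or an empty string), so unless verity_test.go covers it, the `invalid 'name' value` branch in `Verity.IsValid` is untested. A small case asserting that error for a name like `"Root1"` would pin the restriction on the device-mapper name.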
@@ -5,25 +5,60 @@ package imagecustomizerapi import ( "fmt" + "regexp" +) + +const ( + DeviceMapperPath = "/dev/mapper" + + VerityRootDeviceName = "root" +) + +var ( + verityNameRegex = regexp.MustCompile("^[a-z]+$") ) type Verity struct { - DataPartition IdentifiedPartition `yaml:"dataPartition"` - HashPartition IdentifiedPartition `yaml:"hashPartition"` - CorruptionOption CorruptionOption `yaml:"corruptionOption"` + // ID is used to correlate `Verity` objects with `FileSystem` objects. + Id string `yaml:"id"` + // The name of the mapper block device. + // Must be 'root' for the rootfs (/) filesystem. + Name string `yaml:"name"` + // The ID of the 'Partition' to use as the data partition. + DataDeviceId string `yaml:"dataDeviceId"` + // The device ID type used to reference the data partition. + DataDeviceMountIdType MountIdentifierType `yaml:"dataDeviceMountIdType"` + // The ID of the 'Partition' to use as the hash partition. + HashDeviceId string `yaml:"hashDeviceId"` + // The device ID type used to reference the data partition. + HashDeviceMountIdType MountIdentifierType `yaml:"hashDeviceMountIdType"` + // How to handle corruption. + CorruptionOption CorruptionOption `yaml:"corruptionOption"` + + // The filesystem config that points to this verity device. + // Value is filled in by Storage.IsValid(). 
+ FileSystem *FileSystem } func (v *Verity) IsValid() error { - if err := v.DataPartition.IsValid(); err != nil { - return fmt.Errorf("invalid dataPartition: %v", err) + if v.Id == "" { + return fmt.Errorf("'id' may not be empty") + } + + if !verityNameRegex.MatchString(v.Name) { + return fmt.Errorf("invalid 'name' value (%s)", v.Name) + } + + if v.DataDeviceId == "" { + return fmt.Errorf("'dataDeviceId' may not be empty") } - if err := v.HashPartition.IsValid(); err != nil { - return fmt.Errorf("invalid hashPartition: %v", err) + if v.HashDeviceId == "" { + return fmt.Errorf("'hashDeviceId' may not be empty") } if err := v.CorruptionOption.IsValid(); err != nil { - return fmt.Errorf("invalid corruptionOption: %v", err) + return fmt.Errorf("invalid corruptionOption:\n%w", err) } return nil diff --git a/toolkit/tools/imagecustomizerapi/verity_test.go b/toolkit/tools/imagecustomizerapi/verity_test.go index 99283a5901e..94a11378cf1 100644 --- a/toolkit/tools/imagecustomizerapi/verity_test.go +++ b/toolkit/tools/imagecustomizerapi/verity_test.go 
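Review bot: `Verity.IsValid()` validates `CorruptionOption` but never checks `DataDeviceMountIdType` or `HashDeviceMountIdType`, so a misspelled value in the config is not rejected here. Elsewhere in this patch `systemdFormatPartitionId` only reports `invalid idType provided` once the grub config is being written. If `MountIdentifierType` has a validity check like `CorruptionOption` does (not visible in this hunk), calling it for both fields here would fail at config-validation time instead. The function also accepts `DataDeviceId == HashDeviceId`; `Storage.IsValid()` may catch that, but a direct comparison here is cheap. Separately, the comment above `HashDeviceMountIdType` is a copy of the data one and should read `// The device ID type used to reference the hash partition.`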
@@ -9,67 +9,74 @@ import ( "github.com/stretchr/testify/assert" ) -func TestVerityIsValidInvalidDataPartition(t *testing.T) { +func TestVerityIsValid(t *testing.T) { + validVerity := Verity{ + Id: "root", + Name: "root", + DataDeviceId: "root", + HashDeviceId: "roothash", + CorruptionOption: CorruptionOption("panic"), + } + + err := validVerity.IsValid() + assert.NoError(t, err) +} + +func TestVerityIsValidMissingId(t *testing.T) { invalidVerity := Verity{ - DataPartition: IdentifiedPartition{ - IdType: "part-uuid", - Id: "incorrect-uuid-format", - }, - HashPartition: IdentifiedPartition{ - IdType: "part-label", - Id: "hash_partition", - }, + Name: "root", + DataDeviceId: "root", + HashDeviceId: "roothash", } err := invalidVerity.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "invalid dataPartition") + assert.ErrorContains(t, err, "'id' may not be empty") } -func TestVerityIsValidInvalidHashPartition(t *testing.T) { +func TestVerityIsValidInvalidName(t *testing.T) { invalidVerity := Verity{ - DataPartition: IdentifiedPartition{ - IdType: "part-uuid", - Id: "123e4567-e89b-4d3a-a456-426614174000", - }, - HashPartition: IdentifiedPartition{ - IdType: "part-label", - Id: "", - }, + Id: "root", + Name: "$root", + DataDeviceId: "root", + HashDeviceId: "roothash", } err := invalidVerity.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "invalid hashPartition") + assert.ErrorContains(t, err, "invalid 'name' value ($root)") } -func TestVerityIsValid(t *testing.T) { - validVerity := Verity{ - DataPartition: IdentifiedPartition{ - IdType: "part-uuid", - Id: "123e4567-e89b-4d3a-a456-426614174000", - }, - HashPartition: IdentifiedPartition{ - IdType: "part-label", - Id: "hash_partition", - }, - CorruptionOption: CorruptionOption("panic"), +func TestVerityIsValidMissingDataDeviceId(t *testing.T) { + invalidVerity := Verity{ + Id: "root", + Name: "root", + HashDeviceId: "roothash", } - err := validVerity.IsValid() - assert.NoError(t, err) + err := 
invalidVerity.IsValid() + assert.Error(t, err) + assert.ErrorContains(t, err, "'dataDeviceId' may not be empty") +} + +func TestVerityIsValidMissingHashDeviceId(t *testing.T) { + invalidVerity := Verity{ + Id: "root", + Name: "root", + DataDeviceId: "root", + } + + err := invalidVerity.IsValid() + assert.Error(t, err) + assert.ErrorContains(t, err, "'hashDeviceId' may not be empty") } func TestVerityIsValidInvalidCorruptionOption(t *testing.T) { invalidVerity := Verity{ - DataPartition: IdentifiedPartition{ - IdType: "part-uuid", - Id: "123e4567-e89b-4d3a-a456-426614174000", - }, - HashPartition: IdentifiedPartition{ - IdType: "part-label", - Id: "hash_partition", - }, + Id: "root", + Name: "root", + DataDeviceId: "root", + HashDeviceId: "roothash", CorruptionOption: CorruptionOption("bad"), } diff --git a/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go b/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go index 0dd50767177..ab7d4ed8b77 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go +++ b/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go @@ -177,8 +177,10 @@ func (b *BootCustomizer) PrepareForVerity() error { return err } - // For verity, the root device will always be "/dev/mapper/root" - defaultGrubFileContent, err = UpdateDefaultGrubFileVariable(defaultGrubFileContent, "GRUB_DEVICE", "/dev/mapper/root") + // For rootfs verity, the root device will always be "/dev/mapper/root" + rootDevicePath := verityDevicePathFromName(imagecustomizerapi.VerityRootDeviceName) + defaultGrubFileContent, err = UpdateDefaultGrubFileVariable(defaultGrubFileContent, "GRUB_DEVICE", + rootDevicePath) if err != nil { return err } diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeos.go b/toolkit/tools/pkg/imagecustomizerlib/customizeos.go index b0b91d6273f..37ca4c745a9 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeos.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeos.go 
@@ -80,7 +80,7 @@ func doOsCustomizations(buildDir string, baseConfigPath string, config *imagecus return err } - verityUpdated, err := enableVerityPartition(config.OS.Verity, imageChroot) + verityUpdated, err := enableVerityPartition(config.Storage.Verity, imageChroot) if err != nil { return err } diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go b/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go index 1b12678dc3b..b299a7dcc5a 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go @@ -14,11 +14,11 @@ import ( "github.com/microsoft/azurelinux/toolkit/tools/internal/safechroot" ) -func enableVerityPartition(verity *imagecustomizerapi.Verity, imageChroot *safechroot.Chroot, +func enableVerityPartition(verity []imagecustomizerapi.Verity, imageChroot *safechroot.Chroot, ) (bool, error) { var err error - if verity == nil { + if len(verity) <= 0 { return false, nil } @@ -37,7 +37,7 @@ func enableVerityPartition(verity *imagecustomizerapi.Verity, imageChroot *safec return false, fmt.Errorf("failed to add dracut modules for verity:\n%w", err) } - err = updateFstabForVerity(imageChroot) + err = updateFstabForVerity(verity, imageChroot) if err != nil { return false, fmt.Errorf("failed to update fstab file for verity:\n%w", err) } @@ -50,7 +50,7 @@ func enableVerityPartition(verity *imagecustomizerapi.Verity, imageChroot *safec return true, nil } -func updateFstabForVerity(imageChroot *safechroot.Chroot) error { +func updateFstabForVerity(verityList []imagecustomizerapi.Verity, imageChroot *safechroot.Chroot) error { var err error fstabFile := filepath.Join(imageChroot.RootDir(), "etc", "fstab") 
@@ -59,18 +59,27 @@ func updateFstabForVerity(imageChroot *safechroot.Chroot) error { return fmt.Errorf("failed to read fstab file: %v", err) } - var updatedEntries []diskutils.FstabEntry - for _, entry := range fstabEntries { - if entry.Target == "/" { - // Replace existing root partition line with the Verity target. - entry.Source = "/dev/mapper/root" - entry.Options = "ro," + entry.Options + // Update fstab entries so that verity mounts point to verity device paths. + for _, verity := range verityList { + if verity.FileSystem == nil || verity.FileSystem.MountPoint == nil { + // No mount point assigned to verity device. + continue + } + + mountPath := verity.FileSystem.MountPoint.Path + + for j := range fstabEntries { + entry := &fstabEntries[j] + if entry.Target == mountPath { + // Replace mount's source with verity device. + entry.Source = verityDevicePath(verity) + entry.Options = "ro," + entry.Options + } } - updatedEntries = append(updatedEntries, entry) } // Write the updated fstab entries back to the fstab file - err = diskutils.WriteFstabFile(updatedEntries, fstabFile) + err = diskutils.WriteFstabFile(fstabEntries, fstabFile) if err != nil { return err } 
@@ -97,22 +106,24 @@ func prepareGrubConfigForVerity(imageChroot *safechroot.Chroot) error { return nil } -func updateGrubConfigForVerity(verity *imagecustomizerapi.Verity, rootHash string, grubCfgFullPath string, - partIdToPartUuid map[string]string, +func updateGrubConfigForVerity(rootfsVerity imagecustomizerapi.Verity, rootHash string, grubCfgFullPath string, + partIdToPartUuid map[string]string, partitions []diskutils.PartitionInfo, ) error { var err error // Format the dataPartitionId and hashPartitionId using the helper function. - formattedDataPartition, err := systemdFormatPartitionId(verity.DataPartition, partIdToPartUuid) + formattedDataPartition, err := systemdFormatPartitionId(rootfsVerity.DataDeviceId, + rootfsVerity.DataDeviceMountIdType, partIdToPartUuid, partitions) if err != nil { return err } - formattedHashPartition, err := systemdFormatPartitionId(verity.HashPartition, partIdToPartUuid) + formattedHashPartition, err := systemdFormatPartitionId(rootfsVerity.HashDeviceId, + rootfsVerity.HashDeviceMountIdType, partIdToPartUuid, partitions) if err != nil { return err } - formattedCorruptionOption, err := systemdFormatCorruptionOption(verity.CorruptionOption) + formattedCorruptionOption, err := systemdFormatCorruptionOption(rootfsVerity.CorruptionOption) if err != nil { return err } 
@@ -141,13 +152,16 @@ func updateGrubConfigForVerity(verity *imagecustomizerapi.Verity, rootHash strin return fmt.Errorf("failed to set verity kernel command line args:\n%w", err) } + rootDevicePath := verityDevicePath(rootfsVerity) + if grubMkconfigEnabled { - grub2Config, err = updateKernelCommandLineArgs(grub2Config, []string{"root"}, []string{"root=/dev/mapper/root"}) + grub2Config, err = updateKernelCommandLineArgs(grub2Config, []string{"root"}, + []string{"root=" + rootDevicePath}) if err != nil { return fmt.Errorf("failed to set verity root command-line arg:\n%w", err) } } else { - grub2Config, err = replaceSetCommandValue(grub2Config, "rootdevice", "/dev/mapper/root") + grub2Config, err = replaceSetCommandValue(grub2Config, "rootdevice", rootDevicePath) if err != nil { return fmt.Errorf("failed to set verity root device:\n%w", err) } 
@@ -161,67 +175,59 @@ func updateGrubConfigForVerity(verity *imagecustomizerapi.Verity, rootHash strin return nil } +func verityDevicePath(verity imagecustomizerapi.Verity) string { + return verityDevicePathFromName(verity.Name) +} + +func verityDevicePathFromName(name string) string { + return imagecustomizerapi.DeviceMapperPath + "/" + name +} + // idToPartitionBlockDevicePath returns the block device path for a given idType and id. -func idToPartitionBlockDevicePath(partitionId imagecustomizerapi.IdentifiedPartition, +func idToPartitionBlockDevicePath(configDeviceId string, diskPartitions []diskutils.PartitionInfo, partIdToPartUuid map[string]string, ) (string, error) { // Iterate over each partition to find the matching id. for _, partition := range diskPartitions { - matches, err := partitionMatchesId(partitionId, partition, partIdToPartUuid) - if err != nil { - return "", err - } - - if matches { + if partitionMatchesDeviceId(configDeviceId, partition, partIdToPartUuid) { return partition.Path, nil } } // If no partition is found with the given id. 
- return "", fmt.Errorf("no partition found for %s: %s", partitionId.IdType, partitionId.Id) + return "", fmt.Errorf("no partition found with id (%s)", configDeviceId) } -func partitionMatchesId(partitionId imagecustomizerapi.IdentifiedPartition, partition diskutils.PartitionInfo, +func partitionMatchesDeviceId(configDeviceId string, partition diskutils.PartitionInfo, partIdToPartUuid map[string]string, -) (bool, error) { - switch partitionId.IdType { - case imagecustomizerapi.IdTypeId: - partUuid := partIdToPartUuid[partitionId.Id] - return partition.PartUuid == partUuid, nil - - case imagecustomizerapi.IdTypePartLabel: - return partition.PartLabel == partitionId.Id, nil - - case imagecustomizerapi.IdTypeUuid: - return partition.Uuid == partitionId.Id, nil - - case imagecustomizerapi.IdTypePartUuid: - return partition.PartUuid == partitionId.Id, nil - - default: - return true, fmt.Errorf("invalid idType provided (%s)", string(partitionId.IdType)) - } +) bool { + partUuid := partIdToPartUuid[configDeviceId] + return partition.PartUuid == partUuid } // systemdFormatPartitionId formats the partition ID based on the ID type following systemd dm-verity style. 
-func systemdFormatPartitionId(partition imagecustomizerapi.IdentifiedPartition, partIdToPartUuid map[string]string, +func systemdFormatPartitionId(configDeviceId string, mountIdType imagecustomizerapi.MountIdentifierType, + partIdToPartUuid map[string]string, partitions []diskutils.PartitionInfo, ) (string, error) { - switch partition.IdType { - case imagecustomizerapi.IdTypeId: - partUuid := partIdToPartUuid[partition.Id] - return fmt.Sprintf("%s=%s", "PARTUUID", partUuid), nil + partUuid := partIdToPartUuid[configDeviceId] + + partition, _, err := findPartition(imagecustomizerapi.MountIdentifierTypePartUuid, partUuid, partitions) + if err != nil { + return "", err + } - case imagecustomizerapi.IdTypePartLabel: - return fmt.Sprintf("%s=%s", "PARTLABEL", partition.Id), nil + switch mountIdType { + case imagecustomizerapi.MountIdentifierTypePartLabel: + return fmt.Sprintf("%s=%s", "PARTLABEL", partition.PartLabel), nil - case imagecustomizerapi.IdTypeUuid: - return fmt.Sprintf("%s=%s", "UUID", partition.Id), nil + case imagecustomizerapi.MountIdentifierTypeUuid: + return fmt.Sprintf("%s=%s", "UUID", partition.Uuid), nil - case imagecustomizerapi.IdTypePartUuid: - return fmt.Sprintf("%s=%s", "PARTUUID", partition.Id), nil + case imagecustomizerapi.MountIdentifierTypePartUuid, imagecustomizerapi.MountIdentifierTypeDefault: + return fmt.Sprintf("%s=%s", "PARTUUID", partition.PartUuid), nil default: - return "", fmt.Errorf("invalid idType provided (%s)", string(partition.IdType)) + return "", fmt.Errorf("invalid idType provided (%s)", string(mountIdType)) } } diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeverity_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizeverity_test.go index 0f96fc2a8d0..9cade94f8e2 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeverity_test.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeverity_test.go 
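Review bot: `partitionMatchesDeviceId` and `systemdFormatPartitionId` both read `partIdToPartUuid[configDeviceId]` without checking that the key exists, so an unknown device ID yields an empty string that is then compared against partition PARTUUIDs. If any partition reports an empty PARTUUID, it would match, and the verity data or hash device could resolve to the wrong partition instead of failing. Use the two-value lookup, e.g. `partUuid, ok := partIdToPartUuid[configDeviceId]` with `return ok && partition.PartUuid == partUuid` in the matcher, and return an explicit error in the formatter. In the `part-label` and `uuid` branches it would also help to reject an empty `partition.PartLabel` / `partition.Uuid`, since an empty `PARTLABEL=` on the kernel command line cannot resolve to a device.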
@@ -157,7 +157,7 @@ func testCustomizeImageVerityShrinkExtractHelper(t *testing.T, testName string, // Verify that verity is configured correctly. verifyVerity(t, bootMountPath, rootDevice.DevicePath(), hashDevice.DevicePath(), "PARTLABEL=root", - "PARTLABEL=root-hash") + "PARTLABEL=roothash") } func verifyVerity(t *testing.T, bootPath string, rootDevice string, hashDevice string, rootId string, hashId string) { diff --git a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go index a3d3bf85652..1c5764cb59b 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go +++ b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go @@ -15,7 +15,6 @@ import ( "github.com/microsoft/azurelinux/toolkit/tools/imagegen/diskutils" "github.com/microsoft/azurelinux/toolkit/tools/internal/file" "github.com/microsoft/azurelinux/toolkit/tools/internal/logger" - "github.com/microsoft/azurelinux/toolkit/tools/internal/ptrutils" "github.com/microsoft/azurelinux/toolkit/tools/internal/safeloopback" "github.com/microsoft/azurelinux/toolkit/tools/internal/safemount" "github.com/microsoft/azurelinux/toolkit/tools/internal/shell" 
@@ -370,18 +369,13 @@ func customizeOSContents(ic *ImageCustomizerParameters) error { // Shrink the filesystems. if ic.enableShrinkFilesystems { - verityHashPartitionId := (*imagecustomizerapi.IdentifiedPartition)(nil) - if ic.config.OS.Verity != nil { - verityHashPartitionId = ptrutils.PtrTo(ic.config.OS.Verity.HashPartition) - } - - err = shrinkFilesystemsHelper(ic.rawImageFile, verityHashPartitionId, partIdToPartUuid) + err = shrinkFilesystemsHelper(ic.rawImageFile, ic.config.Storage.Verity, partIdToPartUuid) if err != nil { return fmt.Errorf("failed to shrink filesystems:\n%w", err) } } - if ic.config.OS.Verity != nil { + if len(ic.config.Storage.Verity) > 0 { // Customize image for dm-verity, setting up verity metadata and security features. err = customizeVerityImageHelper(ic.buildDirAbs, ic.configPath, ic.config, ic.rawImageFile, partIdToPartUuid) if err != nil { @@ -711,7 +705,7 @@ func extractPartitionsHelper(rawImageFile string, outputDir string, outputBasena return nil } -func shrinkFilesystemsHelper(buildImageFile string, verityHashPartition *imagecustomizerapi.IdentifiedPartition, +func shrinkFilesystemsHelper(buildImageFile string, verity []imagecustomizerapi.Verity, partIdToPartUuid map[string]string, ) error { imageLoopback, err := safeloopback.NewLoopback(buildImageFile) @@ -721,7 +715,7 @@ func shrinkFilesystemsHelper(buildImageFile string, verityHashPartition *imagecu defer imageLoopback.Close() // Shrink the filesystems. - err = shrinkFilesystems(imageLoopback.DevicePath(), verityHashPartition, partIdToPartUuid) + err = shrinkFilesystems(imageLoopback.DevicePath(), verity, partIdToPartUuid) if err != nil { return err } 
@@ -750,12 +744,16 @@ func customizeVerityImageHelper(buildDir string, baseConfigPath string, config * return err } + // Verity support is limited to only rootfs at the moment, which is verified in the API validity checks. + // Hence, it is safe to assume that index 0 is rootfs. + rootfsVerity := config.Storage.Verity[0] + // Extract the partition block device path. - dataPartition, err := idToPartitionBlockDevicePath(config.OS.Verity.DataPartition, diskPartitions, partIdToPartUuid) + dataPartition, err := idToPartitionBlockDevicePath(rootfsVerity.DataDeviceId, diskPartitions, partIdToPartUuid) if err != nil { return err } - hashPartition, err := idToPartitionBlockDevicePath(config.OS.Verity.HashPartition, diskPartitions, partIdToPartUuid) + hashPartition, err := idToPartitionBlockDevicePath(rootfsVerity.HashDeviceId, diskPartitions, partIdToPartUuid) if err != nil { return err } @@ -801,7 +799,7 @@ func customizeVerityImageHelper(buildDir string, baseConfigPath string, config * return fmt.Errorf("failed to stat file (%s):\n%w", grubCfgFullPath, err) } - err = updateGrubConfigForVerity(config.OS.Verity, rootHash, grubCfgFullPath, partIdToPartUuid) + err = updateGrubConfigForVerity(rootfsVerity, rootHash, grubCfgFullPath, partIdToPartUuid, diskPartitions) if err != nil { return err } diff --git a/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go b/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go index e7332d54ef8..98c4695a4f9 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go +++ b/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go 
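Review bot: `rootfsVerity := config.Storage.Verity[0]` picks the root device by position, while `updateFstabForVerity` in the same patch walks every entry of the list. The comment says the API validation guarantees index 0 is the rootfs, but that validation is outside this hunk. If it is ever relaxed, the grub root-hash arguments would be written for whichever entry happens to be first. Selecting the entry whose `Name` equals `imagecustomizerapi.VerityRootDeviceName`, and returning an error when none matches, keeps the assumption checked where it is used. The body of `customizeVerityImageHelper` continues outside the hunk.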
@@ -305,6 +305,17 @@ func findSourcePartitionHelper(source string, return imagecustomizerapi.MountIdentifierTypeDefault, diskutils.PartitionInfo{}, 0, err } + partition, partitionIndex, err := findPartition(mountIdType, mountId, partitions) + if err != nil { + return imagecustomizerapi.MountIdentifierTypeDefault, diskutils.PartitionInfo{}, 0, err + } + + return mountIdType, partition, partitionIndex, nil +} + +func findPartition(mountIdType imagecustomizerapi.MountIdentifierType, mountId string, + partitions []diskutils.PartitionInfo, +) (diskutils.PartitionInfo, int, error) { matchedPartitionIndexes := []int(nil) for i, partition := range partitions { matches := false @@ -322,18 +333,18 @@ func findSourcePartitionHelper(source string, } if len(matchedPartitionIndexes) < 1 { - err := fmt.Errorf("partition not found (%s)", source) - return imagecustomizerapi.MountIdentifierTypeDefault, diskutils.PartitionInfo{}, 0, err + err := fmt.Errorf("partition not found (%s=%s)", mountIdType, mountId) + return diskutils.PartitionInfo{}, 0, err } if len(matchedPartitionIndexes) > 1 { - err := fmt.Errorf("too many matches for partition found (%s)", source) - return imagecustomizerapi.MountIdentifierTypeDefault, diskutils.PartitionInfo{}, 0, err + err := fmt.Errorf("too many matches for partition found (%s=%s)", mountIdType, mountId) + return diskutils.PartitionInfo{}, 0, err } partitionIndex := matchedPartitionIndexes[0] partition := partitions[partitionIndex] - return mountIdType, partition, partitionIndex, nil + return partition, partitionIndex, nil } func parseSourcePartition(source string) (imagecustomizerapi.MountIdentifierType, string, error) { diff --git a/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go b/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go index f444de5a1b1..798616a87a2 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go +++ b/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go 
@@ -23,7 +23,7 @@ var ( fdiskPartitionsTableEntryRegexp = regexp.MustCompile(`^([0-9A-Za-z-_/]+)[\t ]+(\d+)[\t ]+`) ) -func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomizerapi.IdentifiedPartition, +func shrinkFilesystems(imageLoopDevice string, verity []imagecustomizerapi.Verity, partIdToPartUuid map[string]string, ) error { logger.Log.Infof("Shrinking filesystems") @@ -54,13 +54,9 @@ func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomi continue } - if verityHashPartition != nil { - matches, err := partitionMatchesId(*verityHashPartition, diskPartition, partIdToPartUuid) - if err != nil { - return err - } - - if matches { + // Don't try to shrink verity hash partitions. + for _, verityItem := range verity { + if partitionMatchesDeviceId(verityItem.HashDeviceId, diskPartition, partIdToPartUuid) { logger.Log.Infof("Shrinking partition (%s): skipping verity hash partition", partitionLoopDevice) continue } diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-config.yaml index 070fe15497b..8106c5da599 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-config.yaml +++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-config.yaml @@ -24,6 +24,13 @@ storage: - id: var start: 3200M + verity: + - id: verityroot + name: root + dataDeviceId: root + hashDeviceId: roothash + corruptionOption: panic + filesystems: - deviceId: esp type: fat32 @@ -36,7 +43,7 @@ storage: mountPoint: path: /boot - - deviceId: root + - deviceId: verityroot type: ext4 mountPoint: path: / @@ -60,15 +67,6 @@ os: - veritysetup - vim - verity: - corruptionOption: panic - dataPartition: - idType: id - id: root - hashPartition: - idType: id - id: roothash - additionalFiles: # Change the directory that the sshd-keygen service writes the SSH host keys to. - source: files/sshd-keygen.service 
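Review bot: In the second hunk of `shrinkFilesystems`, the `continue` now sits inside the new `for _, verityItem := range verity` loop, so it only advances that inner loop and no longer skips the partition. The old `continue` applied to the enclosing per-partition loop, which starts outside the hunk. After this change a verity hash partition appears to fall through to the shrink logic even though the log line says it is being skipped. Either label the outer loop and use a labelled `continue`, or set a flag in the inner loop (`isVerityHash = true; break`) and `continue` on it after the loop. A test config whose hash partition carries a filesystem the shrink step would act on should catch this.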
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-partition-labels.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-partition-labels.yaml index 73cfd190b7d..f4d3f19067a 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-partition-labels.yaml +++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-partition-labels.yaml @@ -18,14 +18,23 @@ storage: start: 1024M end: 3072M - - id: verityhash - label: root-hash + - id: roothash + label: roothash start: 3072M end: 3200M - id: var start: 3200M + verity: + - id: verityroot + name: root + dataDeviceId: root + hashDeviceId: roothash + dataDeviceMountIdType: part-label + hashDeviceMountIdType: part-label + corruptionOption: panic + filesystems: - deviceId: esp type: fat32 @@ -38,13 +47,10 @@ storage: mountPoint: path: /boot - - deviceId: root + - deviceId: verityroot type: ext4 mountPoint: path: / - - - deviceId: verityhash - type: fat32 - deviceId: var type: ext4 @@ -65,15 +71,6 @@ os: - veritysetup - vim - verity: - corruptionOption: panic - dataPartition: - idType: part-label - id: root - hashPartition: - idType: part-label - id: root-hash - additionalFiles: # Change the directory that the sshd-keygen service writes the SSH host keys to. - source: files/sshd-keygen.service diff --git a/toolkit/tools/pkg/imagecustomizerlib/typeConversion.go b/toolkit/tools/pkg/imagecustomizerlib/typeConversion.go index 545acc77506..a13d1efbbb8 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/typeConversion.go +++ b/toolkit/tools/pkg/imagecustomizerlib/typeConversion.go @@ -80,7 +80,7 @@ func partitionToImager(partition imagecustomizerapi.Partition, fileSystems []ima ) (configuration.Partition, error) { fileSystem, _ := sliceutils.FindValueFunc(fileSystems, func(fileSystem imagecustomizerapi.FileSystem) bool { - return fileSystem.DeviceId == partition.Id + return fileSystem.PartitionId == partition.Id }, ) 
@@ -157,7 +157,7 @@ func partitionSettingToImager(fileSystem imagecustomizerapi.FileSystem, } imagerPartitionSetting := configuration.PartitionSetting{ - ID: fileSystem.DeviceId, + ID: fileSystem.PartitionId, MountIdentifier: imagerMountIdentifierType, MountOptions: mountOptions, MountPoint: mountPath, From 59216ae4b3c62c284f74451a5927509ba2530724 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 25 Oct 2024 22:28:33 -0400 Subject: [PATCH 07/21] [AUTOPATCHER-kernel] Kernel CVE - branch 3.0-dev - CVE-2024-46863 CVE-2024-26596 CVE-2024-27017 CVE-2024-27012 CVE-2024-36478 CVE-2024-46710 (#10631) --- SPECS/kernel/CVE-2024-26596.nopatch | 3 +++ SPECS/kernel/CVE-2024-27012.nopatch | 3 +++ SPECS/kernel/CVE-2024-27017.nopatch | 3 +++ SPECS/kernel/CVE-2024-36478.nopatch | 3 +++ SPECS/kernel/CVE-2024-46710.nopatch | 3 +++ SPECS/kernel/CVE-2024-46863.nopatch | 4 ++++ 6 files changed, 19 insertions(+) create mode 100644 SPECS/kernel/CVE-2024-26596.nopatch create mode 100644 SPECS/kernel/CVE-2024-27012.nopatch create mode 100644 SPECS/kernel/CVE-2024-27017.nopatch create mode 100644 SPECS/kernel/CVE-2024-36478.nopatch create mode 100644 SPECS/kernel/CVE-2024-46710.nopatch create mode 100644 SPECS/kernel/CVE-2024-46863.nopatch diff --git a/SPECS/kernel/CVE-2024-26596.nopatch b/SPECS/kernel/CVE-2024-26596.nopatch new file mode 100644 index 00000000000..2883929ae05 --- /dev/null +++ b/SPECS/kernel/CVE-2024-26596.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26596 - patched in 6.6.56.1 - (generated by autopatch tool) +upstream 844f104790bd69c2e4dbb9ee3eba46fde1fcea7b - stable 69a1e2d938dbbfcff0e064269adf60ad26dbb102 + diff --git a/SPECS/kernel/CVE-2024-27012.nopatch b/SPECS/kernel/CVE-2024-27012.nopatch new file mode 100644 index 00000000000..abd9f232a1e --- /dev/null +++ b/SPECS/kernel/CVE-2024-27012.nopatch 
@@ -0,0 +1,3 @@
+CVE-2024-27012 - patched in 6.6.56.1 - (generated by autopatch tool)
+upstream e79b47a8615d42c68aaeb68971593333667382ed - stable 164936b2fc88883341fe7a2d9c42b69020e5cafd
+
diff --git a/SPECS/kernel/CVE-2024-27017.nopatch b/SPECS/kernel/CVE-2024-27017.nopatch
new file mode 100644
index 00000000000..36648a61f15
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-27017.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-27017 - patched in 6.6.56.1 - (generated by autopatch tool)
+upstream 29b359cf6d95fd60730533f7f10464e95bd17c73 - stable f24d8abc2bb8cbf31ec713336e402eafa8f42f60
+
diff --git a/SPECS/kernel/CVE-2024-36478.nopatch b/SPECS/kernel/CVE-2024-36478.nopatch
new file mode 100644
index 00000000000..ce23bbd7dd2
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-36478.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-36478 - patched in 6.6.56.1 - (generated by autopatch tool)
+upstream a2db328b0839312c169eb42746ec46fc1ab53ed2 - stable aaadb755f2d684f715a6eb85cb7243aa0c67dfa9
+
diff --git a/SPECS/kernel/CVE-2024-46710.nopatch b/SPECS/kernel/CVE-2024-46710.nopatch
new file mode 100644
index 00000000000..c417b22b265
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46710.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46710 - patched in 6.6.56.1 - (generated by autopatch tool)
+upstream aba07b9a0587f50e5d3346eaa19019cf3f86c0ea - stable 0851b1ec650adadcaa23ec96daad95a55bf966f0
+
diff --git a/SPECS/kernel/CVE-2024-46863.nopatch b/SPECS/kernel/CVE-2024-46863.nopatch
new file mode 100644
index 00000000000..84be2916e20
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46863.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-46863 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: c4246f1fe9f24f8dcd97887ed67d8fcfd91f4796
+upstream introducing commit: dd3bd9dc47084195fcb3c1b371cb03046abb13ab
+
From 1346b9143d48c7c2f3c0d020358b0ac95eb5f9ac Mon Sep 17 00:00:00 2001
From: Thien Trung Vuong Date: Fri, 25 Oct 2024 20:14:11 -0700 Subject: [PATCH 08/21] dracut: make tpm2-tss an optional dependency of systemd-pcrphase (#10693) Signed-off-by: Thien Trung Vuong --- ...-not-try-to-include-systemd-pcrphase.patch | 57 +++++++++++++++++++ ...make-tpm2-tss-an-optional-dependency.patch | 32 +++++++++++ SPECS/dracut/dracut.spec | 7 ++- 3 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 SPECS/dracut/0014-fix-systemd-pcrphase-in-hostonly-mode-do-not-try-to-include-systemd-pcrphase.patch create mode 100644 SPECS/dracut/0015-fix-systemd-pcrphase-make-tpm2-tss-an-optional-dependency.patch diff --git a/SPECS/dracut/0014-fix-systemd-pcrphase-in-hostonly-mode-do-not-try-to-include-systemd-pcrphase.patch b/SPECS/dracut/0014-fix-systemd-pcrphase-in-hostonly-mode-do-not-try-to-include-systemd-pcrphase.patch new file mode 100644 index 00000000000..1531e2a6663 --- /dev/null +++ b/SPECS/dracut/0014-fix-systemd-pcrphase-in-hostonly-mode-do-not-try-to-include-systemd-pcrphase.patch 
@@ -0,0 +1,57 @@ +From 96d153fe927987ce31a1f876b7eeea6fe9cee06a Mon Sep 17 00:00:00 2001 +From: Laszlo Gombos +Date: Thu, 30 May 2024 10:06:04 -0400 +Subject: [PATCH] fix(systemd-pcrphase): in hostonly mode do not try to include + systemd-pcrphase + +--- + modules.d/01systemd-pcrphase/module-setup.sh | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/modules.d/01systemd-pcrphase/module-setup.sh b/modules.d/01systemd-pcrphase/module-setup.sh +index eb8520799..922711709 100755 +--- a/modules.d/01systemd-pcrphase/module-setup.sh ++++ b/modules.d/01systemd-pcrphase/module-setup.sh +@@ -4,7 +4,6 @@ + + # Prerequisite check(s) for module. + check() { +- + # If the binary(s) requirements are not fulfilled the module can't be installed. + # systemd-255 renamed the binary, check for old and new location. + if ! require_binaries "$systemdutildir"/systemd-pcrphase \ +@@ -12,23 +11,24 @@ check() { + return 1 + fi + +- return 0 ++ if [[ $hostonly ]]; then ++ return 255 ++ fi + ++ return 0 + } + + # Module dependency requirements. + depends() { +- + # This module has external dependency on other module(s). + echo systemd tpm2-tss ++ + # Return 0 to include the dependent module(s) in the initramfs. + return 0 +- + } + + # Install the required file(s) and directories for the module in the initramfs. + install() { +- + inst_multiple -o \ + "$systemdutildir"/systemd-pcrphase \ + "$systemdutildir"/systemd-pcrextend \ +@@ -43,5 +43,4 @@ install() { + "$systemdsystemconfdir/systemd-pcrphase-initrd.service.d/*.conf" \ + "$systemdsystemconfdir"/initrd.target.wants/systemd-pcrphase-initrd.service + fi +- + } diff --git a/SPECS/dracut/0015-fix-systemd-pcrphase-make-tpm2-tss-an-optional-dependency.patch b/SPECS/dracut/0015-fix-systemd-pcrphase-make-tpm2-tss-an-optional-dependency.patch new file mode 100644 index 00000000000..8f89fddc973 --- /dev/null +++ b/SPECS/dracut/0015-fix-systemd-pcrphase-make-tpm2-tss-an-optional-dependency.patch 
@@ -0,0 +1,32 @@ +From a2193b71f7be75f719eec29faacae36ab25e9147 Mon Sep 17 00:00:00 2001 +From: Laszlo Gombos +Date: Fri, 5 Jul 2024 14:17:00 -0400 +Subject: [PATCH] fix(systemd-pcrphase): make tpm2-tss an optional dependency + +--- + modules.d/01systemd-pcrphase/module-setup.sh | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/modules.d/01systemd-pcrphase/module-setup.sh b/modules.d/01systemd-pcrphase/module-setup.sh +index 922711709..3016d7e44 100755 +--- a/modules.d/01systemd-pcrphase/module-setup.sh ++++ b/modules.d/01systemd-pcrphase/module-setup.sh +@@ -21,7 +21,17 @@ check() { + # Module dependency requirements. + depends() { + # This module has external dependency on other module(s). +- echo systemd tpm2-tss ++ ++ local deps ++ deps="systemd" ++ ++ # optional dependencies ++ module="tpm2-tss" ++ module_check $module > /dev/null 2>&1 ++ if [[ $? == 255 ]]; then ++ deps+=" $module" ++ fi ++ echo "$deps" + + # Return 0 to include the dependent module(s) in the initramfs. + return 0 diff --git a/SPECS/dracut/dracut.spec b/SPECS/dracut/dracut.spec index 2b7812a5929..2b9b86aea26 100644 --- a/SPECS/dracut/dracut.spec +++ b/SPECS/dracut/dracut.spec @@ -4,7 +4,7 @@ Summary: dracut to create initramfs Name: dracut Version: 102 -Release: 5%{?dist} +Release: 6%{?dist} # The entire source code is GPLv2+ # except install/* which is LGPLv2+ License: GPLv2+ AND LGPLv2+ @@ -34,6 +34,8 @@ Patch: 0006-dracut.sh-validate-instmods-calls.patch Patch: 0011-Remove-reference-to-kernel-module-zlib-in-fips-module.patch Patch: 0012-fix-dracut-functions-avoid-awk-in-get_maj_min.patch Patch: 0013-revert-fix-crypt-unlock-encrypted-devices-by-default.patch +Patch: 0014-fix-systemd-pcrphase-in-hostonly-mode-do-not-try-to-include-systemd-pcrphase.patch +Patch: 0015-fix-systemd-pcrphase-make-tpm2-tss-an-optional-dependency.patch BuildRequires: bash BuildRequires: kmod-devel 
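Review bot: `module="tpm2-tss"` in the new `depends()` body is assigned without `local`, while `deps` two lines above is declared local, so the name leaks into the shell that sources module-setup.sh; `local deps module` keeps both scoped. The test `[[ $? == 255 ]]` adds tpm2-tss only when `module_check` returns exactly 255, and because its output goes to `/dev/null` the module is otherwise installed without the TPM stack and without any message. A comment above the test saying which return values are expected, and that PCR extension presumably cannot work when tpm2-tss is left out, would help whoever has to debug a measured-boot failure later.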
@@ -288,6 +290,9 @@ ln -srv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_sbindir}/%{name} %dir %{_sharedstatedir}/%{name}/overlay %changelog +* Thu Oct 10 2024 Thien Trung Vuong - 102-6 +- Add patch to make tpm2-tss an optional dependency for systemd-pcrphase + * Sun Oct 06 2024 Jon Slobodzian - 102-5 - Bump version to build with latest systemd From 2a21a73548b78438454deb2aee82ced1ee55926a Mon Sep 17 00:00:00 2001 From: Saul Paredes <30801614+Redent0r@users.noreply.github.com> Date: Mon, 28 Oct 2024 10:46:39 -0700 Subject: [PATCH 09/21] kernel-mshv: Increase build verbosity (#10851) Signed-off-by: Saul Paredes --- SPECS/kernel-mshv/kernel-mshv.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/SPECS/kernel-mshv/kernel-mshv.spec b/SPECS/kernel-mshv/kernel-mshv.spec index e2457615269..280a7400393 100644 --- a/SPECS/kernel-mshv/kernel-mshv.spec +++ b/SPECS/kernel-mshv/kernel-mshv.spec @@ -11,7 +11,7 @@ Summary: Mariner kernel that has MSHV Host support Name: kernel-mshv Version: 5.15.157.mshv1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 Group: Development/Tools Vendor: Microsoft Corporation @@ -91,7 +91,7 @@ sed -i 's/CONFIG_LOCALVERSION=""/CONFIG_LOCALVERSION="-%{release}"/' .config make LC_ALL= ARCH=%{arch} olddefconfig %build -make VERBOSE=1 KBUILD_BUILD_VERSION="1" KBUILD_BUILD_HOST="CBL-Mariner" ARCH=%{arch} %{?_smp_mflags} +make VERBOSE=1 V=1 KBUILD_VERBOSE=1 KBUILD_BUILD_VERSION="1" KBUILD_BUILD_HOST="CBL-Mariner" ARCH=%{arch} %{?_smp_mflags} %define __modules_install_post \ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ @@ -224,6 +224,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_includedir}/perf/perf_dlfilter.h %changelog +* Fri Oct 25 2024 Saul Paredes - 5.15.157.mshv1-3 +- Increase build verbosity + * Mon Jul 08 2024 Mitch Zhu - 5.15.157.mshv1-2 - Update config to enable PSI for cgroup-memory-telemetry From 015c33535063b04262d817c073e0feb631c51437 Mon Sep 17 00:00:00 2001 
From: Rohit Rawat Date: Tue, 29 Oct 2024 21:02:12 +0530 Subject: [PATCH 10/21] Valkey: disable flaky mem tests (#10873) --- SPECS/valkey/disable-mem-defrag-tests.patch | 30 +++++++++++++++++++++ SPECS/valkey/valkey.spec | 6 ++++- 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 SPECS/valkey/disable-mem-defrag-tests.patch diff --git a/SPECS/valkey/disable-mem-defrag-tests.patch b/SPECS/valkey/disable-mem-defrag-tests.patch new file mode 100644 index 00000000000..880afd18b00 --- /dev/null +++ b/SPECS/valkey/disable-mem-defrag-tests.patch @@ -0,0 +1,30 @@ +From d9f795c8181d2db70626b7d43ebb2e6e8d2fbed8 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Tue, 29 Oct 2024 14:10:20 +0000 +Subject: [PATCH] Disable flaky mem defrag tests + +--- + tests/unit/memefficiency.tcl | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/unit/memefficiency.tcl b/tests/unit/memefficiency.tcl +index d5a6a6e..37e1711 100644 +--- a/tests/unit/memefficiency.tcl ++++ b/tests/unit/memefficiency.tcl +@@ -720,6 +720,7 @@ run_solo {defrag} { + } + } + ++ if {0} { + start_cluster 1 0 {tags {"defrag external:skip cluster"} overrides {appendonly yes auto-aof-rewrite-percentage 0 save ""}} { + test_active_defrag "cluster" + } +@@ -727,4 +728,5 @@ run_solo {defrag} { + start_server {tags {"defrag external:skip standalone"} overrides {appendonly yes auto-aof-rewrite-percentage 0 save ""}} { + test_active_defrag "standalone" + } ++ } + } ;# run_solo +-- +2.39.4 + diff --git a/SPECS/valkey/valkey.spec b/SPECS/valkey/valkey.spec index 5ebe3431a1d..3ca7c376852 100644 --- a/SPECS/valkey/valkey.spec +++ b/SPECS/valkey/valkey.spec @@ -1,7 +1,7 @@ Summary: advanced key-value store Name: valkey Version: 8.0.0 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Azure Linux 
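Review bot: The `if {0} {` wrapper switches off both `test_active_defrag "cluster"` and `test_active_defrag "standalone"` with no comment in the Tcl file, so the patched source does not say why the coverage is gone or when it can return. Active defrag relocates live allocations, so these look like tests worth getting back rather than dropping for good. I would put a comment directly above the wrapper, `# Azure Linux packaging: active-defrag tests disabled as flaky in the build environment; re-enable once <tracking-issue placeholder> is resolved`, and keep the closing `}` commented the same way so the pair is easy to find.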
@@ -9,6 +9,7 @@ Group: Applications/Databases URL: https://valkey.io/ Source0: https://github.com/valkey-io/valkey/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch0: valkey-conf.patch +Patch1: disable-mem-defrag-tests.patch BuildRequires: gcc BuildRequires: make BuildRequires: openssl-devel @@ -83,6 +84,9 @@ exit 0 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/valkey.conf %changelog +* Tue Oct 29 2024 Rohit Rawat - 8.0.0-2 +- Add patch to remove flaky mem defrag test. + * Mon Sep 30 2024 Rohit Rawat - 8.0.0-1 - Original version for CBL-Mariner. - License Verified. From 04fe625df7da98ea3094bd42c8bbecc41d733144 Mon Sep 17 00:00:00 2001 From: Aditya Dubey <110563293+Adub17030MS@users.noreply.github.com> Date: Tue, 29 Oct 2024 12:14:02 -0700 Subject: [PATCH 11/21] Image Customizer: Support string mountPoint (#10862) --- .../imagecustomizer/docs/configuration.md | 19 +++++++++++ .../tools/imagecustomizerapi/mountpoint.go | 34 +++++++++++++++++-- 2 files changed, 50 insertions(+), 3 deletions(-) diff --git a/toolkit/tools/imagecustomizer/docs/configuration.md b/toolkit/tools/imagecustomizer/docs/configuration.md index 9d8f4a56b5e..93fad58e4bd 100644 --- a/toolkit/tools/imagecustomizer/docs/configuration.md +++ b/toolkit/tools/imagecustomizer/docs/configuration.md @@ -1010,6 +1010,25 @@ The meaning of this value depends on the type property. ## mountPoint type +You can configure `mountPoint` in one of two ways: + +1. **Structured Format**: Use `idType`, `options`, and `path` fields for a more detailed configuration. + + ```yaml + mountPoint: + path: /boot/efi + options: umask=0077 + idType: part-uuid + ``` + +2. **Shorthand Path Format**: Provide the mount path directly as a string when only `path` is required. + + ```yaml + mountPoint: /boot/efi + ``` + + In this shorthand format, only the `path` is specified, and default values will be applied to any optional fields. + ### idType [string] Default: `part-uuid` 
diff --git a/toolkit/tools/imagecustomizerapi/mountpoint.go b/toolkit/tools/imagecustomizerapi/mountpoint.go index 1cae3bf4fab..505dcccda36 100644 --- a/toolkit/tools/imagecustomizerapi/mountpoint.go +++ b/toolkit/tools/imagecustomizerapi/mountpoint.go @@ -1,10 +1,10 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT License. - package imagecustomizerapi import ( "fmt" + + "github.com/microsoft/azurelinux/toolkit/tools/internal/sliceutils" + "gopkg.in/yaml.v3" ) // MountPoint holds the mounting information for each partition. @@ -17,6 +17,34 @@ type MountPoint struct { Path string `yaml:"path"` } +// UnmarshalYAML enables MountPoint to handle both a shorthand path and a structured object. +func (p *MountPoint) UnmarshalYAML(value *yaml.Node) error { + // Check if the node is a scalar (i.e., single path string). + if value.Kind == yaml.ScalarNode { + // Treat scalar value as the Path directly. + p.Path = value.Value + return nil + } + + // yaml.Node.Decode() doesn't respect the KnownFields() option. + // So, manually enforce this. + validFields := []string{"idType", "options", "path"} + for i := 0; i < len(value.Content); i += 2 { + key := value.Content[i].Value + if !sliceutils.ContainsValue(validFields, key) { + return fmt.Errorf("line %d: field %s not found in type %s", value.Line, key, "MountPoint") + } + } + + // Otherwise, decode as a full MountPoint struct. + type IntermediateTypeMountPoint MountPoint + err := value.Decode((*IntermediateTypeMountPoint)(p)) + if err != nil { + return fmt.Errorf("failed to parse MountPoint struct:\n%w", err) + } + return nil +} + // IsValid returns an error if the MountPoint is not valid func (p *MountPoint) IsValid() error { err := p.IdType.IsValid() From 9255c2313ce90b0f1729559d7f6d375d99a90736 Mon Sep 17 00:00:00 2001 
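Review bot: The first hunk deletes the `// Copyright (c) Microsoft Corporation.` and `// Licensed under the MIT License.` header lines while adding the two imports, which looks unintended for a change about YAML parsing. Keep both comment lines and the blank line after them above `package imagecustomizerapi`.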
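Review bot: `UnmarshalYAML` treats every non-scalar node as a mapping: the key loop walks `value.Content` two entries at a time without checking `value.Kind`, so a sequence such as `mountPoint: [a, b]` has its elements read as field names and fails with a misleading "field ... not found" message. Adding `if value.Kind != yaml.MappingNode { return fmt.Errorf("line %d: mountPoint must be a string or a mapping", value.Line) }` before the loop makes the rejection explicit. The unknown-field error reports `value.Line`, the start of the mapping, where `value.Content[i].Line` would point at the offending key. The scalar branch also copies any scalar text, including an empty string, into `Path`, so it depends on `IsValid` (only its first lines are visible here) to reject unusable paths.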
From: Chris Gunn Date: Tue, 29 Oct 2024 16:02:15 -0700 Subject: [PATCH 12/21] Image Customizer: Fix ISO customization. (#10885) In change #10789, the `imagecustomizerapi.FileSystem` type had an internal field added called `PartitionId` which is filled in by the API validity checks. ISO to ISO customization supports cracking open the squashfs file and modifying the Live-OS. However, to do this, a temporary OS image must be created. This creation logic uses the `imagecustomizerapi.FileSystem` type but the code wasn't updated to ensure the `PartitionId` field has a value. --- .../tools/pkg/imagecustomizerlib/liveosisobuilder.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder.go b/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder.go index 9f54ddaf972..c1005a32125 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder.go +++ b/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder.go @@ -1444,16 +1444,18 @@ func (b *LiveOSIsoBuilder) createWriteableImageFromSquashfs(buildDir, rawImageFi fileSystemConfigs := []imagecustomizerapi.FileSystem{ { - DeviceId: "esp", - Type: imagecustomizerapi.FileSystemTypeFat32, + DeviceId: "esp", + PartitionId: "esp", + Type: imagecustomizerapi.FileSystemTypeFat32, MountPoint: &imagecustomizerapi.MountPoint{ Path: "/boot/efi", Options: "umask=0077", }, }, { - DeviceId: "rootfs", - Type: imagecustomizerapi.FileSystemTypeExt4, + DeviceId: "rootfs", + PartitionId: "rootfs", + Type: imagecustomizerapi.FileSystemTypeExt4, MountPoint: &imagecustomizerapi.MountPoint{ Path: "/", }, From 1dcc31387367ec3a52e836ac7fbe5237702bc974 Mon Sep 17 00:00:00 2001 From: Chris Gunn Date: Tue, 29 Oct 2024 16:45:03 -0700 Subject: [PATCH 13/21] Image Customizer: Fix verity docs. (#10852) --- .../imagecustomizer/docs/configuration.md | 107 +++++++++++------- toolkit/tools/imagecustomizer/docs/verity.md | 15 ++- 2 files changed, 75 insertions(+), 47 deletions(-) 
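Review bot: The two added `PartitionId` values repeat the `DeviceId` literals by hand, and according to the commit description this field is normally filled in by the API validity checks, so the next internal field added to `imagecustomizerapi.FileSystem` can break this path in the same way. A comment above `fileSystemConfigs`, `// Built without the API validity checks, so internal fields such as PartitionId must be set here.`, would make that dependency visible to the next editor. `createWriteableImageFromSquashfs` begins and ends outside the hunk, so whether the config could be run through the validity checks instead cannot be judged from here.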
diff --git a/toolkit/tools/imagecustomizer/docs/configuration.md b/toolkit/tools/imagecustomizer/docs/configuration.md index 93fad58e4bd..aa00fe3c83b 100644 --- a/toolkit/tools/imagecustomizer/docs/configuration.md +++ b/toolkit/tools/imagecustomizer/docs/configuration.md @@ -50,8 +50,8 @@ The Azure Linux Image Customizer is configured using a YAML (or JSON) file. 13. If ([overlays](#overlay-type)) are specified, then add the overlay driver and update the fstab file with the overlay mount information. -14. If ([verity](#verity-type)) is specified, then add the dm-verity dracut driver - and update the grub config. +14. If a ([verity](#verity-type)) device is specified, then add the dm-verity dracut + driver and update the grub config. 15. Regenerate the initramfs file (if needed). @@ -66,8 +66,8 @@ The Azure Linux Image Customizer is configured using a YAML (or JSON) file. 20. If [--shrink-filesystems](./cli.md#shrink-filesystems) is specified, then shrink the file systems. -21. If ([verity](#verity-type)) is specified, then create the hash tree and update the - grub config. +21. If a ([verity](#verity-type)) device is specified, then create the hash tree and + update the grub config. 22. If the output format is set to `iso`, copy additional iso media files. ([iso](#iso-type)) @@ -125,6 +125,13 @@ os: - [end](#end-uint64) - [size](#size-uint64) - [type](#partition-type-string) + - [verity](#verity-verity) + - [verity type](#verity-type) + - [id](#verity-id) + - [name](#verity-name) + - [dataDeviceId](#datadeviceid-string) + - [hashDeviceId](#hashdeviceid-string) + - [corruptionOption](#corruptionoption-string) - [filesystems](#filesystems-filesystem) - [filesystem type](#filesystem-type) - [deviceId](#deviceid-string) 
@@ -198,8 +205,8 @@ os: - [name](#module-name) - [loadMode](#loadmode-string) - [options](#options-mapstring-string) - - [overlay type](#overlay-type) - - [verity type](#verity-type) + - [overlays](#overlays-overlay) + - [overlay type](#overlay-type) - [scripts type](#scripts-type) - [postCustomization](#postcustomization-script) - [script type](#script-type) @@ -483,45 +490,58 @@ Example: `noatime,nodiratime` ## verity type -Specifies the configuration for dm-verity root integrity verification. +Specifies the configuration for dm-verity integrity verification. -- `dataPartition`: A partition configured with dm-verity, which verifies integrity - at each system boot. +Note: Currently only root partition (`/`) is supported. Support for other partitions +(e.g. `/usr`) may be added in the future. - - `idType`: Specifies the type of id for the partition. The options are - `id` (partition [id](#id-string)), `part-label` (partition label), - `uuid` (filesystem UUID), and `part-uuid` (partition UUID). +There are multiple ways to configure a verity enabled image. For +recommendations, see [Verity Image Recommendations](./verity.md). - - `id`: The unique identifier value of the partition, corresponding to the - specified IdType. +
-- `hashPartition`: A partition used exclusively for storing a calculated hash - tree. +### id [string] -- `corruptionOption`: Optional. Specifies the behavior in case of detected - corruption. This is configurable with the following options: - - `io-error`: Default setting. Fails the I/O operation with an I/O error. - - `ignore`: ignores the corruption and continues operation. - - `panic`: causes the system to panic (print errors) and then try restarting - if corruption is detected. - - `restart`: attempts to restart the system upon detecting corruption. +Required. -Example: +The ID of the verity object. +This is used to correlate verity objects with [filesystem](#filesystem-type) +objects. -```yaml -os: - verity: - dataPartition: - idType: part-uuid - id: 00000000-0000-0000-0000-000000000000 - hashPartition: - idType: part-label - Id: hash_partition - corruptionOption: panic -``` +
-There are multiple ways to configure a verity enabled image. For -recommendations, see [Verity Image Recommendations](./verity.md). +### name [string] + +Required. + +The name of the device mapper block device. + +The value must be: + +- `root` for root partition (i.e. `/`) + +### dataDeviceId [string] + +The ID of the [partition](#partition-type) to use as the verity data partition. + +### hashDeviceId [string] + +The ID of the [partition](#partition-type) to use as the verity hash partition. + +### corruptionOption [string] + +Optional. + +Specifies how a mismatch between the hash and the data partition is handled. + +Supported values: + +- `io-error`: Fails the I/O operation with an I/O error. +- `ignore`: Ignores the corruption and continues operation. +- `panic`: Causes the system to panic (print errors) and then try restarting. +- `restart`: Attempts to restart the system. + +Default value: `io-error`. ## additionalFile type @@ -654,8 +674,7 @@ Specifies the mount options for a partition. Required. -The ID of the partition. -This is used correlate [partition](#partition-type) objects with filesystem objects. +The ID of the [partition](#partition-type) or [verity](#verity-type) object. ### type [string] @@ -885,6 +904,8 @@ os: ## partition type +
+ ### id [string] Required. @@ -1350,6 +1371,10 @@ os: - name: vfio ``` +### overlays [[overlay](#overlay-type)[]] + +Used to add filesystem overlays. + ### selinux [[selinux](#selinux-type)] Options for configuring SELinux. @@ -1591,6 +1616,10 @@ Supported options: Contains the options for provisioning disks and their partitions. +### verity [[verity](#verity-type)[]] + +Configure verity block devices. + ### filesystems [[filesystem](#filesystem-type)[]] Specifies the mount options of the partitions. diff --git a/toolkit/tools/imagecustomizer/docs/verity.md b/toolkit/tools/imagecustomizer/docs/verity.md index 08a370887c6..f3f42465fae 100644 --- a/toolkit/tools/imagecustomizer/docs/verity.md +++ b/toolkit/tools/imagecustomizer/docs/verity.md @@ -145,12 +145,18 @@ storage: end: 3200M - id: var start: 3200M + verity: + - id: verityroot + name: root + dataDeviceId: root + hashDeviceId: roothash + corruptionOption: panic filesystems: - deviceId: boot type: ext4 mountPoint: path: /boot - - deviceId: root + - deviceId: verityroot type: ext4 mountPoint: path: / @@ -159,13 +165,6 @@ storage: mountPoint: path: /var os: - verity: - dataPartition: - idType: id - id: root - hashPartition: - idType: id - id: roothash additionalFiles: # Change the directory that the sshd-keygen service writes the SSH host keys to. - content: | From 482476a44e75184f17134db4cfa018aa96c31b6c Mon Sep 17 00:00:00 2001 
From: Chris Gunn Date: Tue, 29 Oct 2024 16:52:56 -0700 Subject: [PATCH 14/21] Image Customizer: Set VHDX block-size to 2 MiB. (#10880) Currently, the size of outputted VHDX files can be substantially larger than VHD or qcow2 files. This behavior occurs because `qemu-img` dynamically sets the block-size based on the size of the disk. And larger blocks sizes means the file format is less space efficient, which results in a larger image file. This change sets the block-size to 2 MiB for VHDX files. This matches the `qemu-img` defaults for VHD and QCOW2. For reference, Windows seems to use a default block-size of 1 MiB for VHDX files. --- toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go index 1c5764cb59b..32dfee9d321 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go +++ b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go @@ -466,6 +466,12 @@ func toQemuImageFormat(imageFormat string) (string, string) { case ImageFormatVhdFixed: return QemuFormatVpc, "subformat=fixed,force_size" + case ImageFormatVhdx: + // For VHDX, qemu-img dynamically picks the block-size based on the size of the disk. + // However, this can result in a significantly larger file size than other formats. + // So, use a fixed block-size of 2 MiB to match the block-sizes used for qcow2 and VHD. + return ImageFormatVhdx, "block_size=2097152" + default: return imageFormat, "" } From a1bad828ee08006ccf2d94f3492ec8b4bcc3cba1 Mon Sep 17 00:00:00 2001 
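Review bot: `"block_size=2097152"` in the new `ImageFormatVhdx` case is a bare number whose meaning lives only in the comment above it; a named constant such as `const vhdxBlockSizeBytes = 2 * 1024 * 1024`, formatted into the option string, keeps the value and the "2 MiB" explanation together. The case also returns `ImageFormatVhdx` as the qemu format name, while the neighbouring case returns a dedicated `QemuFormatVpc` constant, so it relies on the customizer's format string and qemu-img's being identical; a short comment saying so would prevent a silent break if the image-format constant is ever renamed. `toQemuImageFormat` starts outside the hunk.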
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 30 Oct 2024 01:20:29 -0400 Subject: [PATCH 15/21] [AUTOPATCHER-kernel] Kernel upgrade to version 6.6.57.1 - branch 3.0-dev (#10879) This upgrade introduces the nvidia-gb-200 feature branch and updates source to 6.6.57.1 --- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 7 +++++-- .../kernel-uki-signed/kernel-uki-signed.spec | 7 +++++-- SPECS/hyperv-daemons/hyperv-daemons.signatures.json | 2 +- SPECS/hyperv-daemons/hyperv-daemons.spec | 5 ++++- SPECS/kernel-headers/kernel-headers.signatures.json | 2 +- SPECS/kernel-headers/kernel-headers.spec | 7 +++++-- SPECS/kernel/config | 3 ++- SPECS/kernel/config_aarch64 | 3 ++- SPECS/kernel/kernel-uki.spec | 7 +++++-- SPECS/kernel/kernel.signatures.json | 6 +++--- SPECS/kernel/kernel.spec | 7 +++++-- cgmanifest.json | 12 ++++++------ .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 2 +- .../resources/manifests/package/toolchain_x86_64.txt | 4 ++-- toolkit/scripts/toolchain/container/Dockerfile | 2 +- .../scripts/toolchain/container/toolchain-sha256sums | 2 +- .../container/toolchain_build_temp_tools.sh | 2 +- 19 files changed, 52 insertions(+), 32 deletions(-) diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 8f3f2013739..25abcfe9084 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -9,8 +9,8 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 6.6.56.1 -Release: 5%{?dist} +Version: 6.6.57.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Tue Oct 29 2024 CBL-Mariner Servicing Account - 6.6.57.1-1 +- Auto-upgrade to 6.6.57.1 + * Thu Oct 24 2024 Rachel Menge - 6.6.56.1-5 - Bump release to match kernel diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec index d7685d7cae6..05867cf451a 100644 --- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec +++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec @@ -5,8 +5,8 @@ %define kernelver %{version}-%{release} Summary: Signed Unified Kernel Image for %{buildarch} systems Name: kernel-uki-signed-%{buildarch} -Version: 6.6.56.1 -Release: 5%{?dist} +Version: 6.6.57.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -68,6 +68,9 @@ popd /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Tue Oct 29 2024 CBL-Mariner Servicing Account - 6.6.57.1-1 +- Auto-upgrade to 6.6.57.1 + * Thu Oct 24 2024 Rachel Menge - 6.6.56.1-5 - Bump release to match kernel diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index 28bc8950357..de83d61ba93 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -7,6 +7,6 @@ "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-6.6.56.1.tar.gz": "d3b47525a6b529f3fcc3ba602ebb14c02dfd4d0fcf73628511135e5a073d8cee" + "kernel-6.6.57.1.tar.gz": "1b967b2dd19d13561fb28c5cf05fd35b8990a2ea70cc802c33d8dd1297a6fee3" } } diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index 47d7a79b591..cbf41377aa7 100644 
--- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -10,7 +10,7 @@ Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 6.6.56.1 +Version: 6.6.57.1 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation @@ -221,6 +221,9 @@ fi %{_sbindir}/lsvmbus %changelog +* Tue Oct 29 2024 CBL-Mariner Servicing Account - 6.6.57.1-1 +- Auto-upgrade to 6.6.57.1 + * Thu Oct 17 2024 CBL-Mariner Servicing Account - 6.6.56.1-1 - Auto-upgrade to 6.6.56.1 diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 3b208eae923..302a1c69051 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "kernel-6.6.56.1.tar.gz": "d3b47525a6b529f3fcc3ba602ebb14c02dfd4d0fcf73628511135e5a073d8cee" + "kernel-6.6.57.1.tar.gz": "1b967b2dd19d13561fb28c5cf05fd35b8990a2ea70cc802c33d8dd1297a6fee3" } } diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index d968469cb4b..cbf87fcbe2f 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -13,8 +13,8 @@ Summary: Linux API header files Name: kernel-headers -Version: 6.6.56.1 -Release: 5%{?dist} +Version: 6.6.57.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -75,6 +75,9 @@ done %endif %changelog +* Tue Oct 29 2024 CBL-Mariner Servicing Account - 6.6.57.1-1 +- Auto-upgrade to 6.6.57.1 + * Thu Oct 24 2024 Rachel Menge - 6.6.56.1-5 - Bump release to match kernel diff --git a/SPECS/kernel/config b/SPECS/kernel/config index a484000f974..6a0f77cb2b2 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config 
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 6.6.56.1 Kernel Configuration +# Linux/x86_64 6.6.57.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y @@ -5543,6 +5543,7 @@ CONFIG_HID_HYPERV_MOUSE=m # CONFIG_HID_ZYDACRON is not set # CONFIG_HID_SENSOR_HUB is not set # CONFIG_HID_ALPS is not set +# CONFIG_HID_MCP2200 is not set # CONFIG_HID_MCP2221 is not set # end of Special HID drivers diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index bab99729ab0..30464ea0b1d 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 6.6.56.1 Kernel Configuration +# Linux/arm64 6.6.57.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y @@ -7575,6 +7575,7 @@ CONFIG_HID_ZYDACRON=m CONFIG_HID_SENSOR_HUB=m CONFIG_HID_SENSOR_CUSTOM_SENSOR=m CONFIG_HID_ALPS=m +# CONFIG_HID_MCP2200 is not set # CONFIG_HID_MCP2221 is not set # end of Special HID drivers diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index f8c71cb6a74..0098ad9aea8 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -17,8 +17,8 @@ Summary: Unified Kernel Image Name: kernel-uki -Version: 6.6.56.1 -Release: 5%{?dist} +Version: 6.6.57.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -75,6 +75,9 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Tue Oct 29 2024 CBL-Mariner Servicing Account - 6.6.57.1-1 +- Auto-upgrade to 6.6.57.1 + * Thu Oct 24 2024 Rachel Menge - 6.6.56.1-5 - Bump release to match kernel diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index fab74bfb27d..33f130add80 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json 
@@ -1,11 +1,11 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "8698b0820d8c0cd7ba5a1c3e704182defed133ecb563da23e51e8f68bf600b20", - "config_aarch64": "02d7b098babe23f281b12ac1231e53e60aaf30d1d984d8e62084f1e72acff204", + "config": "5636a263f1802641e806b6971303eb28f77167ef42ece09782b4638c75bf03b5", + "config_aarch64": "bac4a99b57ce11f25ef8bce844ed6285932aa29139b85ccde850acaabafdcffd", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-6.6.56.1.tar.gz": "d3b47525a6b529f3fcc3ba602ebb14c02dfd4d0fcf73628511135e5a073d8cee" + "kernel-6.6.57.1.tar.gz": "1b967b2dd19d13561fb28c5cf05fd35b8990a2ea70cc802c33d8dd1297a6fee3" } } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 84af8188eb0..f14a9606cc2 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -29,8 +29,8 @@ Summary: Linux Kernel Name: kernel -Version: 6.6.56.1 -Release: 5%{?dist} +Version: 6.6.57.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -407,6 +407,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Tue Oct 29 2024 CBL-Mariner Servicing Account - 6.6.57.1-1 +- Auto-upgrade to 6.6.57.1 + * Thu Oct 24 2024 Rachel Menge - 6.6.56.1-5 - Enable Arm FF-A Support diff --git a/cgmanifest.json b/cgmanifest.json index 9844b8f542f..71edcf25cc7 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
@@ -6510,8 +6510,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "6.6.56.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.56.1.tar.gz" + "version": "6.6.57.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.57.1.tar.gz" } } }, @@ -8111,8 +8111,8 @@ "type": "other", "other": { "name": "kernel", - "version": "6.6.56.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.56.1.tar.gz" + "version": "6.6.57.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.57.1.tar.gz" } } }, @@ -8121,8 +8121,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "6.6.56.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.56.1.tar.gz" + "version": "6.6.57.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.57.1.tar.gz" } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 63be4e4f163..ddb8edfb83b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.aarch64.rpm -kernel-headers-6.6.56.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-1.azl3.noarch.rpm glibc-2.38-8.azl3.aarch64.rpm glibc-devel-2.38-8.azl3.aarch64.rpm glibc-i18n-2.38-8.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 8833c929015..920078ba2bf 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.x86_64.rpm -kernel-headers-6.6.56.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-1.azl3.noarch.rpm glibc-2.38-8.azl3.x86_64.rpm glibc-devel-2.38-8.azl3.x86_64.rpm glibc-i18n-2.38-8.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index c7a3b321b7e..f61ef0df06a 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -156,7 +156,7 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.aarch64.rpm kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm -kernel-headers-6.6.56.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-1.azl3.noarch.rpm kmod-30-1.azl3.aarch64.rpm kmod-debuginfo-30-1.azl3.aarch64.rpm kmod-devel-30-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 3e545055954..2f539153db4 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -161,8 +161,8 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.x86_64.rpm kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm -kernel-cross-headers-6.6.56.1-5.azl3.noarch.rpm -kernel-headers-6.6.56.1-5.azl3.noarch.rpm +kernel-cross-headers-6.6.57.1-1.azl3.noarch.rpm +kernel-headers-6.6.57.1-1.azl3.noarch.rpm kmod-30-1.azl3.x86_64.rpm kmod-debuginfo-30-1.azl3.x86_64.rpm kmod-devel-30-1.azl3.x86_64.rpm diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile index e9d7ea963ff..111ff83c734 100644 --- a/toolkit/scripts/toolchain/container/Dockerfile +++ b/toolkit/scripts/toolchain/container/Dockerfile 
@@ -63,7 +63,7 @@ RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolch # Disable downloading from remote sources by default. The 'toolchain-local-wget-list' generated for the above line will download from $(SOURCE_URL) # The 'toolchain-remote-wget-list' is still available and can be used as an alternate to $(SOURCE_URL) if desired. #RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0 -RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.56.1.tar.gz -O kernel-6.6.56.1.tar.gz --directory-prefix=$LFS/sources; exit 0 +RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.57.1.tar.gz -O kernel-6.6.57.1.tar.gz --directory-prefix=$LFS/sources; exit 0 USER root RUN mkdir -pv $LFS/{etc,var} $LFS/usr/{bin,lib,sbin} && \ diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums index 468701b639e..10b5dd57a5d 100644 --- a/toolkit/scripts/toolchain/container/toolchain-sha256sums +++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums 
@@ -28,7 +28,7 @@ a3c2b80201b89e68616f4ad30bc66aee4927c3ce50e33929ca819d5c43538898 gmp-6.3.0.tar. 1db2aedde89d0dea42b16d9528f894c8d15dae4e190b59aecc78f5a951276eab grep-3.11.tar.xz 6b9757f592b7518b4902eb6af7e54570bdccba37a871fddb2d30ae3863511c13 groff-1.23.0.tar.gz 7454eb6935db17c6655576c2e1b0fabefd38b4d0936e0f87f48cd062ce91a057 gzip-1.13.tar.xz -d3b47525a6b529f3fcc3ba602ebb14c02dfd4d0fcf73628511135e5a073d8cee kernel-6.6.56.1.tar.gz +1b967b2dd19d13561fb28c5cf05fd35b8990a2ea70cc802c33d8dd1297a6fee3 kernel-6.6.57.1.tar.gz 5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0 libarchive-3.7.1.tar.gz f311f8f3dad84699d0566d1d6f7ec943a9298b28f714cae3c931dfd57492d7eb libcap-2.69.tar.xz b8b45194989022a79ec1317f64a2a75b1551b2a55bea06f67704cb2a2e4690b0 libpipeline-1.5.7.tar.gz diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh index f57c1575395..6556dfe97f4 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh @@ -86,7 +86,7 @@ rm -rf gcc-13.2.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete -KERNEL_VERSION="6.6.56.1" +KERNEL_VERSION="6.6.57.1" echo Linux-${KERNEL_VERSION} API Headers tar xf kernel-${KERNEL_VERSION}.tar.gz pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-3-${KERNEL_VERSION} From 61e1f3956be28e56e2c39f399cfe428291d7fe3e Mon Sep 17 00:00:00 2001 From: Christopher Co <35273088+christopherco@users.noreply.github.com> Date: Wed, 30 Oct 2024 12:18:23 -0700 Subject: [PATCH 16/21] Revert "iptables: Enable nftables (#10786)" (#10814) --- SPECS/ebtables/ebtables.spec | 30 +++++------------------ SPECS/iptables/iptables.spec | 47 ++++++------------------------------ 2 files changed, 13 insertions(+), 64 deletions(-) diff --git a/SPECS/ebtables/ebtables.spec b/SPECS/ebtables/ebtables.spec index 5586d849799..653dfe42132 100644 --- a/SPECS/ebtables/ebtables.spec 
+++ b/SPECS/ebtables/ebtables.spec @@ -2,7 +2,7 @@ Name: ebtables Version: 2.0.11 -Release: 9%{?dist} +Release: 8%{?dist} Summary: Ethernet Bridge frame table administration tool License: GPLv2+ URL: http://ebtables.sourceforge.net/ @@ -35,9 +35,6 @@ like iptables. There are no known incompatibility issues. %package legacy Summary: Legacy user space tool to configure bridge netfilter rules in kernel -Requires(post): %{_sbindir}/update-alternatives -Requires(post): %{_bindir}/readlink -Requires(postun): %{_sbindir}/update-alternatives Provides: ebtables %description legacy @@ -93,22 +90,10 @@ rm %{buildroot}/%{_libdir}/libebtc.la # Drop these binaries (for now at least) rm %{buildroot}/%{_sbindir}/ebtables{d,u} -# Prepare for Alternatives system -touch %{buildroot}%{_sbindir}/ebtables -touch %{buildroot}%{_sbindir}/ebtables-save -touch %{buildroot}%{_sbindir}/ebtables-restore - -%post legacy -pfx=%{_sbindir}/ebtables -%{_sbindir}/update-alternatives --install %{_sbindir}/%{name} %{name} %{_sbindir}/%{name}-legacy 10000 \ - --slave %{_sbindir}/%{name}-save %{name}-save %{_sbindir}/%{name}-legacy-save \ - --slave %{_sbindir}/%{name}-restore %{name}-restore %{_sbindir}/%{name}-legacy-restore - -%postun legacy -if [ $1 -eq 0 ]; then - %{_sbindir}/update-alternatives --remove \ - %{name} %{_sbindir}/%{name}-legacy -fi +# Symlink ebtables-legacy to ebtables +ln -sf ebtables-legacy %{buildroot}%{_sbindir}/ebtables +ln -sf ebtables-legacy-save %{buildroot}%{_sbindir}/ebtables-save +ln -sf ebtables-legacy-restore %{buildroot}%{_sbindir}/ebtables-restore %post services %systemd_post ebtables.service @@ -123,10 +108,10 @@ fi %license COPYING %doc ChangeLog THANKS %{_sbindir}/ebtables-legacy* +%{_sbindir}/ebtables* %{_mandir}/*/ebtables-legacy* %{_libdir}/libebtc.so* %{_sysconfdir}/ethertypes -%ghost %{_sbindir}/ebtables{,-save,-restore} %files services %{_unitdir}/ebtables.service 
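Review bot: The `Release` line in the first hunk of ebtables.spec goes from 9 back to 8, so the reverted build sorts older than 2.0.11-9, and a host that already installed -9 would not receive it through a normal update. Such a host keeps the alternatives-managed `ebtables`, `ebtables-save` and `ebtables-restore` links that this revert stops maintaining, leaving the packet-filter tooling in a state the spec no longer describes. If -9 was ever published, move forward instead with `Release: 10%{?dist}` and a changelog entry that records the revert, rather than deleting the -9 entry. The same applies to iptables.spec later in this patch, where `Release` drops from 3 to 2.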
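Review bot: In the file-list hunk, the added `%{_sbindir}/ebtables*` glob also matches everything that `%{_sbindir}/ebtables-legacy*` on the line above already lists, so the legacy binaries are listed twice and rpmbuild will warn about it. The wide glob would also silently package any other `ebtables*` file a future build drops into that directory. Listing only the three symlinks created in `%install` keeps the payload explicit: `%{_sbindir}/ebtables{,-save,-restore}`. The `%files` section header itself is outside this hunk.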
@@ -135,9 +120,6 @@ fi %ghost %{_sysconfdir}/sysconfig/ebtables %changelog -* Mon Oct 21 2024 Sumedh Sharma - 2.0.11-9 -- introduce alternatives for legacy - * Tue Sep 03 2024 Neha Agarwal - 2.0.11-8 - Add missing Vendor and Distribution tags. diff --git a/SPECS/iptables/iptables.spec b/SPECS/iptables/iptables.spec index b901d59052a..45a2377da83 100644 --- a/SPECS/iptables/iptables.spec +++ b/SPECS/iptables/iptables.spec @@ -1,7 +1,7 @@ Summary: Linux kernel packet control tool Name: iptables Version: 1.8.10 -Release: 3%{?dist} +Release: 2%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -43,14 +43,15 @@ It contains the libraries and header files to create applications. --exec-prefix= \ --with-xtlibdir=%{_libdir}/iptables \ --with-pkgconfigdir=%{_libdir}/pkgconfig \ + --disable-nftables \ --enable-libipq \ --enable-devel -%make_build +make V=0 %install %make_install - +ln -sfv ../../sbin/xtables-multi %{buildroot}%{_libdir}/iptables-xml # Install daemon scripts install -vdm755 %{buildroot}%{_unitdir} install -m 644 %{SOURCE1} %{buildroot}%{_unitdir} 
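Review bot: The added `ln -sfv ../../sbin/xtables-multi %{buildroot}%{_libdir}/iptables-xml` in the `%install` part of the iptables.spec build hunk points at `xtables-multi`, while the line this revert removes in the following hunk linked to `xtables-legacy-multi`. If the 1.8.10 build installs only the latter name, the packaged symlink dangles, so it is worth checking the target against the built file list. The same hunk swaps `%make_build` for `make V=0`, which drops the parallel-build flags and appears to silence the compiler command lines, so build logs can no longer be used to confirm that the distribution's hardening flags were applied. `%make_build` can stay alongside `--disable-nftables`.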
@@ -64,42 +65,14 @@ find %{buildroot} -name '*.a' -delete find %{buildroot} -type f -name "*.la" -delete -print %{_fixperms} %{buildroot}/* -ln -sf --relative %{buildroot}%{_sbindir}/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml +%preun +%systemd_preun iptables.service %post -for target in %{name} \ - ip6tables \ - ebtables \ - arptables; do - alternatives --install %{_sbindir}/${target} ${target} %{_sbindir}/${target}-nft 30000 \ - --slave %{_sbindir}/${target}-save ${target}-save %{_sbindir}/${target}-nft-save \ - --slave %{_sbindir}/${target}-restore ${target}-restore %{_sbindir}/${target}-nft-restore -done - -for target in %{name} \ - ip6tables; do - alternatives --install %{_sbindir}/${target} ${target} %{_sbindir}/${target}-legacy 10000 \ - --slave %{_sbindir}/${target}-save ${target}-save %{_sbindir}/${target}-legacy-save \ - --slave %{_sbindir}/${target}-restore ${target}-restore %{_sbindir}/${target}-legacy-restore -done - /sbin/ldconfig %systemd_post iptables.service -%preun -%systemd_preun iptables.service - %postun -if [ $1 -eq 0 ]; then - for target in %{name} \ - ip6tables \ - ebtables \ - arptables; do - alternatives --remove ${target} %{_sbindir}/${target}-nft - done - alternatives --remove %{name} %{_sbindir}/%{name}-legacy - alternatives --remove ip6tables %{_sbindir}/ip6tables-legacy -fi /sbin/ldconfig %systemd_postun_with_restart iptables.service @@ -110,18 +83,15 @@ fi %config(noreplace) %{_sysconfdir}/systemd/scripts/iptables.stop %config(noreplace) %{_sysconfdir}/systemd/scripts/ip4save %config(noreplace) %{_sysconfdir}/systemd/scripts/ip6save -%config(noreplace) %{_sysconfdir}/ethertypes %{_unitdir}/iptables.service %{_sbindir}/* %{_bindir}/* %{_libdir}/*.so.* %{_libdir}/iptables/* -%{_bindir}/iptables-xml +%{_libdir}/iptables-xml %{_mandir}/man1/* %{_mandir}/man8/* /usr/share/xtables/iptables.xslt -%ghost %{_sbindir}/ip{,6}tables{,-save,-restore} -%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore} %files devel %{_libdir}/*.so 
@@ -130,9 +100,6 @@ fi %{_mandir}/man3/* %changelog -* Fri Oct 18 2024 Sumedh Sharma - 1.8.10-3 -- Enable nftables and use alternatives. - * Mon Mar 18 2024 Andy Zaugg - 1.8.10-2 - Flush raw table when restarting iptables service From bc236a19f259a3226b393452940b45435cd0b73f Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 30 Oct 2024 18:20:33 -0400 Subject: [PATCH 17/21] [AUTO-CHERRYPICK] Switched `mysql` to use AZL's version of `protobuf` to fix CVE-2024-2410. - branch 3.0-dev (#10893) Co-authored-by: Pawel Winogrodzki --- ...tests-for-unsupported-chacha-ciphers.patch | 52 +++++++++++++++++++ SPECS/mysql/mysql.spec | 31 +++++++++-- 2 files changed, 79 insertions(+), 4 deletions(-) create mode 100644 SPECS/mysql/fix-tests-for-unsupported-chacha-ciphers.patch diff --git a/SPECS/mysql/fix-tests-for-unsupported-chacha-ciphers.patch b/SPECS/mysql/fix-tests-for-unsupported-chacha-ciphers.patch new file mode 100644 index 00000000000..7bac5c10805 --- /dev/null +++ b/SPECS/mysql/fix-tests-for-unsupported-chacha-ciphers.patch 
@@ -0,0 +1,52 @@ +From 540814076995de6bcb119a68fa4cce9e7214b3c0 Mon Sep 17 00:00:00 2001 +From: Pawel Winogrodzki +Date: Tue, 29 Oct 2024 15:37:51 -0700 +Subject: [PATCH] Remove ciphers unsupported by AZL. + +--- + .../src/harness/tests/test_tls_server_context.cc | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/router/src/harness/tests/test_tls_server_context.cc b/router/src/harness/tests/test_tls_server_context.cc +index 57859357..e7edb4fa 100644 +--- a/router/src/harness/tests/test_tls_server_context.cc ++++ b/router/src/harness/tests/test_tls_server_context.cc +@@ -93,7 +93,6 @@ static const std::string acceptable_ciphers_test_data[] = { + // TLSv1.3 + {"TLS_AES_128_GCM_SHA256"}, + {"TLS_AES_256_GCM_SHA384"}, +- {"TLS_CHACHA20_POLY1305_SHA256"}, + #if 0 // embedded + {"TLS_AES_128_CCM_SHA256"}, + #endif +@@ -102,11 +101,6 @@ static const std::string acceptable_ciphers_test_data[] = { + {"ECDHE-RSA-AES256-GCM-SHA384"}, + {"DHE-RSA-AES128-GCM-SHA256"}, + {"DHE-RSA-AES256-GCM-SHA384"}, +-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) +- {"ECDHE-ECDSA-CHACHA20-POLY1305"}, +- {"ECDHE-RSA-CHACHA20-POLY1305"}, +- {"DHE-RSA-CHACHA20-POLY1305"}, +-#endif + #if 0 // embedded + {"ECDHE-ECDSA-AES256-CCM"}, + {"ECDHE-ECDSA-AES128-CCM"}, +@@ -336,7 +330,14 @@ static const std::string unacceptable_ciphers_test_data[] = { + {"ECDH-ECDSA-DES-CBC3-SHA"}, + {"ECDHE-RSA-DES-CBC3-SHA"}, + {"ECDHE-ECDSA-DES-CBC3-SHA"}, +- {"DES-CBC3-SHA"}, ++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1) ++ {"TLS_CHACHA20_POLY1305_SHA256"}, ++#endif ++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) ++ {"ECDHE-ECDSA-CHACHA20-POLY1305"}, ++ {"ECDHE-RSA-CHACHA20-POLY1305"}, ++ {"DHE-RSA-CHACHA20-POLY1305"}, ++#endif + }; + + INSTANTIATE_TEST_SUITE_P(CiphersUnacceptableParam, CiphersUnacceptable, +-- +2.34.1 + diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec index 480665946a4..469298f87ac 100644 
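Review bot: The last hunk of the embedded patch deletes `{"DES-CBC3-SHA"},` from `unacceptable_ciphers_test_data`, which the patch subject (ciphers unsupported by AZL, i.e. ChaCha) does not explain. With that entry gone, the suite no longer checks that this 3DES cipher is refused by the router's TLS server context, so a regression there would pass unnoticed. Unless the entry fails for a reason tied to AZL's OpenSSL build, keep it as a context line and append the ChaCha entries after it. If the removal is intended, state the reason in the patch description.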
--- a/SPECS/mysql/mysql.spec +++ b/SPECS/mysql/mysql.spec @@ -1,19 +1,29 @@ +%define majmin %(echo %{version} | cut -d. -f1-2) + Summary: MySQL. Name: mysql Version: 8.0.40 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 with exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation Distribution: Azure Linux Group: Applications/Databases URL: https://www.mysql.com -Source0: https://dev.mysql.com/get/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz +Source0: https://dev.mysql.com/get/Downloads/MySQL-%{majmin}/%{name}-boost-%{version}.tar.gz Patch0: CVE-2012-5627.nopatch +# AZL's OpenSSL builds with the "no-chacha" option making all ChaCha +# ciphers unavailable. +Patch1: fix-tests-for-unsupported-chacha-ciphers.patch BuildRequires: cmake BuildRequires: libtirpc-devel BuildRequires: openssl-devel +BuildRequires: protobuf-devel BuildRequires: rpcsvc-proto-devel BuildRequires: zlib-devel +%if 0%{?with_check} +BuildRequires: shadow-utils +BuildRequires: sudo +%endif %description MySQL is a free, widely used SQL engine. It can be used as a fast database as well as a rock-solid DBMS using a modular engine architecture. @@ -28,10 +38,15 @@ Development headers for developing applications linking to maridb %prep %autosetup -p1 +# Remove unused, bundled version of protobuf. +# We're building with the '-DWITH_PROTOBUF=system' option. +rm -r extra/protobuf + %build cmake . \ -DCMAKE_INSTALL_PREFIX=%{_prefix} \ -DWITH_BOOST=boost/boost_1_77_0 \ + -DWITH_PROTOBUF=system \ -DINSTALL_MANDIR=share/man \ -DINSTALL_DOCDIR=share/doc \ -DINSTALL_DOCREADMEDIR=share/doc \ @@ -48,7 +63,13 @@ make %{?_smp_mflags} make DESTDIR=%{buildroot} install %check -make test +# Tests expect to be run as a non-root user. +groupadd test +useradd test -g test -m +chown -R test:test . + +# In case of failure, print the test log. +sudo -u test make test || { cat Testing/Temporary/LastTest.log; false; } %files %defattr(-,root,root) 
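Review bot: The `%define majmin %(echo %{version} | cut -d. -f1-2)` line added at the top of the spec sits above `Version:` and needs a comment explaining why it is `%define`. It only works because `%define` bodies are expanded when the macro is used; a later cleanup to `%global` would expand `%{version}` before it is set and produce a wrong `Source0` URL. A one-line comment above it would protect it, for example `# Keep %%define (expanded at use): %%{version} is not set yet at this point.`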
@@ -58,7 +79,6 @@ make test %{_libdir}/*.so.* %{_libdir}/mysqlrouter/*.so* %{_libdir}/mysqlrouter/private/*.so* -%{_libdir}/private/*.so* %{_bindir}/* %{_mandir}/man1/* %{_mandir}/man8/* @@ -83,6 +103,9 @@ make test %{_libdir}/pkgconfig/mysqlclient.pc %changelog +* Mon Oct 28 2024 Pawel Winogrodzki - 8.0.40-2 +- Switch to ALZ version of protobuf instead of using the bundled one. + * Fri Oct 18 2024 CBL-Mariner Servicing Account - 8.0.40-1 - Auto-upgrade to 8.0.40 - Fix multiple CVEs -- CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130, CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134, From bef8a9cc8c5af905e70d6186c0406b51d37783a0 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 30 Oct 2024 18:23:56 -0400 Subject: [PATCH 18/21] [AUTO-CHERRYPICK] Fix expat CVE-2024-50602 fasttrack 3.0 - branch 3.0-dev (#10895) Co-authored-by: sindhu-karri <33163197+sindhu-karri@users.noreply.github.com> --- SPECS/expat/CVE-2024-50602.patch | 156 ++++++++++++++++++ SPECS/expat/expat.spec | 8 +- .../manifests/package/pkggen_core_aarch64.txt | 6 +- .../manifests/package/pkggen_core_x86_64.txt | 6 +- .../manifests/package/toolchain_aarch64.txt | 8 +- .../manifests/package/toolchain_x86_64.txt | 8 +- 6 files changed, 176 insertions(+), 16 deletions(-) create mode 100644 SPECS/expat/CVE-2024-50602.patch diff --git a/SPECS/expat/CVE-2024-50602.patch b/SPECS/expat/CVE-2024-50602.patch new file mode 100644 index 00000000000..0d908da5fc8 --- /dev/null +++ b/SPECS/expat/CVE-2024-50602.patch 
@@ -0,0 +1,156 @@ +From 22f1d9704ac38c7102e7a68272b07355cad4925a Mon Sep 17 00:00:00 2001 +From: Sindhu Karri +Date: Tue, 29 Oct 2024 10:17:59 +0000 +Subject: [PATCH] CVE-2024-50602 + +--- +From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 21 Oct 2024 01:42:54 +0200 +Subject: [PATCH 1/3] lib: Make XML_StopParser refuse to stop/suspend an + unstarted parser + + +From 5fb89e7b3afa1c314b34834fe729cd063f65a4d4 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 21 Oct 2024 01:46:11 +0200 +Subject: [PATCH 2/3] lib: Be explicit about XML_PARSING in XML_StopParser + +From b3836ff534c7cc78128fe7b935aad3d4353814ed Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 20 Oct 2024 23:24:27 +0200 +Subject: [PATCH 3/3] tests: Cover XML_StopParser's new handling of status + XML_INITIALIZED + +Prior to the fix to XML_StopParser, test test_misc_resumeparser_not_crashing +would crash with a NULL pointer dereference in function normal_updatePosition. +This was the AddressSanitizer output: + +> AddressSanitizer:DEADLYSIGNAL +> ================================================================= +> ==19700==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5623e07ad85f bp 0x7ffcf40da650 sp 0x7ffcf40da590 T0) +> ==19700==The signal is caused by a READ memory access. +> ==19700==Hint: address points to the zero page. 
+> #0 0x5623e07ad85f in normal_updatePosition [..]/lib/xmltok_impl.c:1781:13 +> #1 0x5623e07a52ff in initUpdatePosition [..]/lib/xmltok.c:1031:3 +> #2 0x5623e0762760 in XML_ResumeParser [..]/lib/xmlparse.c:2297:3 +> #3 0x5623e074f7c1 in test_misc_resumeparser_not_crashing() misc_tests_cxx.cpp +> #4 0x5623e074e228 in srunner_run_all ([..]/build_asan_fuzzers/tests/runtests_cxx+0x136228) +> #5 0x5623e0753d2d in main ([..]/build_asan_fuzzers/tests/runtests_cxx+0x13bd2d) +> #6 0x7f802a39af79 (/lib64/libc.so.6+0x25f79) +> #7 0x7f802a39b034 in __libc_start_main (/lib64/libc.so.6+0x26034) +> #8 0x5623e064f340 in _start ([..]/build_asan_fuzzers/tests/runtests_cxx+0x37340) +> +> AddressSanitizer can not provide additional info. +> SUMMARY: AddressSanitizer: SEGV [..]/lib/xmltok_impl.c:1781:13 in normal_updatePosition +> ==19700==ABORTING + +And this the UndefinedBehaviorSanitizer output: + +> [..]/lib/xmltok_impl.c:1781:13: runtime error: load of null pointer of type 'const char' > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior [..]/lib/xmltok_impl.c:1781:13 in +--- + lib/expat.h | 4 +++- + lib/xmlparse.c | 11 ++++++++++- + tests/misc_tests.c | 24 ++++++++++++++++++++++++ + 3 files changed, 37 insertions(+), 2 deletions(-) + +diff --git a/lib/expat.h b/lib/expat.h +index d0d6015..3ba6130 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -130,7 +130,9 @@ enum XML_Error { + /* Added in 2.3.0. */ + XML_ERROR_NO_BUFFER, + /* Added in 2.4.0. */ +- XML_ERROR_AMPLIFICATION_LIMIT_BREACH ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH, ++ /* Added in 2.6.4. 
*/ ++ XML_ERROR_NOT_STARTED, + }; + + enum XML_Content_Type { +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index d9285b2..983f6df 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -2234,6 +2234,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) { + if (parser == NULL) + return XML_STATUS_ERROR; + switch (parser->m_parsingStatus.parsing) { ++ case XML_INITIALIZED: ++ parser->m_errorCode = XML_ERROR_NOT_STARTED; ++ return XML_STATUS_ERROR; + case XML_SUSPENDED: + if (resumable) { + parser->m_errorCode = XML_ERROR_SUSPENDED; +@@ -2244,7 +2247,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) { + case XML_FINISHED: + parser->m_errorCode = XML_ERROR_FINISHED; + return XML_STATUS_ERROR; +- default: ++ case XML_PARSING: + if (resumable) { + #ifdef XML_DTD + if (parser->m_isParamEntity) { +@@ -2255,6 +2258,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) { + parser->m_parsingStatus.parsing = XML_SUSPENDED; + } else + parser->m_parsingStatus.parsing = XML_FINISHED; ++ break; ++ default: ++ assert(0); + } + return XML_STATUS_OK; + } +@@ -2519,6 +2525,9 @@ XML_ErrorString(enum XML_Error code) { + case XML_ERROR_AMPLIFICATION_LIMIT_BREACH: + return XML_L( + "limit on input amplification factor (from DTD and entities) breached"); ++ /* Added in 2.6.4. 
*/ ++ case XML_ERROR_NOT_STARTED: ++ return XML_L("parser not started"); + } + return NULL; + } +diff --git a/tests/misc_tests.c b/tests/misc_tests.c +index 2ee9320..1766e41 100644 +--- a/tests/misc_tests.c ++++ b/tests/misc_tests.c +@@ -496,6 +496,28 @@ START_TEST(test_misc_char_handler_stop_without_leak) { + } + END_TEST + ++START_TEST(test_misc_resumeparser_not_crashing) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_GetBuffer(parser, 1); ++ XML_StopParser(parser, /*resumable=*/XML_TRUE); ++ XML_ResumeParser(parser); // could crash here, previously ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_misc_stopparser_rejects_unstarted_parser) { ++ const XML_Bool cases[] = {XML_TRUE, XML_FALSE}; ++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ const XML_Bool resumable = cases[i]; ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE); ++ assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR); ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED); ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ + void + make_miscellaneous_test_case(Suite *s) { + TCase *tc_misc = tcase_create("miscellaneous tests"); +@@ -520,4 +542,6 @@ make_miscellaneous_test_case(Suite *s) { + test_misc_create_external_entity_parser_with_null_context); + tcase_add_test(tc_misc, test_misc_general_entities_support); + tcase_add_test(tc_misc, test_misc_char_handler_stop_without_leak); ++ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing); ++ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser); + } +-- +2.33.8 diff --git a/SPECS/expat/expat.spec b/SPECS/expat/expat.spec index 19defa4bd1c..5bc249efd0c 100644 --- a/SPECS/expat/expat.spec +++ b/SPECS/expat/expat.spec 
@@ -2,13 +2,14 @@ Summary: An XML parser library Name: expat Version: 2.6.3 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux Group: System Environment/GeneralLibraries URL: https://libexpat.github.io/ Source0: https://github.com/libexpat/libexpat/releases/download/R_%{underscore_version}/%{name}-%{version}.tar.bz2 +Patch0: CVE-2024-50602.patch Requires: %{name}-libs = %{version}-%{release} %description @@ -29,7 +30,7 @@ Group: System Environment/Libraries This package contains minimal set of shared expat libraries. %prep -%autosetup -p2 +%autosetup -p1 %build %configure \ @@ -66,6 +67,9 @@ rm -rf %{buildroot}/%{_docdir}/%{name} %{_libdir}/libexpat.so.1* %changelog +* Wed Oct 30 2024 Sindhu Karri - 2.6.3-2 +- Fix CVE-2024-50602 with a patch + * Tue Sep 04 2024 Gary Swalling - 2.6.3-1 - Upgrade to 2.6.3 to fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index ddb8edfb83b..62a8dc6412c 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -99,9 +99,9 @@ elfutils-libelf-0.189-3.azl3.aarch64.rpm elfutils-libelf-devel-0.189-3.azl3.aarch64.rpm elfutils-libelf-devel-static-0.189-3.azl3.aarch64.rpm elfutils-libelf-lang-0.189-3.azl3.aarch64.rpm -expat-2.6.3-1.azl3.aarch64.rpm -expat-devel-2.6.3-1.azl3.aarch64.rpm -expat-libs-2.6.3-1.azl3.aarch64.rpm +expat-2.6.3-2.azl3.aarch64.rpm +expat-devel-2.6.3-2.azl3.aarch64.rpm +expat-libs-2.6.3-2.azl3.aarch64.rpm libpipeline-1.5.7-1.azl3.aarch64.rpm libpipeline-devel-1.5.7-1.azl3.aarch64.rpm gdbm-1.23-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 920078ba2bf..a8cd5987f0b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -99,9 +99,9 @@ elfutils-libelf-0.189-3.azl3.x86_64.rpm elfutils-libelf-devel-0.189-3.azl3.x86_64.rpm elfutils-libelf-devel-static-0.189-3.azl3.x86_64.rpm elfutils-libelf-lang-0.189-3.azl3.x86_64.rpm -expat-2.6.3-1.azl3.x86_64.rpm -expat-devel-2.6.3-1.azl3.x86_64.rpm -expat-libs-2.6.3-1.azl3.x86_64.rpm +expat-2.6.3-2.azl3.x86_64.rpm +expat-devel-2.6.3-2.azl3.x86_64.rpm +expat-libs-2.6.3-2.azl3.x86_64.rpm libpipeline-1.5.7-1.azl3.x86_64.rpm libpipeline-devel-1.5.7-1.azl3.x86_64.rpm gdbm-1.23-1.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index f61ef0df06a..492123cdb15 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -92,10 +92,10 @@ elfutils-libelf-0.189-3.azl3.aarch64.rpm elfutils-libelf-devel-0.189-3.azl3.aarch64.rpm elfutils-libelf-devel-static-0.189-3.azl3.aarch64.rpm elfutils-libelf-lang-0.189-3.azl3.aarch64.rpm -expat-2.6.3-1.azl3.aarch64.rpm -expat-debuginfo-2.6.3-1.azl3.aarch64.rpm -expat-devel-2.6.3-1.azl3.aarch64.rpm -expat-libs-2.6.3-1.azl3.aarch64.rpm +expat-2.6.3-2.azl3.aarch64.rpm +expat-debuginfo-2.6.3-2.azl3.aarch64.rpm +expat-devel-2.6.3-2.azl3.aarch64.rpm +expat-libs-2.6.3-2.azl3.aarch64.rpm file-5.45-1.azl3.aarch64.rpm file-debuginfo-5.45-1.azl3.aarch64.rpm file-devel-5.45-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 2f539153db4..b831dbcaec8 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -95,10 +95,10 @@ elfutils-libelf-0.189-3.azl3.x86_64.rpm elfutils-libelf-devel-0.189-3.azl3.x86_64.rpm elfutils-libelf-devel-static-0.189-3.azl3.x86_64.rpm elfutils-libelf-lang-0.189-3.azl3.x86_64.rpm -expat-2.6.3-1.azl3.x86_64.rpm -expat-debuginfo-2.6.3-1.azl3.x86_64.rpm -expat-devel-2.6.3-1.azl3.x86_64.rpm -expat-libs-2.6.3-1.azl3.x86_64.rpm +expat-2.6.3-2.azl3.x86_64.rpm +expat-debuginfo-2.6.3-2.azl3.x86_64.rpm +expat-devel-2.6.3-2.azl3.x86_64.rpm +expat-libs-2.6.3-2.azl3.x86_64.rpm file-5.45-1.azl3.x86_64.rpm file-debuginfo-5.45-1.azl3.x86_64.rpm file-devel-5.45-1.azl3.x86_64.rpm From 76a299f7a1707808ca27101793565d6403473250 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 30 Oct 2024 18:26:59 -0400 Subject: [PATCH 19/21] [AUTO-CHERRYPICK] Patched CVE-2024-22365 in `pam`. (CP: #8320) - branch 3.0-dev (#10896) Co-authored-by: Pawel Winogrodzki --- SPECS/pam/CVE-2024-22365.patch | 55 +++++++++++++++++++ SPECS/pam/pam.spec | 9 ++- .../manifests/package/toolchain_aarch64.txt | 8 +-- .../manifests/package/toolchain_x86_64.txt | 8 +-- 4 files changed, 70 insertions(+), 10 deletions(-) create mode 100644 SPECS/pam/CVE-2024-22365.patch diff --git a/SPECS/pam/CVE-2024-22365.patch b/SPECS/pam/CVE-2024-22365.patch new file mode 100644 index 00000000000..7811013728a --- /dev/null +++ b/SPECS/pam/CVE-2024-22365.patch 
@@ -0,0 +1,55 @@ +From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Wed, 27 Dec 2023 14:01:59 +0100 +Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent + local DoS situations + +Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs +being placed in user controlled directories, causing the PAM module to +block indefinitely during `openat()`. + +Pass O_DIRECTORY to cause the `openat()` to fail if the path does not +refer to a directory. + +With this the check whether the final path element is a directory +becomes unnecessary, drop it. +--- + modules/pam_namespace/pam_namespace.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index 2528cff86..f72d67189 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, + int dfd = AT_FDCWD; + int dfd_next; + int save_errno; +- int flags = O_RDONLY; ++ int flags = O_RDONLY | O_DIRECTORY; + int rv = -1; + struct stat st; + +@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, + rv = openat(dfd, dir, flags); + } + +- if (rv != -1) { +- if (fstat(rv, &st) != 0) { +- save_errno = errno; +- close(rv); +- rv = -1; +- errno = save_errno; +- goto error; +- } +- if (!S_ISDIR(st.st_mode)) { +- close(rv); +- errno = ENOTDIR; +- rv = -1; +- goto error; +- } +- } +- + if (flags & O_NOFOLLOW) { + /* we are inside user-owned dir - protect */ + if (protect_mount(rv, p, idata) == -1) { diff --git a/SPECS/pam/pam.spec b/SPECS/pam/pam.spec index 523ec8b6213..18cb42a6858 100644 --- a/SPECS/pam/pam.spec +++ b/SPECS/pam/pam.spec 
@@ -1,7 +1,7 @@ Summary: Linux Pluggable Authentication Modules Name: pam Version: 1.5.3 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD and GPLv2+ URL: https://github.com/linux-pam/linux-pam Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz @@ -15,6 +15,8 @@ BuildRequires: audit-devel Requires: audit-libs Recommends: cracklib-dicts +Patch0: CVE-2024-22365.patch + %description The Linux PAM package contains Pluggable Authentication Modules used to enable the local system administrator to choose how applications authenticate users. @@ -37,7 +39,7 @@ This package contains libraries, header files and documentation for developing applications that use pam. %prep -%autosetup -n Linux-PAM-%{version} +%autosetup -n Linux-PAM-%{version} -p1 %build ./configure \ @@ -102,6 +104,9 @@ EOF %{_libdir}/pkgconfig/pamc.pc %changelog +* Wed Oct 30 2024 Pawel Winogrodzki - 1.5.3-2 +- Patching CVE-2024-22365. + * Tue Nov 21 2023 CBL-Mariner Servicing Account - 1.5.3-1 - Auto-upgrade to 1.5.3 - Azure Linux 3.0 - package upgrades diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 492123cdb15..45f17f39b98 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -296,10 +296,10 @@ p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm p11-kit-devel-0.25.0-1.azl3.aarch64.rpm p11-kit-server-0.25.0-1.azl3.aarch64.rpm p11-kit-trust-0.25.0-1.azl3.aarch64.rpm -pam-1.5.3-1.azl3.aarch64.rpm -pam-debuginfo-1.5.3-1.azl3.aarch64.rpm -pam-devel-1.5.3-1.azl3.aarch64.rpm -pam-lang-1.5.3-1.azl3.aarch64.rpm +pam-1.5.3-2.azl3.aarch64.rpm +pam-debuginfo-1.5.3-2.azl3.aarch64.rpm +pam-devel-1.5.3-2.azl3.aarch64.rpm +pam-lang-1.5.3-2.azl3.aarch64.rpm patch-2.7.6-9.azl3.aarch64.rpm patch-debuginfo-2.7.6-9.azl3.aarch64.rpm pcre2-10.42-3.azl3.aarch64.rpm 
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index b831dbcaec8..93ebd330501 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -302,10 +302,10 @@ p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm p11-kit-devel-0.25.0-1.azl3.x86_64.rpm p11-kit-server-0.25.0-1.azl3.x86_64.rpm p11-kit-trust-0.25.0-1.azl3.x86_64.rpm -pam-1.5.3-1.azl3.x86_64.rpm -pam-debuginfo-1.5.3-1.azl3.x86_64.rpm -pam-devel-1.5.3-1.azl3.x86_64.rpm -pam-lang-1.5.3-1.azl3.x86_64.rpm +pam-1.5.3-2.azl3.x86_64.rpm +pam-debuginfo-1.5.3-2.azl3.x86_64.rpm +pam-devel-1.5.3-2.azl3.x86_64.rpm +pam-lang-1.5.3-2.azl3.x86_64.rpm patch-2.7.6-9.azl3.x86_64.rpm patch-debuginfo-2.7.6-9.azl3.x86_64.rpm pcre2-10.42-3.azl3.x86_64.rpm From 29b2ed2896e1ed75b142cf47b727f78214d95a69 Mon Sep 17 00:00:00 2001 From: Nick Samson Date: Wed, 30 Oct 2024 15:30:58 -0700 Subject: [PATCH 20/21] Upgrade vim to 9.1.0791 to fix CVE-2024-47814 and remove older unnecessary patches (#10883) Co-authored-by: CBL-Mariner Servicing Account --- SPECS/vim/CVE-2024-41957.patch | 81 ----- SPECS/vim/CVE-2024-41965.patch | 45 --- SPECS/vim/CVE-2024-43374.patch | 282 ------------------ SPECS/vim/CVE-2024-43802.patch | 49 --- .../fix_save_unnamed_buffer_correctly.patch | 54 ---- SPECS/vim/vim.signatures.json | 2 +- SPECS/vim/vim.spec | 24 +- cgmanifest.json | 4 +- 8 files changed, 15 insertions(+), 526 deletions(-) delete mode 100644 SPECS/vim/CVE-2024-41957.patch delete mode 100644 SPECS/vim/CVE-2024-41965.patch delete mode 100644 SPECS/vim/CVE-2024-43374.patch delete mode 100644 SPECS/vim/CVE-2024-43802.patch delete mode 100644 SPECS/vim/fix_save_unnamed_buffer_correctly.patch diff --git a/SPECS/vim/CVE-2024-41957.patch b/SPECS/vim/CVE-2024-41957.patch deleted file mode 100644 index 40d9bd2c298..00000000000 --- a/SPECS/vim/CVE-2024-41957.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -Modified patch to apply to older version -Modifed by: sumsharma@microsoft.com - -From 8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5 Mon Sep 17 00:00:00 2001 -From: Christian Brabandt -Date: Thu, 1 Aug 2024 20:16:51 +0200 -Subject: [PATCH] patch 9.1.0647: [security] use-after-free in - tagstack_clear_entry - -Problem: [security] use-after-free in tagstack_clear_entry - (Suyue Guo ) -Solution: Instead of manually calling vim_free() on each of the tagstack - entries, let's use tagstack_clear_entry(), which will - also free the stack, but using the VIM_CLEAR macro, - which prevents a use-after-free by setting those pointers - to NULL - -This addresses CVE-2024-41957 - -Github advisory: -https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4 - -Signed-off-by: Christian Brabandt ---- - src/proto/tag.pro | 1 + - src/tag.c | 4 ++-- - src/window.c | 6 ++---- - 3 files changed, 5 insertions(+), 6 deletions(-) - -diff --git a/src/proto/tag.pro b/src/proto/tag.pro -index 6de463e..eec7c24 100644 ---- a/src/proto/tag.pro -+++ b/src/proto/tag.pro -@@ -14,4 +14,5 @@ int expand_tags(int tagnames, char_u *pat, int *num_file, char_u ***file); - int get_tags(list_T *list, char_u *pat, char_u *buf_fname); - void get_tagstack(win_T *wp, dict_T *retdict); - int set_tagstack(win_T *wp, dict_T *d, int action); -+void tagstack_clear_entry(taggy_T *item); - /* vim: set ft=c : */ -diff --git a/src/tag.c b/src/tag.c -index 8003156..31b89e7 100644 ---- a/src/tag.c -+++ b/src/tag.c -@@ -144,7 +144,7 @@ static void print_tag_list(int new_tag, int use_tagstack, int num_matches, char_ - #if defined(FEAT_QUICKFIX) && defined(FEAT_EVAL) - static int add_llist_tags(char_u *tag, int num_matches, char_u **matches); - #endif --static void tagstack_clear_entry(taggy_T *item); -+void tagstack_clear_entry(taggy_T *item); - - static char_u *tagmatchname = NULL; // name of last used tag - -@@ -4225,7 +4225,7 @@ find_extra(char_u **pp) - /* - * Free a single entry in a tag stack - */ 
-- static void -+void - tagstack_clear_entry(taggy_T *item) - { - VIM_CLEAR(item->tagname); -diff --git a/src/window.c b/src/window.c -index 55ce31c..ffffde8 100644 ---- a/src/window.c -+++ b/src/window.c -@@ -5661,10 +5661,8 @@ win_free( - win_free_lsize(wp); - - for (i = 0; i < wp->w_tagstacklen; ++i) -- { -- vim_free(wp->w_tagstack[i].tagname); -- vim_free(wp->w_tagstack[i].user_data); -- } -+ tagstack_clear_entry(&wp->w_tagstack[i]); -+ - vim_free(wp->w_localdir); - vim_free(wp->w_prevdir); - --- -2.25.1 - diff --git a/SPECS/vim/CVE-2024-41965.patch b/SPECS/vim/CVE-2024-41965.patch deleted file mode 100644 index 1f932bf4852..00000000000 --- a/SPECS/vim/CVE-2024-41965.patch +++ /dev/null @@ -1,45 +0,0 @@ -Modified patch to apply to older version of vim -Modified by: sumsharma@microsoft.com - -From b29f4abcd4b3382fa746edd1d0562b7b48c9de60 Mon Sep 17 00:00:00 2001 -From: Christian Brabandt -Date: Thu, 1 Aug 2024 22:10:28 +0200 -Subject: [PATCH] patch 9.1.0648: [security] double-free in dialog_changed() - -Problem: [security] double-free in dialog_changed() - (SuyueGuo) -Solution: Only clear pointer b_sfname pointer, if it is different - than the b_ffname pointer. Don't try to free b_fname, - set it to NULL instead. - -fixes: #15403 - -Github Advisory: -https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f - -Signed-off-by: Christian Brabandt ---- - src/ex_cmds2.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/ex_cmds2.c b/src/ex_cmds2.c -index 0b57fd8..ede403a 100644 ---- a/src/ex_cmds2.c -+++ b/src/ex_cmds2.c -@@ -197,9 +197,11 @@ dialog_changed( - // restore to empty when write failed - if (empty_bufname) - { -- VIM_CLEAR(buf->b_fname); -+ // prevent double free -+ if (buf->b_sfname != buf->b_ffname) -+ VIM_CLEAR(buf->b_sfname); -+ buf->b_fname = NULL; - VIM_CLEAR(buf->b_ffname); -- VIM_CLEAR(buf->b_sfname); - unchanged(buf, TRUE, FALSE); - } - } --- -2.25.1 - 
diff --git a/SPECS/vim/CVE-2024-43374.patch b/SPECS/vim/CVE-2024-43374.patch deleted file mode 100644 index 0687ccf6788..00000000000 --- a/SPECS/vim/CVE-2024-43374.patch +++ /dev/null 
@@ -1,282 +0,0 @@ -From 0a6e57b09bc8c76691b367a5babfb79b31b770e8 Mon Sep 17 00:00:00 2001 -From: Christian Brabandt -Date: Thu, 15 Aug 2024 22:15:28 +0200 -Subject: [PATCH] patch 9.1.0678: [security]: use-after-free in alist_add() - -Problem: [security]: use-after-free in alist_add() - (SuyueGuo) -Solution: Lock the current window, so that the reference to - the argument list remains valid. - -This fixes CVE-2024-43374 - -Signed-off-by: Christian Brabandt ---- - src/arglist.c | 6 ++++++ - src/buffer.c | 4 ++-- - src/ex_cmds.c | 4 ++-- - src/proto/window.pro | 1 + - src/structs.h | 2 +- - src/terminal.c | 4 ++-- - src/testdir/test_arglist.vim | 23 +++++++++++++++++++++++ - src/version.c | 2 ++ - src/window.c | 29 +++++++++++++++++++---------- - 9 files changed, 58 insertions(+), 17 deletions(-) - -diff --git a/src/arglist.c b/src/arglist.c -index 187e16e8354b1..8825c8e252ccc 100644 ---- a/src/arglist.c -+++ b/src/arglist.c -@@ -184,6 +184,8 @@ alist_set( - /* - * Add file "fname" to argument list "al". - * "fname" must have been allocated and "al" must have been checked for room. -+ * -+ * May trigger Buf* autocommands - */ - void - alist_add( -@@ -196,6 +198,7 @@ alist_add( - if (check_arglist_locked() == FAIL) - return; - arglist_locked = TRUE; -+ curwin->w_locked = TRUE; - - #ifdef BACKSLASH_IN_FILENAME - slash_adjust(fname); -@@ -207,6 +210,7 @@ alist_add( - ++al->al_ga.ga_len; - - arglist_locked = FALSE; -+ curwin->w_locked = FALSE; - } - - #if defined(BACKSLASH_IN_FILENAME) || defined(PROTO) -@@ -365,6 +369,7 @@ alist_add_list( - mch_memmove(&(ARGLIST[after + count]), &(ARGLIST[after]), - (ARGCOUNT - after) * sizeof(aentry_T)); - arglist_locked = TRUE; -+ curwin->w_locked = TRUE; - for (i = 0; i < count; ++i) - { - int flags = BLN_LISTED | (will_edit ? 
BLN_CURBUF : 0); -@@ -373,6 +378,7 @@ alist_add_list( - ARGLIST[after + i].ae_fnum = buflist_add(files[i], flags); - } - arglist_locked = FALSE; -+ curwin->w_locked = FALSE; - ALIST(curwin)->al_ga.ga_len += count; - if (old_argcount > 0 && curwin->w_arg_idx >= after) - curwin->w_arg_idx += count; -diff --git a/src/buffer.c b/src/buffer.c -index 447ce76d49a32..34500e4abc282 100644 ---- a/src/buffer.c -+++ b/src/buffer.c -@@ -1484,7 +1484,7 @@ do_buffer_ext( - // (unless it's the only window). Repeat this so long as we end up in - // a window with this buffer. - while (buf == curbuf -- && !(curwin->w_closing || curwin->w_buffer->b_locked > 0) -+ && !(win_locked(curwin) || curwin->w_buffer->b_locked > 0) - && (!ONE_WINDOW || first_tabpage->tp_next != NULL)) - { - if (win_close(curwin, FALSE) == FAIL) -@@ -5470,7 +5470,7 @@ ex_buffer_all(exarg_T *eap) - : wp->w_width != Columns) - || (had_tab > 0 && wp != firstwin)) - && !ONE_WINDOW -- && !(wp->w_closing || wp->w_buffer->b_locked > 0) -+ && !(win_locked(wp) || wp->w_buffer->b_locked > 0) - && !win_unlisted(wp)) - { - if (win_close(wp, FALSE) == FAIL) -diff --git a/src/ex_cmds.c b/src/ex_cmds.c -index 05778c8fd8b9c..349269a2bb8b6 100644 ---- a/src/ex_cmds.c -+++ b/src/ex_cmds.c -@@ -2840,7 +2840,7 @@ do_ecmd( - - // Set the w_closing flag to avoid that autocommands close the - // window. And set b_locked for the same reason. -- the_curwin->w_closing = TRUE; -+ the_curwin->w_locked = TRUE; - ++buf->b_locked; - - if (curbuf == old_curbuf.br_buf) -@@ -2854,7 +2854,7 @@ do_ecmd( - - // Autocommands may have closed the window. 
- if (win_valid(the_curwin)) -- the_curwin->w_closing = FALSE; -+ the_curwin->w_locked = FALSE; - --buf->b_locked; - - #ifdef FEAT_EVAL -diff --git a/src/proto/window.pro b/src/proto/window.pro -index 26c7040b8a1b4..441070ebfcb8e 100644 ---- a/src/proto/window.pro -+++ b/src/proto/window.pro -@@ -93,3 +93,4 @@ int get_win_number(win_T *wp, win_T *first_win); - int get_tab_number(tabpage_T *tp); - char *check_colorcolumn(win_T *wp); -+int win_locked(win_T *wp); - /* vim: set ft=c : */ -diff --git a/src/structs.h b/src/structs.h -index fe4704a367949..abda3a0c38b4e 100644 ---- a/src/structs.h -+++ b/src/structs.h -@@ -3785,7 +3785,7 @@ struct window_S - synblock_T *w_s; // for :ownsyntax - #endif - -- int w_closing; // window is being closed, don't let -+ int w_locked; // window is being closed, don't let - // autocommands close it too. - - frame_T *w_frame; // frame containing this window -diff --git a/src/terminal.c b/src/terminal.c -index 1fc0ef96881f9..f80196096df49 100644 ---- a/src/terminal.c -+++ b/src/terminal.c -@@ -3680,10 +3680,10 @@ term_after_channel_closed(term_T *term) - if (is_aucmd_win(curwin)) - do_set_w_closing = TRUE; - if (do_set_w_closing) -- curwin->w_closing = TRUE; -+ curwin->w_locked = TRUE; - do_bufdel(DOBUF_WIPE, (char_u *)"", 1, fnum, fnum, FALSE); - if (do_set_w_closing) -- curwin->w_closing = FALSE; -+ curwin->w_locked = FALSE; - aucmd_restbuf(&aco); - } - #ifdef FEAT_PROP_POPUP -diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim -index edc8b77429e20..8d81a828b3e03 100644 ---- a/src/testdir/test_arglist.vim -+++ b/src/testdir/test_arglist.vim -@@ -359,6 +359,7 @@ func Test_argv() - call assert_equal('', argv(1, 100)) - call assert_equal([], argv(-1, 100)) - call assert_equal('', argv(10, -1)) -+ %argdelete - endfunc - - " Test for the :argedit command -@@ -744,4 +745,26 @@ func Test_all_command() - %bw! - endfunc - -+" Test for deleting buffer when creating an arglist. 
This was accessing freed -+" memory -+func Test_crash_arglist_uaf() -+ "%argdelete -+ new one -+ au BufAdd XUAFlocal :bw -+ "call assert_fails(':arglocal XUAFlocal', 'E163:') -+ arglocal XUAFlocal -+ au! BufAdd -+ bw! XUAFlocal -+ -+ au BufAdd XUAFlocal2 :bw -+ new two -+ new three -+ arglocal -+ argadd XUAFlocal2 Xfoobar -+ bw! XUAFlocal2 -+ bw! two -+ -+ au! BufAdd -+endfunc -+ - " vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/window.c b/src/window.c -index 43a15e0561f2c..b2c90c7d64114 100644 ---- a/src/window.c -+++ b/src/window.c -@@ -2511,7 +2511,7 @@ close_windows( - for (wp = firstwin; wp != NULL && !ONE_WINDOW; ) - { - if (wp->w_buffer == buf && (!keep_curwin || wp != curwin) -- && !(wp->w_closing || wp->w_buffer->b_locked > 0)) -+ && !(win_locked(wp) || wp->w_buffer->b_locked > 0)) - { - if (win_close(wp, FALSE) == FAIL) - // If closing the window fails give up, to avoid looping -@@ -2532,7 +2532,7 @@ close_windows( - if (tp != curtab) - FOR_ALL_WINDOWS_IN_TAB(tp, wp) - if (wp->w_buffer == buf -- && !(wp->w_closing || wp->w_buffer->b_locked > 0)) -+ && !(win_locked(wp) || wp->w_buffer->b_locked > 0)) - { - win_close_othertab(wp, FALSE, tp); - -@@ -2654,10 +2654,10 @@ win_close_buffer(win_T *win, int action, int abort_if_last) - bufref_T bufref; - - set_bufref(&bufref, curbuf); -- win->w_closing = TRUE; -+ win->w_locked = TRUE; - close_buffer(win, win->w_buffer, action, abort_if_last, TRUE); - if (win_valid_any_tab(win)) -- win->w_closing = FALSE; -+ win->w_locked = FALSE; - // Make sure curbuf is valid. It can become invalid if 'bufhidden' is - // "wipe". 
- if (!bufref_valid(&bufref)) -@@ -2705,7 +2705,7 @@ win_close(win_T *win, int free_buf) - if (window_layout_locked(CMD_close)) - return FAIL; - -- if (win->w_closing || (win->w_buffer != NULL -+ if (win_locked(win) || (win->w_buffer != NULL - && win->w_buffer->b_locked > 0)) - return FAIL; // window is already being closed - if (win_unlisted(win)) -@@ -2754,19 +2754,19 @@ win_close(win_T *win, int free_buf) - other_buffer = TRUE; - if (!win_valid(win)) - return FAIL; -- win->w_closing = TRUE; -+ win->w_locked = TRUE; - apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf); - if (!win_valid(win)) - return FAIL; -- win->w_closing = FALSE; -+ win->w_locked = FALSE; - if (last_window()) - return FAIL; - } -- win->w_closing = TRUE; -+ win->w_locked = TRUE; - apply_autocmds(EVENT_WINLEAVE, NULL, NULL, FALSE, curbuf); - if (!win_valid(win)) - return FAIL; -- win->w_closing = FALSE; -+ win->w_locked = FALSE; - if (last_window()) - return FAIL; - #ifdef FEAT_EVAL -@@ -3346,7 +3346,7 @@ win_close_othertab(win_T *win, int free_buf, tabpage_T *tp) - - // Get here with win->w_buffer == NULL when win_close() detects the tab - // page changed. -- if (win->w_closing || (win->w_buffer != NULL -+ if (win_locked(win) || (win->w_buffer != NULL - && win->w_buffer->b_locked > 0)) - return; // window is already being closed - -@@ -7808,3 +7808,12 @@ skip: - return NULL; // no error - } - #endif -+ -+/* -+ * Don't let autocommands close the given window -+ */ -+ int -+win_locked(win_T *wp) -+{ -+ return wp->w_locked; -+} diff --git a/SPECS/vim/CVE-2024-43802.patch b/SPECS/vim/CVE-2024-43802.patch deleted file mode 100644 index 0962098c743..00000000000 --- a/SPECS/vim/CVE-2024-43802.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001 -From: Christian Brabandt -Date: Sun, 25 Aug 2024 21:33:03 +0200 -Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in - ins_typebuf - -Problem: heap-buffer-overflow in ins_typebuf - (SuyueGuo) -Solution: When flushing the typeahead buffer, validate that there - is enough space left - -Github Advisory: -https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh - -Signed-off-by: Christian Brabandt - -Removed binary test file and test only changes for security fix - ---- - src/getchar.c | 15 ++++++++++++--- - 1 files changed, 12 insertions(+), 3 deletions(-) - create mode 100644 src/testdir/crash/heap_overflow3 - -diff --git a/src/getchar.c b/src/getchar.c -index 29323fa328bd1..96e180f4ae1a9 100644 ---- a/src/getchar.c -+++ b/src/getchar.c -@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead) - - if (flush_typeahead == FLUSH_MINIMAL) - { -- // remove mapped characters at the start only -- typebuf.tb_off += typebuf.tb_maplen; -- typebuf.tb_len -= typebuf.tb_maplen; -+ // remove mapped characters at the start only, -+ // but only when enough space left in typebuf -+ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen) -+ { -+ typebuf.tb_off = MAXMAPLEN; -+ typebuf.tb_len = 0; -+ } -+ else -+ { -+ typebuf.tb_off += typebuf.tb_maplen; -+ typebuf.tb_len -= typebuf.tb_maplen; -+ } - #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL) - if (typebuf.tb_len == 0) - typebuf_was_filled = FALSE; diff --git a/SPECS/vim/fix_save_unnamed_buffer_correctly.patch b/SPECS/vim/fix_save_unnamed_buffer_correctly.patch deleted file mode 100644 index ce1ebe0b7e5..00000000000 --- a/SPECS/vim/fix_save_unnamed_buffer_correctly.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 3c8cfa2245104ce4cb2ad3f40783aa6da6f3adde Mon Sep 17 00:00:00 2001 -From: glepnir -Date: Tue, 2 Apr 2024 15:40:38 +0800 -Subject: [PATCH] fix(dialog): save unamed buffer correctly - -Problem: when bufname is empty it can not save correctly - -Solution: set bufname before save. ---- - src/ex_cmds2.c | 23 ++++++++++++++++++++--- - 1 file changed, 20 insertions(+), 3 deletions(-) - -diff --git a/src/ex_cmds2.c b/src/ex_cmds2.c -index 45ccb52..0b57fd8 100644 ---- a/src/ex_cmds2.c -+++ b/src/ex_cmds2.c -@@ -177,14 +177,31 @@ dialog_changed( - - if (ret == VIM_YES) - { -+ int empty_bufname; -+ - #ifdef FEAT_BROWSE - // May get file name, when there is none - browse_save_fname(buf); - #endif -- if (buf->b_fname != NULL && check_overwrite(&ea, buf, -- buf->b_fname, buf->b_ffname, FALSE) == OK) -+ empty_bufname = buf->b_fname == NULL ? TRUE : FALSE; -+ if (empty_bufname) -+ buf_set_name(buf->b_fnum, (char_u *)"Untitled"); -+ -+ if (check_overwrite(&ea, buf, buf->b_fname, buf->b_ffname, FALSE) == OK) -+ { - // didn't hit Cancel -- (void)buf_write_all(buf, FALSE); -+ if (buf_write_all(buf, FALSE) == OK) -+ return; -+ } -+ -+ // restore to empty when write failed -+ if (empty_bufname) -+ { -+ VIM_CLEAR(buf->b_fname); -+ VIM_CLEAR(buf->b_ffname); -+ VIM_CLEAR(buf->b_sfname); -+ unchanged(buf, TRUE, FALSE); -+ } - } - else if (ret == VIM_NO) - { --- -2.25.1 - diff --git a/SPECS/vim/vim.signatures.json b/SPECS/vim/vim.signatures.json index d373f282cde..eff7669fded 100644 --- a/SPECS/vim/vim.signatures.json +++ b/SPECS/vim/vim.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "vim-9.0.2190.tar.gz": "c0f06f783e922136e64570e754ed8eac565725206460a88f0c43b7b175573099", + "vim-9.1.0791.tar.gz": "ce6dcd15d4e7e7406315eecf1b7d6610a6b9e71efeb98646648a3008b7cea6b7", "macros.vim": "98d2e285e93e339defc13ef1dc4fa76f24e3fca6282e4196a3dae45de778eab8" } } diff --git a/SPECS/vim/vim.spec b/SPECS/vim/vim.spec index 21729fbac48..0f93156890a 100644 --- a/SPECS/vim/vim.spec 
+++ b/SPECS/vim/vim.spec @@ -1,8 +1,8 @@ %define debug_package %{nil} Summary: Text editor Name: vim -Version: 9.0.2190 -Release: 6%{?dist} +Version: 9.1.0791 +Release: 1%{?dist} License: Vim Vendor: Microsoft Corporation Distribution: Azure Linux @@ -10,11 +10,6 @@ Group: Applications/Editors URL: https://www.vim.org Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: macros.vim -Patch0: CVE-2024-41957.patch -Patch1: fix_save_unnamed_buffer_correctly.patch -Patch2: CVE-2024-41965.patch -Patch3: CVE-2024-43374.patch -Patch4: CVE-2024-43802.patch BuildRequires: ncurses-devel BuildRequires: python3-devel Requires(post): sed @@ -149,14 +144,15 @@ fi %{_datarootdir}/vim/vim*/scripts.vim %{_datarootdir}/vim/vim*/spell/* %{_datarootdir}/vim/vim*/syntax/* -%exclude %{_datarootdir}/vim/vim90/syntax/nosyntax.vim -%exclude %{_datarootdir}/vim/vim90/syntax/syntax.vim -%exclude %{_datarootdir}/vim/vim90/autoload/dist/ft.vim +%exclude %{_datarootdir}/vim/vim*/syntax/nosyntax.vim +%exclude %{_datarootdir}/vim/vim*/syntax/syntax.vim +%exclude %{_datarootdir}/vim/vim*/autoload/dist/ft.vim %{_datarootdir}/vim/vim*/tools/* %{_datarootdir}/vim/vim*/tutor/* %{_datarootdir}/vim/vim*/lang/*.vim %doc %{_datarootdir}/vim/vim*/lang/*.txt %lang(af) %{_datarootdir}/vim/vim*/lang/af/LC_MESSAGES/vim.mo +%lang(am) %{_datarootdir}/vim/vim*/lang/am/LC_MESSAGES/vim.mo %lang(ca) %{_datarootdir}/vim/vim*/lang/ca/LC_MESSAGES/vim.mo %lang(cs) %{_datarootdir}/vim/vim*/lang/cs/LC_MESSAGES/vim.mo %lang(de) %{_datarootdir}/vim/vim*/lang/de/LC_MESSAGES/vim.mo @@ -208,8 +204,8 @@ fi %{_datarootdir}/vim/vim*/colors/lists/default.vim %{_datarootdir}/vim/vim*/defaults.vim %{_datarootdir}/vim/vim*/filetype.vim -%{_datarootdir}/vim/vim90/syntax/nosyntax.vim -%{_datarootdir}/vim/vim90/autoload/dist/ft.vim +%{_datarootdir}/vim/vim*/syntax/nosyntax.vim +%{_datarootdir}/vim/vim*/autoload/dist/ft.vim %{_bindir}/ex %{_bindir}/vi %{_bindir}/view 
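Review bot: The spec no longer records that CVE-2024-41957, CVE-2024-41965 and CVE-2024-43374 are fixed. The hunk that drops `Patch0` through `Patch4` removes those fixes, and the new changelog entry (next hunk) names only CVE-2024-47814 and CVE-2024-43802. The deleted patch files cite upstream patches 9.1.0647, 9.1.0648, 9.1.0678 and 9.1.0697, all below 9.1.0791, so the new tarball presumably contains them. I would add `- Remove patches for CVE-2024-41957, CVE-2024-41965, CVE-2024-43374 (included in upstream 9.1.0791)` to the entry so the package history keeps that evidence. `fix_save_unnamed_buffer_correctly.patch` carries no upstream patch number, so confirm it is in 9.1.0791 before dropping it.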
@@ -222,6 +218,10 @@ fi %{_rpmconfigdir}/macros.d/macros.vim %changelog +* Tue Oct 29 2024 Nick Samson - 9.1.0791-1 +- Upgrade to 9.1.0791 to fix CVE-2024-47814, CVE-2024-43802 +- Added language configurations for Amharic + * Tue Oct 08 2024 Sam Meluch - 9.0.2190-6 - Add patch to resolve CVE-2024-43802 diff --git a/cgmanifest.json b/cgmanifest.json index 71edcf25cc7..79dcf675b00 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -29336,8 +29336,8 @@ "type": "other", "other": { "name": "vim", - "version": "9.0.2190", - "downloadUrl": "https://github.com/vim/vim/archive/v9.0.2190.tar.gz" + "version": "9.1.0791", + "downloadUrl": "https://github.com/vim/vim/archive/v9.1.0791.tar.gz" } } }, From 07c7a6f6858a2d8c160a5923b4795c7933158d86 Mon Sep 17 00:00:00 2001 From: Daniel McIlvaney Date: Wed, 30 Oct 2024 15:37:00 -0700 Subject: [PATCH 21/21] Avahi: Fix CVE-2023-1981, add %check section (#10882) --- SPECS/avahi/CVE-2023-1981.patch | 53 +++++++++++++++++++++++++++++++++ SPECS/avahi/avahi.spec | 10 ++++++- 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 SPECS/avahi/CVE-2023-1981.patch diff --git a/SPECS/avahi/CVE-2023-1981.patch b/SPECS/avahi/CVE-2023-1981.patch new file mode 100644 index 00000000000..4c1b7847dec --- /dev/null +++ b/SPECS/avahi/CVE-2023-1981.patch 
@@ -0,0 +1,53 @@ +From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 17 Nov 2022 01:51:53 +0100 +Subject: [PATCH] Emit error if requested service is not found + +It currently just crashes instead of replying with error. Check return +value and emit error instead of passing NULL pointer to reply. + +Fixes #375 +--- + avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c +index 70d7687b..406d0b44 100644 +--- a/avahi-daemon/dbus-protocol.c ++++ b/avahi-daemon/dbus-protocol.c +@@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM + } + + t = avahi_alternative_host_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); + +- return DBUS_HANDLER_RESULT_HANDLED; ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found"); ++ } + } + + static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) { +@@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB + } + + t = avahi_alternative_service_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); + +- return DBUS_HANDLER_RESULT_HANDLED; ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found"); ++ } + } + + static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) { diff --git a/SPECS/avahi/avahi.spec b/SPECS/avahi/avahi.spec index 8ab176bfdff..0275002caf9 100644 --- a/SPECS/avahi/avahi.spec +++ b/SPECS/avahi/avahi.spec 
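Review bot: The header of this new patch file never mentions CVE-2023-1981 or says whether the upstream change was applied unmodified; only the file name and the spec changelog tie it to the CVE. The vim patches deleted earlier in this series carried lines such as `This addresses CVE-2024-41957` and an advisory link, which made later audits easier. I would add a short preamble above the `From a2696da2…` line, for example `Upstream fix for CVE-2023-1981: a NULL result from avahi_alternative_host_name() / avahi_alternative_service_name() was passed to the D-Bus reply`, plus a line stating that the patch is unmodified, if that is the case.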
@@ -3,7 +3,7 @@ Summary: Local network service discovery Name: avahi Version: 0.8 -Release: 2%{?dist} +Release: 3%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,6 +12,7 @@ Source0: https://github.com/lathiat/avahi/releases/download/v%{version}/% Patch0: %{name}-libevent-pc-fix.patch Patch1: CVE-2021-3468.patch Patch2: CVE-2021-3502.patch +Patch3: CVE-2023-1981.patch BuildRequires: automake BuildRequires: dbus-devel >= 0.90 BuildRequires: dbus-glib-devel >= 0.70 @@ -214,6 +215,9 @@ NOCONFIGURE=1 ./autogen.sh --disable-gtk \ --disable-gtk3 \ --disable-mono \ +%if 0%{?with_check} + --enable-tests \ +%endif ; # workaround parallel build issues (aarch64 only so far, bug #1564553) @@ -258,6 +262,7 @@ rm -fv %{buildroot}%{_datadir}/avahi/interfaces/avahi-discover.ui %check +%make_build -k V=1 check || make check V=1 %pre getent group avahi >/dev/null || groupadd -f -g 70 -r avahi @@ -415,6 +420,9 @@ exit 0 %endif %changelog +* Tue Oct 29 2024 Daniel McIlvaney - 0.8-3 +- Fix CVE-2023-1981 with an upstream patch, enable basic check section + * Wed Aug 14 2024 Chris Co - 0.8-2 - Remove libssp from build environment to fix avahi-daemon hang