Merge branch '1.0-dev' into joslobo/merge-for-may-update

SPECS/libxml2/libxml2.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "libxml2-2.9.10.tar.gz": "aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f"
+ "libxml2-2.9.12.tar.gz": "c8d6681e38c56f172892c85ddc0852e1fd4b53b4209e7f4ebf17f7e2eae71d92"
  }
-}
+}

SPECS/libxml2/libxml2.spec

@@ -2,17 +2,14 @@
 %{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
 Summary:        Libxml2
 Name:           libxml2
-Version:        2.9.10
-Release:        4%{?dist}
+Version:        2.9.12
+Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/General Libraries
 URL:            http://www.xmlsoft.org/
 Source0:        ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz
-Patch0:         CVE-2019-20388.patch
-Patch1:         CVE-2020-7595.patch
-Patch2:         CVE-2020-24977.patch
 BuildRequires:  python2-devel
 BuildRequires:  python2-libs
 BuildRequires:  python3-devel
@@ -105,6 +102,9 @@ rm -rf %{buildroot}/*
 %{_libdir}/cmake/libxml2/libxml2-config.cmake
 
 %changelog
+* Thu May 27 2021 Mateusz Malisz <[email protected]> - 2.9.12-1
+- Update to version 2.9.12 to fix CVE-2021-3517, CVE-2021-3518 and CVE-2021-3537
+
 * Wed Mar 03 2021 Andrew Phelps <[email protected]> - 2.9.10-4
 - Skip python tests which are known to be broken.
 

cgmanifest.json

@@ -3195,8 +3195,8 @@
         "type": "other",
         "other": {
           "name": "libxml2",
-          "version": "2.9.10",
-          "downloadUrl": "ftp://xmlsoft.org/libxml2/libxml2-2.9.10.tar.gz"
+          "version": "2.9.12",
+          "downloadUrl": "ftp://xmlsoft.org/libxml2/libxml2-2.9.12.tar.gz"
         }
       }
     },

toolkit/Makefile

@@ -23,6 +23,7 @@ INCREMENTAL_TOOLCHAIN           ?= n
 UPDATE_TOOLCHAIN_LIST           ?= n
 REBUILD_PACKAGES                ?= y
 DOWNLOAD_SRPMS                  ?= n
+ALLOW_SRPM_DOWNLOAD_FAIL        ?= n
 REBUILD_TOOLS                   ?= n
 RUN_CHECK                       ?= n
 USE_UPDATE_REPO                 ?= y

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -137,8 +137,8 @@ tdnf-cli-libs-2.1.0-6.cm1.aarch64.rpm
 tdnf-devel-2.1.0-6.cm1.aarch64.rpm
 tdnf-plugin-repogpgcheck-2.1.0-6.cm1.aarch64.rpm
 createrepo_c-0.11.1-6.cm1.aarch64.rpm
-libxml2-2.9.10-4.cm1.aarch64.rpm
-libxml2-devel-2.9.10-4.cm1.aarch64.rpm
+libxml2-2.9.12-1.cm1.aarch64.rpm
+libxml2-devel-2.9.12-1.cm1.aarch64.rpm
 glib-2.58.0-9.cm1.aarch64.rpm
 libltdl-2.4.6-5.cm1.aarch64.rpm
 libltdl-devel-2.4.6-5.cm1.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -137,8 +137,8 @@ tdnf-cli-libs-2.1.0-6.cm1.x86_64.rpm
 tdnf-devel-2.1.0-6.cm1.x86_64.rpm
 tdnf-plugin-repogpgcheck-2.1.0-6.cm1.x86_64.rpm
 createrepo_c-0.11.1-6.cm1.x86_64.rpm
-libxml2-2.9.10-4.cm1.x86_64.rpm
-libxml2-devel-2.9.10-4.cm1.x86_64.rpm
+libxml2-2.9.12-1.cm1.x86_64.rpm
+libxml2-devel-2.9.12-1.cm1.x86_64.rpm
 glib-2.58.0-9.cm1.x86_64.rpm
 libltdl-2.4.6-5.cm1.x86_64.rpm
 libltdl-devel-2.4.6-5.cm1.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -218,10 +218,10 @@ libtasn1-debuginfo-4.14-2.cm1.aarch64.rpm
 libtasn1-devel-4.14-2.cm1.aarch64.rpm
 libtool-2.4.6-5.cm1.aarch64.rpm
 libtool-debuginfo-2.4.6-5.cm1.aarch64.rpm
-libxml2-2.9.10-4.cm1.aarch64.rpm
-libxml2-debuginfo-2.9.10-4.cm1.aarch64.rpm
-libxml2-devel-2.9.10-4.cm1.aarch64.rpm
-libxml2-python-2.9.10-4.cm1.aarch64.rpm
+libxml2-2.9.12-1.cm1.aarch64.rpm
+libxml2-debuginfo-2.9.12-1.cm1.aarch64.rpm
+libxml2-devel-2.9.12-1.cm1.aarch64.rpm
+libxml2-python-2.9.12-1.cm1.aarch64.rpm
 libxslt-1.1.34-2.cm1.aarch64.rpm
 libxslt-debuginfo-1.1.34-2.cm1.aarch64.rpm
 libxslt-devel-1.1.34-2.cm1.aarch64.rpm
@@ -331,7 +331,7 @@ python2-test-2.7.18-6.cm1.aarch64.rpm
 python2-tools-2.7.18-6.cm1.aarch64.rpm
 python3-cracklib-2.9.7-2.cm1.aarch64.rpm
 python3-gpg-1.13.1-6.cm1.aarch64.rpm
-python3-libxml2-2.9.10-4.cm1.aarch64.rpm
+python3-libxml2-2.9.12-1.cm1.aarch64.rpm
 python3-pwquality-1.4.2-6.cm1.aarch64.rpm
 python3-rpm-4.14.2-11.cm1.aarch64.rpm
 python-curses-2.7.18-6.cm1.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -218,10 +218,10 @@ libtasn1-debuginfo-4.14-2.cm1.x86_64.rpm
 libtasn1-devel-4.14-2.cm1.x86_64.rpm
 libtool-2.4.6-5.cm1.x86_64.rpm
 libtool-debuginfo-2.4.6-5.cm1.x86_64.rpm
-libxml2-2.9.10-4.cm1.x86_64.rpm
-libxml2-debuginfo-2.9.10-4.cm1.x86_64.rpm
-libxml2-devel-2.9.10-4.cm1.x86_64.rpm
-libxml2-python-2.9.10-4.cm1.x86_64.rpm
+libxml2-2.9.12-1.cm1.x86_64.rpm
+libxml2-debuginfo-2.9.12-1.cm1.x86_64.rpm
+libxml2-devel-2.9.12-1.cm1.x86_64.rpm
+libxml2-python-2.9.12-1.cm1.x86_64.rpm
 libxslt-1.1.34-2.cm1.x86_64.rpm
 libxslt-debuginfo-1.1.34-2.cm1.x86_64.rpm
 libxslt-devel-1.1.34-2.cm1.x86_64.rpm
@@ -331,7 +331,7 @@ python2-test-2.7.18-6.cm1.x86_64.rpm
 python2-tools-2.7.18-6.cm1.x86_64.rpm
 python3-cracklib-2.9.7-2.cm1.x86_64.rpm
 python3-gpg-1.13.1-6.cm1.x86_64.rpm
-python3-libxml2-2.9.10-4.cm1.x86_64.rpm
+python3-libxml2-2.9.12-1.cm1.x86_64.rpm
 python3-pwquality-1.4.2-6.cm1.x86_64.rpm
 python3-rpm-4.14.2-11.cm1.x86_64.rpm
 python-curses-2.7.18-6.cm1.x86_64.rpm

toolkit/scripts/download-packages.sh

@@ -0,0 +1,99 @@
+#!/bin/bash -e
+
+function get_packages {
+    # First argument is an URL to a directory containing packages
+    download_url="$1"
+
+    # wget -nv -O - "$download_url"               -- Download HTML of package directory and send to stdout (-nv reduces verbosity)
+    # | grep 'a href'                             -- Filter out lines that are not links (we're looking for links to rpms)
+    # | sed -E -e 's:<a href="(.+[^\])".+:\1:'    -- Remove everything but the address part of links (these are already URL encoded)
+    # | grep -v '/'                               -- '/' is invalid in RPM name but appears in links to different directories. Filter these out.
+    # | xargs -I {} wget -nv "$download_url"/{}   -- Download the packages
+
+    echo "-- Downloading packages from $download_url."
+    SECONDS=0
+    wget -nv -O - "$download_url" | grep 'a href' | sed -E -e 's:<a href="(.+[^\])".+:\1:' | grep -v '/' | xargs -P8 -I {} wget -nv "$download_url"/{}
+    echo "-- Finished downloading packages from $download_url. Operation took $SECONDS seconds."
+}
+
+function make_tarball {
+    archive_name=rpms.tar.gz
+
+    for package_type in $packages_types; do
+        mkdir -p RPMS/$package_type
+        mv *.$package_type.rpm RPMS/$package_type/
+    done
+
+    mkdir -p RPMS/noarch
+    mv *.noarch.rpm RPMS/noarch/
+
+    echo "-- Packaging into a tarball..."
+    tar --remove-files -czvf $archive_name RPMS
+}
+
+function help {
+    echo "Package downloader. Downloads packages from a repository."
+    echo "Usage:"
+    echo '[MANDATORY] -d DIR -> space-separated list of directories in the RPM repository (passed with the -u) (e.g. "base update")'
+    echo '[OPTIONAL]  -h -> print this help dialogue and exit'
+    echo '[MANDATORY] -t TYPE -> select which type of packages to download. Can provide more than one type, separated by space. The valid types are: x86_64 aarch64 srpms'
+    echo '[MANDATORY] -u URL -> URL to a root directory of a repository (e.g. https://packages.microsoft.com/cbl-mariner/1.0/prod/)'
+    echo '[OPTIONAL]  -z -> create a tarball for each downloaded package type and clean up'
+}
+
+repository_url=
+packages_types=
+directories=
+tar_packages=0
+
+while getopts "d:ht:u:z" OPTIONS; do
+    case ${OPTIONS} in
+        d ) directories="$OPTARG" ;;
+        h ) help; exit 0 ;;
+        t ) packages_types="$OPTARG" ;;
+        u ) repository_url=$OPTARG ;;
+        z ) tar_packages=1 ;;
+        ? ) echo -e "ERROR: INVALID OPTION.\n\n"; help; exit 1 ;;
+    esac
+done
+
+if [[ -z "$directories" ]] || [[ -z "$packages_types" ]] || [[ -z "$repository_url" ]]; then
+    echo -e "ERROR: Arguments '-d', '-t' and '-u' are mandatory!\n\n"
+    help
+    exit 2
+fi
+
+# Remove trailing directory separator, if any
+if [[ $repository_url =~ ^.+/$ ]]; then
+    echo "-- Removing trailing directory separator from $repository_url"
+    repository_url=`echo $repository_url | head -c -2`
+fi
+
+# For benchmark purposes
+before_run=$(date +%s)
+
+# Iterate over directories and types, downloading the files
+for directory in $directories; do
+    echo "-- Downloading directory $directory..."
+    for package_type in $packages_types; do
+        echo "-- Downloading type $package_type for directory $directory..."
+
+        # If these are not srpms, there is additional directory to skip
+        appendix=
+        if [[ ! "$package_type" == "srpms" ]]; then
+            echo "-- Downloading RPMS - adding additional directory."
+            appendix="/rpms"
+        fi
+
+        # Appendix contains the slash, if needed.
+        get_packages "$repository_url"/"$directory"/"$package_type""$appendix"
+    done
+done
+
+if [[ 1 == $tar_packages ]]; then
+    make_tarball
+fi
+
+echo "Total execution time:"
+after_run=$(date +%s)
+date -d@$((before_run - now)) -u +%H:%M:%S