From e3bd13733ee0808e31d73fe60a47c6e02115b37d Mon Sep 17 00:00:00 2001 From: Dallas Delaney <106280731+dallasd1@users.noreply.github.com> Date: Wed, 7 Jun 2023 07:08:49 -0700 Subject: [PATCH 01/13] Upgrade c-ares for CVE-2023-32067, CVE-2023-31130, and CVE-2023-31147 (#5634) * Address CVE-2023-32067, CVE-2023-31130, and CVE-2023-31147 --- SPECS/c-ares/c-ares.signatures.json | 2 +- SPECS/c-ares/c-ares.spec | 5 ++++- SPECS/grpc/grpc.spec | 5 ++++- SPECS/nodejs/nodejs.spec | 9 +++++++-- cgmanifest.json | 4 ++-- 5 files changed, 18 insertions(+), 7 deletions(-) diff --git a/SPECS/c-ares/c-ares.signatures.json b/SPECS/c-ares/c-ares.signatures.json index 9a72e9a0146..4300e0380c7 100644 --- a/SPECS/c-ares/c-ares.signatures.json +++ b/SPECS/c-ares/c-ares.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "c-ares-1.19.0.tar.gz": "bfceba37e23fd531293829002cac0401ef49a6dc55923f7f92236585b7ad1dd3" + "c-ares-1.19.1.tar.gz": "321700399b72ed0e037d0074c629e7741f6b2ec2dda92956abe3e9671d3e268e" } } \ No newline at end of file diff --git a/SPECS/c-ares/c-ares.spec b/SPECS/c-ares/c-ares.spec index e66f1cb3fe7..1ad327c4cb6 100644 --- a/SPECS/c-ares/c-ares.spec +++ b/SPECS/c-ares/c-ares.spec @@ -1,6 +1,6 @@ Summary: A library that performs asynchronous DNS operations Name: c-ares -Version: 1.19.0 +Version: 1.19.1 Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation @@ -70,6 +70,9 @@ rm -rf %{buildroot} %{_mandir}/man3/ares_* %changelog +* Tue Jun 6 2023 Dallas Delaney - 1.19.1-1 +- Upgrade to 1.19.1 - CVE-2023-32067, CVE-2023-31130, and CVE-2023-31147 + * Tue Apr 04 2023 CBL-Mariner Servicing Account - 1.19.0-1 - Auto-upgrade to 1.19.0 - To Address CVE-2022-4904 diff --git a/SPECS/grpc/grpc.spec b/SPECS/grpc/grpc.spec index 5c562e78107..d5d2dc9f1f8 100644 --- a/SPECS/grpc/grpc.spec +++ b/SPECS/grpc/grpc.spec 
@@ -1,7 +1,7 @@ Summary: Open source remote procedure call (RPC) framework Name: grpc Version: 1.35.0 -Release: 8%{?dist} +Release: 9%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -102,6 +102,9 @@ find %{buildroot} -name '*.cmake' -delete %{_bindir}/grpc_*_plugin %changelog +* Tue Jun 6 2023 Dallas Delaney - 1.35.0-9 +- Rebuild against c-ares to Fix CVE-2023-32067, CVE-2023-31130, CVE-2023-31147 + * Mon Nov 29 2021 Pawel Winogrodzki - 1.35.0-8 - Building with CBL-Mariner's default C++ version. diff --git a/SPECS/nodejs/nodejs.spec b/SPECS/nodejs/nodejs.spec index ec0d77b588e..c60c563ee0f 100644 --- a/SPECS/nodejs/nodejs.spec +++ b/SPECS/nodejs/nodejs.spec @@ -1,7 +1,7 @@ Summary: A JavaScript runtime built on Chrome's V8 JavaScript engine. Name: nodejs Version: 14.21.1 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD and MIT and Public Domain and naist-2003 Vendor: Microsoft Corporation Distribution: Mariner @@ -18,6 +18,7 @@ BuildRequires: coreutils >= 8.22 BuildRequires: openssl-devel >= 1.1.1 BuildRequires: python3 BuildRequires: which +BuildRequires: c-ares-devel Requires: coreutils >= 8.22 Requires: openssl >= 1.1.1 Requires: python3 @@ -44,7 +45,8 @@ python3 configure.py \ --prefix=%{_prefix} \ --shared-openssl \ --shared-zlib \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --shared-cares %make_build %install @@ -80,6 +82,9 @@ make cctest %{_datadir}/systemtap/tapset/node.stp %changelog +* Tue Jun 6 2023 Dallas Delaney - 14.21.1-3 +- Fix CVE-2023-32067, CVE-2023-31130, CVE-2023-31147 by using system c-ares + * Thu May 25 2023 Tobias Brick - 14.21.1-2 - Add patch to fix CVE-2023-28155 diff --git a/cgmanifest.json b/cgmanifest.json index 36ed96435f5..7f035d76a9f 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
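Review bot: The `--shared-cares` hunk makes node dlopen the system libcares at run time, but the only dependency added is `BuildRequires: c-ares-devel` with no version floor and no matching `Requires:`, while the neighbouring openssl lines carry both (`BuildRequires: openssl-devel >= 1.1.1` / `Requires: openssl >= 1.1.1`). The changelog claims the three CVEs are fixed "by using system c-ares", yet nothing here guarantees the build root or the installed system has c-ares 1.19.1 rather than 1.19.0; rpm's automatically generated soname dependency on libcares does not carry a version. I would change the added line to `BuildRequires: c-ares-devel >= 1.19.1` and add `Requires: c-ares >= 1.19.1` next to the openssl runtime requirement so the claimed fix is enforced at both build and install time. The same consideration presumably applies to the grpc rebuild in this commit if grpc also links the system library.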
@@ -516,8 +516,8 @@ "type": "other", "other": { "name": "c-ares", - "version": "1.19.0", - "downloadUrl": "https://c-ares.haxx.se/download/c-ares-1.19.0.tar.gz" + "version": "1.19.1", + "downloadUrl": "https://c-ares.haxx.se/download/c-ares-1.19.1.tar.gz" } } }, From 9e448f7be0c6da1f49025bf3ff93ec145aaf23ef Mon Sep 17 00:00:00 2001 From: Sumynwa <80809794+Sumynwa@users.noreply.github.com> Date: Wed, 7 Jun 2023 23:37:02 +0530 Subject: [PATCH 02/13] Patch curl to address CVE-2023-28322 (#5639) * curl: Apply patch to address CVE-2023-28322 * curl: Update toolkit manifest files --- SPECS/curl/CVE-2023-28322.patch | 434 ++++++++++++++++++ SPECS/curl/curl.spec | 6 +- .../manifests/package/pkggen_core_aarch64.txt | 6 +- .../manifests/package/pkggen_core_x86_64.txt | 6 +- .../manifests/package/toolchain_aarch64.txt | 8 +- .../manifests/package/toolchain_x86_64.txt | 8 +- 6 files changed, 453 insertions(+), 15 deletions(-) create mode 100644 SPECS/curl/CVE-2023-28322.patch diff --git a/SPECS/curl/CVE-2023-28322.patch b/SPECS/curl/CVE-2023-28322.patch new file mode 100644 index 00000000000..9fb1f059957 --- /dev/null +++ b/SPECS/curl/CVE-2023-28322.patch 
@@ -0,0 +1,434 @@ +From 7815647d6582c0a4900be2e1de6c5e61272c496b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 25 Apr 2023 08:28:01 +0200 +Subject: [PATCH] lib: unify the upload/method handling + +By making sure we set state.upload based on the set.method value and not +independently as set.upload, we reduce confusion and mixup risks, both +internally and externally. + +Closes #11017 +--- + lib/curl_rtmp.c | 4 ++-- + lib/file.c | 4 ++-- + lib/ftp.c | 8 ++++---- + lib/http.c | 4 ++-- + lib/imap.c | 6 +++--- + lib/rtsp.c | 4 ++-- + lib/setopt.c | 6 ++---- + lib/smb.c | 6 +++--- + lib/smtp.c | 4 ++-- + lib/tftp.c | 8 ++++---- + lib/transfer.c | 4 ++-- + lib/urldata.h | 2 +- + lib/vssh/libssh.c | 6 +++--- + lib/vssh/libssh2.c | 6 +++--- + lib/vssh/wolfssh.c | 2 +- + 15 files changed, 36 insertions(+), 38 deletions(-) + +diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c +index 2679a2cdc..406fb42ac 100644 +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -231,7 +231,7 @@ static CURLcode rtmp_connect(struct Curl_easy *data, bool *done) + /* We have to know if it's a write before we send the + * connect request packet + */ +- if(data->set.upload) ++ if(data->state.upload) + r->Link.protocol |= RTMP_FEATURE_WRITE; + + /* For plain streams, use the buffer toggle trick to keep data flowing */ +@@ -263,7 +263,7 @@ static CURLcode rtmp_do(struct Curl_easy *data, bool *done) + if(!RTMP_ConnectStream(r, 0)) + return CURLE_FAILED_INIT; + +- if(data->set.upload) { ++ if(data->state.upload) { + Curl_pgrsSetUploadSize(data, data->state.infilesize); + Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET); + } +diff --git a/lib/file.c b/lib/file.c +index 51c5d07ce..c751e8861 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -240,7 +240,7 @@ static CURLcode file_connect(struct Curl_easy *data, bool *done) + file->freepath = real_path; /* free this when done */ + + file->fd = fd; +- if(!data->set.upload && (fd == -1)) { ++ if(!data->state.upload && (fd == -1)) { + failf(data, 
"Couldn't open file %s", data->state.up.path); + file_done(data, CURLE_FILE_COULDNT_READ_FILE, FALSE); + return CURLE_FILE_COULDNT_READ_FILE; +@@ -422,7 +422,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done) + + Curl_pgrsStartNow(data); + +- if(data->set.upload) ++ if(data->state.upload) + return file_upload(data); + + file = data->req.p.file; +diff --git a/lib/ftp.c b/lib/ftp.c +index f50d7baf6..4ff68cc45 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1348,7 +1348,7 @@ static CURLcode ftp_state_prepare_transfer(struct Curl_easy *data) + data->set.str[STRING_CUSTOMREQUEST]? + data->set.str[STRING_CUSTOMREQUEST]: + (data->state.list_only?"NLST":"LIST")); +- else if(data->set.upload) ++ else if(data->state.upload) + result = Curl_pp_sendf(data, &ftpc->pp, "PRET STOR %s", + conn->proto.ftpc.file); + else +@@ -3384,7 +3384,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status, + /* the response code from the transfer showed an error already so no + use checking further */ + ; +- else if(data->set.upload) { ++ else if(data->state.upload) { + if((-1 != data->state.infilesize) && + (data->state.infilesize != data->req.writebytecount) && + !data->set.crlf && +@@ -3640,7 +3640,7 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep) + connected back to us */ + } + } +- else if(data->set.upload) { ++ else if(data->state.upload) { + result = ftp_nb_type(data, conn, data->state.prefer_ascii, + FTP_STOR_TYPE); + if(result) +@@ -4225,7 +4225,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) + ftpc->file = NULL; /* instead of point to a zero byte, + we make it a NULL pointer */ + +- if(data->set.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { ++ if(data->state.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { + /* We need a file name when uploading. Return error! 
*/ + failf(data, "Uploading to a URL without a file name"); + free(rawPath); +diff --git a/lib/http.c b/lib/http.c +index 80e43f6f3..bffdd3468 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2112,7 +2112,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn, + Curl_HttpReq httpreq = (Curl_HttpReq)data->state.httpreq; + const char *request; + if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && +- data->set.upload) ++ data->state.upload) + httpreq = HTTPREQ_PUT; + + /* Now set the 'request' pointer to the proper request string */ +@@ -2423,7 +2423,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn, + if((conn->handler->protocol & PROTO_FAMILY_HTTP) && + (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) && + http->postsize < 0) || +- ((data->set.upload || httpreq == HTTPREQ_POST) && ++ ((data->state.upload || httpreq == HTTPREQ_POST) && + data->state.infilesize == -1))) { + if(conn->bits.authneg) + /* don't enable chunked during auth neg */ +diff --git a/lib/imap.c b/lib/imap.c +index c2f675d4b..1952e66a1 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1511,11 +1511,11 @@ static CURLcode imap_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && !imap->custom && +- (imap->uid || imap->mindex || data->set.upload || ++ (imap->uid || imap->mindex || data->state.upload || + data->set.mimepost.kind != MIMEKIND_NONE)) { + /* Handle responses after FETCH or APPEND transfer has finished */ + +- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE) ++ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE) + state(data, IMAP_FETCH_FINAL); + else { + /* End the APPEND command first by sending an empty line */ +@@ -1581,7 +1581,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected, + selected = TRUE; + + /* Start the first command in the DO phase */ +- if(data->set.upload 
|| data->set.mimepost.kind != MIMEKIND_NONE) ++ if(data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE) + /* APPEND can be executed directly */ + result = imap_perform_append(data); + else if(imap->custom && (selected || !imap->mailbox)) +diff --git a/lib/rtsp.c b/lib/rtsp.c +index ea99d720e..ccd7264b0 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -493,7 +493,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + rtspreq == RTSPREQ_SET_PARAMETER || + rtspreq == RTSPREQ_GET_PARAMETER) { + +- if(data->set.upload) { ++ if(data->state.upload) { + putsize = data->state.infilesize; + data->state.httpreq = HTTPREQ_PUT; + +@@ -512,7 +512,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + result = + Curl_dyn_addf(&req_buffer, + "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n", +- (data->set.upload ? putsize : postsize)); ++ (data->state.upload ? putsize : postsize)); + if(result) + return result; + } +diff --git a/lib/setopt.c b/lib/setopt.c +index 38f5711e4..0c3b9634d 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -333,8 +333,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + * We want to sent data to the remote host. If this is HTTP, that equals + * using the PUT request. + */ +- data->set.upload = (0 != va_arg(param, long)) ? 
TRUE : FALSE; +- if(data->set.upload) { ++ arg = va_arg(param, long); ++ if(arg) { + /* If this is HTTP, PUT is what's needed to "upload" */ + data->set.method = HTTPREQ_PUT; + data->set.opt_no_body = FALSE; /* this is implied */ +@@ -664,7 +664,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; + break; + + #ifndef CURL_DISABLE_MIME +@@ -888,7 +887,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + */ + if(va_arg(param, long)) { + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; /* switch off upload */ + data->set.opt_no_body = FALSE; /* this is implied */ + } + break; +diff --git a/lib/smb.c b/lib/smb.c +index a1e444ee6..d68222135 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -530,7 +530,7 @@ static CURLcode smb_send_open(struct Curl_easy *data) + byte_count = strlen(req->path); + msg.name_length = smb_swap16((unsigned short)byte_count); + msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL); +- if(data->set.upload) { ++ if(data->state.upload) { + msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE); + msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF); + } +@@ -762,7 +762,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + void *msg = NULL; + const struct smb_nt_create_response *smb_m; + +- if(data->set.upload && (data->state.infilesize < 0)) { ++ if(data->state.upload && (data->state.infilesize < 0)) { + failf(data, "SMB upload needs to know the size up front"); + return CURLE_SEND_ERROR; + } +@@ -813,7 +813,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + smb_m = (const struct smb_nt_create_response*) msg; + req->fid = smb_swap16(smb_m->fid); + data->req.offset = 0; +- if(data->set.upload) { ++ if(data->state.upload) { + data->req.size = data->state.infilesize; + Curl_pgrsSetUploadSize(data, data->req.size); + next_state = SMB_UPLOAD; +diff 
--git a/lib/smtp.c b/lib/smtp.c +index 7a030308d..c182cace7 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1419,7 +1419,7 @@ static CURLcode smtp_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && data->set.mail_rcpt && +- (data->set.upload || data->set.mimepost.kind)) { ++ (data->state.upload || data->set.mimepost.kind)) { + /* Calculate the EOB taking into account any terminating CRLF from the + previous line of the email or the CRLF of the DATA command when there + is "no mail data". RFC-5321, sect. 4.1.1.4. +@@ -1511,7 +1511,7 @@ static CURLcode smtp_perform(struct Curl_easy *data, bool *connected, + smtp->eob = 2; + + /* Start the first command in the DO phase */ +- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt) ++ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt) + /* MAIL transfer */ + result = smtp_perform_mail(data); + else +diff --git a/lib/tftp.c b/lib/tftp.c +index 164d3c723..8ed1b887b 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -370,7 +370,7 @@ static CURLcode tftp_parse_option_ack(struct tftp_state_data *state, + + /* tsize should be ignored on upload: Who cares about the size of the + remote file? 
*/ +- if(!data->set.upload) { ++ if(!data->state.upload) { + if(!tsize) { + failf(data, "invalid tsize -:%s:- value in OACK packet", value); + return CURLE_TFTP_ILLEGAL; +@@ -451,7 +451,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + return result; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + /* If we are uploading, send an WRQ */ + setpacketevent(&state->spacket, TFTP_EVENT_WRQ); + state->data->req.upload_fromhere = +@@ -486,7 +486,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + if(!data->set.tftp_no_options) { + char buf[64]; + /* add tsize option */ +- if(data->set.upload && (data->state.infilesize != -1)) ++ if(data->state.upload && (data->state.infilesize != -1)) + msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T, + data->state.infilesize); + else +@@ -540,7 +540,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + break; + + case TFTP_EVENT_OACK: +- if(data->set.upload) { ++ if(data->state.upload) { + result = tftp_connect_for_tx(state, event); + } + else { +diff --git a/lib/transfer.c b/lib/transfer.c +index e9ab8fbf0..cb69f3365 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1293,6 +1293,7 @@ void Curl_init_CONNECT(struct Curl_easy *data) + { + data->state.fread_func = data->set.fread_func_set; + data->state.in = data->set.in_set; ++ data->state.upload = (data->state.httpreq == HTTPREQ_PUT); + } + + /* +@@ -1732,7 +1733,6 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->state.httpreq != HTTPREQ_POST_MIME) || + !(data->set.keep_post & CURL_REDIR_POST_303))) { + data->state.httpreq = HTTPREQ_GET; +- data->set.upload = false; + infof(data, "Switch to %s", + data->req.no_body?"HEAD":"GET"); + } +@@ -1770,7 +1770,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url) + + /* if we're talking upload, we can't do the checks below, unless the protocol + is HTTP as when uploading over HTTP we will still get a response */ +- if(data->set.upload && ++ 
if(data->state.upload && + !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP))) + return CURLE_OK; + +diff --git a/lib/urldata.h b/lib/urldata.h +index cca992a02..a8580bdb6 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1462,6 +1462,7 @@ struct UrlState { + BIT(rewindbeforesend);/* TRUE when the sending couldn't be stopped even + though it will be discarded. We must call the data + rewind callback before trying to send again. */ ++ BIT(upload); /* upload request */ + }; + + /* +@@ -1838,7 +1839,6 @@ struct UserDefined { + BIT(http_auto_referer); /* set "correct" referer when following + location: */ + BIT(opt_no_body); /* as set with CURLOPT_NOBODY */ +- BIT(upload); /* upload request */ + BIT(verbose); /* output verbosity */ + BIT(krb); /* Kerberos connection requested */ + BIT(reuse_forbid); /* forbidden to be reused, close after use */ +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index b31f741ba..d60edaa30 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -1209,7 +1209,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(protop->path[strlen(protop->path)-1] == '/') +@@ -1802,7 +1802,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */ + ssh_set_blocking(sshc->ssh_session, 1); + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -1907,7 +1907,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c 
+index f1154dc47..f2e5352d1 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -2019,7 +2019,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sshp->path[strlen(sshp->path)-1] == '/') +@@ -2691,7 +2691,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -2831,7 +2831,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c +index 17d59ecd2..2ca91b736 100644 +--- a/lib/vssh/wolfssh.c ++++ b/lib/vssh/wolfssh.c +@@ -557,7 +557,7 @@ static CURLcode wssh_statemach_act(struct Curl_easy *data, bool *block) + } + break; + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/') +-- +2.25.1 + diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec index a3b1f6df8a4..57cf2fc74c4 100644 --- a/SPECS/curl/curl.spec +++ b/SPECS/curl/curl.spec @@ -2,13 +2,14 @@ Summary: An URL retrieval utility and library Name: curl # Heads up: 7.87 breaks perl-WWW-Curl (see #4588). Version: 7.88.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner Group: System Environment/NetworkingLibraries URL: https://curl.haxx.se Source0: https://curl.haxx.se/download/%{name}-%{version}.tar.gz +Patch0: CVE-2023-28322.patch BuildRequires: krb5-devel BuildRequires: libssh2-devel BuildRequires: openssl-devel 
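Review bot: The hunk adds `Patch0: CVE-2023-28322.patch` but the curl.spec `%prep` section is outside this diff, so it is not visible whether the patch is actually applied; if `%prep` still uses a bare `%setup -q` (as haproxy.spec did before this same series changed it to `%autosetup -p1`), the patch is declared, the Release is bumped and the changelog says the CVE is fixed, yet the built library is unchanged and the build succeeds silently. Please confirm `%prep` contains `%autosetup -p1` (or an explicit `%patch0 -p1`). Note also that the vendored commit (7815647d) was written against 8.1.0-dev and touches 15 files including the three vssh backends, so offsets may not match 7.88.1; with `%autosetup` a failed apply at least fails the build loudly, which is the behaviour you want here.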
@@ -89,6 +90,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/libcurl.so.4* %changelog +* Wed Jun 07 2023 Sumedh Sharma - 7.88.1-2 +- Apply patch to fix CVE-2023-28322 + * Thu Mar 09 2023 Mykhailo Bykhovtsev - 7.88.1-1 - Upgrade to version 7.88.1 to fix CVE-2023-23914, CVE-2023-23915, CVE-2023-23916 - Removing old patches that are fixed in version 7.87.0 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 9247d701d86..615b5e71383 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -130,9 +130,9 @@ libsolv-0.7.20-1.cm1.aarch64.rpm libsolv-devel-0.7.20-1.cm1.aarch64.rpm libssh2-1.9.0-1.cm1.aarch64.rpm libssh2-devel-1.9.0-1.cm1.aarch64.rpm -curl-7.88.1-1.cm1.aarch64.rpm -curl-devel-7.88.1-1.cm1.aarch64.rpm -curl-libs-7.88.1-1.cm1.aarch64.rpm +curl-7.88.1-2.cm1.aarch64.rpm +curl-devel-7.88.1-2.cm1.aarch64.rpm +curl-libs-7.88.1-2.cm1.aarch64.rpm tdnf-2.1.0-8.cm1.aarch64.rpm tdnf-cli-libs-2.1.0-8.cm1.aarch64.rpm tdnf-devel-2.1.0-8.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 163b39b62fa..c324f8972db 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -130,9 +130,9 @@ libsolv-0.7.20-1.cm1.x86_64.rpm libsolv-devel-0.7.20-1.cm1.x86_64.rpm libssh2-1.9.0-1.cm1.x86_64.rpm libssh2-devel-1.9.0-1.cm1.x86_64.rpm -curl-7.88.1-1.cm1.x86_64.rpm -curl-devel-7.88.1-1.cm1.x86_64.rpm -curl-libs-7.88.1-1.cm1.x86_64.rpm +curl-7.88.1-2.cm1.x86_64.rpm +curl-devel-7.88.1-2.cm1.x86_64.rpm +curl-libs-7.88.1-2.cm1.x86_64.rpm tdnf-2.1.0-8.cm1.x86_64.rpm tdnf-cli-libs-2.1.0-8.cm1.x86_64.rpm tdnf-devel-2.1.0-8.cm1.x86_64.rpm 
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 89948644f48..d2167d9d41c 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -51,10 +51,10 @@ cryptsetup-debuginfo-2.3.7-1.cm1.aarch64.rpm cryptsetup-devel-2.3.7-1.cm1.aarch64.rpm cryptsetup-libs-2.3.7-1.cm1.aarch64.rpm cryptsetup-reencrypt-2.3.7-1.cm1.aarch64.rpm -curl-7.88.1-1.cm1.aarch64.rpm -curl-debuginfo-7.88.1-1.cm1.aarch64.rpm -curl-devel-7.88.1-1.cm1.aarch64.rpm -curl-libs-7.88.1-1.cm1.aarch64.rpm +curl-7.88.1-2.cm1.aarch64.rpm +curl-debuginfo-7.88.1-2.cm1.aarch64.rpm +curl-devel-7.88.1-2.cm1.aarch64.rpm +curl-libs-7.88.1-2.cm1.aarch64.rpm cyrus-sasl-2.1.28-1.cm1.aarch64.rpm cyrus-sasl-debuginfo-2.1.28-1.cm1.aarch64.rpm device-mapper-2.03.05-6.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 62fa572fc78..be92e7f5c0e 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -51,10 +51,10 @@ cryptsetup-debuginfo-2.3.7-1.cm1.x86_64.rpm cryptsetup-devel-2.3.7-1.cm1.x86_64.rpm cryptsetup-libs-2.3.7-1.cm1.x86_64.rpm cryptsetup-reencrypt-2.3.7-1.cm1.x86_64.rpm -curl-7.88.1-1.cm1.x86_64.rpm -curl-debuginfo-7.88.1-1.cm1.x86_64.rpm -curl-devel-7.88.1-1.cm1.x86_64.rpm -curl-libs-7.88.1-1.cm1.x86_64.rpm +curl-7.88.1-2.cm1.x86_64.rpm +curl-debuginfo-7.88.1-2.cm1.x86_64.rpm +curl-devel-7.88.1-2.cm1.x86_64.rpm +curl-libs-7.88.1-2.cm1.x86_64.rpm cyrus-sasl-2.1.28-1.cm1.x86_64.rpm cyrus-sasl-debuginfo-2.1.28-1.cm1.x86_64.rpm device-mapper-2.03.05-6.cm1.x86_64.rpm From 01090fe28813d0fbf7de219f1bdd994b3108eb78 Mon Sep 17 00:00:00 2001 
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Thu, 8 Jun 2023 11:13:00 -0700 Subject: [PATCH 03/13] CVE-2023-2985 (#5655) --- SPECS/kernel/CVE-2023-2985.nopatch | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 SPECS/kernel/CVE-2023-2985.nopatch diff --git a/SPECS/kernel/CVE-2023-2985.nopatch b/SPECS/kernel/CVE-2023-2985.nopatch new file mode 100644 index 00000000000..6f578acce3b --- /dev/null +++ b/SPECS/kernel/CVE-2023-2985.nopatch @@ -0,0 +1,3 @@ +CVE-2023-2985 - patched in 5.10.173.1 - (generated by autopatch tool) +upstream 07db5e247ab5858439b14dd7cc1fe538b9efcf32 - stable ef7d71d7bd57b8b7fe514e459927696c1c6d1047 + From 904b3b639259cf56cc0c16f3e4b8cad28eefcf07 Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Wed, 7 Jun 2023 09:55:35 -0400 Subject: [PATCH 04/13] CVE-2023-25725 Patch haproxy for CVE-2023-25725 --- ...p-properly-reject-empty-http-header-.patch | 166 ++++++++++++++++++ SPECS/haproxy/haproxy.spec | 7 +- 2 files changed, 171 insertions(+), 2 deletions(-) create mode 100644 SPECS/haproxy/CVE-2023-25725-http-properly-reject-empty-http-header-.patch diff --git a/SPECS/haproxy/CVE-2023-25725-http-properly-reject-empty-http-header-.patch b/SPECS/haproxy/CVE-2023-25725-http-properly-reject-empty-http-header-.patch new file mode 100644 index 00000000000..2dc7adfad5e --- /dev/null +++ b/SPECS/haproxy/CVE-2023-25725-http-properly-reject-empty-http-header-.patch 
@@ -0,0 +1,166 @@ +From 4a4c90c2b04444d92c58873cfb19052f20280bc2 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Thu, 9 Feb 2023 21:36:54 +0100 +Subject: [PATCH] BUG/CRITICAL: http: properly reject empty http header field + names + +The HTTP header parsers surprizingly accepts empty header field names, +and this is a leftover from the original code that was agnostic to this. + +When muxes were introduced, for H2 first, the HPACK decompressor needed +to feed headers lists, and since empty header names were strictly +forbidden by the protocol, the lists of headers were purposely designed +to be terminated by an empty header field name (a principle that is +similar to H1's empty line termination). This principle was preserved +and generalized to other protocols migrated to muxes (H1/FCGI/H3 etc) +without anyone ever noticing that the H1 parser was still able to deliver +empty header field names to this list. In addition to this it turns out +that the HPACK decompressor, despite a comment in the code, may +successfully decompress an empty header field name, and this mistake +was propagated to the QPACK decompressor as well. + +The impact is that an empty header field name may be used to truncate +the list of headers and thus make some headers disappear. While for +H2/H3 the impact is limited as haproxy sees a request with missing +headers, and headers are not used to delimit messages, in the case of +HTTP/1, the impact is significant because the presence (and sometimes +contents) of certain sensitive headers is detected during the parsing. +Thus, some of these headers may be seen, marked as present, their value +extracted, but never delivered to upper layers and obviously not +forwarded to the other side either. 
This can have for consequence that +certain important header fields such as Connection, Upgrade, Host, +Content-length, Transfer-Encoding etc are possibly seen as different +between what haproxy uses to parse/forward/route and what is observed +in http-request rules and of course, forwarded. One direct consequence +is that it is possible to exploit this property in HTTP/1 to make +affected versions of haproxy forward more data than is advertised on +the other side, and bypass some access controls or routing rules by +crafting extraneous requests. Note, however, that responses to such +requests will normally not be passed back to the client, but this can +still cause some harm. + +This specific risk can be mostly worked around in configuration using +the following rule that will rely on the bug's impact to precisely +detect the inconsistency between the known body size and the one +expected to be advertised to the server (the rule works from 2.0 to +2.8-dev): + + http-request deny if { fc_http_major 1 } !{ req.body_size 0 } !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found } !{ method CONNECT } + +This will exclusively block such carefully crafted requests delivered +over HTTP/1. HTTP/2 and HTTP/3 do not need content-length, and a body +that arrives without being announced with a content-length will be +forwarded using transfer-encoding, hence will not cause discrepancies. +In HAProxy 2.0 in legacy mode ("no option http-use-htx"), this rule will +simply have no effect but will not cause trouble either. + +A clean solution would consist in modifying the loops iterating over +these headers lists to check the header name's pointer instead of its +length (since both are zero at the end of the list), but this requires +to touch tens of places and it's very easy to miss one. Functions such +as htx_add_header(), htx_add_trailer(), htx_add_all_headers() would be +good starting points for such a possible future change. 
+ +Instead the current fix focuses on blocking empty headers where they +are first inserted, hence in the H1/HPACK/QPACK decoders. One benefit +of the current solution (for H1) is that it allows "show errors" to +report a precise diagnostic when facing such invalid HTTP/1 requests, +with the exact location of the problem and the originating address: + + $ printf "GET / HTTP/1.1\r\nHost: localhost\r\n:empty header\r\n\r\n" | nc 0 8001 + HTTP/1.1 400 Bad request + Content-length: 90 + Cache-Control: no-cache + Connection: close + Content-Type: text/html + +

400 Bad request

+ Your browser sent an invalid request. + + + $ socat /var/run/haproxy.stat <<< "show errors" + Total events captured on [10/Feb/2023:16:29:37.530] : 1 + + [10/Feb/2023:16:29:34.155] frontend decrypt (#2): invalid request + backend (#-1), server (#-1), event #0, src 127.0.0.1:31092 + buffer starts at 0 (including 0 out), 16334 free, + len 50, wraps at 16336, error at position 33 + H1 connection flags 0x00000000, H1 stream flags 0x00000810 + H1 msg state MSG_HDR_NAME(17), H1 msg flags 0x00001410 + H1 chunk len 0 bytes, H1 body len 0 bytes : + + 00000 GET / HTTP/1.1\r\n + 00016 Host: localhost\r\n + 00033 :empty header\r\n + 00048 \r\n + +I want to address sincere and warm thanks for their great work to the +team composed of the following security researchers who found the issue +together and reported it: Bahruz Jabiyev, Anthony Gavazzi, and Engin +Kirda from Northeastern University, Kaan Onarlioglu from Akamai +Technologies, Adi Peleg and Harvey Tuch from Google. And kudos to Amaury +Denoyelle from HAProxy Technologies for spotting that the HPACK and +QPACK decoders would let this pass despite the comment explicitly +saying otherwise. + +This fix must be backported as far as 2.0. The QPACK changes can be +dropped before 2.6. In 2.0 there is also the equivalent code for legacy +mode, which doesn't suffer from the list truncation, but it would better +be fixed regardless. + +CVE-2023-25725 was assigned to this issue. 
+ +(cherry picked from commit a8598a2eb11b6c989e81f0dbf10be361782e8d32) +Signed-off-by: Willy Tarreau +(cherry picked from commit a0e561ad7f29ed50c473f5a9da664267b60d1112) +Signed-off-by: Willy Tarreau +(cherry picked from commit 73be199c4f5f1ed468161a4c5e10ca77cd5989d8) +[wt: dropped QPACK changes for 2.5] +Signed-off-by: Willy Tarreau +(cherry picked from commit f8b2b88aeae15dc3b261cd3749277ae75caf9db8) +Signed-off-by: Willy Tarreau +(cherry picked from commit 486cd730485c8a119ef65b3f792134b56e7941b4) +Signed-off-by: Willy Tarreau +--- + src/h1.c | 4 ++++ + src/hpack-dec.c | 9 +++++++++ + 2 files changed, 13 insertions(+) + +diff --git a/src/h1.c b/src/h1.c +index bb8acfb34..83912343d 100644 +--- a/src/h1.c ++++ b/src/h1.c +@@ -669,6 +669,10 @@ int h1_headers_to_hdr_list(char *start, const char *stop, + + if (likely(*ptr == ':')) { + col = ptr - start; ++ if (col <= sol) { ++ state = H1_MSG_HDR_NAME; ++ goto http_msg_invalid; ++ } + EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_hdr_l1_sp, http_msg_ood, state, H1_MSG_HDR_L1_SP); + } + +diff --git a/src/hpack-dec.c b/src/hpack-dec.c +index 27e1797fd..dffaf6212 100644 +--- a/src/hpack-dec.c ++++ b/src/hpack-dec.c +@@ -420,6 +420,15 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len, + /* and are correctly filled here */ + } + ++ /* We must not accept empty header names (forbidden by the spec and used ++ * as a list termination). ++ */ ++ if (!name.len) { ++ hpack_debug_printf("##ERR@%d##\n", __LINE__); ++ ret = -HPACK_ERR_INVALID_ARGUMENT; ++ goto leave; ++ } ++ + /* here's what we have here : + * - name.len > 0 + * - value is filled with either const data or data allocated from tmp +-- +2.34.1 + diff --git a/SPECS/haproxy/haproxy.spec b/SPECS/haproxy/haproxy.spec index a8d533fce2b..012f12c45d0 100644 --- a/SPECS/haproxy/haproxy.spec +++ b/SPECS/haproxy/haproxy.spec 
@@ -1,13 +1,14 @@ Summary: A fast, reliable HA, load balancing, and proxy solution. Name: haproxy Version: 2.1.5 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL URL: http://www.haproxy.org Group: Applications/System Vendor: Microsoft Corporation Distribution: Mariner Source0: http://www.haproxy.org/download/2.1/src/%{name}-%{version}.tar.gz +Patch0: CVE-2023-25725-http-properly-reject-empty-http-header-.patch BuildRequires: openssl-devel BuildRequires: pcre-devel BuildRequires: lua-devel @@ -28,7 +29,7 @@ It contains the documentation and manpages for haproxy package. Requires: %{name} = %{version}-%{release} %prep -%setup -q +%autosetup -p1 %build make %{?_smp_mflags} TARGET="linux-glibc" USE_PCRE=1 USE_OPENSSL=1 \ @@ -58,6 +59,8 @@ install -vDm644 examples/transparent_proxy.cfg %{buildroot}/%{_sysconfdir}/hapr %{_mandir}/* %changelog +* Wed Jun 07 2023 Dan Streetman 2.1.5-2 +- Patch haproxy for CVE-2023-25725 * Thu Jun 04 2020 Ruying Chen 2.1.5-1 - Update to 2.1.5 * Tue May 19 2020 Nicolas Ontiveros 1.9.6-5 From 34f4f03d8f7a86b20e05fab27008551e8d2253ec Mon Sep 17 00:00:00 2001 From: Daniel McIlvaney Date: Fri, 9 Jun 2023 09:45:48 -0700 Subject: [PATCH 05/13] Patch CVE-2023-2650 in OpenSSL (#5645) --- SPECS/openssl/CVE-2023-2650.patch | 113 ++++++++++++++++++ SPECS/openssl/openssl.spec | 6 +- .../manifests/package/pkggen_core_aarch64.txt | 12 +- .../manifests/package/pkggen_core_x86_64.txt | 12 +- .../manifests/package/toolchain_aarch64.txt | 12 +- .../manifests/package/toolchain_x86_64.txt | 12 +- 6 files changed, 142 insertions(+), 25 deletions(-) create mode 100644 SPECS/openssl/CVE-2023-2650.patch diff --git a/SPECS/openssl/CVE-2023-2650.patch b/SPECS/openssl/CVE-2023-2650.patch new file mode 100644 index 00000000000..e85846c422d --- /dev/null +++ b/SPECS/openssl/CVE-2023-2650.patch 
@@ -0,0 +1,113 @@ +From 9e209944b35cf82368071f160a744b6178f9b098 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Fri, 12 May 2023 10:00:13 +0200 +Subject: [PATCH] Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will + translate + +OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical +numeric text form. For gigantic sub-identifiers, this would take a very +long time, the time complexity being O(n^2) where n is the size of that +sub-identifier. + +To mitigate this, a restriction on the size that OBJ_obj2txt() will +translate to canonical numeric text form is added, based on RFC 2578 +(STD 58), which says this: + +> 3.5. OBJECT IDENTIFIER values +> +> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers. +> For the SMIv2, each number in the list is referred to as a sub-identifier, +> there are at most 128 sub-identifiers in a value, and each sub-identifier +> has a maximum value of 2^32-1 (4294967295 decimal). + +Fixes otc/security#96 +Fixes CVE-2023-2650 + +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +--- + CHANGES | 26 ++++++++++++++++++++++++++ + NEWS | 2 ++ + crypto/objects/obj_dat.c | 19 +++++++++++++++++++ + 3 files changed, 47 insertions(+) + +diff --git a/CHANGES b/CHANGES +index 430e32e624e2..945a68b1b8f3 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -9,6 +9,32 @@ + + Changes between 1.1.1t and 1.1.1u [xx XXX xxxx] + ++ *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic ++ OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. ++ ++ OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical ++ numeric text form. For gigantic sub-identifiers, this would take a very ++ long time, the time complexity being O(n^2) where n is the size of that ++ sub-identifier. 
(CVE-2023-2650) ++ ++ To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT ++ IDENTIFIER to canonical numeric text form if the size of that OBJECT ++ IDENTIFIER is 586 bytes or less, and fail otherwise. ++ ++ The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT ++ IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at ++ most 128 sub-identifiers, and that the maximum value that each sub- ++ identifier may have is 2^32-1 (4294967295 decimal). ++ ++ For each byte of every sub-identifier, only the 7 lower bits are part of ++ the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with ++ these restrictions may occupy is 32 * 128 / 7, which is approximately 586 ++ bytes. ++ ++ Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 ++ ++ [Richard Levitte] ++ + *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304). + The previous fix for this timing side channel turned out to cause + a severe 2-3x performance regression in the typical use case +diff --git a/NEWS b/NEWS +index 62615693fab8..d17b45ecc01a 100644 +--- a/NEWS ++++ b/NEWS +@@ -7,6 +7,8 @@ + + Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development] + ++ o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic ++ OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) + o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) + o Fixed handling of invalid certificate policies in leaf certificates + (CVE-2023-0465) +diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c +index 7e8de727f310..d699915b20e7 100644 +--- a/crypto/objects/obj_dat.c ++++ b/crypto/objects/obj_dat.c +@@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + first = 1; + bl = NULL; + ++ /* ++ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: ++ * ++ * > 3.5. 
OBJECT IDENTIFIER values ++ * > ++ * > An OBJECT IDENTIFIER value is an ordered list of non-negative ++ * > numbers. For the SMIv2, each number in the list is referred to as a ++ * > sub-identifier, there are at most 128 sub-identifiers in a value, ++ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 ++ * > decimal). ++ * ++ * So a legitimate OID according to this RFC is at most (32 * 128 / 7), ++ * i.e. 586 bytes long. ++ * ++ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 ++ */ ++ if (len > 586) ++ goto err; ++ + while (len > 0) { + l = 0; + use_bn = 0; diff --git a/SPECS/openssl/openssl.spec b/SPECS/openssl/openssl.spec index d7911798990..05da9310c41 100644 --- a/SPECS/openssl/openssl.spec +++ b/SPECS/openssl/openssl.spec @@ -4,7 +4,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1k -Release: 15%{?dist} +Release: 16%{?dist} License: OpenSSL Vendor: Microsoft Corporation Distribution: Mariner @@ -55,6 +55,7 @@ Patch32: CVE-2023-0215.patch Patch33: CVE-2023-0464.patch Patch34: CVE-2023-0465.patch Patch35: CVE-2023-0466.patch +Patch36: CVE-2023-2650.patch BuildRequires: perl-Test-Warnings BuildRequires: perl-Text-Template Requires: %{name}-libs = %{version}-%{release} @@ -334,6 +335,9 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist %postun libs -p /sbin/ldconfig %changelog +* Tue Jun 06 2023 Daniel McIlvaney - 1.1.1k-16 +- Patch CVE-2023-2650 + * Wed Apr 12 2023 Rohit Rawat - 1.1.1k-15 - Patch CVE-2023-0465 and CVE-2023-0466 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 615b5e71383..52c2b4a245a 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
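Review bot: The new `if (len > 586) goto err;` in OBJ_obj2txt() bounds the total DER length of the OID, not the size of any single sub-identifier, so an OID made of many small arcs (say 587 one-byte arcs) is now rejected too even though it never hit the O(n^2) path; that is upstream's choice, but it is a deliberate behavior change from 1.1.1k and the `err` label this jumps to, plus whatever the prologue left in `buf`, sit outside the hunk. Callers that do not check for a negative return will now get an empty or untouched buffer where they used to get text. A one-line comment on the check would make the contract explicit for anyone reading the backport, e.g. `/* Oversized OIDs are refused outright (return -1); callers must check. */`, with the exact err-path behavior confirmed against the label below the hunk.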
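Review bot: Only `Patch36: CVE-2023-2650.patch` is declared in the `@@ -55,6 +55,7 @@` hunk; no `%patch36` line is added anywhere in this diff, unlike the python-requests and qt5-qtbase specs later in this same series, which add both the declaration and the apply line. If %prep in this spec applies patches through an explicit `%patchN` list rather than `%autosetup -p1`, the CVE patch is declared but never applied and the release bump carries no fix; %prep is not visible here, so please confirm or add `%patch36 -p1`. Note also that the patch's CHANGES/NEWS hunks carry 1.1.1u context (`Changes between 1.1.1t and 1.1.1u`) that a 1.1.1k tree may not contain, so a rejected hunk there during %prep would be the first symptom.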
@@ -105,12 +105,12 @@ perl-5.30.3-2.cm1.aarch64.rpm texinfo-6.5-7.cm1.aarch64.rpm autoconf-2.69-10.cm1.noarch.rpm automake-1.16.1-3.cm1.noarch.rpm -openssl-1.1.1k-15.cm1.aarch64.rpm -openssl-devel-1.1.1k-15.cm1.aarch64.rpm -openssl-libs-1.1.1k-15.cm1.aarch64.rpm -openssl-perl-1.1.1k-15.cm1.aarch64.rpm -openssl-static-1.1.1k-15.cm1.aarch64.rpm -openssl-debuginfo-1.1.1k-15.cm1.aarch64.rpm +openssl-1.1.1k-16.cm1.aarch64.rpm +openssl-devel-1.1.1k-16.cm1.aarch64.rpm +openssl-libs-1.1.1k-16.cm1.aarch64.rpm +openssl-perl-1.1.1k-16.cm1.aarch64.rpm +openssl-static-1.1.1k-16.cm1.aarch64.rpm +openssl-debuginfo-1.1.1k-16.cm1.aarch64.rpm libcap-2.26-2.cm1.aarch64.rpm libcap-devel-2.26-2.cm1.aarch64.rpm libcap-ng-0.7.9-3.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index c324f8972db..d50b9ca806f 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -105,12 +105,12 @@ perl-5.30.3-2.cm1.x86_64.rpm texinfo-6.5-7.cm1.x86_64.rpm autoconf-2.69-10.cm1.noarch.rpm automake-1.16.1-3.cm1.noarch.rpm -openssl-1.1.1k-15.cm1.x86_64.rpm -openssl-devel-1.1.1k-15.cm1.x86_64.rpm -openssl-libs-1.1.1k-15.cm1.x86_64.rpm -openssl-perl-1.1.1k-15.cm1.x86_64.rpm -openssl-static-1.1.1k-15.cm1.x86_64.rpm -openssl-debuginfo-1.1.1k-15.cm1.x86_64.rpm +openssl-1.1.1k-16.cm1.x86_64.rpm +openssl-devel-1.1.1k-16.cm1.x86_64.rpm +openssl-libs-1.1.1k-16.cm1.x86_64.rpm +openssl-perl-1.1.1k-16.cm1.x86_64.rpm +openssl-static-1.1.1k-16.cm1.x86_64.rpm +openssl-debuginfo-1.1.1k-16.cm1.x86_64.rpm libcap-2.26-2.cm1.x86_64.rpm libcap-devel-2.26-2.cm1.x86_64.rpm libcap-ng-0.7.9-3.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index d2167d9d41c..7dcd3c128e7 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt 
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -300,12 +300,12 @@ openjdk8-src-1.8.0.332-2.cm1.aarch64.rpm openjre8-1.8.0.332-2.cm1.aarch64.rpm openldap-2.4.57-3.cm1.aarch64.rpm openldap-debuginfo-2.4.57-3.cm1.aarch64.rpm -openssl-1.1.1k-15.cm1.aarch64.rpm -openssl-debuginfo-1.1.1k-15.cm1.aarch64.rpm -openssl-devel-1.1.1k-15.cm1.aarch64.rpm -openssl-libs-1.1.1k-15.cm1.aarch64.rpm -openssl-perl-1.1.1k-15.cm1.aarch64.rpm -openssl-static-1.1.1k-15.cm1.aarch64.rpm +openssl-1.1.1k-16.cm1.aarch64.rpm +openssl-debuginfo-1.1.1k-16.cm1.aarch64.rpm +openssl-devel-1.1.1k-16.cm1.aarch64.rpm +openssl-libs-1.1.1k-16.cm1.aarch64.rpm +openssl-perl-1.1.1k-16.cm1.aarch64.rpm +openssl-static-1.1.1k-16.cm1.aarch64.rpm p11-kit-0.23.22-1.cm1.aarch64.rpm p11-kit-debuginfo-0.23.22-1.cm1.aarch64.rpm p11-kit-devel-0.23.22-1.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index be92e7f5c0e..073f5fe0d12 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -300,12 +300,12 @@ openjdk8-src-1.8.0.332-2.cm1.x86_64.rpm openjre8-1.8.0.332-2.cm1.x86_64.rpm openldap-2.4.57-3.cm1.x86_64.rpm openldap-debuginfo-2.4.57-3.cm1.x86_64.rpm -openssl-1.1.1k-15.cm1.x86_64.rpm -openssl-debuginfo-1.1.1k-15.cm1.x86_64.rpm -openssl-devel-1.1.1k-15.cm1.x86_64.rpm -openssl-libs-1.1.1k-15.cm1.x86_64.rpm -openssl-perl-1.1.1k-15.cm1.x86_64.rpm -openssl-static-1.1.1k-15.cm1.x86_64.rpm +openssl-1.1.1k-16.cm1.x86_64.rpm +openssl-debuginfo-1.1.1k-16.cm1.x86_64.rpm +openssl-devel-1.1.1k-16.cm1.x86_64.rpm +openssl-libs-1.1.1k-16.cm1.x86_64.rpm +openssl-perl-1.1.1k-16.cm1.x86_64.rpm +openssl-static-1.1.1k-16.cm1.x86_64.rpm p11-kit-0.23.22-1.cm1.x86_64.rpm p11-kit-debuginfo-0.23.22-1.cm1.x86_64.rpm p11-kit-devel-0.23.22-1.cm1.x86_64.rpm From 5fea42f8c99e1fd6a21859226c1479e473647070 Mon Sep 17 00:00:00 2001 
From: Henry Beberman Date: Mon, 12 Jun 2023 17:07:26 -0700 Subject: [PATCH 06/13] Patch CVE-2023-2977 in opensc (#5668) --- SPECS/opensc/CVE-2023-2977.patch | 51 ++++++++++++++++++++++++++++++++ SPECS/opensc/opensc.spec | 6 +++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 SPECS/opensc/CVE-2023-2977.patch diff --git a/SPECS/opensc/CVE-2023-2977.patch b/SPECS/opensc/CVE-2023-2977.patch new file mode 100644 index 00000000000..6ebb9ebac66 --- /dev/null +++ b/SPECS/opensc/CVE-2023-2977.patch 
@@ -0,0 +1,51 @@ +From 3bf3ab2f9091f984cda6dd910654ccbbe3f06a40 Mon Sep 17 00:00:00 2001 +From: fullwaywang +Date: Mon, 29 May 2023 10:38:48 +0800 +Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer + overrun bug. Fixes #2785 + +Signed-off-by: Henry Beberman + +--- + src/pkcs15init/pkcs15-cardos.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c +index 9715cf390f..f41f73c349 100644 +--- a/src/pkcs15init/pkcs15-cardos.c ++++ b/src/pkcs15init/pkcs15-cardos.c +@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + sc_apdu_t apdu; + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; + int r; +- const u8 *p = rbuf, *q; ++ const u8 *p = rbuf, *q, *pp; + size_t len, tlen = 0, ilen = 0; + + sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88); +@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + return 0; + + while (len != 0) { +- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); +- if (p == NULL) ++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); ++ if (pp == NULL) + return 0; + if (card->type == SC_CARD_TYPE_CARDOS_M4_3) { + /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */ + /* and Package Number 0x07 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x07) +@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) { + /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */ + /* and Package Number 0x02 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x02) 
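Review bot: Keeping `p` at the start of the search window while `pp` receives the 0xe1 element's value closes the over-read only in combination with the loop's advance, which lies below the visible `@@ -888,13 +888,13 @@` hunk; the diffstat (5 insertions, 5 deletions) shows that tail is untouched, so presumably it still does `p += tlen; len -= tlen;` on the outer pointer. With that pairing `p + len` can no longer move past `rbuf + apdu.resplen`, which is the CVE, but the advance still skips only the value bytes and not the tag/length header, so the next iteration restarts inside the first element's value rather than after it — harmless for bounds, but not a real TLV walk. If a proper walk is intended, advance from the value pointer instead: `p = pp + tlen; len = (rbuf + apdu.resplen) - p;` (inferred from the subject line and diffstat, since the tail is not shown). cardos_have_verifyrc_package() starts and ends outside the hunk.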
diff --git a/SPECS/opensc/opensc.spec b/SPECS/opensc/opensc.spec index 5fb6fce2cc2..888b92adf6a 100644 --- a/SPECS/opensc/opensc.spec +++ b/SPECS/opensc/opensc.spec @@ -3,7 +3,7 @@ Summary: Smart card library and applications Name: opensc Version: 0.22.0 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -14,6 +14,7 @@ Source1: opensc.module # https://github.com/OpenSC/OpenSC/blob/master/tests/common.sh Source2: common.sh Patch1: opensc-0.19.0-pinpad.patch +Patch2: CVE-2023-2977.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bash-completion @@ -180,6 +181,9 @@ rm -rf %{_mandir}/man1 %{_datadir}/opensc/ %changelog +* Mon Jun 12 2023 Henry Beberman - 0.22.0-2 +- Apply upstream patch for CVE-2023-2977 + * Thu Sep 23 2021 Henry Beberman - 0.22.0-1 - Update to version 0.22.0 - Remove patches already present in version 0.22.0 From de07b68fd51ee841f030e8cd7b3588fb770724db Mon Sep 17 00:00:00 2001 From: suresh-thelkar Date: Wed, 14 Jun 2023 19:10:02 +0530 Subject: [PATCH 07/13] Patch CVE-2023-32681 in python-requests (#5672) * Patch CVE-2023-32681 in python-requests Co-authored-by: Henry Beberman --- SPECS/python-requests/CVE-2023-32681.patch | 59 ++++++++++++++++++++++ SPECS/python-requests/python-requests.spec | 7 ++- 2 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 SPECS/python-requests/CVE-2023-32681.patch diff --git a/SPECS/python-requests/CVE-2023-32681.patch b/SPECS/python-requests/CVE-2023-32681.patch new file mode 100644 index 00000000000..5b096eb15f0 --- /dev/null +++ b/SPECS/python-requests/CVE-2023-32681.patch 
@@ -0,0 +1,59 @@ +From 221f3daa5b6135a791488d847fe68d6001d3e0bc Mon Sep 17 00:00:00 2001 +From: Nate Prewitt +Date: Mon, 22 May 2023 08:08:57 -0700 +Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q + +--- + requests/sessions.py | 4 +++- + tests/test_requests.py | 20 ++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/requests/sessions.py b/requests/sessions.py +index d73d700..a0a8c9b 100644 +--- a/requests/sessions.py ++++ b/requests/sessions.py +@@ -309,7 +309,9 @@ class SessionRedirectMixin(object): + except KeyError: + username, password = None, None + +- if username and password: ++ # urllib3 handles proxy authorization for us in the standard adapter. ++ # Avoid appending this to TLS tunneled requests where it may be leaked. ++ if not scheme.startswith('https') and username and password: + headers['Proxy-Authorization'] = _basic_auth_str(username, password) + + return new_proxies +diff --git a/tests/test_requests.py b/tests/test_requests.py +index f27f20b..3b3bcab 100644 +--- a/tests/test_requests.py ++++ b/tests/test_requests.py +@@ -551,6 +551,26 @@ class TestRequests: + with pytest.raises(InvalidProxyURL): + requests.get(httpbin(), proxies={'http': 'http:///example.com:8080'}) + ++ @pytest.mark.parametrize( ++ "url,has_proxy_auth", ++ ( ++ ('http://example.com', True), ++ ('https://example.com', False), ++ ), ++ ) ++ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): ++ session = requests.Session() ++ proxies = { ++ 'http': 'http://test:pass@localhost:8080', ++ 'https': 'http://test:pass@localhost:8090', ++ } ++ req = requests.Request('GET', url) ++ prep = req.prepare() ++ session.rebuild_proxies(prep, proxies) ++ ++ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth ++ ++ + def test_basicauth_with_netrc(self, httpbin): + auth = ('user', 'pass') + wrong_auth = ('wronguser', 'wrongpass') +-- +2.38.1 + 
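Review bot: The new `not scheme.startswith('https')` guard in rebuild_proxies() stops requests from re-attaching Proxy-Authorization on redirects to https targets, which means tunnelled requests now rely entirely on the adapter/urllib3 CONNECT handling the added comment refers to; that code is outside this patch and, for the 2.22.0 package here, lives in the system urllib3 rather than a vendored copy. Please confirm the urllib3 release this package is built and tested against emits Proxy-Authorization on the CONNECT itself, otherwise https-through-authenticated-proxy silently stops authenticating after this backport (the header used to be leaked to the origin, which is the bug, but it was at least sent). The hunk offsets (`@@ -309,7 +309,9 @@`) come from the 2.31 sessions.py, so the hunk applies with an offset on 2.22.0; worth a glance at the %prep output to be sure it landed in rebuild_proxies and not a similar `if username and password:` elsewhere.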
diff --git a/SPECS/python-requests/python-requests.spec b/SPECS/python-requests/python-requests.spec index 6ff8133a955..61a38afa8a4 100644 --- a/SPECS/python-requests/python-requests.spec +++ b/SPECS/python-requests/python-requests.spec @@ -3,7 +3,7 @@ Summary: Awesome Python HTTP Library That's Actually Usable Name: python-requests Version: 2.22.0 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -13,6 +13,7 @@ URL: http://python-requests.org Source0: requests-%{version}.tar.gz Patch0: test_requests_typeerror_testfix.patch Patch1: test_requests_support_pytest_4.patch +Patch2: CVE-2023-32681.patch BuildRequires: python-setuptools BuildRequires: python2 @@ -93,6 +94,7 @@ Python 3 version. %setup -q -n requests-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 rm -rf ../p3dir cp -a . ../p3dir @@ -131,6 +133,9 @@ popd %{python3_sitelib}/* %changelog +* Tue Jun 13 2023 Suresh Thelkar - 2.22.0-3 +- Add patch for CVE-2023-32681 + * Mon Mar 01 2021 Andrew Phelps - 2.22.0-2 - Add patches for test issues and run tests with tox From c51dbe515c3eef2de3cda6bf214477c895b47ab0 Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Fri, 9 Jun 2023 13:12:50 -0400 Subject: [PATCH 08/13] Fix openssh for CVE-2023-28531 Fix ssh-add/ssh-agent handling of smartcard details --- ...-destination-constraints-for-smartca.patch | 29 +++++++++++++++++++ SPECS/openssh/openssh.spec | 7 ++++- 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 SPECS/openssh/CVE-2023-28531-upstream-include-destination-constraints-for-smartca.patch diff --git a/SPECS/openssh/CVE-2023-28531-upstream-include-destination-constraints-for-smartca.patch b/SPECS/openssh/CVE-2023-28531-upstream-include-destination-constraints-for-smartca.patch new file mode 100644 index 00000000000..bbde84729f6 --- /dev/null +++ b/SPECS/openssh/CVE-2023-28531-upstream-include-destination-constraints-for-smartca.patch 
@@ -0,0 +1,29 @@ +From 54ac4ab2b53ce9fcb66b8250dee91c070e4167ed Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 9 Mar 2023 06:58:26 +0000 +Subject: [PATCH] upstream: include destination constraints for smartcard keys + too. + +Spotted by Luci Stanescu; ok deraadt@ markus@ + +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f +--- + authfd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/authfd.c b/authfd.c +index 13f9432e..77dc3cce 100644 +--- a/authfd.c ++++ b/authfd.c +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, + struct dest_constraint **dest_constraints, size_t ndest_constraints) + { + struct sshbuf *msg; +- int r, constrained = (life || confirm); ++ int r, constrained = (life || confirm || dest_constraints); + u_char type; + + if (add) { +-- +2.34.1 + diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec index 4f70af4953f..23726b368de 100644 --- a/SPECS/openssh/openssh.spec +++ b/SPECS/openssh/openssh.spec @@ -2,7 +2,7 @@ Summary: Free version of the SSH connectivity tools Name: openssh Version: 8.9p1 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -16,6 +16,7 @@ Patch0: blfs_systemd_fixes.patch # Nopatches section # Community agreed to not patch this Patch100: CVE-2007-2768.nopatch +Patch101: CVE-2023-28531-upstream-include-destination-constraints-for-smartca.patch BuildRequires: e2fsprogs-devel BuildRequires: groff BuildRequires: krb5-devel @@ -60,6 +61,7 @@ This provides the ssh server daemons, utilities, configuration and service files %setup -q tar xf %{SOURCE1} --no-same-owner %patch0 +%patch101 -p1 %build %configure \ 
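Review bot: `constrained = (life || confirm || dest_constraints)` tests the array pointer, while the same call carries `ndest_constraints` as the authoritative count, so a caller passing a non-NULL pointer with zero entries would mark the message constrained and encode an empty constraint set; `ndest_constraints > 0` states the intent more precisely. This matches upstream's wording and the encoding branch that consumes these values is below the hunk (ssh_update_card continues outside it), so treat it as a style nit rather than a defect. A one-line comment on the changed line would protect the third term from being dropped in a future merge, e.g. `/* destination constraints alone must also flag the key as constrained (CVE-2023-28531) */`.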
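Review bot: `Patch101` is inserted directly under the `# Nopatches section` / `# Community agreed to not patch this` comments, right after `CVE-2007-2768.nopatch`, so a reader will take it for another deliberately unapplied entry; it is a real, applied patch and belongs with `Patch0` (e.g. `Patch1: CVE-2023-28531-upstream-include-destination-constraints-for-smartca.patch`, applied as `%patch1 -p1`), or at minimum needs its own comment line above it. Note also that the existing `%patch0` is applied without a strip level while the new `%patch101 -p1` strips one, which is correct for a git-format patch but easy to get wrong if the numbers are later reshuffled.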
@@ -185,6 +187,9 @@ rm -rf %{buildroot}/* %{_mandir}/man8/ssh-sk-helper.8.gz %changelog +* Fri Jun 09 2023 Dan Streetman - 8.9p1-2 +- Fix ssh-add/ssh-agent smartcard handling for CVE-2023-28531 + * Mon Oct 24 2022 Aurélien Bombo - 8.9p1-1 - Update to 8.9p1 to fix CVE-2021-36368. From 861a5919166f1e39f3ffd0a7384b79ef866fa81a Mon Sep 17 00:00:00 2001 From: Henry Beberman Date: Wed, 14 Jun 2023 09:29:17 -0700 Subject: [PATCH 09/13] Patch CVE-2023-31975 in yasm (#5681) --- SPECS/yasm/CVE-2023-31975.patch | 25 +++++++++++++++++++++++++ SPECS/yasm/yasm.spec | 10 ++++++---- 2 files changed, 31 insertions(+), 4 deletions(-) create mode 100644 SPECS/yasm/CVE-2023-31975.patch diff --git a/SPECS/yasm/CVE-2023-31975.patch b/SPECS/yasm/CVE-2023-31975.patch new file mode 100644 index 00000000000..0a924e98654 --- /dev/null +++ b/SPECS/yasm/CVE-2023-31975.patch @@ -0,0 +1,25 @@ +From 168febbc155c832439be9500452ebe39994d2309 Mon Sep 17 00:00:00 2001 +From: "K. Gondow" +Date: Sat, 10 Jun 2023 06:03:05 +0900 +Subject: [PATCH] fix issue #210 + +Signed-off-by: Henry Beberman +--- + modules/objfmts/bin/bin-objfmt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/modules/objfmts/bin/bin-objfmt.c b/modules/objfmts/bin/bin-objfmt.c +index 18026750c..a38c3422a 100644 +--- a/modules/objfmts/bin/bin-objfmt.c ++++ b/modules/objfmts/bin/bin-objfmt.c +@@ -1680,6 +1680,10 @@ static void + bin_section_data_destroy(void *data) + { + bin_section_data *bsd = (bin_section_data *)data; ++ if (bsd->align) ++ yasm_xfree(bsd->align); ++ if (bsd->valign) ++ yasm_xfree(bsd->valign); + if (bsd->start) + yasm_expr_destroy(bsd->start); + if (bsd->vstart) diff --git a/SPECS/yasm/yasm.spec b/SPECS/yasm/yasm.spec index 835389ab8aa..99205927c2f 100644 --- a/SPECS/yasm/yasm.spec +++ b/SPECS/yasm/yasm.spec 
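Review bot: The added `yasm_xfree(bsd->align)` / `yasm_xfree(bsd->valign)` calls release only the top-level allocation; the struct's field declarations are outside the hunk, but the neighbouring `yasm_expr_destroy(bsd->start)` shows this destructor uses typed destructors, and if `align`/`valign` are `yasm_intnum *` (as I recall from upstream bin-objfmt.c, where they are set from parsed alignment values — please confirm) then `yasm_intnum_destroy()` is the matching call, since a bitvector-backed intnum keeps a second allocation that `yasm_xfree` would leak — the same class of bug this CVE fix is closing. If the fields are intnums, change the two lines to `yasm_intnum_destroy(bsd->align);` and `yasm_intnum_destroy(bsd->valign);`, keeping the NULL guards. bin_section_data_destroy() continues past the hunk.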
@@ -1,13 +1,14 @@ Summary: Modular Assembler Name: yasm Version: 1.3.0 -Release: 13%{?dist} +Release: 14%{?dist} License: BSD and (GPLv2+ or Artistic or LGPLv2+) and LGPLv2 URL: https://yasm.tortall.net/ Vendor: Microsoft Corporation Distribution: Mariner Source0: https://www.tortall.net/projects/%{name}/releases/%{name}-%{version}.tar.gz Patch1: 0001-Update-elf-objfmt.c.patch +Patch2: CVE-2023-31975.patch BuildRequires: gcc BuildRequires: bison @@ -43,9 +44,7 @@ Install this package if you need to rebuild applications that use yasm. %prep -%setup -q -%patch1 -p1 - +%autosetup -p1 %build %configure @@ -74,6 +73,9 @@ make install DESTDIR=%{buildroot} %changelog +* Tue Jun 13 2023 Henry Beberman - 1.3.0-14 +- Apply upstream patch for CVE-2023-31975 + * Fri Aug 21 2020 Thomas Crain 1.3.0-13 - Initial CBL-Mariner version imported from Fedora 33 (license: MIT) - License verified From 4dda59e7b8f6bf7f1239c30cb8c2bb3c91bb32e9 Mon Sep 17 00:00:00 2001 From: Henry Li <69694695+henryli001@users.noreply.github.com> Date: Wed, 14 Jun 2023 10:47:39 -0700 Subject: [PATCH 10/13] [1.0] Fix qt5-qtbase CVE-2023-36762 (#5676) * fix CVE-2023-36762 in 1.0 * update release version --------- Co-authored-by: Henry Li --- SPECS/qt5-qtbase/CVE-2023-32762.patch | 47 +++++++++++++++++++++++++++ SPECS/qt5-qtbase/qt5-qtbase.spec | 9 ++++- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 SPECS/qt5-qtbase/CVE-2023-32762.patch diff --git a/SPECS/qt5-qtbase/CVE-2023-32762.patch b/SPECS/qt5-qtbase/CVE-2023-32762.patch new file mode 100644 index 00000000000..e3d26463853 --- /dev/null +++ b/SPECS/qt5-qtbase/CVE-2023-32762.patch 
@@ -0,0 +1,47 @@ +From 1b736a815be0222f4b24289cf17575fc15707305 Mon Sep 17 00:00:00 2001 +From: Mårten Nordheim +Date: Fri, 05 May 2023 11:07:26 +0200 +Subject: [PATCH] Hsts: match header names case insensitively + +Header field names are always considered to be case-insensitive. + +Pick-to: 6.5 6.5.1 6.2 5.15 +Fixes: QTBUG-113392 +Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43 +Reviewed-by: Qt CI Bot +Reviewed-by: Edward Welbourne +Reviewed-by: Volker Hilsheimer +--- + +diff --git a/./src/network/access/qhsts.cpp b/../qtbase-new/src/network/access/qhsts.cpp +index ce70b6a..68f406d 100644 +--- a/./src/network/access/qhsts.cpp ++++ b/../qtbase-new/src/network/access/qhsts.cpp +@@ -364,8 +364,8 @@ quoted-pair = "\" CHAR + bool QHstsHeaderParser::parse(const QList> &headers) + { + for (const auto &h : headers) { +- // We use '==' since header name was already 'trimmed' for us: +- if (h.first == "Strict-Transport-Security") { ++ // We compare directly because header name was already 'trimmed' for us: ++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) { + header = h.second; + // RFC6797, 8.1: + // +diff --git a/tests/auto/network/access/hsts/tst_qhsts.cpp b/tests/auto/network/access/hsts/tst_qhsts.cpp +index d72991a..c3c5f58 100644 +--- a/tests/auto/network/access/hsts/tst_qhsts.cpp ++++ b/tests/auto/network/access/hsts/tst_qhsts.cpp +@@ -241,6 +241,12 @@ void tst_QHsts::testSTSHeaderParser() + QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc()); + QVERIFY(parser.includeSubDomains()); + ++ list.pop_back(); ++ list << Header("strict-transport-security", "includeSubDomains;max-age=1000"); ++ QVERIFY(parser.parse(list)); ++ QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc()); ++ QVERIFY(parser.includeSubDomains()); ++ + list.pop_back(); + // Invalid (includeSubDomains twice): + list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains"); 
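Review bot: The hand-edited file header for qhsts.cpp reads `--- a/./src/network/access/qhsts.cpp` / `+++ b/../qtbase-new/src/network/access/qhsts.cpp`, while the test file keeps the normal `a/tests/...` / `b/tests/...` form. With `%patch82 -p1`, GNU patch picks whichever stripped name exists, so `./src/network/access/qhsts.cpp` happens to work, but the `../qtbase-new/...` name points outside the build tree and `git apply` (or `%autosetup -S git`) would reject the file. Normalise both lines to `--- a/src/network/access/qhsts.cpp` and `+++ b/src/network/access/qhsts.cpp` so the patch applies identically with any tool.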
diff --git a/SPECS/qt5-qtbase/qt5-qtbase.spec b/SPECS/qt5-qtbase/qt5-qtbase.spec index 823028a008c..6c88df2af70 100644 --- a/SPECS/qt5-qtbase/qt5-qtbase.spec +++ b/SPECS/qt5-qtbase/qt5-qtbase.spec @@ -42,7 +42,7 @@ Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.12.11 -Release: 5%{?dist} +Release: 6%{?dist} # See LICENSE.GPL3-EXCEPT.txt, for exception details License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0 Vendor: Microsoft Corporation @@ -144,6 +144,9 @@ Patch80: qtbase-use-wayland-on-gnome.patch # Fix CVE-2023-24607 patch81: CVE-2023-24607.patch + +# Fix CVE-2023-32762 +Patch82: CVE-2023-32762.patch ## upstream patches # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. @@ -259,6 +262,7 @@ Qt5 libraries used for drawing widgets and OpenGL items. %patch80 -p1 -b .use-wayland-on-gnome.patch %endif %patch81 -p1 +%patch82 -p1 ## upstream patches @@ -765,6 +769,9 @@ fi %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake %changelog +* Mon Jun 12 2023 Henry Li - 5.12.11-6 +- Add patch to resolve CVE-2023-36762 + * Fri May 12 2023 Thien Trung Vuong - 5.12.11-5 - Update patch for CVE-2023-24607 From 0d3f345d34f2b6bcd09902c02709cbb8490aa897 Mon Sep 17 00:00:00 2001 
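Review bot: The new changelog line and the PR title say CVE-2023-36762, while the `@@ -144,6 +144,9 @@` hunk adds `# Fix CVE-2023-32762` and `Patch82: CVE-2023-32762.patch`; the Qt HSTS case-insensitive header issue (QTBUG-113392 in the patch header) is tracked as CVE-2023-32762, so the changelog identifier looks like a transposition that will mislead anyone scanning `rpm -q --changelog` for this fix. Change the changelog entry to `- Add patch to resolve CVE-2023-32762`. Minor style: the existing `patch81:` tag is lower-case while the new `Patch82:` is capitalised; rpm accepts both, but a consistent spelling helps grep.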
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 14 Jun 2023 11:11:18 -0700 Subject: [PATCH 11/13] [AUTOPATCHER-kernel] Kernel upgrade to version 5.10.183.1 - branch 1.0-dev - (#5673) * Kernel upgrade to 5.10.183.1 version * Apply config changes to ARM64 --- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++- .../hyperv-daemons.signatures.json | 2 +- SPECS/hyperv-daemons/hyperv-daemons.spec | 5 ++++- .../kernel-headers.signatures.json | 2 +- SPECS/kernel-headers/kernel-headers.spec | 5 ++++- SPECS/kernel-hyperv/config | 2 +- .../kernel-hyperv/kernel-hyperv.signatures.json | 4 ++-- SPECS/kernel-hyperv/kernel-hyperv.spec | 5 ++++- SPECS/kernel/config | 2 +- SPECS/kernel/config_aarch64 | 5 ++++- SPECS/kernel/kernel.signatures.json | 6 +++--- SPECS/kernel/kernel.spec | 5 ++++- cgmanifest.json | 16 ++++++++-------- .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 2 +- .../manifests/package/toolchain_x86_64.txt | 2 +- toolkit/scripts/toolchain/container/Dockerfile | 2 +- .../toolchain/container/toolchain-sha256sums | 2 +- .../container/toolchain_build_in_chroot.sh | 2 +- .../container/toolchain_build_temp_tools.sh | 2 +- 21 files changed, 49 insertions(+), 31 deletions(-) diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index d5e6e5c9bb6..5d9601dbbde 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -9,7 +9,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 5.10.181.1 +Version: 5.10.183.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation 
@@ -147,6 +147,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %endif %changelog +* Tue Jun 13 2023 CBL-Mariner Servicing Account - 5.10.183.1-1 +- Auto-upgrade to 5.10.183.1 + * Fri Jun 02 2023 CBL-Mariner Servicing Account - 5.10.181.1-1 - Auto-upgrade to 5.10.181.1 diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index 7f7640a5f2d..a3a32030bb6 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -7,6 +7,6 @@ "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-5.10.181.1.tar.gz": "91bfcb493da9bdcae9492e87b43bd7363ca28410b3192f83feea8cdf369d1896" + "kernel-5.10.183.1.tar.gz": "1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125" } } \ No newline at end of file diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index 4c2491e7e9b..8e8e46ae5f9 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -8,7 +8,7 @@ %global udev_prefix 70 Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 5.10.181.1 +Version: 5.10.183.1 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation @@ -221,6 +221,9 @@ fi %{_sbindir}/lsvmbus %changelog +* Tue Jun 13 2023 CBL-Mariner Servicing Account - 5.10.183.1-1 +- Auto-upgrade to 5.10.183.1 + * Fri Jun 02 2023 CBL-Mariner Servicing Account - 5.10.181.1-1 - Auto-upgrade to 5.10.181.1 diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 924945f4581..4b3b272f700 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json 
@@ -1,5 +1,5 @@ { "Signatures": { - "kernel-5.10.181.1.tar.gz": "91bfcb493da9bdcae9492e87b43bd7363ca28410b3192f83feea8cdf369d1896" + "kernel-5.10.183.1.tar.gz": "1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125" } } \ No newline at end of file diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 9a3dee57c0a..4eaaa522cb0 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -1,6 +1,6 @@ Summary: Linux API header files Name: kernel-headers -Version: 5.10.181.1 +Version: 5.10.183.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -36,6 +36,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir} %{_includedir}/* %changelog +* Tue Jun 13 2023 CBL-Mariner Servicing Account - 5.10.183.1-1 +- Auto-upgrade to 5.10.183.1 + * Fri Jun 02 2023 CBL-Mariner Servicing Account - 5.10.181.1-1 - Auto-upgrade to 5.10.181.1 diff --git a/SPECS/kernel-hyperv/config b/SPECS/kernel-hyperv/config index a4daa2e4ff7..c97901bc6fe 100644 --- a/SPECS/kernel-hyperv/config +++ b/SPECS/kernel-hyperv/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.181.1 Kernel Configuration +# Linux/x86_64 5.10.183.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json index b1167401717..e8f9830cf13 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json +++ b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json 
@@ -1,8 +1,8 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "e7ae473bac6faa0b84d3ddb1b3eece38376b7e0ea945c2b023d1bde205d70044", + "config": "3387855f3a5d67d9640385ca53da09a56d6f82c42ef1917d85185572e42bb6f5", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.10.181.1.tar.gz": "91bfcb493da9bdcae9492e87b43bd7363ca28410b3192f83feea8cdf369d1896" + "kernel-5.10.183.1.tar.gz": "1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125" } } \ No newline at end of file diff --git a/SPECS/kernel-hyperv/kernel-hyperv.spec b/SPECS/kernel-hyperv/kernel-hyperv.spec index 29e98591f6f..b68ba2e613f 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.spec +++ b/SPECS/kernel-hyperv/kernel-hyperv.spec @@ -3,7 +3,7 @@ %define uname_r %{version}-%{release} Summary: Linux Kernel optimized for Hyper-V Name: kernel-hyperv -Version: 5.10.181.1 +Version: 5.10.183.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -270,6 +270,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_libdir}/perf/include/bpf/* %changelog +* Tue Jun 13 2023 CBL-Mariner Servicing Account - 5.10.183.1-1 +- Auto-upgrade to 5.10.183.1 + * Fri Jun 02 2023 CBL-Mariner Servicing Account - 5.10.181.1-1 - Auto-upgrade to 5.10.181.1 diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 6cc19f7d006..2e335aeb401 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.181.1 Kernel Configuration +# Linux/x86_64 5.10.183.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index 2127841b032..e3f15c6f4a1 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.10.181.1 Kernel Configuration +# Linux/arm64 5.10.183.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y @@ -2630,6 +2630,7 @@ CONFIG_SCSI_MVSAS=m CONFIG_SCSI_MVSAS_DEBUG=y CONFIG_SCSI_MVSAS_TASKLET=y CONFIG_SCSI_MVUMI=m +# CONFIG_SCSI_DPT_I2O is not set CONFIG_SCSI_ADVANSYS=m CONFIG_SCSI_ARCMSR=m CONFIG_SCSI_ESAS2R=m @@ -5925,8 +5926,10 @@ CONFIG_DRM_UDL=m CONFIG_DRM_AST=m CONFIG_DRM_MGAG200=m CONFIG_DRM_RCAR_DU=m +CONFIG_DRM_RCAR_USE_CMM=y CONFIG_DRM_RCAR_CMM=m CONFIG_DRM_RCAR_DW_HDMI=m +CONFIG_DRM_RCAR_USE_LVDS=y CONFIG_DRM_RCAR_LVDS=m CONFIG_DRM_RCAR_WRITEBACK=y CONFIG_DRM_SUN4I=m diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 2d8293d0c96..22bf81988a3 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,9 +1,9 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "e99db915ceba845daf62d6e74c61f6698858d877e13127b7e99cc82b09c4aa4e", - "config_aarch64": "6be232d973432160c5b28ad2f271eecea8fdc87fa37aed6f06b7051a4ff21c23", + "config": "907da610602c9e52b693da67777e4f22ecdaf44c7c79b24a67093e29e4f61ebc", + "config_aarch64": "1c3abe3a51d951ce5fee3b3fe9d376840854baa36df5dc6c8acf2835eac831d6", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.10.181.1.tar.gz": "91bfcb493da9bdcae9492e87b43bd7363ca28410b3192f83feea8cdf369d1896" + "kernel-5.10.183.1.tar.gz": "1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125" } } \ No newline at end of file diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 32d68dae109..d5ff5438af6 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec 
@@ -3,7 +3,7 @@ %define uname_r %{version}-%{release} Summary: Linux Kernel Name: kernel -Version: 5.10.181.1 +Version: 5.10.183.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -634,6 +634,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Tue Jun 13 2023 CBL-Mariner Servicing Account - 5.10.183.1-1 +- Auto-upgrade to 5.10.183.1 + * Fri Jun 02 2023 CBL-Mariner Servicing Account - 5.10.181.1-1 - Auto-upgrade to 5.10.181.1 diff --git a/cgmanifest.json b/cgmanifest.json index 7f035d76a9f..da2087a1715 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -2156,8 +2156,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "5.10.181.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.181.1.tar.gz" + "version": "5.10.183.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.183.1.tar.gz" } } }, @@ -2476,8 +2476,8 @@ "type": "other", "other": { "name": "kernel", - "version": "5.10.181.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.181.1.tar.gz" + "version": "5.10.183.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.183.1.tar.gz" } } }, @@ -2486,8 +2486,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "5.10.181.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.181.1.tar.gz" + "version": "5.10.183.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.183.1.tar.gz" } } }, 
@@ -2496,8 +2496,8 @@ "type": "other", "other": { "name": "kernel-hyperv", - "version": "5.10.181.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.181.1.tar.gz" + "version": "5.10.183.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.183.1.tar.gz" } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 52c2b4a245a..cea5d299668 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-7.cm1.aarch64.rpm -kernel-headers-5.10.181.1-1.cm1.noarch.rpm +kernel-headers-5.10.183.1-1.cm1.noarch.rpm glibc-2.28-24.cm1.aarch64.rpm glibc-devel-2.28-24.cm1.aarch64.rpm glibc-i18n-2.28-24.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index d50b9ca806f..720db3a0120 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-7.cm1.x86_64.rpm -kernel-headers-5.10.181.1-1.cm1.noarch.rpm +kernel-headers-5.10.183.1-1.cm1.noarch.rpm glibc-2.28-24.cm1.x86_64.rpm glibc-devel-2.28-24.cm1.x86_64.rpm glibc-i18n-2.28-24.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 7dcd3c128e7..374f9ebeb42 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -152,7 +152,7 @@ json-c-debuginfo-0.14-3.cm1.aarch64.rpm json-c-devel-0.14-3.cm1.aarch64.rpm kbd-2.0.4-7.cm1.aarch64.rpm kbd-debuginfo-2.0.4-7.cm1.aarch64.rpm -kernel-headers-5.10.181.1-1.cm1.noarch.rpm +kernel-headers-5.10.183.1-1.cm1.noarch.rpm kmod-25-4.cm1.aarch64.rpm kmod-debuginfo-25-4.cm1.aarch64.rpm kmod-devel-25-4.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 073f5fe0d12..0bd5119961f 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -152,7 +152,7 @@ json-c-debuginfo-0.14-3.cm1.x86_64.rpm json-c-devel-0.14-3.cm1.x86_64.rpm kbd-2.0.4-7.cm1.x86_64.rpm kbd-debuginfo-2.0.4-7.cm1.x86_64.rpm -kernel-headers-5.10.181.1-1.cm1.noarch.rpm +kernel-headers-5.10.183.1-1.cm1.noarch.rpm kmod-25-4.cm1.x86_64.rpm kmod-debuginfo-25-4.cm1.x86_64.rpm kmod-devel-25-4.cm1.x86_64.rpm diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile index 0a6bf3ca6c5..01a24660687 100644 --- a/toolkit/scripts/toolchain/container/Dockerfile +++ b/toolkit/scripts/toolchain/container/Dockerfile 
@@ -69,7 +69,7 @@ COPY [ "./toolchain-sha256sums", \ WORKDIR $LFS/sources RUN wget -nv --no-clobber --timeout=30 --no-check-certificate --continue --input-file=$LFS/tools/toolchain-local-wget-list --directory-prefix=$LFS/sources; exit 0 RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0 -RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.181.1.tar.gz -O kernel-5.10.181.1.tar.gz --directory-prefix=$LFS/sources; exit 0 +RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.183.1.tar.gz -O kernel-5.10.183.1.tar.gz --directory-prefix=$LFS/sources; exit 0 USER root RUN /tools/toolchain-jdk8-wget.sh; exit 0 RUN sha256sum -c $LFS/tools/toolchain-sha256sums && \ diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums index 6b2813c7263..d37a1f56944 100644 --- a/toolkit/scripts/toolchain/container/toolchain-sha256sums +++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums 
@@ -59,7 +59,7 @@ b725c9b2e9793df7bf5d4d300390db11aa27bd98df9f33021d539be9bd603846 jdk8u212-b04-j 13ae78908151ad88ee3b375c72ca3f55a82b5265a3faba97f224f2a9b9d486fc jdk8u212-b04-nashorn.tar.bz2 6d28bdd752c056de98f6faf897b338d6ce8938810d72a69c2f5c1d81d628d44a jdk8u212-b04.tar.bz2 f882210b76376e3fa006b11dbd890e56ec0942bc56e65d1249ff4af86f90b857 kbproto-1.0.7.tar.bz2 -91bfcb493da9bdcae9492e87b43bd7363ca28410b3192f83feea8cdf369d1896 kernel-5.10.181.1.tar.gz +1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125 kernel-5.10.183.1.tar.gz c676146577d989189940f1959d9e3980d28513d74eedfbc6b7f15ea45fe54ee2 libarchive-3.6.1.tar.gz b630b7c484271b3ba867680d6a14b10a86cfa67247a14631b14c06731d5a458b libcap-2.26.tar.xz c97da36d2e56a2d7b6e4f896241785acc95e97eb9557465fd66ba2a155a7b201 libdmx-1.1.3.tar.bz2 diff --git a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh index 4ba40a0bbb7..bfd0b302ada 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh @@ -57,7 +57,7 @@ set -e # cd /sources -KERNEL_VERSION="5.10.181.1" +KERNEL_VERSION="5.10.183.1" echo Linux-${KERNEL_VERSION} API Headers tar xf kernel-${KERNEL_VERSION}.tar.gz pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-${KERNEL_VERSION} diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh index 4ddd29c41ec..4a5846fd4e3 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh 
@@ -114,7 +114,7 @@ rm -rf gcc-9.1.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete -KERNEL_VERSION="5.10.181.1" +KERNEL_VERSION="5.10.183.1" echo Linux-${KERNEL_VERSION} API Headers tar xf kernel-${KERNEL_VERSION}.tar.gz pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-${KERNEL_VERSION} From 98b6bacc9139c9a702320832fc7966865bc8e524 Mon Sep 17 00:00:00 2001 From: Henry Li <69694695+henryli001@users.noreply.github.com> Date: Thu, 15 Jun 2023 10:47:20 -0700 Subject: [PATCH 12/13] [1.0] Fix qt5-qtbase CVE-2023-32763 (#5685) * fix CVE-2023-32763 on 1.0 * modify patch to fix variable type * modify patch file that matches with the current source version * update patch to fix patching failure --------- Co-authored-by: Henry Li --- SPECS/qt5-qtbase/CVE-2023-32763.patch | 49 +++++++++++++++++++++++++++ SPECS/qt5-qtbase/qt5-qtbase.spec | 9 ++++- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 SPECS/qt5-qtbase/CVE-2023-32763.patch diff --git a/SPECS/qt5-qtbase/CVE-2023-32763.patch b/SPECS/qt5-qtbase/CVE-2023-32763.patch new file mode 100644 index 00000000000..23a5ef078ce --- /dev/null +++ b/SPECS/qt5-qtbase/CVE-2023-32763.patch 
@@ -0,0 +1,49 @@ +diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h +index 8465928..57d750a 100644 +--- a/src/gui/painting/qfixed_p.h ++++ b/src/gui/painting/qfixed_p.h +@@ -54,6 +54,7 @@ + #include + #include "QtCore/qdebug.h" + #include "QtCore/qpoint.h" ++#include + #include "QtCore/qsize.h" + + QT_BEGIN_NAMESPACE +@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 < + Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; } + Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); } + ++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r) ++{ ++ int val; ++ bool result = add_overflow(v1.value(), v2.value(), &val); ++ r->setValue(val); ++ return result; ++} ++ + #ifndef QT_NO_DEBUG_STREAM + inline QDebug &operator<<(QDebug &dbg, const QFixed &f) + { return dbg << f.toReal(); } +diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp +index 03f2acd..d34e3d9 100644 +--- a/src/gui/text/qtextlayout.cpp ++++ b/src/gui/text/qtextlayout.cpp +@@ -2099,11 +2099,14 @@ found: + eng->maxWidth = qMax(eng->maxWidth, line.textWidth); + } else { + eng->minWidth = qMax(eng->minWidth, lbh.minw); +- eng->maxWidth += line.textWidth; ++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth)) ++ eng->maxWidth = QFIXED_MAX; + } + +- if (line.textWidth > 0 && item < eng->layoutData->items.size()) +- eng->maxWidth += lbh.spaceData.textWidth; ++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) { ++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth)) ++ eng->maxWidth = QFIXED_MAX; ++ } + if (eng->option.flags() & QTextOption::IncludeTrailingSpaces) + line.textWidth += lbh.spaceData.textWidth; + if (lbh.spaceData.length) { diff --git a/SPECS/qt5-qtbase/qt5-qtbase.spec b/SPECS/qt5-qtbase/qt5-qtbase.spec index 6c88df2af70..b1dc0b8ab92 100644 --- a/SPECS/qt5-qtbase/qt5-qtbase.spec 
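Review bot: The new patch file has no provenance header, so the backport cannot be traced to the upstream qtbase change it mirrors; add the usual `From:`/`Subject:` preamble naming the upstream commit and CVE-2023-32763 above the first `diff --git` line so the next maintainer can diff it against upstream. The added `#include` line at the top of `qfixed_p.h` shows no target in this rendering (the angle-bracket includes around it are stripped too), so confirm the committed file really pulls in the private numeric header that declares `add_overflow`, otherwise `qAddOverflow` does not compile. `qAddOverflow` writes the wrapped sum into `*r` whenever `add_overflow` reports overflow and relies on both call sites in `qtextlayout.cpp` clamping to `QFIXED_MAX` immediately afterwards; a comment on the helper such as `// On overflow *r holds the wrapped sum; callers must clamp it.` makes that contract explicit. The context line `line.textWidth += lbh.spaceData.textWidth;` just below the two guarded additions still uses the raw `+=`; whether a single line's width can grow large enough for that to matter is not visible here, but it is the remaining unguarded QFixed addition in this block.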
+++ b/SPECS/qt5-qtbase/qt5-qtbase.spec @@ -42,7 +42,7 @@ Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.12.11 -Release: 6%{?dist} +Release: 7%{?dist} # See LICENSE.GPL3-EXCEPT.txt, for exception details License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0 Vendor: Microsoft Corporation @@ -147,6 +147,9 @@ patch81: CVE-2023-24607.patch # Fix CVE-2023-32762 Patch82: CVE-2023-32762.patch + +# Fix CVE-2023-32763 +Patch83: CVE-2023-32763.patch ## upstream patches # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. @@ -263,6 +266,7 @@ Qt5 libraries used for drawing widgets and OpenGL items. %endif %patch81 -p1 %patch82 -p1 +%patch83 -p1 ## upstream patches @@ -769,6 +773,9 @@ fi %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake %changelog +* Wed Jun 14 2023 Henry Li - 5.12.11-7 +- Add patch to resolve CVE-2023-36763 + * Mon Jun 12 2023 Henry Li - 5.12.11-6 - Add patch to resolve CVE-2023-36762 From 4eb2dce6ef56c3c7dc50e62098672a22bf2aaa80 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Thu, 15 Jun 2023 12:40:48 -0700 Subject: [PATCH 13/13] Prepare June 2023 Update 2 (#5695) --- SPECS/mariner-release/mariner-release.spec | 5 ++++- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 2 +- 5 files changed, 8 insertions(+), 5 deletions(-) diff --git a/SPECS/mariner-release/mariner-release.spec b/SPECS/mariner-release/mariner-release.spec index 39ef72a7ebd..4c810129f3b 100644 --- a/SPECS/mariner-release/mariner-release.spec +++ b/SPECS/mariner-release/mariner-release.spec 
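Review bot: The new `%changelog` entry records the wrong CVE identifier: it says `Add patch to resolve CVE-2023-36763`, while the `Patch83` comment, the patch filename and the commit subject all say CVE-2023-32763. Tooling that derives fixed-vulnerability data from the RPM changelog will not credit this build with the fix, so the line should read `- Add patch to resolve CVE-2023-32763`. The preceding 5.12.11-6 entry shows the same digit transposition (`CVE-2023-36762` for `Patch82: CVE-2023-32762.patch`); it is history here, but worth correcting in the same touch if the project allows editing past entries.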
@@ -1,7 +1,7 @@ Summary: CBL-Mariner release files Name: mariner-release Version: 1.0 -Release: 63%{?dist} +Release: 64%{?dist} License: MIT Group: System Environment/Base URL: https://aka.ms/cbl-mariner @@ -67,6 +67,9 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) /etc/issue.net %changelog +* Thu Jun 15 2023 CBL-Mariner Servicing Account - 1.0-64 +- Bump release for June 2023 Update 2 + * Sat Jun 03 2023 CBL-Mariner Servicing Account - 1.0-63 - Bump release for June 2023 Update diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index cea5d299668..dd5ec835200 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -58,7 +58,7 @@ findutils-lang-4.6.0-8.cm1.aarch64.rpm gettext-0.19.8.1-5.cm1.aarch64.rpm gzip-1.12-1.cm1.aarch64.rpm make-4.2.1-5.cm1.aarch64.rpm -mariner-release-1.0-63.cm1.noarch.rpm +mariner-release-1.0-64.cm1.noarch.rpm patch-2.7.6-7.cm1.aarch64.rpm util-linux-2.32.1-7.cm1.aarch64.rpm util-linux-devel-2.32.1-7.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 720db3a0120..b1861fa815d 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -58,7 +58,7 @@ findutils-lang-4.6.0-8.cm1.x86_64.rpm gettext-0.19.8.1-5.cm1.x86_64.rpm gzip-1.12-1.cm1.x86_64.rpm make-4.2.1-5.cm1.x86_64.rpm -mariner-release-1.0-63.cm1.noarch.rpm +mariner-release-1.0-64.cm1.noarch.rpm patch-2.7.6-7.cm1.x86_64.rpm util-linux-2.32.1-7.cm1.x86_64.rpm util-linux-devel-2.32.1-7.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 374f9ebeb42..3ce7cebeeff 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt 
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -259,7 +259,7 @@ m4-debuginfo-1.4.18-4.cm1.aarch64.rpm make-4.2.1-5.cm1.aarch64.rpm make-debuginfo-4.2.1-5.cm1.aarch64.rpm mariner-check-macros-1.0-8.cm1.noarch.rpm -mariner-release-1.0-63.cm1.noarch.rpm +mariner-release-1.0-64.cm1.noarch.rpm mariner-repos-1.0-16.cm1.noarch.rpm mariner-repos-extras-1.0-16.cm1.noarch.rpm mariner-repos-extras-preview-1.0-16.cm1.noarch.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 0bd5119961f..ae2ec02b040 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -259,7 +259,7 @@ m4-debuginfo-1.4.18-4.cm1.x86_64.rpm make-4.2.1-5.cm1.x86_64.rpm make-debuginfo-4.2.1-5.cm1.x86_64.rpm mariner-check-macros-1.0-8.cm1.noarch.rpm -mariner-release-1.0-63.cm1.noarch.rpm +mariner-release-1.0-64.cm1.noarch.rpm mariner-repos-1.0-16.cm1.noarch.rpm mariner-repos-extras-1.0-16.cm1.noarch.rpm mariner-repos-extras-preview-1.0-16.cm1.noarch.rpm