October 2022 CVE fixes update.

PawelWMS · web-flow · commit 1a94296f0df6 · 2022-10-25T17:36:45.000-07:00
diff --git a/SPECS/libtasn1/libtasn1.signatures.json b/SPECS/libtasn1/libtasn1.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "libtasn1-4.18.0.tar.gz": "4365c154953563d64c67a024b607d1ee75c6db76e0d0f65709ea80a334cd1898"
+  "libtasn1-4.19.0.tar.gz": "1613f0ac1cf484d6ec0ce3b8c06d56263cc7242f1c23b30d82d23de345a63f7a"
  }
 }
diff --git a/SPECS/libtasn1/libtasn1.spec b/SPECS/libtasn1/libtasn1.spec
@@ -1,7 +1,7 @@
 Summary:        ASN.1 library
 Name:           libtasn1
-Version:        4.18.0
-Release:        2%{?dist}
+Version:        4.19.0
+Release:        1%{?dist}
 License:        GPLv3+ AND LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -57,6 +57,9 @@ make %{?_smp_mflags} check
 %{_mandir}/man3/*
 
 %changelog
+* Tue Oct 25 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 4.19.0-1
+- Updating to version 4.19.0 to fix CVE-2021-46848.
+
 * Tue Feb 08 2022 Thomas Crain <thcrain@microsoft.com> - 4.18.0-2
 - Remove manual pkgconfig(*) provides in toolchain specs
 
diff --git a/SPECS/libtiff/CVE-2022-3570.patch b/SPECS/libtiff/CVE-2022-3570.patch
diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec
@@ -1,7 +1,7 @@
 Summary:        TIFF libraries and associated utilities.
 Name:           libtiff
 Version:        4.4.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        libtiff
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -12,6 +12,7 @@ Source0:        https://gitlab.com/libtiff/libtiff/-/archive/v%{version}/libtiff
 Patch0:         CVE-2022-2056.patch
 Patch1:         CVE-2022-34526.patch
 Patch2:         CVE-2022-2953.patch
+Patch3:         CVE-2022-3570.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libjpeg-turbo-devel
@@ -66,6 +67,9 @@ make %{?_smp_mflags} -k check
 %{_mandir}/man3/*
 
 %changelog
+* Mon Oct 24 2022 Sean Dougherty <sdougherty@microsoft.com> - 4.4.0-5
+- Patch CVE-2022-3570
+
 * Wed Sep 14 2022 Nan Liu <liunan@microsoft.com> - 4.4.0-4
 - Patch CVE-2022-2953
 
diff --git a/SPECS/mariner-release/mariner-release.spec b/SPECS/mariner-release/mariner-release.spec
@@ -1,7 +1,7 @@
 Summary:        CBL-Mariner release files
 Name:           mariner-release
 Version:        2.0
-Release:        23%{?dist}
+Release:        24%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -62,6 +62,9 @@ EOF
 %config(noreplace) %{_sysconfdir}/issue.net
 
 %changelog
+* Tue Oct 25 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.0-24
+- Updating version for October update.
+
 * Fri Oct 07 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.0-23
 - Updating version for October release.
 
diff --git a/SPECS/nodejs/nodejs.signatures.json b/SPECS/nodejs/nodejs.signatures.json
@@ -1,5 +1,5 @@
 {
- "Signatures": {
-  "node-v16.16.0.tar.xz": "327688a0d6dafbf7b32324069f16e3d893dcb6654c889c24240e976441c20ffe"
- }
+  "Signatures": {
+    "node-v16.17.1.tar.xz": "def33a26ed76ad308c9fdf04028cbbd4ace7c5de2fa8c866be79836c12f3251d"
+  }
 }
diff --git a/SPECS/nodejs/nodejs.spec b/SPECS/nodejs/nodejs.spec
@@ -1,11 +1,11 @@
 # Retrieved from 'deps/npm/package.json' inside the sources tarball.
-%define npm_version 8.11.0
+%define npm_version 8.15.0
 
 Summary:        A JavaScript runtime built on Chrome's V8 JavaScript engine.
 Name:           nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
-Version:        16.16.0
+Version:        16.17.1
 Release:        2%{?dist}
 License:        BSD and MIT and Public Domain and naist-2003
 Group:          Applications/System
@@ -114,6 +114,12 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Tue Oct 25 2022 Nicolas Guibourge <nicolasg@microsoft.com> - 16.17.1-2
+- Change npm_version to 8.15.0 to reflect the actual version of npm bundled with v16.17.1
+
+* Mon Oct 24 2022 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 16.17.1-1
+- Upgrade to 16.17.1
+
 * Thu Aug 18 2022 Cameron Baird <cameronbaird@microsoft.com> - 16.16.0-2
 - Change npm_version to 8.11.0 to reflect the actual version of npm bundled with v16.16.0
 
diff --git a/SPECS/rubygem-minitest/rubygem-minitest.spec b/SPECS/rubygem-minitest/rubygem-minitest.spec
@@ -3,7 +3,7 @@
 Summary:        Minitest provides a complete suite of testing facilities
 Name:           rubygem-%{gem_name}
 Version:        5.15.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 # minitest source is licensed under MIT and minitest.gemspec is taken from ruby source, licensed under the rest
 License:        MIT AND (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD
 Vendor:         Microsoft Corporation
@@ -13,11 +13,17 @@ URL:            https://github.com/seattlerb/minitest
 Source0:        https://github.com/minitest/minitest/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
 # When updating the version, please make necessary changes in this .gemspec, e.g. update version, dependencies (use https://rubygems.org/gems/minitest)
 Source1:        minitest.gemspec
+BuildArch:      noarch
+
 BuildRequires:  git
 BuildRequires:  ruby
+
 Requires:       ruby(release)
+
+# This package used to be bundled with older versions of Ruby.
+Obsoletes:      ruby <= 3.1.2-2%{?dist}
+
 Provides:       rubygem(minitest) = %{version}-%{release}
-BuildArch:      noarch
 
 %description
 minitest/unit is a small and incredibly fast unit testing framework.
@@ -47,6 +53,9 @@ cp README.rdoc %{buildroot}%{gem_instdir}/
 %{gemdir}
 
 %changelog
+* Mon Oct 24 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 5.15.0-2
+- Adding 'Obsoletes: ruby <= 3.1.2-2'.
+
 * Tue May 24 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 5.15.0-1
 - Update to v5.15.0
 - Get source.tar.gz from upstream, get initial .gemspec from ruby2.7.4 source (license (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD)
diff --git a/SPECS/rubygem-power_assert/rubygem-power_assert.spec b/SPECS/rubygem-power_assert/rubygem-power_assert.spec
@@ -2,18 +2,23 @@
 Summary:        Power Assert for Ruby
 Name:           rubygem-%{gem_name}
 Version:        2.0.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Languages
 URL:            https://github.com/ruby/power_assert/
 Source0:        https://github.com/ruby/power_assert/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
 Patch0:         fix-file_list.patch
+BuildArch:      noarch
+
 BuildRequires:  git
 BuildRequires:  ruby
+
+# This package used to be bundled with older versions of Ruby.
+Obsoletes:      ruby <= 3.1.2-2%{?dist}
+
 Provides:       rubygem(power_assert) = %{version}-%{release}
-BuildArch:      noarch
 
 %description
 Power Assert shows each value of variables and method calls in the expression.
@@ -36,6 +41,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
 %{gemdir}
 
 %changelog
+* Mon Oct 24 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.0.1-4
+- Adding 'Obsoletes: ruby <= 3.1.2-2'.
+
 * Wed Jul 06 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 2.0.1-3
 - Added missing lib files
 
diff --git a/SPECS/rubygem-rake/rubygem-rake.spec b/SPECS/rubygem-rake/rubygem-rake.spec
@@ -2,14 +2,13 @@
 Summary:        Rake is a Make-like program implemented in Ruby
 Name:           rubygem-%{gem_name}
 Version:        13.0.6
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://ruby.github.io/rake/
 Source0:        https://github.com/ruby/rake/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
 BuildArch:      noarch
-Provides:       rubygem(%{gem_name}) = %{version}-%{release}
 
 BuildRequires:  ruby
 BuildRequires:  ruby(release)
@@ -18,6 +17,11 @@ BuildRequires:  rubygems-devel
 BuildRequires:  rubygem(minitest) >= 5
 %endif
 
+# This package used to be bundled with older versions of Ruby.
+Obsoletes:      ruby <= 3.1.2-2%{?dist}
+
+Provides:       rubygem(%{gem_name}) = %{version}-%{release}
+
 %description
 Rake is a Make-like program implemented in Ruby. Tasks and dependencies are
 specified in standard Ruby syntax.
@@ -75,6 +79,9 @@ popd
 %doc %{gem_instdir}/*.rdoc
 
 %changelog
+* Mon Oct 24 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 13.0.6-6
+- Adding 'Obsoletes: ruby <= 3.1.2-2'.
+
 * Wed Jun 22 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 13.0.6-5
 - Add provides.
 
diff --git a/SPECS/rubygem-test-unit/rubygem-test-unit.spec b/SPECS/rubygem-test-unit/rubygem-test-unit.spec
@@ -2,18 +2,24 @@
 Summary:        An xUnit family unit testing framework for Ruby
 Name:           rubygem-%{gem_name}
 Version:        3.5.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        PSF AND BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Languages
 URL:            https://test-unit.github.io/
 Source0:        https://github.com/test-unit/test-unit/archive/refs/tags/%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
+BuildArch:      noarch
+
 BuildRequires:  git
 BuildRequires:  ruby
+
 Requires:       rubygem-power_assert
+
+# This package used to be bundled with older versions of Ruby.
+Obsoletes:      ruby <= 3.1.2-2%{?dist}
+
 Provides:       rubygem(test-unit) = %{version}-%{release}
-BuildArch:      noarch
 
 %description
 Test::Unit (test-unit) is unit testing framework for Ruby, based on xUnit
@@ -42,6 +48,9 @@ cp PSFL %{buildroot}%{gem_instdir}/
 %{gemdir}
 
 %changelog
+* Mon Oct 24 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 3.5.3-3
+- Adding 'Obsoletes: ruby <= 3.1.2-2'.
+
 * Wed Apr 20 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 3.5.3-2
 - Add provides
 
diff --git a/cgmanifest.json b/cgmanifest.json
@@ -10061,8 +10061,8 @@
         "type": "other",
         "other": {
           "name": "libtasn1",
-          "version": "4.18.0",
-          "downloadUrl": "https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.18.0.tar.gz"
+          "version": "4.19.0",
+          "downloadUrl": "https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.19.0.tar.gz"
         }
       }
     },
@@ -12853,8 +12853,8 @@
         "type": "other",
         "other": {
           "name": "nodejs",
-          "version": "16.16.0",
-          "downloadUrl": "https://nodejs.org/download/release/v16.16.0/node-v16.16.0.tar.xz"
+          "version": "16.17.1",
+          "downloadUrl": "https://nodejs.org/download/release/v16.17.1/node-v16.17.1.tar.xz"
         }
       }
     },
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -224,7 +224,7 @@ mariner-repos-shared-2.0-8.cm2.noarch.rpm
 mariner-repos-2.0-8.cm2.noarch.rpm
 libffi-3.4.2-2.cm2.aarch64.rpm
 libffi-devel-3.4.2-2.cm2.aarch64.rpm
-libtasn1-4.18.0-2.cm2.aarch64.rpm
+libtasn1-4.19.0-1.cm2.aarch64.rpm
 p11-kit-0.24.1-1.cm2.aarch64.rpm
 p11-kit-trust-0.24.1-1.cm2.aarch64.rpm
 ca-certificates-shared-2.0.0-8.cm2.noarch.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -224,7 +224,7 @@ mariner-repos-shared-2.0-8.cm2.noarch.rpm
 mariner-repos-2.0-8.cm2.noarch.rpm
 libffi-3.4.2-2.cm2.x86_64.rpm
 libffi-devel-3.4.2-2.cm2.x86_64.rpm
-libtasn1-4.18.0-2.cm2.x86_64.rpm
+libtasn1-4.19.0-1.cm2.x86_64.rpm
 p11-kit-0.24.1-1.cm2.x86_64.rpm
 p11-kit-trust-0.24.1-1.cm2.x86_64.rpm
 ca-certificates-shared-2.0.0-8.cm2.noarch.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -199,9 +199,9 @@ libssh2-debuginfo-1.9.0-2.cm2.aarch64.rpm
 libssh2-devel-1.9.0-2.cm2.aarch64.rpm
 libstdc++-11.2.0-2.cm2.aarch64.rpm
 libstdc++-devel-11.2.0-2.cm2.aarch64.rpm
-libtasn1-4.18.0-2.cm2.aarch64.rpm
-libtasn1-debuginfo-4.18.0-2.cm2.aarch64.rpm
-libtasn1-devel-4.18.0-2.cm2.aarch64.rpm
+libtasn1-4.19.0-1.cm2.aarch64.rpm
+libtasn1-debuginfo-4.19.0-1.cm2.aarch64.rpm
+libtasn1-devel-4.19.0-1.cm2.aarch64.rpm
 libtool-2.4.6-8.cm2.aarch64.rpm
 libtool-debuginfo-2.4.6-8.cm2.aarch64.rpm
 libxml2-2.10.0-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -199,9 +199,9 @@ libssh2-debuginfo-1.9.0-2.cm2.x86_64.rpm
 libssh2-devel-1.9.0-2.cm2.x86_64.rpm
 libstdc++-11.2.0-2.cm2.x86_64.rpm
 libstdc++-devel-11.2.0-2.cm2.x86_64.rpm
-libtasn1-4.18.0-2.cm2.x86_64.rpm
-libtasn1-debuginfo-4.18.0-2.cm2.x86_64.rpm
-libtasn1-devel-4.18.0-2.cm2.x86_64.rpm
+libtasn1-4.19.0-1.cm2.x86_64.rpm
+libtasn1-debuginfo-4.19.0-1.cm2.x86_64.rpm
+libtasn1-devel-4.19.0-1.cm2.x86_64.rpm
 libtool-2.4.6-8.cm2.x86_64.rpm
 libtool-debuginfo-2.4.6-8.cm2.x86_64.rpm
 libxml2-2.10.0-1.cm2.x86_64.rpm
diff --git a/toolkit/tools/pkggen/worker/create_worker_chroot.sh b/toolkit/tools/pkggen/worker/create_worker_chroot.sh
@@ -2,6 +2,9 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
+set -e
+set -o pipefail
+
 # $1 path to create worker base
 # $2 path to text file containing the worker core packages
 # $3 path to find RPMs. May be in PATH/<arch>/*.rpm
@@ -50,29 +53,44 @@ mkdir -p "$log_path"
 ORIGINAL_HOME=$HOME
 HOME=/root
 
+# These nodes are required in the chroot for certain tools (most importantly, gpg key import when installing 'mariner-repos-shared' package)
+# This is also required to check the rpm db version to see if rebuilding the db is necessary
+mkdir -pv $chroot_builder_folder/dev
+mknod -m 600 $chroot_builder_folder/dev/console c 5 1
+mknod -m 666 $chroot_builder_folder/dev/null c 1 3
+mknod -m 444 $chroot_builder_folder/dev/urandom c 1 9
+
 while read -r package || [ -n "$package" ]; do
     install_one_toolchain_rpm "$package"
 done < "$packages"
 
-TEMP_DB_PATH=/temp_db
-echo "Setting up a clean RPM database before the Berkeley DB -> SQLite conversion under '$TEMP_DB_PATH'." | tee -a "$chroot_log"
-chroot "$chroot_builder_folder" mkdir -p "$TEMP_DB_PATH"
-chroot "$chroot_builder_folder" rpm --initdb --dbpath="$TEMP_DB_PATH"
-
-# Popularing the SQLite database with package info.
-while read -r package || [ -n "$package" ]; do
-    full_rpm_path=$(find "$rpm_path" -name "$package" -type f 2>>"$chroot_log")
-    cp $full_rpm_path $chroot_builder_folder/$package
-
-    echo "Adding RPM DB entry to worker chroot: $package." | tee -a "$chroot_log"
+# If the host machine rpm version is >= 4.16 (such as Mariner 2.0), it will create an "sqlite" rpm database backend incompatible with Mariner 1.0 (which uses "bdb")
+# To resolve this, enter the 1.0 chroot after the packages are installed, and use the older rpm tool in the chroot to re-create the database in "bdb" format.
+HOST_RPM_VERSION="$(rpm --version)"
+HOST_RPM_DB_BACKEND="$(rpm -E '%{_db_backend}')"
+GUEST_RPM_VERSION="$(chroot "$chroot_builder_folder" rpm --version)"
+GUEST_RPM_DB_BACKEND="$(chroot "$chroot_builder_folder" rpm -E '%{_db_backend}')"
+echo "Current host '$HOST_RPM_VERSION' with rpm db '$HOST_RPM_DB_BACKEND', guest has '$GUEST_RPM_VERSION' with rpm db '$GUEST_RPM_DB_BACKEND'" | tee -a "$chroot_log"
 
-    chroot "$chroot_builder_folder" rpm -i -v --nodeps --noorder --force --dbpath="$TEMP_DB_PATH" --justdb "$package" &>> "$chroot_log"
-    chroot "$chroot_builder_folder" rm $package
-done < "$packages"
-
-echo "Overwriting old RPM database with the results of the conversion." | tee -a "$chroot_log"
-chroot "$chroot_builder_folder" rm -rf /var/lib/rpm
-chroot "$chroot_builder_folder" mv "$TEMP_DB_PATH" /var/lib/rpm
+if [[ "$HOST_RPM_DB_BACKEND" == "$GUEST_RPM_DB_BACKEND" ]]; then
+    echo "The host rpm db '$HOST_RPM_DB_BACKEND' matches the guest. Not rebuilding the database." | tee -a "$chroot_log"
+else
+    echo "The host rpm db ('$HOST_RPM_DB_BACKEND') differs from the guest ('$GUEST_RPM_DB_BACKEND'). Rebuilding database for compatibility" | tee -a "$chroot_log"
+    TEMP_DB_PATH="/temp_db"
+    chroot "$chroot_builder_folder" mkdir -p "$TEMP_DB_PATH"
+    chroot "$chroot_builder_folder" rpm --initdb --dbpath="$TEMP_DB_PATH"
+    # Populating the SQLite database with package info.
+    while read -r package || [ -n "$package" ]; do
+        full_rpm_path=$(find "$rpm_path" -name "$package" -type f 2>>"$chroot_log")
+        cp $full_rpm_path $chroot_builder_folder/$package
+        echo "Adding RPM DB entry to worker chroot: $package." | tee -a "$chroot_log"
+        chroot "$chroot_builder_folder" rpm -i -v --nodeps --noorder --force --dbpath="$TEMP_DB_PATH" --justdb "$package" &>> "$chroot_log"
+        chroot "$chroot_builder_folder" rm $package
+    done < "$packages"
+    echo "Overwriting old RPM database with the results of the conversion." | tee -a "$chroot_log"
+    chroot "$chroot_builder_folder" rm -rf /var/lib/rpm
+    chroot "$chroot_builder_folder" mv "$TEMP_DB_PATH" /var/lib/rpm
+fi
 
 echo "Importing CBL-Mariner GPG keys." | tee -a "$chroot_log"
 for gpg_key in $(chroot "$chroot_builder_folder" rpm -q -l mariner-repos-shared | grep "rpm-gpg")

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`		`- "libtasn1-4.18.0.tar.gz": "4365c154953563d64c67a024b607d1ee75c6db76e0d0f65709ea80a334cd1898"`
	`3`	`+ "libtasn1-4.19.0.tar.gz": "1613f0ac1cf484d6ec0ce3b8c06d56263cc7242f1c23b30d82d23de345a63f7a"`
`4`	`4`	`}`
`5`	`5`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "Signatures": {`
`3`		`- "node-v16.16.0.tar.xz": "327688a0d6dafbf7b32324069f16e3d893dcb6654c889c24240e976441c20ffe"`
`4`		`- }`
	`2`	`+ "Signatures": {`
	`3`	`+ "node-v16.17.1.tar.xz": "def33a26ed76ad308c9fdf04028cbbd4ace7c5de2fa8c866be79836c12f3251d"`
	`4`	`+ }`
`5`	`5`	`}`