Merge branch 'main' into 2.0

Author: jslobodzian

.github/CODEOWNERS

@@ -93,3 +93,6 @@
 /toolkit/scripts/toolchain/container/* @microsoft/cbl-mariner-admins
 /toolkit/scripts/toolchain/cgmanifest.json @microsoft/cbl-mariner-admins
 /toolkit/scripts/toolchain/create_toolchain_in_container.sh @microsoft/cbl-mariner-admins
+
+# Modifications to the trusted CA certificates require admin approval.
+/SPECS/*ca-certificates*/*

.pipelines/containerSourceData/scripts/BuildGoldenContainer.sh

@@ -204,12 +204,14 @@ function initialization {
     # the below value of DISTRO_IDENTIFIER in the image tag.
     # TODO: We may need to update this value for Azure Linux 3.0.
     DISTRO_IDENTIFIER="cm"
+    END_OF_LIFE_1_YEAR=$(date -d "+1 year" "+%Y-%m-%dT%H:%M:%SZ")
 
     echo "Golden Image Name             -> $GOLDEN_IMAGE_NAME"
     echo "Base ACR Container Name       -> $BASE_IMAGE_NAME"
     echo "Base ACR Container Tag        -> $BASE_IMAGE_TAG"
     echo "Azure Linux Version           -> $AZURE_LINUX_VERSION"
     echo "Distro Identifier             -> $DISTRO_IDENTIFIER"
+    echo "End of Life                   -> $END_OF_LIFE_1_YEAR"
 }
 
 function prepare_dockerfile {
@@ -322,16 +324,31 @@ function finalize {
     echo "$GOLDEN_IMAGE_NAME_FINAL" >> "$OUTPUT_DIR/PublishedContainers-$IMAGE.txt"
 }
 
+function oras_attach {
+    local image_name=$1
+    oras attach \
+        --artifact-type "application/vnd.microsoft.artifact.lifecycle" \
+        --annotation "vnd.microsoft.artifact.lifecycle.end-of-life.date=$END_OF_LIFE_1_YEAR" \
+        "$image_name"
+}
+
 function publish_to_acr {
     CONTAINER_IMAGE=$1
     if [[ ! "$PUBLISH_TO_ACR" =~ [Tt]rue ]]; then
         echo "+++ Skip publishing to ACR"
         return
     fi
+    local oras_access_token
+
+    echo "+++ az login into Azure ACR $ACR"
+    oras_access_token=$(az acr login --name "$ACR" --expose-token --output tsv --query accessToken)
+    oras login "$ACR.azurecr.io" \
+        --username "00000000-0000-0000-0000-000000000000" \
+        --password "$oras_access_token"
+
     echo "+++ Publish container $CONTAINER_IMAGE"
-    echo "login into ACR: $ACR"
-    az acr login --name "$ACR"
     docker image push "$CONTAINER_IMAGE"
+    oras_attach "$CONTAINER_IMAGE"
 }
 
 function generate_image_sbom {

.pipelines/containerSourceData/scripts/PublishContainers.sh

@@ -264,13 +264,11 @@ do
 
         amd64_image=${image_name%-*}-amd64
         docker pull "$amd64_image"
-        oras_attach "$amd64_image"
 
         # Some container images are only built for AMD64 architecture.
         if [[ $ARCHITECTURE_TO_BUILD == *"ARM64"*  ]]; then
             arm64_image=${image_name%-*}-arm64
             docker pull "$arm64_image"
-            oras_attach "$arm64_image"
         fi
 
         if [[ $container_registry != "$TARGET_ACR" ]]; then

SPECS/ca-certificates/ca-certificates.signatures.json

@@ -11,11 +11,11 @@
     "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
     "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
     "certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
-    "certdata.microsoft.txt": "71599549e0fd94f5afe074ef553cb102d0b38eb94fd8ce11fe9c29c33492ed24",
+    "certdata.microsoft.txt": "89655788a99b61c94aa18ad060b7e032d3e63b9db1417b1496e767662126c75a",
     "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
     "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
     "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
     "update-ca-trust": "0c0c0600587db7f59ba5e399666152ea6de6059f37408f3946c43438d607efdd",
     "update-ca-trust.8.txt": "2470551bd11cc393ddf4cf43cf101c29d9f308c15469ee5e78908cfcf2437579"
   }
-}
+}

SPECS/ca-certificates/ca-certificates.spec

@@ -45,7 +45,7 @@ Name:           ca-certificates
 # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well.
 Epoch:          1
 Version:        2.0.0
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -324,6 +324,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %{_bindir}/bundle2pem.sh
 
 %changelog
+* Mon Apr 22 2024 CBL-Mariner Servicing Account <[email protected]> - 2.0.0-17
+- Updating Microsoft trusted root CAs.
+
 * Fri Mar 29 2024 CBL-Mariner Servicing Account <[email protected]> - 2.0.0-16
 - Updating Microsoft trusted root CAs.
 

SPECS/ca-certificates/certdata.microsoft.txt

@@ -0,0 +1,89 @@
+From 18bc0c1f8e741738490aa0a8415c372db4b20d62 Mon Sep 17 00:00:00 2001
+From: Muhammad Falak R Wani <[email protected]>
+Date: Tue, 23 Apr 2024 10:07:19 +0530
+Subject: [PATCH] http2: close connections when receiving too many headers
+
+Adapted by @mfrw to apply on vendor directory for v0.17 to drop test
+files
+
+Maintaining HPACK state requires that we parse and process
+all HEADERS and CONTINUATION frames on a connection.
+When a request's headers exceed MaxHeaderBytes, we don't
+allocate memory to store the excess headers but we do
+parse them. This permits an attacker to cause an HTTP/2
+endpoint to read arbitrary amounts of data, all associated
+with a request which is going to be rejected.
+Set a limit on the amount of excess header frames we
+will process before closing a connection.
+
+Thanks to Bartek Nowotarski for reporting this issue.
+
+Fixes CVE-2023-45288
+Fixes golang/go#65051
+
+Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
+Reviewed-by: Roland Shoemaker <[email protected]>
+Reviewed-by: Tatiana Bradley <[email protected]>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
+Reviewed-by: Dmitri Shuralyov <[email protected]>
+Auto-Submit: Dmitri Shuralyov <[email protected]>
+Reviewed-by: Than McIntosh <[email protected]>
+LUCI-TryBot-Result: Go LUCI <[email protected]>
+Signed-off-by: Muhammad Falak R Wani <[email protected]>
+---
+ vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index c1f6b90..175c154 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
++++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 		if size > remainSize {
+ 			hdec.SetEmitEnabled(false)
+ 			mh.Truncated = true
++			remainSize = 0
+ 			return
+ 		}
+ 		remainSize -= size
+@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 	var hc headersOrContinuation = hf
+ 	for {
+ 		frag := hc.HeaderBlockFragment()
++
++		// Avoid parsing large amounts of headers that we will then discard.
++		// If the sender exceeds the max header list size by too much,
++		// skip parsing the fragment and close the connection.
++		//
++		// "Too much" is either any CONTINUATION frame after we've already
++		// exceeded the max header list size (in which case remainSize is 0),
++		// or a frame whose encoded size is more than twice the remaining
++		// header list bytes we're willing to accept.
++		if int64(len(frag)) > int64(2*remainSize) {
++			if VerboseLogs {
++				log.Printf("http2: header list too large")
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, ConnectionError(ErrCodeProtocol)
++		}
++
++		// Also close the connection after any CONTINUATION frame following an
++		// invalid header, since we stop tracking the size of the headers after
++		// an invalid one.
++		if invalid != nil {
++			if VerboseLogs {
++				log.Printf("http2: invalid header: %v", invalid)
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, ConnectionError(ErrCodeProtocol)
++		}
++
+ 		if _, err := hdec.Write(frag); err != nil {
+ 			return nil, ConnectionError(ErrCodeCompression)
+ 		}
+-- 
+2.40.1
+

SPECS/git-lfs/CVE-2023-45288.patch

@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "git-lfs-3.4.1-vendor.tar.gz": "a7b525a15b71a92ab789853a172345a4e4815de71ebe3486d5b843651b74cf1e",
-  "git-lfs-3.4.1.tar.gz": "2a36239d7968ae18e1ba2820dc664c4ef753f10bf424f98bccaf44d527f19a17"
+  "git-lfs-3.5.1-vendor.tar.gz": "ebe825559dba3bdc835ad510ed8c3468c9933f945086406a4ec6b79fd31bc104",
+  "git-lfs-3.5.1.tar.gz": "d682a12c0bc48d08d28834dd0d575c91d53dd6c6db63c45c2db7c3dd2fb69ea4"
  }
-}
+}

SPECS/git-lfs/git-lfs.signatures.json

@@ -1,7 +1,7 @@
 %global debug_package %{nil}
 Summary:       Git extension for versioning large files
 Name:          git-lfs
-Version:       3.4.1
+Version:       3.5.1
 Release:       1%{?dist}
 Group:         System Environment/Programming
 Vendor:        Microsoft Corporation
@@ -28,6 +28,7 @@ Source0:       https://github.com/git-lfs/git-lfs/archive/v%{version}.tar.gz#/%{
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:       %{name}-%{version}-vendor.tar.gz
+Patch0:        CVE-2023-45288.patch
 
 BuildRequires: golang
 BuildRequires: which
@@ -41,10 +42,11 @@ Requires:      git
 Git LFS is a command line extension and specification for managing large files with Git
 
 %prep
-%autosetup
+%autosetup -N
 
 %build
 tar --no-same-owner -xf %{SOURCE1}
+%autopatch -p1 
 export GOPATH=%{our_gopath}
 export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external"
 go generate ./commands
@@ -77,6 +79,10 @@ git lfs uninstall
 %{_mandir}/man5/*
 
 %changelog
+* Tue Apr 23 2024 Muhammad Falak <[email protected]> - 3.5.1-1
+- Bump version to 3.5.1 to address CVE-2023-39325
+- Introduce patch to address CVE-2023-45288
+
 * Thu Apr 18 2024 Andrew Phelps <[email protected]> - 3.4.1-1
 - Bump version to 3.4.1 based on AZL3 spec
 - Add BR on asciidoctor & drop un-needed BR

SPECS/git-lfs/git-lfs.spec

@@ -0,0 +1,67 @@
+From 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 Mon Sep 17 00:00:00 2001
+From: Mark Nudelman <[email protected]>
+Date: Thu, 11 Apr 2024 17:49:48 -0700
+Subject: [PATCH] Fix bug when viewing a file whose name contains a newline.
+
+---
+ filename.c | 31 +++++++++++++++++++++++++------
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index f90e0e82..a52c6354 100644
+--- a/filename.c
++++ b/filename.c
+@@ -133,6 +133,15 @@ static constant char * metachars(void)
+ 	return (strchr(metachars(), c) != NULL);
+ }
+ 
++/*
++ * Must use quotes rather than escape char for this metachar?
++ */
++static int must_quote(char c)
++{
++	/* {{ Maybe the set of must_quote chars should be configurable? }} */
++	return (c == '\n'); 
++}
++
+ /*
+  * Insert a backslash before each metacharacter in a string.
+  */
+@@ -164,6 +173,9 @@ public char * shell_quoten(constant char *s, size_t slen)
+ 				 * doesn't support escape chars.  Use quotes.
+ 				 */
+ 				use_quotes = 1;
++			} else if (must_quote(*p))
++			{
++				len += 3; /* open quote + char + close quote */
+ 			} else
+ 			{
+ 				/*
+@@ -193,15 +205,22 @@ public char * shell_quoten(constant char *s, size_t slen)
+ 	{
+ 		while (*s != '\0')
+ 		{
+-			if (metachar(*s))
++			if (!metachar(*s))
+ 			{
+-				/*
+-				 * Add the escape char.
+-				 */
++				*p++ = *s++;
++			} else if (must_quote(*s))
++			{
++				/* Surround the char with quotes. */
++				*p++ = openquote;
++				*p++ = *s++;
++				*p++ = closequote;
++			} else
++			{
++				/* Insert an escape char before the char. */
+ 				strcpy(p, esc);
+ 				p += esclen;
++				*p++ = *s++;
+ 			}
+-			*p++ = *s++;
+ 		}
+ 		*p = '\0';
+ 	}