diff --git a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json index 72aede72c77..e9c666280bf 100644 --- a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json +++ b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "SymCrypt-OpenSSL-1.5.1.tar.gz": "946ac1bdd4d3e0d0381bca0df1b7281f9f7735430dfb6fce56344c7f2f3a7ecb" + "SymCrypt-OpenSSL-1.6.0.tar.gz": "7265ddd737b582418a7f0c29144ab11af1bdfd8ea65fbb1a92711068fa606f61" } } diff --git a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec index 8789f31fc54..55ad3e8e8b4 100644 --- a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec +++ b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec @@ -1,7 +1,7 @@ Summary: The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations Name: SymCrypt-OpenSSL -Version: 1.5.1 -Release: 2%{?dist} +Version: 1.6.0 +Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -9,12 +9,12 @@ Group: System/Libraries URL: https://github.com/microsoft/SymCrypt-OpenSSL Source0: https://github.com/microsoft/SymCrypt-OpenSSL/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz BuildRequires: openssl-devel -BuildRequires: SymCrypt +BuildRequires: SymCrypt >= 103.6.0 BuildRequires: cmake BuildRequires: gcc BuildRequires: make -Requires: SymCrypt +Requires: SymCrypt >= 103.6.0 Requires: openssl %description @@ -67,6 +67,9 @@ install SymCryptProvider/symcrypt_prov.cnf %{buildroot}%{_sysconfdir}/pki/tls/sy %{_sysconfdir}/pki/tls/symcrypt_prov.cnf %changelog +* Mon Nov 25 2024 Tobias Brick - 1.6.0-1 +- Upgrade to SymCrypt-OpenSSL 1.6.0 + * Wed Oct 02 2024 Tobias Brick - 1.5.1-2 - Add sources to debuginfo package 
diff --git a/SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch b/SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch
deleted file mode 100644
index 3706904d559..00000000000
--- a/SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch
+++ /dev/null
@@ -1,123 +0,0 @@ -From 997c3bdf24749edbdb562af15f9d95be35f062de Mon Sep 17 00:00:00 2001 -From: Tobias Brick -Date: Tue, 15 Oct 2024 16:21:27 +0000 -Subject: [PATCH] Merged PR 11601893: add build flags to prevent stripping and - post processing - -## Description: -Add build flags to prevent stripping and post processing of binary after building. This is useful to fit in to different package build systems. - ----- -#### AI description (iteration 1) -#### PR Classification -New feature - -#### PR Summary -This pull request introduces build flags to control binary stripping and FIPS postprocessing. -- `CMakeLists.txt`: Added options `SYMCRYPT_STRIP_BINARY` and `SYMCRYPT_FIPS_POSTPROCESS` with default values set to `ON`. -- `scripts/build.py`: Added command-line arguments `--no-strip-binary` and `--no-fips-postprocess` to control the new build options. -- `BUILD.md`: Updated documentation to include the new build options. -- `modules/linux/common/ModuleCommon.cmake`: Modified conditions to respect the new build flags for stripping and FIPS postprocessing. ---- - BUILD.md | 2 ++ - CMakeLists.txt | 14 ++++++++++++++ - modules/linux/common/ModuleCommon.cmake | 4 ++-- - scripts/build.py | 8 ++++++++ - 4 files changed, 26 insertions(+), 2 deletions(-) - -diff --git a/BUILD.md b/BUILD.md -index f6c781d..e8eaa88 100644 ---- a/BUILD.md -+++ b/BUILD.md -@@ -74,6 +74,8 @@ and building the Linux modules with FIPS integrity checks. - * To cross-compile for Linux ARM64, you must also use `--toolchain=cmake-configs/Toolchain-Clang-ARM64.cmake` - * `-DSYMCRYPT_USE_ASM=` to choose whether to use assembly optimizations. Defaults to `ON`. - * `-DSYMCRYPT_FIPS_BUILD=` to choose whether to enable FIPS self-tests in the SymCrypt shared object module. Defaults to `ON`. Currently only affects Linux builds. -+ * `-DSYMCRYPT_STRIP_BINARY=` to choose whether to strip the binary. Defaults to `ON`. -+ * `-DSYMCRYPT_FIPS_POSTPROCESS=` to choose whether to run the FIPS postprocess script. 
Defaults to `ON`. - * For a release build, specify `-DCMAKE_BUILD_TYPE=RelWithDebInfo` - 1. `cmake --build bin` - * Optionally, for a release build on Windows, specify `--config Release` -diff --git a/CMakeLists.txt b/CMakeLists.txt -index cd9aa15..9e0c599 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -56,6 +56,18 @@ if(SYMCRYPT_FIPS_BUILD) - add_compile_definitions(SYMCRYPT_DO_FIPS_SELFTESTS=1) - endif() - -+option( -+ SYMCRYPT_STRIP_BINARY -+ "When enabled, SymCrypt will strip the binary in release mode." -+ ON -+) -+ -+option( -+ SYMCRYPT_FIPS_POSTPROCESS -+ "When enabled, SymCrypt will do postprocessing the binary for FIPS integrity verification." -+ ON -+) -+ - option( - SYMCRYPT_TEST_LEGACY_IMPL - "When enabled, the SymCrypt unit tests will be linked against and configured to run compatibility and performance tests on the legacy -@@ -104,6 +116,8 @@ message(STATUS "Host: ${CMAKE_HOST_SYSTEM_NAME} ${CMAKE_HOST_SYSTEM_PROCESSOR}") - message(STATUS "Target: ${CMAKE_SYSTEM_NAME} ${SYMCRYPT_TARGET_ARCH} ${SYMCRYPT_TARGET_ENV}") - message(STATUS "ASM optimizations: ${SYMCRYPT_USE_ASM}") - message(STATUS "FIPS build: ${SYMCRYPT_FIPS_BUILD}") -+message(STATUS "Strip binary: ${SYMCRYPT_STRIP_BINARY}") -+message(STATUS "FIPS postprocess: ${SYMCRYPT_FIPS_POSTPROCESS}") - - # Validate compiler versions - if("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU") -diff --git a/modules/linux/common/ModuleCommon.cmake b/modules/linux/common/ModuleCommon.cmake -index e6db214..fbe1421 100644 ---- a/modules/linux/common/ModuleCommon.cmake -+++ b/modules/linux/common/ModuleCommon.cmake -@@ -61,7 +61,7 @@ set_target_properties(${TARGET_NAME} PROPERTIES VERSION ${PROJECT_VERSION}) - set_target_properties(${TARGET_NAME} PROPERTIES SOVERSION ${PROJECT_VERSION_MAJOR}) - - --if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo") -+if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo" AND SYMCRYPT_STRIP_BINARY) - add_custom_command( - TARGET ${TARGET_NAME} - POST_BUILD -@@ -73,7 +73,7 @@ 
if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo") - ) - endif() - --if(SYMCRYPT_FIPS_BUILD) -+if(SYMCRYPT_FIPS_BUILD AND SYMCRYPT_FIPS_POSTPROCESS) - add_custom_command( - TARGET ${TARGET_NAME} - POST_BUILD -diff --git a/scripts/build.py b/scripts/build.py -index af9b0bc..3a70b84 100755 ---- a/scripts/build.py -+++ b/scripts/build.py -@@ -101,6 +101,12 @@ def configure_cmake(args : argparse.Namespace) -> None: - if not args.fips: - cmake_args.append("-DSYMCRYPT_FIPS_BUILD=OFF") - -+ if not args.strip_binary: -+ cmake_args.append("-DSYMCRYPT_STRIP_BINARY=OFF") -+ -+ if not args.fips_postprocess: -+ cmake_args.append("-DSYMCRYPT_FIPS_POSTPROCESS=OFF") -+ - if args.test_legacy_impl: - cmake_args.append("-DSYMCRYPT_TEST_LEGACY_IMPL=ON") - -@@ -218,6 +224,8 @@ def main() -> None: - parser_cmake.add_argument("--cxx", type = str, help = "Specify the C++ compiler to use. If not provided, uses platform default.") - parser_cmake.add_argument("--no-asm", action = "store_false", dest = "asm", help = "Disable handwritten ASM optimizations.", default = True) - parser_cmake.add_argument("--no-fips", action = "store_false", dest = "fips", help = "Disable FIPS selftests and postprocessing of binary. Currently only affects Linux targets.", default = True) -+ parser_cmake.add_argument("--no-strip-binary", action = "store_false", dest = "strip_binary", help = "Disable stripping of binary.", default = True) -+ parser_cmake.add_argument("--no-fips-postprocess", action = "store_false", dest = "fips_postprocess", help = "Disable FIPS postprocessing of binary.", default = True) - parser_cmake.add_argument("--test-legacy-impl", action = "store_true", - help = "Build unit tests with support for legacy Windows cryptographic implementations. Requires access to private static libraries.", - default = False) --- -2.39.4 - 
diff --git a/SPECS/SymCrypt/0001-add-parameter-to-process_fips_module-to-specify-the-.patch b/SPECS/SymCrypt/0001-add-parameter-to-process_fips_module-to-specify-the-.patch
deleted file mode 100644
index 932afbe1edd..00000000000
--- a/SPECS/SymCrypt/0001-add-parameter-to-process_fips_module-to-specify-the-.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -From a3741fb82606395f3ef7f079f7bd6ed4891107ce Mon Sep 17 00:00:00 2001 -From: Tobias Brick -Date: Sat, 12 Oct 2024 00:32:43 +0000 -Subject: [PATCH] add parameter to process_fips_module to specify the - processing directory - ---- - scripts/process_fips_module.py | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/scripts/process_fips_module.py b/scripts/process_fips_module.py -index 53dcaad..87f521a 100755 ---- a/scripts/process_fips_module.py -+++ b/scripts/process_fips_module.py -@@ -16,6 +16,7 @@ import io - import logging - import os - import secrets -+import shutil - import stat - import struct - -@@ -382,6 +383,8 @@ def main(): - - parser = argparse.ArgumentParser(description = "Postprocess SymCrypt shared object module") - parser.add_argument("input", type=str, help = "Path to SymCrypt module") -+ parser.add_argument("-p", "--processing-dir", type=str, default=None, -+ help = "Directory to store temporary debug files during processing. 
If unspecified, will use the processing directory in the same folder as input.") - parser.add_argument("-d", "--debug", action = "store_true", - help = "Enable debug output (also dumps hashable module contents to file)") - -@@ -392,8 +395,8 @@ def main(): - else: - logging.basicConfig(level = logging.INFO) - -- debug_files_basename = os.path.join( -- os.path.dirname(args.input), "processing", os.path.basename(args.input)) -+ processing_dir = args.processing_dir or os.path.join(os.path.dirname(args.input), "processing") -+ debug_files_basename = os.path.join(processing_dir, os.path.basename(args.input)) - with open(args.input, "rb") as input_file: - buffer = input_file.read() - buffer_stream = io.BytesIO(buffer) -@@ -463,7 +466,11 @@ def main(): - reset_jump_slots(elf_file, original_jump_slot_values) - - # Copy the original input file to a backup file before writing our changes back to the original -- os.replace(args.input, debug_files_basename + ".bak") -+ # os.replace doesn't work across mount points so we manually delete and move the file. -+ backup_file = debug_files_basename + ".bak" -+ if os.path.exists(backup_file): -+ os.remove(backup_file) -+ shutil.move(args.input, backup_file) - - with open(args.input, "wb") as output_file: - output_file.write(buffer_stream.getbuffer()) --- -2.39.4 - diff --git a/SPECS/SymCrypt/SymCrypt.signatures.json b/SPECS/SymCrypt/SymCrypt.signatures.json index ac72e9252ed..41675a980f2 100644 --- a/SPECS/SymCrypt/SymCrypt.signatures.json +++ b/SPECS/SymCrypt/SymCrypt.signatures.json 
@@ -1,8 +1,8 @@ { "Signatures": { - "SymCrypt-103.5.1.tar.gz": "1c4d41972f7683cb2c053ddc58452d6f4b56c1b556b7499f9fedbd7706ccd0fe", + "SymCrypt-103.6.0.tar.gz": "ce03f03cfea76c38336c67f175ca316f0377b98e2617a3561e0a2dc91114e9ee", "find-debuginfo": "356800f19b755879993103c121c83fb4cc97d0e8656ea34d051daa310f54cedf", "jitterentropy-library-3.3.1.tar.gz": "4a50cb02b4836cd5550016e2fc2263e6982abaa11467a9e1cea260c1c2f7d487", - "symcrypt-build-environment-variables-v103.5.1.sh": "6f6e162011e8203de66be6af59c0b4511992b731370a152044b028e8075578a7" + "symcrypt-build-environment-variables-v103.6.0.sh": "860e849274bd742c752df74baa3fe9502101f53d43b3a72463a2ffb122221296" } } \ No newline at end of file diff --git a/SPECS/SymCrypt/SymCrypt.spec b/SPECS/SymCrypt/SymCrypt.spec index 07543a0bc28..e1ae52f64cf 100644 --- a/SPECS/SymCrypt/SymCrypt.spec +++ b/SPECS/SymCrypt/SymCrypt.spec @@ -1,6 +1,6 @@ Summary: A core cryptographic library written by Microsoft Name: SymCrypt -Version: 103.5.1 +Version: 103.6.0 Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation @@ -13,8 +13,6 @@ Source2: find-debuginfo # Use ./generate-env-file.sh --release-tag to generate this. For example: # ./generate-env-file.sh --release-tag v103.5.1 Source3: symcrypt-build-environment-variables-v%{version}.sh -Patch1: 0001-add-build-flags-to-prevent-stripping-and-post-proces.patch -Patch2: 0001-add-parameter-to-process_fips_module-to-specify-the-.patch BuildRequires: cmake %ifarch aarch64 BuildRequires: clang >= 12.0.1-4 @@ -105,6 +103,9 @@ chmod 755 %{buildroot}%{_libdir}/libsymcrypt.so.%{version} %{_includedir}/* %changelog +* Mon Nov 25 2024 Tobias Brick - 103.6.0-1 +- Upgrde to 103.6.0 + * Mon Oct 21 2024 Tobias Brick - 103.5.1-1 - Update 103.5.1 diff --git a/SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch b/SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch deleted file mode 100644 index 560123550cf..00000000000 
--- a/SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From 1425f9e27cb1bae39e0b22e25fce50daa47618ca Mon Sep 17 00:00:00 2001 -From: Tobias Brick -Date: Tue, 15 Oct 2024 22:59:08 +0000 -Subject: [PATCH] Merged PR 11618838: add parameter to version script to print - the commit info environment variables - -Add parameter to version script to print the commit info environment variables. This makes it easier to get those right for builds based on the source tarball rather than from a git clone. - ----- -#### AI description (iteration 1) -#### PR Classification -New feature - -#### PR Summary -Added a new parameter to the version script to print commit information as environment variables. -- `scripts/version.py`: Introduced `--commit-info` argument to print commit hash and timestamp as environment variables. Added `print_commit_info` function to handle this new feature. ---- - scripts/version.py | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/scripts/version.py b/scripts/version.py -index 49edf9b..4ac1862 100644 ---- a/scripts/version.py -+++ b/scripts/version.py -@@ -180,27 +180,43 @@ def print_devops_vars(version_info: SymCryptVersion) -> None: - set_task_variable("VER_MINOR", version_info.minor) - set_task_variable("VER_PATCH", version_info.patch) - -+def print_commit_info(version_info: SymCryptVersion) -> None: -+ """ -+ Prints the commit information as environment variables that would override the commit hash and timestamp. 
-+ """ -+ -+ print("export {}={}".format(ENV_SYMCRYPT_BRANCH, version_info.branch)) -+ print("export {}={}".format(ENV_SYMCRYPT_COMMIT_HASH, version_info.commit_hash)) -+ print("export {}={}".format(ENV_SYMCRYPT_COMMIT_TIMESTAMP, version_info.commit_timestamp.isoformat(timespec = "seconds"))) -+ - def main() -> None: - """ - Entrypoint - """ - - parser = argparse.ArgumentParser(description = "Versioning helper script for SymCrypt.") -+ parser.add_argument("--no-print-version-number", dest = "print_version_number", help = "Do not print the version number", action = "store_false", default = True) - group = parser.add_mutually_exclusive_group() - group.add_argument("-b", "--build-info", help = "Generate buildInfo.h", action = "store_true") - group.add_argument("--devops", help = "Format output to set Azure DevOps variables", action = "store_true") -+ group.add_argument("--commit-info", -+ help = "Format commit info as environment variables that would override the commit hash and timestamp, which can then be used when building from the source tarball rather than a git clone.", -+ action = "store_true") - - args = parser.parse_args() - - # Parse the version information from the SymCrypt headers - version_info = get_version_info() - -- print("{}.{}.{}".format(version_info.major, version_info.minor, version_info.patch)) -+ if args.print_version_number: -+ print("{}.{}.{}".format(version_info.major, version_info.minor, version_info.patch)) - - if args.build_info: - generate_build_info(version_info) - elif args.devops: - print_devops_vars(version_info) -+ elif args.commit_info: -+ print_commit_info(version_info) - - if __name__ == "__main__": -- main() -\ No newline at end of file -+ main() --- -2.39.4 - diff --git a/SPECS/SymCrypt/generate-env-file.sh b/SPECS/SymCrypt/generate-env-file.sh index fd3864727cb..cc5b327ec7a 100755 --- a/SPECS/SymCrypt/generate-env-file.sh +++ b/SPECS/SymCrypt/generate-env-file.sh 
@@ -73,9 +73,6 @@ fi echo "Tag commit is '${TAG_COMMIT}'" git reset --hard "${TAG_COMMIT}" -# Patching the version script; will be unneeded as of v103.5.2 -git apply "${CURRENT_DIR}/add-parameter-to-version-script-to-print-the-commit-info.patch" - # Call the version script to get the properly formmatted git info ENV_SCRIPT_FILE_NAME="symcrypt-build-environment-variables-${RELEASE_TAG}.sh" echo "#!/bin/bash" > "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}" diff --git a/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh b/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh deleted file mode 100644 index d454862c5c5..00000000000 --- a/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -# Generated by 'generate-env-file.sh' -export SYMCRYPT_BRANCH=main -export SYMCRYPT_COMMIT_HASH=907622c -export SYMCRYPT_COMMIT_TIMESTAMP=2024-09-18T20:38:10+00:00 diff --git a/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.6.0.sh b/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.6.0.sh new file mode 100644 index 00000000000..b67fbcb2728 --- /dev/null +++ b/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.6.0.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# Generated by 'generate-env-file.sh' +export SYMCRYPT_BRANCH=main +export SYMCRYPT_COMMIT_HASH=1d7e34b +export SYMCRYPT_COMMIT_TIMESTAMP=2024-11-23T02:26:24+00:00 diff --git a/SPECS/busybox/CVE-2023-42366.patch b/SPECS/busybox/CVE-2023-42366.patch new file mode 100644 index 00000000000..a129c90b2e2 --- /dev/null +++ b/SPECS/busybox/CVE-2023-42366.patch 
@@ -0,0 +1,32 @@ +From 5cf8b332429a1dd9afef3337bae92aeddaeff993 Mon Sep 17 00:00:00 2001 +From: Valery Ushakov +Date: Wed, 24 Jan 2024 22:24:41 +0300 +Subject: [PATCH] awk.c: fix CVE-2023-42366 (bug #15874) + +Make sure we don't read past the end of the string in next_token() +when backslash is the last character in an (invalid) regexp. +--- + editors/awk.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 728ee8685..be48df7c7 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -1165,9 +1165,11 @@ static uint32_t next_token(uint32_t expected) + s[-1] = bb_process_escape_sequence((const char **)&pp); + if (*p == '\\') + *s++ = '\\'; +- if (pp == p) ++ if (pp == p) { ++ if (*p == '\0') ++ syntax_error(EMSG_UNEXP_EOS); + *s++ = *p++; +- else ++ } else + p = pp; + } + } +-- +2.34.1 + diff --git a/SPECS/busybox/busybox.spec b/SPECS/busybox/busybox.spec index f82819150ce..6a2673d37a3 100644 --- a/SPECS/busybox/busybox.spec +++ b/SPECS/busybox/busybox.spec @@ -1,7 +1,7 @@ Summary: Statically linked binary providing simplified versions of system commands Name: busybox Version: 1.36.1 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,9 +12,10 @@ Source2: busybox-petitboot.config Patch0: busybox-1.31.1-stime-fix.patch Patch1: CVE-2022-28391.patch Patch2: CVE-2021-42380.patch -# Also Fixes CVE-2023-42364 Patch3: CVE-2023-42363.patch +# Also Fixes CVE-2023-42364 Patch4: CVE-2023-42365.patch +Patch5: CVE-2023-42366.patch BuildRequires: gcc BuildRequires: glibc-static >= 2.38-8%{?dist} BuildRequires: libselinux-devel >= 1.27.7-2 @@ -103,6 +104,9 @@ SKIP_KNOWN_BUGS=1 ./runtest %{_mandir}/man1/busybox.petitboot.1.gz %changelog +* Tue Nov 12 2024 Ankita Pareek - 1.36.1-9 +- Address CVE-2023-42366 + * Mon Aug 26 2024 Rachel Menge - 1.36.1-8 - Update to build dep latest glibc-static version 
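Review bot: The `# Also Fixes CVE-2023-42364` comment in the `@@ -12,9 +12,10 @@` hunk of busybox.spec moves from above `Patch3: CVE-2023-42363.patch` to above `Patch4: CVE-2023-42365.patch`, while the changelog entry mentions only CVE-2023-42366. If the move is intentional (presumably CVE-2023-42365.patch is the file that carries the 42364 fix), the changelog should say so, because anyone auditing CVE coverage reads this comment to decide which patch closes which CVE. A comment that names its patch does not depend on where it sits in the list: `# CVE-2023-42365.patch also fixes CVE-2023-42364`.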
diff --git a/SPECS/libsoup/CVE-2024-52530.patch b/SPECS/libsoup/CVE-2024-52530.patch
new file mode 100644
index 00000000000..2d174f2db8f
--- /dev/null
+++ b/SPECS/libsoup/CVE-2024-52530.patch
@@ -0,0 +1,145 @@ +From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 8 Jul 2024 12:33:15 -0500 +Subject: [PATCH] headers: Strictly don't allow NUL bytes + +In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem. +--- + libsoup/soup-headers.c | 15 +++------ + tests/header-parsing-test.c | 62 +++++++++++++++++-------------------- + 2 files changed, 32 insertions(+), 45 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index a0cf351ac..f30ee467a 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + * ignorable trailing whitespace. + */ + ++ /* No '\0's are allowed */ ++ if (memchr (str, '\0', len)) ++ return FALSE; ++ + /* Skip over the Request-Line / Status-Line */ + headers_start = memchr (str, '\n', len); + if (!headers_start) + return FALSE; +- /* No '\0's in the Request-Line / Status-Line */ +- if (memchr (str, '\0', headers_start - str)) +- return FALSE; + + /* We work on a copy of the headers, which we can write '\0's + * into, so that we don't have to individually g_strndup and +@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + headers_copy[copy_len] = '\0'; + value_end = headers_copy; + +- /* There shouldn't be any '\0's in the headers already, but +- * this is the web we're talking about. 
+- */ +- while ((p = memchr (headers_copy, '\0', copy_len))) { +- memmove (p, p + 1, copy_len - (p - headers_copy)); +- copy_len--; +- } +- + while (*(value_end + 1)) { + name = value_end + 1; + name_end = strchr (name, ':'); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index edf8eebb3..715c2c6f2 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -358,24 +358,6 @@ static struct RequestTest { + } + }, + +- { "NUL in header name", "760832", +- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "example.com" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "examplecom" }, +- { NULL } +- } +- }, +- + /************************/ + /*** INVALID REQUESTS ***/ + /************************/ +@@ -448,6 +430,21 @@ static struct RequestTest { + SOUP_STATUS_EXPECTATION_FAILED, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", NULL, ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +@@ -620,22 +617,6 @@ static struct ResponseTest { + { NULL } } + }, + +- { "NUL in header name", "760832", +- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- { NULL } +- } +- }, +- + /********************************/ + /*** VALID CONTINUE RESPONSES ***/ 
+ /********************************/ +@@ -768,6 +749,19 @@ static struct ResponseTest { + { { NULL } + } + }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", "760832", ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, + }; + static const int num_resptests = G_N_ELEMENTS (resptests); + +-- +GitLab + diff --git a/SPECS/libsoup/CVE-2024-52531.patch b/SPECS/libsoup/CVE-2024-52531.patch new file mode 100644 index 00000000000..2be11a41df6 --- /dev/null +++ b/SPECS/libsoup/CVE-2024-52531.patch 
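Review bot: The `NUL in header value` entry added to `reqtests` (hunk `@@ -448,6 +430,21 @@` of tests/header-parsing-test.c inside CVE-2024-52530.patch) feeds a response, `"HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n"`, to the request parser, so it probably yields `SOUP_STATUS_BAD_REQUEST` because of the malformed request line whether or not the new NUL check works. The request entry it replaces used a real request, and keeping that input would pin the NUL rejection itself: `"GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,`. The `NUL in header name` request entry and both response entries already use inputs of the matching kind. This is upstream's test carried verbatim, so the correction belongs upstream rather than in the packaged copy.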
@@ -0,0 +1,336 @@ +From 4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 27 Aug 2024 12:18:58 -0500 +Subject: [PATCH 1/4] fuzzing: Cover soup_header_parse_param_list + +--- + fuzzing/fuzz.h | 9 +++++++-- + fuzzing/fuzz_header_parsing.c | 19 +++++++++++++++++++ + fuzzing/fuzz_header_parsing.dict | 8 ++++++++ + fuzzing/meson.build | 2 ++ + 4 files changed, 36 insertions(+), 2 deletions(-) + create mode 100644 fuzzing/fuzz_header_parsing.c + create mode 100644 fuzzing/fuzz_header_parsing.dict + +diff --git a/fuzzing/fuzz.h b/fuzzing/fuzz.h +index 0d3802856..f3bd28eee 100644 +--- a/fuzzing/fuzz.h ++++ b/fuzzing/fuzz.h +@@ -1,13 +1,14 @@ + #include "libsoup/soup.h" + + int LLVMFuzzerTestOneInput (const unsigned char *data, size_t size); ++static int set_logger = 0; + + #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + static GLogWriterOutput + empty_logging_func (GLogLevelFlags log_level, const GLogField *fields, + gsize n_fields, gpointer user_data) + { +- return G_LOG_WRITER_HANDLED; ++ return G_LOG_WRITER_HANDLED; + } + #endif + +@@ -16,6 +17,10 @@ static void + fuzz_set_logging_func (void) + { + #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +- g_log_set_writer_func (empty_logging_func, NULL, NULL); ++ if (!set_logger) ++ { ++ set_logger = 1; ++ g_log_set_writer_func (empty_logging_func, NULL, NULL); ++ } + #endif + } +diff --git a/fuzzing/fuzz_header_parsing.c b/fuzzing/fuzz_header_parsing.c +new file mode 100644 +index 000000000..a8e5c1f9f +--- /dev/null ++++ b/fuzzing/fuzz_header_parsing.c +@@ -0,0 +1,19 @@ ++#include "fuzz.h" ++ ++int ++LLVMFuzzerTestOneInput (const unsigned char *data, size_t size) ++{ ++ GHashTable *elements; ++ ++ // We only accept NUL terminated strings ++ if (!size || data[size - 1] != '\0') ++ return 0; ++ ++ fuzz_set_logging_func (); ++ ++ elements = soup_header_parse_param_list((char*)data); ++ ++ g_hash_table_unref(elements); ++ ++ return 0; ++} +\ No newline at end of file +diff 
--git a/fuzzing/fuzz_header_parsing.dict b/fuzzing/fuzz_header_parsing.dict +new file mode 100644 +index 000000000..1562ca3a6 +--- /dev/null ++++ b/fuzzing/fuzz_header_parsing.dict +@@ -0,0 +1,8 @@ ++"*=UTF-8''" ++"*=iso-8859-1''" ++"'" ++"''" ++"=" ++"*=" ++""" ++";" +\ No newline at end of file +diff --git a/fuzzing/meson.build b/fuzzing/meson.build +index b14cbb509..5dd0f4173 100644 +--- a/fuzzing/meson.build ++++ b/fuzzing/meson.build +@@ -5,6 +5,7 @@ fuzz_targets = [ + 'fuzz_cookie_parse', + 'fuzz_content_sniffer', + 'fuzz_date_time', ++ 'fuzz_header_parsing', + ] + + fuzzing_args = '-fsanitize=fuzzer,address,undefined' +@@ -34,6 +35,7 @@ if have_fuzzing and (fuzzing_feature.enabled() or fuzzing_feature.auto()) + '-runs=200000', + '-artifact_prefix=meson-logs/' + target + '-', + '-print_final_stats=1', ++ '-max_len=4096', + ] + extra_args, + env: [ + 'ASAN_OPTIONS=fast_unwind_on_malloc=0', +-- +GitLab + + +From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 27 Aug 2024 13:52:08 -0500 +Subject: [PATCH 2/4] tests: Add test for passing invalid UTF-8 to + soup_header_parse_semi_param_list() + +--- + tests/header-parsing-test.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 715c2c6f2..5e423d2b2 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -825,6 +825,17 @@ static struct ParamListTest { + { "filename", "t\xC3\xA9st.txt" }, + }, + }, ++ ++ /* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. 
*/ ++ { TRUE, ++ "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo", ++ { ++ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" }, ++ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" }, ++ { "foo", NULL }, ++ ++ }, ++ } + }; + static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests); + +-- +GitLab + + +From 3c54033634ae537b52582900a7ba432c52ae8174 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 16 Sep 2024 13:56:09 -0500 +Subject: [PATCH 3/4] Define GLIB_VERSION_MAX_ALLOWED and + GLIB_VERSION_MIN_REQUIRED + +--- + meson.build | 3 +++ + tests/hsts-db-test.c | 3 ++- + tests/proxy-test.c | 3 ++- + 3 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/meson.build b/meson.build +index f7c633891..08b0d764d 100644 +--- a/meson.build ++++ b/meson.build +@@ -112,6 +112,9 @@ glib_deps = [glib_dep, gmodule_dep, gobject_dep, gio_dep] + + cdata = configuration_data() + ++cdata.set('GLIB_VERSION_MAX_ALLOWED', 'GLIB_VERSION_2_70') ++cdata.set('GLIB_VERSION_MIN_REQUIRED', 'GLIB_VERSION_2_70') ++ + libnghttp2_dep = dependency('libnghttp2') + if (libnghttp2_dep.version() == 'unknown' and (libnghttp2_dep.type_name() == 'internal' or cc.has_function('nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation', prefix : '#include ', dependencies : libnghttp2_dep))) or libnghttp2_dep.version().version_compare('>=1.50') + cdata.set('HAVE_NGHTTP2_OPTION_SET_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION', '1') +diff --git a/tests/hsts-db-test.c b/tests/hsts-db-test.c +index 1149a044f..04d7c4f12 100644 +--- a/tests/hsts-db-test.c ++++ b/tests/hsts-db-test.c +@@ -1,8 +1,9 @@ ++#include "test-utils.h" ++ + #include + #include + + #include +-#include "test-utils.h" + #include "soup-uri-utils-private.h" + + #define DB_FILE "hsts-db.sqlite" +diff --git 
a/tests/proxy-test.c b/tests/proxy-test.c +index ec0393671..d730c8a7b 100644 +--- a/tests/proxy-test.c ++++ b/tests/proxy-test.c +@@ -1,8 +1,9 @@ + /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */ + +-#include + #include "test-utils.h" + ++#include ++ + typedef struct { + const char *explanation; + const char *url; +-- +GitLab + + +From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 27 Aug 2024 13:53:26 -0500 +Subject: [PATCH 4/4] headers: Be more robust against invalid input when + parsing params + +If you pass invalid input to a function such as soup_header_parse_param_list_strict() +it can cause an overflow if it decodes the input to UTF-8. + +This should never happen with valid UTF-8 input which libsoup's client API +ensures, however it's server API does not currently. +--- + libsoup/soup-headers.c | 46 ++++++++++++++++++++++-------------------- + 1 file changed, 24 insertions(+), 22 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index f30ee467a..613e1905e 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -646,8 +646,9 @@ soup_header_contains (const char *header, const char *token) + } + + static void +-decode_quoted_string (char *quoted_string) ++decode_quoted_string_inplace (GString *quoted_gstring) + { ++ char *quoted_string = quoted_gstring->str; + char *src, *dst; + + src = quoted_string + 1; +@@ -661,10 +662,11 @@ decode_quoted_string (char *quoted_string) + } + + static gboolean +-decode_rfc5987 (char *encoded_string) ++decode_rfc5987_inplace (GString *encoded_gstring) + { + char *q, *decoded; + gboolean iso_8859_1 = FALSE; ++ const char *encoded_string = encoded_gstring->str; + + q = strchr (encoded_string, '\''); + if (!q) +@@ -696,14 +698,7 @@ decode_rfc5987 (char *encoded_string) + decoded = utf8; + } + +- /* If encoded_string was UTF-8, then each 3-character %-escape +- * will be converted to a single byte, and so 
decoded is +- * shorter than encoded_string. If encoded_string was +- * iso-8859-1, then each 3-character %-escape will be +- * converted into at most 2 bytes in UTF-8, and so it's still +- * shorter. +- */ +- strcpy (encoded_string, decoded); ++ g_string_assign (encoded_gstring, decoded); + g_free (decoded); + return TRUE; + } +@@ -713,15 +708,17 @@ parse_param_list (const char *header, char delim, gboolean strict) + { + GHashTable *params; + GSList *list, *iter; +- char *item, *eq, *name_end, *value; +- gboolean override, duplicated; + + params = g_hash_table_new_full (soup_str_case_hash, + soup_str_case_equal, +- g_free, NULL); ++ g_free, g_free); + + list = parse_list (header, delim); + for (iter = list; iter; iter = iter->next) { ++ char *item, *eq, *name_end; ++ gboolean override, duplicated; ++ GString *parsed_value = NULL; ++ + item = iter->data; + override = FALSE; + +@@ -736,19 +733,19 @@ parse_param_list (const char *header, char delim, gboolean strict) + + *name_end = '\0'; + +- value = (char *)skip_lws (eq + 1); ++ parsed_value = g_string_new ((char *)skip_lws (eq + 1)); + + if (name_end[-1] == '*' && name_end > item + 1) { + name_end[-1] = '\0'; +- if (!decode_rfc5987 (value)) { ++ if (!decode_rfc5987_inplace (parsed_value)) { ++ g_string_free (parsed_value, TRUE); + g_free (item); + continue; + } + override = TRUE; +- } else if (*value == '"') +- decode_quoted_string (value); +- } else +- value = NULL; ++ } else if (parsed_value->str[0] == '"') ++ decode_quoted_string_inplace (parsed_value); ++ } + + duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL); + +@@ -756,11 +753,16 @@ parse_param_list (const char *header, char delim, gboolean strict) + soup_header_free_param_list (params); + params = NULL; + g_slist_foreach (iter, (GFunc)g_free, NULL); ++ if (parsed_value) ++ g_string_free (parsed_value, TRUE); + break; +- } else if (override || !duplicated) +- g_hash_table_replace (params, item, value); +- else ++ } else if (override || 
!duplicated) { ++ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL); ++ } else { ++ if (parsed_value) ++ g_string_free (parsed_value, TRUE); + g_free (item); ++ } + } + + g_slist_free (list); +-- +GitLab + diff --git a/SPECS/libsoup/CVE-2024-52532.patch b/SPECS/libsoup/CVE-2024-52532.patch new file mode 100644 index 00000000000..7ee26f8e462 --- /dev/null +++ b/SPECS/libsoup/CVE-2024-52532.patch 
@@ -0,0 +1,114 @@ +From 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro +Date: Wed, 11 Sep 2024 11:52:11 +0200 +Subject: [PATCH 1/2] websocket: process the frame as soon as we read data + +Otherwise we can enter in a read loop because we were not +validating the data until the all the data was read. + +Fixes #391 +--- + libsoup/websocket/soup-websocket-connection.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c +index a1a730473..a14481340 100644 +--- a/libsoup/websocket/soup-websocket-connection.c ++++ b/libsoup/websocket/soup-websocket-connection.c +@@ -1199,9 +1199,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self) + } + + priv->incoming->len = len + count; +- } while (count > 0); + +- process_incoming (self); ++ process_incoming (self); ++ } while (count > 0 && !priv->close_sent && !priv->io_closing); + + if (end) { + if (!priv->close_sent || !priv->close_received) { +-- +GitLab + + +From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro +Date: Wed, 2 Oct 2024 11:17:19 +0200 +Subject: [PATCH 2/2] websocket-test: disconnect error copy after the test ends + +Otherwise the server will have already sent a few more wrong +bytes and the client will continue getting errors to copy +but the error is already != NULL and it will assert +--- + tests/websocket-test.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tests/websocket-test.c b/tests/websocket-test.c +index 06c443bb5..6a48c1f9b 100644 +--- a/tests/websocket-test.c ++++ b/tests/websocket-test.c +@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test, + GError *error = NULL; + InvalidEncodeLengthTest context = { test, NULL }; + guint i; ++ guint error_id; + +- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); ++ 
error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); + g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); + + /* We use 127(\x7f) as payload length with 65535 extended length */ +@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test, + WAIT_UNTIL (error != NULL || received != NULL); + g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); + g_clear_error (&error); ++ g_signal_handler_disconnect (test->client, error_id); + g_assert_null (received); + + g_thread_join (thread); +-- +GitLab + + +From 4c9e75c6676a37b6485620c332e568e1a3f530ff Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 13 Nov 2024 14:14:23 +0000 +Subject: [PATCH] websocket-test: Disconnect error signal in another place + +This is the same change as commit 29b96fab "websocket-test: disconnect +error copy after the test ends", and is done for the same reason, but +replicating it into a different function. 
+ +Fixes: 6adc0e3e "websocket: process the frame as soon as we read data" +Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399 +Signed-off-by: Simon McVittie +--- + tests/websocket-test.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tests/websocket-test.c b/tests/websocket-test.c +index 6a48c1f9..723f2857 100644 +--- a/tests/websocket-test.c ++++ b/tests/websocket-test.c +@@ -1508,8 +1508,9 @@ test_receive_invalid_encode_length_16 (Test *test, + GError *error = NULL; + InvalidEncodeLengthTest context = { test, NULL }; + guint i; ++ guint error_id; + +- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); ++ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); + g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); + + /* We use 126(~) as payload length with 125 extended length */ +@@ -1522,6 +1523,7 @@ test_receive_invalid_encode_length_16 (Test *test, + WAIT_UNTIL (error != NULL || received != NULL); + g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); + g_clear_error (&error); ++ g_signal_handler_disconnect (test->client, error_id); + g_assert_null (received); + + g_thread_join (thread); +-- +GitLab + diff --git a/SPECS/libsoup/libsoup.spec b/SPECS/libsoup/libsoup.spec index 0e6a25ab783..c936c6d8395 100644 --- a/SPECS/libsoup/libsoup.spec +++ b/SPECS/libsoup/libsoup.spec @@ -4,7 +4,7 @@ Summary: libsoup HTTP client/server library Name: libsoup Version: 3.4.4 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -41,6 +41,10 @@ Requires: glib-networking Requires: libpsl Requires: libxml2 +Patch: CVE-2024-52530.patch +Patch: CVE-2024-52531.patch +Patch: CVE-2024-52532.patch + %description libsoup is HTTP client/server library for GNOME 
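Review bot: The rewritten loop in soup_websocket_connection_read now also stops on `!priv->close_sent && !priv->io_closing`, but nothing in the code says that the process_incoming() call just above is presumably what changes those flags between reads. A short comment above the call, e.g. `/* Validate each read at once so a bad frame ends the loop before more data is buffered. */`, would keep a later refactor from hoisting the call back out of the loop. In the two test hunks, `guint error_id;` stores the result of g_signal_connect(), which returns a `gulong`; `gulong error_id;` matches both that return type and the parameter of g_signal_handler_disconnect(). All three function bodies start and end outside the quoted hunks.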
@@ -62,7 +66,7 @@ Requires: %{name} = %{version}-%{release} These are the additional language files of libsoup. %prep -%autosetup +%autosetup -p1 %build %meson \ @@ -107,6 +111,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %defattr(-,root,root) %changelog +* Fri Nov 15 2024 Thien Trung Vuong - 3.4.4-2 +- Add patches for CVE-2024-52530, CVE-2024-52531, CVE-2024-52532 + * Wed Dec 13 2023 Andrew Phelps - 3.4.4-1 - Upgrade to version 3.4.4 - Remove doc subpackage diff --git a/SPECS/nano/CVE-2024-5742.patch b/SPECS/nano/CVE-2024-5742.patch new file mode 100644 index 00000000000..68550b5faf2 --- /dev/null +++ b/SPECS/nano/CVE-2024-5742.patch 
@@ -0,0 +1,89 @@ +From 1a0861639022a9237a22349e0f07f2b61e89d244 Mon Sep 17 00:00:00 2001 +From: kavyasree +Date: Thu, 21 Nov 2024 14:30:20 +0530 +Subject: [PATCH] Fix CVE-2024-5742 + +--- + src/definitions.h | 2 +- + src/files.c | 13 ++++++++++++- + src/nano.c | 12 +----------- + 3 files changed, 14 insertions(+), 13 deletions(-) + +diff --git a/src/definitions.h b/src/definitions.h +index 5c517a3..f308043 100644 +--- a/src/definitions.h ++++ b/src/definitions.h +@@ -275,7 +275,7 @@ typedef enum { + } message_type; + + typedef enum { +- OVERWRITE, APPEND, PREPEND ++ OVERWRITE, APPEND, PREPEND, EMERGENCY + } kind_of_writing_type; + + typedef enum { +diff --git a/src/files.c b/src/files.c +index e2bbfe1..561d36b 100644 +--- a/src/files.c ++++ b/src/files.c +@@ -1729,6 +1729,8 @@ bool write_file(const char *name, FILE *thefile, bool normal, + #endif + char *realname = real_dir_from_tilde(name); + /* The filename after tilde expansion. */ ++ int fd = 0; ++ /* The descriptor that is assigned when opening the file. */ + char *tempname = NULL; + /* The name of the temporary file we use when prepending. */ + linestruct *line = openfile->filetop; +@@ -1812,7 +1814,6 @@ bool write_file(const char *name, FILE *thefile, bool normal, + * For an emergency file, access is restricted to just the owner. */ + if (thefile == NULL) { + mode_t permissions = (normal ? RW_FOR_ALL : S_IRUSR|S_IWUSR); +- int fd; + + #ifndef NANO_TINY + block_sigwinch(TRUE); +@@ -1939,6 +1940,16 @@ bool write_file(const char *name, FILE *thefile, bool normal, + } + #endif + ++#if !defined(NANO_TINY) && defined(HAVE_CHMOD) && defined(HAVE_CHOWN) ++ /* Change permissions and owner of an emergency save file to the values ++ * of the original file, but ignore any failure as we are in a hurry. 
*/ ++ if (method == EMERGENCY && fd && openfile->statinfo) { ++ IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode)); ++ IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid, ++ openfile->statinfo->st_gid)); ++ } ++#endif ++ + if (fclose(thefile) != 0) { + statusline(ALERT, _("Error writing %s: %s"), realname, strerror(errno)); + +diff --git a/src/nano.c b/src/nano.c +index 35f466b..9c2f0b2 100644 +--- a/src/nano.c ++++ b/src/nano.c +@@ -337,18 +337,8 @@ void emergency_save(const char *filename) + + if (*targetname == '\0') + fprintf(stderr, _("\nToo many .save files\n")); +- else if (write_file(targetname, NULL, SPECIAL, OVERWRITE, NONOTES)) { ++ else if (write_file(targetname, NULL, SPECIAL, EMERGENCY, NONOTES)) + fprintf(stderr, _("\nBuffer written to %s\n"), targetname); +-#if !defined(NANO_TINY) && defined(HAVE_CHMOD) && defined(HAVE_CHOWN) +- /* Try to chmod/chown the saved file to the values of the original file, +- * but ignore any failure as we are in a hurry to get out. */ +- if (openfile->statinfo) { +- IGNORE_CALL_RESULT(chmod(targetname, openfile->statinfo->st_mode)); +- IGNORE_CALL_RESULT(chown(targetname, openfile->statinfo->st_uid, +- openfile->statinfo->st_gid)); +- } +-#endif +- } + + free(targetname); + free(plainname); +-- +2.34.1 + diff --git a/SPECS/nano/nano.spec b/SPECS/nano/nano.spec index 34d2d50bd92..9bb005be8bc 100644 --- a/SPECS/nano/nano.spec +++ b/SPECS/nano/nano.spec @@ -1,13 +1,15 @@ Summary: Text editor Name: nano Version: 6.4 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Azure Linux Group: Applications/Editors URL: https://www.nano-editor.org/ Source0: http://www.nano-editor.org/dist/v6/%{name}-%{version}.tar.xz +Patch0: CVE-2024-5742.patch + BuildRequires: ncurses-devel Requires: ncurses @@ -22,7 +24,7 @@ Requires: %{name} = %{version}-%{release} Lang for nano %prep -%setup -q +%autosetup -p1 %build %configure --enable-utf8 \ 
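Review bot: In write_file() the new guard `method == EMERGENCY && fd && openfile->statinfo` treats 0 as "no descriptor" because `fd` is now initialised with `int fd = 0;`, yet 0 is a valid descriptor value. If the open call (outside the hunk) ever returned 0, for example with standard input closed, the fchmod()/fchown() step would be skipped without any trace; `int fd = -1;` together with `fd >= 0` in the guard states the intent without that corner case. The rest of write_file() is not visible here, so other uses of `fd` should be checked before changing the initial value. The patch header also carries no upstream commit reference (the same holds for SPECS/python-pip/CVE-2024-37891.patch); a `Reference:` line like the one in the unzip patch would let a reviewer compare the vendored change with upstream.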
@@ -52,6 +54,9 @@ make %{?_smp_mflags} check %{_docdir}/%{name}-%{version}/* %changelog +* Thu Nov 21 2024 Kavya Sree Kaitepalli - 6.4-2 +- Patch for CVE-2024-5742 + * Fri Oct 27 2023 CBL-Mariner Servicing Account - 6.4-1 - Auto-upgrade to 6.4 - Azure Linux 3.0 - package upgrades diff --git a/SPECS/perl-Module-ScanDeps/CVE-2024-10224.patch b/SPECS/perl-Module-ScanDeps/CVE-2024-10224.patch new file mode 100644 index 00000000000..87ed0988758 --- /dev/null +++ b/SPECS/perl-Module-ScanDeps/CVE-2024-10224.patch 
@@ -0,0 +1,245 @@ +From 9a46eab1c78656386ba9d18bc4b341f4b2561635 Mon Sep 17 00:00:00 2001 +From: rschupp +Date: Mon, 21 Oct 2024 14:03:19 +0200 +Subject: [PATCH] use three-argument open() + +--- + lib/Module/ScanDeps.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/Module/ScanDeps.pm b/lib/Module/ScanDeps.pm +index cabab58..7bc9662 100644 +--- a/lib/Module/ScanDeps.pm ++++ b/lib/Module/ScanDeps.pm +@@ -868,7 +868,7 @@ sub scan_deps_runtime { + sub scan_file{ + my $file = shift; + my %found; +- open my $fh, $file or die "Cannot open $file: $!"; ++ open my $fh, "<", $file or die "Cannot open $file: $!"; + + $SeenTk = 0; + # Line-by-line scanning + + +From bc57e5072fc7ace1d206246999dd852652939335 Mon Sep 17 00:00:00 2001 +From: rschupp +Date: Mon, 21 Oct 2024 14:08:01 +0200 +Subject: [PATCH] replace 'eval "..."' constructs + +--- + lib/Module/ScanDeps.pm | 122 ++++++++++++++++++++++++++--------------- + 1 file changed, 78 insertions(+), 44 deletions(-) + +diff --git a/lib/Module/ScanDeps.pm b/lib/Module/ScanDeps.pm +index 7bc9662..dd79c65 100644 +--- a/lib/Module/ScanDeps.pm ++++ b/lib/Module/ScanDeps.pm +@@ -226,8 +226,8 @@ my $SeenTk; + my %SeenRuntimeLoader; + + # match "use LOADER LIST" chunks; sets $1 to LOADER and $2 to LIST +-my $LoaderRE = +- qr/^ use \s+ ++my $LoaderRE = ++ qr/^ use \s+ + ( asa + | base + | parent +@@ -714,19 +714,14 @@ sub scan_deps { + require FindBin; + + local $FindBin::Bin; +- local $FindBin::RealBin; +- local $FindBin::Script; +- local $FindBin::RealScript; ++ #local $FindBin::RealBin; ++ #local $FindBin::Script; ++ #local $FindBin::RealScript; + + my $_0 = $args{files}[0]; + local *0 = \$_0; + FindBin->again(); + +- our $Bin = $FindBin::Bin; +- our $RealBin = $FindBin::RealBin; +- our $Script = $FindBin::Script; +- our $RealScript = $FindBin::RealScript; +- + scan_deps_static(\%args); + } + +@@ -936,40 +931,26 @@ sub scan_line { + # be specified for the "autouse" and "if" pragmas, e.g. 
+ # use autouse Module => qw(func1 func2); + # use autouse "Module", qw(func1); +- # To avoid to parse them ourself, we simply try to eval the +- # string after the pragma (in a list context). The MODULE +- # should be the first ("autouse") or second ("if") element +- # of the list. + my $module; +- { +- no strict; no warnings; +- if ($pragma eq "autouse") { +- ($module) = eval $args; +- } +- else { +- # The syntax of the "if" pragma is +- # use if COND, MODULE => ARGUMENTS +- # The COND may contain undefined functions (i.e. undefined +- # in Module::ScanDeps' context) which would throw an +- # exception. Sneak "1 || " in front of COND so that +- # COND will not be evaluated. This will work in most +- # cases, but there are operators with lower precedence +- # than "||" which will cause this trick to fail. +- (undef, $module) = eval "1 || $args"; +- } +- # punt if there was a syntax error +- return if $@ or !defined $module; +- }; ++ if ($pragma eq "autouse") { ++ ($module) = _parse_module_list($args); ++ } ++ else { ++ # The syntax of the "if" pragma is ++ # use if COND, MODULE => ARGUMENTS ++ (undef, $module) = _parse_module_list($args); ++ } + $found{_mod2pm($pragma)}++; +- $found{_mod2pm($module)}++; ++ $found{_mod2pm($module)}++ if $module; + next CHUNK; + } + +- if (my ($how, $libs) = /^(use \s+ lib \s+ | (?:unshift|push) \s+ \@INC \s+ ,) (.+)/x) ++ if (my ($how, $libs) = /^(use \s+ lib \s+ | (?:unshift|push) \s+ \@INC \s*,\s*) (.+)/x) + { + my $archname = defined($Config{archname}) ? $Config{archname} : ''; + my $ver = defined($Config{version}) ? 
$Config{version} : ''; +- foreach my $dir (do { no strict; no warnings; eval $libs }) { ++ while ((my $dir, $libs) = _parse_libs($libs)) ++ { + next unless defined $dir; + my @dirs = $dir; + push @dirs, "$dir/$ver", "$dir/$archname", "$dir/$ver/$archname" +@@ -995,8 +976,8 @@ sub _mod2pm { + return "$mod.pm"; + } + +-# parse a comma-separated list of string literals and qw() lists +-sub _parse_list { ++# parse a comma-separated list of module names (as string literals or qw() lists) ++sub _parse_module_list { + my $list = shift; + + # split $list on anything that's not a word character or ":" +@@ -1004,6 +985,59 @@ sub _parse_list { + return grep { length and !/^:|^q[qw]?$/ } split(/[^\w:]+/, $list); + } + ++# incrementally parse a comma separated list library paths: ++# returning a pair: the contents of the first strings literal and the remainder of the string ++# - for "string", 'string', q/string/, qq/string/ also unescape \\ and \) ++# - for qw(foo bar quux) return ("foo", qw(bar quux)) ++# - otherwise skip over the first comma and return (undef, "remainder") ++# - return () if the string is exhausted ++# - as a special case, if the string starts with $FindBin::Bin, replace it with our $Bin ++sub _parse_libs { ++ local $_ = shift; ++ ++ s/^[\s,]*//; ++ return if $_ eq ""; ++ ++ if (s/^(['"]) ((?:\\.|.)*?) \1//x) { ++ return (_unescape($1, $2), $_); ++ } ++ if (s/^qq? \s* (\W)//x) { ++ my $opening_delim = $1; ++ (my $closing_delim = $opening_delim) =~ tr:([{<:)]}>:; ++ s/^((?:\\.|.)*?) \Q$closing_delim\E//x; ++ return (_unescape($opening_delim, $1), $_); ++ } ++ ++ if (s/^qw \s* (\W)//x) { ++ my $opening_delim = $1; ++ (my $closing_delim = $opening_delim) =~ tr:([{<:)]}>:; ++ s/^((?:\\.|.)*?) \Q$closing_delim\E//x; ++ my $contents = $1; ++ my @list = split(" ", $contents); ++ return (undef, $_) unless @list; ++ my $first = shift @list; ++ return (_unescape($opening_delim, $first), ++ @list ? 
"qw${opening_delim}@list${closing_delim}$_" : $_); ++ } ++ ++ # nothing recognizable in the first list item, skip to the next ++ if (s/^.*? ,//x) { ++ return (undef, $_); ++ } ++ return; # list exhausted ++} ++ ++ ++sub _unescape { ++ my ($delim, $str) = @_; ++ $str =~ s/\\([\\\Q$delim\E])/$1/g; ++ $str =~ s/^\$FindBin::Bin\b/$FindBin::Bin/; ++ ++ return $str; ++} ++ ++ ++ + sub scan_chunk { + my $chunk = shift; + +@@ -1025,14 +1059,14 @@ sub scan_chunk { + # "use LOADER LIST" + # TODO: There's many more of these "loader" type modules on CPAN! + if (my ($loader, $list) = $_ =~ $LoaderRE) { +- my @mods = _parse_list($list); ++ my @mods = _parse_module_list($list); + + if ($loader eq "Catalyst") { + # "use Catalyst 'Foo'" looks for "Catalyst::Plugin::Foo", + # but "use Catalyst +Foo" looks for "Foo" + @mods = map { + ($list =~ /([+-])\Q$_\E(?:$|[^\w:])/) +- ? ($1 eq "-" ++ ? ($1 eq "-" + ? () # "-Foo": it's a flag, eg. "-Debug", skip it + : $_) # "+Foo": look for "Foo" + : "Catalyst::Plugin::$_" +@@ -1044,12 +1078,12 @@ sub scan_chunk { + + if (/^use \s+ Class::Autouse \b \s* (.*)/sx + or /^Class::Autouse \s* -> \s* autouse \s* (.*)/sx) { +- return [ map { _mod2pm($_) } "Class::Autouse", _parse_list($1) ]; ++ return [ map { _mod2pm($_) } "Class::Autouse", _parse_module_list($1) ]; + } + + # generic "use ..." 
+ if (s/^(?:use|no) \s+//x) { +- my ($mod) = _parse_list($_); # just the first word ++ my ($mod) = _parse_module_list($_); # just the first word + return _mod2pm($mod); + } + +@@ -1068,7 +1102,7 @@ sub scan_chunk { + + # Moose/Moo/Mouse style inheritance or composition + if (s/^(with|extends)\s+//) { +- return [ map { _mod2pm($_) } _parse_list($_) ]; ++ return [ map { _mod2pm($_) } _parse_module_list($_) ]; + } + + # check for stuff like +@@ -1629,7 +1663,7 @@ sub _info2rv { + foreach my $key (keys %{ $info->{'%INC'} }) { + (my $path = $info->{'%INC'}{$key}) =~ s|\\|/|g; + +- # NOTE: %INC may contain (as keys) absolute pathnames, ++ # NOTE: %INC may contain (as keys) absolute pathnames, + # e.g. for autosplit .ix and .al files. In the latter case, + # the key may also start with "./" if found via a relative path in @INC. + $key =~ s|\\|/|g; diff --git a/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec b/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec index 64806d62b71..0004cef4881 100644 --- a/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec +++ b/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec @@ -2,10 +2,11 @@ Summary: Recursively scan Perl code for dependencies Name: perl-Module-ScanDeps Version: 1.35 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL+ or Artistic Group: Development/Libraries Source0: https://cpan.metacpan.org/authors/id/R/RS/RSCHUPP/Module-ScanDeps-%{version}.tar.gz +Patch0: CVE-2024-10224.patch URL: http://search.cpan.org/dist/Module-ScanDeps/ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -39,7 +40,7 @@ hash reference. Its keys are the module names as they appear in %%INC (e.g. Test/More.pm). The values are hash references. %prep -%setup -q -n Module-ScanDeps-%{version} +%autosetup -n Module-ScanDeps-%{version} -p1 %build perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 
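Review bot: In the new _parse_libs, the substitution `s/^((?:\\.|.)*?) \Q$closing_delim\E//x;` in the `qq` and `qw` branches is not checked for success, so for an unterminated literal `$1` still holds the opening delimiter from the previous match and that single character is returned as a library directory. Checking the result, e.g. `s/^((?:\\.|.)*?) \Q$closing_delim\E//x or return (undef, $_);`, keeps malformed `use lib` text in a scanned file from producing a bogus path. The header comment of _parse_libs says `$FindBin::Bin` is replaced "with our $Bin", while the same patch removes `our $Bin` and _unescape substitutes `$FindBin::Bin` directly, so the comment should be reworded to match. In scan_deps the three `#local $FindBin::...` lines are left commented out rather than deleted.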
@@ -64,6 +65,9 @@ make %{?_smp_mflags} test %{_mandir}/man3/* %changelog +* Fri Nov 15 2024 Pawel Winogrodzki - 1.35-2 +- Patched CVE-2024-10224. + * Mon Dec 18 2023 CBL-Mariner Servicing Account - 1.35-1 - Auto-upgrade to 1.35 - Azure Linux 3.0 - package upgrades diff --git a/SPECS/python-pip/CVE-2024-37891.patch b/SPECS/python-pip/CVE-2024-37891.patch new file mode 100644 index 00000000000..cc716afe137 --- /dev/null +++ b/SPECS/python-pip/CVE-2024-37891.patch @@ -0,0 +1,27 @@ +From 06d1284366921615eeadcb388ac7c89c3224f1cb Mon Sep 17 00:00:00 2001 +From: kavyasree +Date: Tue, 19 Nov 2024 17:01:29 +0530 +Subject: [PATCH] Fix CVE-2024-37891 + +--- + src/pip/_vendor/urllib3/util/retry.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py +index 60ef6c4..9a1e90d 100644 +--- a/src/pip/_vendor/urllib3/util/retry.py ++++ b/src/pip/_vendor/urllib3/util/retry.py +@@ -235,7 +235,9 @@ class Retry(object): + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +-- +2.34.1 + diff --git a/SPECS/python-pip/python-pip.spec b/SPECS/python-pip/python-pip.spec index 937f94d1e9b..3c634e5bbc9 100644 --- a/SPECS/python-pip/python-pip.spec +++ b/SPECS/python-pip/python-pip.spec 
@@ -5,13 +5,14 @@ A tool for installing and managing Python packages} Summary: A tool for installing and managing Python packages Name: python-pip Version: 24.2 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT AND Python-2.0.1 AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND LGPL-2.1-only AND MPL-2.0 AND (Apache-2.0 OR BSD-2-Clause) Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Tools URL: https://pip.pypa.io/ Source0: https://github.com/pypa/pip/archive/%{version}/%{srcname}-%{version}.tar.gz +Patch0: CVE-2024-37891.patch BuildArch: noarch @@ -51,6 +52,9 @@ BuildRequires: python3-wheel %{python3_sitelib}/pip* %changelog +* Fri Nov 22 2024 Kavya Sree Kaitepalli - 24.2-2 +- Patch for CVE-2024-37891 + * Wed Oct 23 2024 Bala - 24.2.1 - Upgrade to 24.2 for fixing CVE-2024-6345 - Update build and install steps for toml based build diff --git a/SPECS/tdnf/tdnf-add-installonlypkgs-config.patch b/SPECS/tdnf/tdnf-add-installonlypkgs-config.patch index 8bafdf9eead..ad95b0dfc2f 100644 --- a/SPECS/tdnf/tdnf-add-installonlypkgs-config.patch +++ b/SPECS/tdnf/tdnf-add-installonlypkgs-config.patch @@ -15,7 +15,7 @@ index 67c4d51..8ec4003 100644 [main] gpgcheck=1 installonly_limit=3 -+installonlypkgs=kernel kernel-mshv kernel-uvm kernel-uki ++installonlypkgs=kernel kernel-mshv kernel-uvm kernel-uki kernel-64k clean_requirements_on_remove=0 repodir=/etc/yum.repos.d cachedir=/var/cache/tdnf diff --git a/SPECS/tdnf/tdnf.spec b/SPECS/tdnf/tdnf.spec index 69132508572..58efe746533 100644 --- a/SPECS/tdnf/tdnf.spec +++ b/SPECS/tdnf/tdnf.spec @@ -4,7 +4,7 @@ Summary: dnf equivalent using C libs Name: tdnf Version: 3.5.8 -Release: 5%{?dist} +Release: 6%{?dist} License: LGPLv2.1 AND GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -241,6 +241,9 @@ fi /%{_lib}/systemd/system/tdnf* %changelog +* Tue Nov 19 2024 Sam Meluch - 3.5.8-6 +- Add kernel-64k installonlypkgs entry + * Tue Nov 12 2024 Sam Meluch - 3.5.8-5 - Add install only implementation to v3.5.8 from upstream diff --git a/SPECS/unzip/CVE-2022-0529.patch b/SPECS/unzip/CVE-2022-0529.patch new file mode 100644 index 00000000000..16cb0e33e0a --- /dev/null +++ b/SPECS/unzip/CVE-2022-0529.patch 
@@ -0,0 +1,183 @@ +From 246a2f17066dff57d4a5253de258374a7e99154a Mon Sep 17 00:00:00 2001 +From: kavyasree +Date: Mon, 25 Nov 2024 10:50:21 +0530 +Subject: [PATCH] Fix CVE-2022-0529 and CVE-2022-0530 +Reference: https://git.launchpad.net/ubuntu/+source/unzip/commit/?h=applied/ubuntu/devel&id=d5d5037f4ca1b40578015085b77ae322d1406f56 +--- + fileio.c | 34 +++++++++++++++++++++++++--------- + process.c | 55 +++++++++++++++++++++++++++++++++++++++++++------------ + 2 files changed, 68 insertions(+), 21 deletions(-) + +diff --git a/fileio.c b/fileio.c +index eb2a115..285f7fe 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -171,8 +171,10 @@ static ZCONST char Far ReadError[] = "error: zipfile read error\n"; + static ZCONST char Far FilenameTooLongTrunc[] = + "warning: filename too long--truncating.\n"; + #ifdef UNICODE_SUPPORT ++ static ZCONST char Far UFilenameCorrupt[] = ++ "error: Unicode filename corrupt.\n"; + static ZCONST char Far UFilenameTooLongTrunc[] = +- "warning: Converted unicode filename too long--truncating.\n"; ++ "warning: Converted Unicode filename too long--truncating.\n"; + #endif + static ZCONST char Far ExtraFieldTooLong[] = + "warning: extra field too long (%d). Ignoring...\n"; +@@ -2355,16 +2357,30 @@ int do_string(__G__ length, option) /* return PK-type error code */ + /* convert UTF-8 to local character set */ + fn = utf8_to_local_string(G.unipath_filename, + G.unicode_escape_all); +- /* make sure filename is short enough */ +- if (strlen(fn) >= FILNAMSIZ) { +- fn[FILNAMSIZ - 1] = '\0'; ++ ++ /* 2022-07-22 SMS, et al. CVE-2022-0530 ++ * Detect conversion failure, emit message. ++ * Continue with unconverted name. 
++ */ ++ if (fn == NULL) ++ { + Info(slide, 0x401, ((char *)slide, +- LoadFarString(UFilenameTooLongTrunc))); +- error = PK_WARN; ++ LoadFarString(UFilenameCorrupt))); ++ error = PK_ERR; ++ } ++ else ++ { ++ /* make sure filename is short enough */ ++ if (strlen(fn) >= FILNAMSIZ) { ++ fn[FILNAMSIZ - 1] = '\0'; ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(UFilenameTooLongTrunc))); ++ error = PK_WARN; ++ } ++ /* replace filename with converted UTF-8 */ ++ strcpy(G.filename, fn); ++ free(fn); + } +- /* replace filename with converted UTF-8 */ +- strcpy(G.filename, fn); +- free(fn); + } + # endif /* UNICODE_WCHAR */ + if (G.unipath_filename != G.filename_full) +diff --git a/process.c b/process.c +index 4e06a35..09d54f7 100644 +--- a/process.c ++++ b/process.c +@@ -222,6 +222,8 @@ static ZCONST char Far ZipfileCommTrunc1[] = + "\nwarning: Unicode Path version > 1\n"; + static ZCONST char Far UnicodeMismatchError[] = + "\nwarning: Unicode Path checksum invalid\n"; ++ static ZCONST char Far UFilenameTooLongTrunc[] = ++ "warning: filename too long (P1) -- truncating.\n"; + #endif + + +@@ -1902,7 +1904,7 @@ int getZip64Data(__G__ ef_buf, ef_len) + Sets both local header and central header fields. Not terribly clever, + but it means that this procedure is only called in one place. + +- 2014-12-05 SMS. ++ 2014-12-05 SMS. (oCERT.org report.) CVE-2014-8141. + Added checks to ensure that enough data are available before calling + makeint64() or makelong(). Replaced various sizeof() values with + simple ("4" or "8") constants. 
(The Zip64 structures do not depend +@@ -1937,8 +1939,7 @@ int getZip64Data(__G__ ef_buf, ef_len) + + if (eb_id == EF_PKSZ64) + { +- int offset = EB_HEADSIZE; +- ++ unsigned offset = EB_HEADSIZE; + if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) + { + if (offset+ 8 > ef_len) +@@ -2036,7 +2037,7 @@ int getUnicodeData(__G__ ef_buf, ef_len) + } + if (eb_id == EF_UNIPATH) { + +- int offset = EB_HEADSIZE; ++ unsigned offset = EB_HEADSIZE; + ush ULen = eb_len - 5; + ulg chksum = CRCVAL_INITIAL; + +@@ -2492,16 +2493,17 @@ char *wide_to_local_string(wide_string, escape_all) + int state_dependent; + int wsize = 0; + int max_bytes = MB_CUR_MAX; +- char buf[9]; ++ char buf[ MB_CUR_MAX+ 1]; /* ("+1" not really needed?) */ + char *buffer = NULL; + char *local_string = NULL; ++ size_t buffer_size; /* CVE-2022-0529 */ + + for (wsize = 0; wide_string[wsize]; wsize++) ; + + if (max_bytes < MAX_ESCAPE_BYTES) + max_bytes = MAX_ESCAPE_BYTES; +- +- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { ++ buffer_size = wsize * max_bytes + 1; /* Reused below. */ ++ if ((buffer = (char *)malloc( buffer_size)) == NULL) { + return NULL; + } + +@@ -2539,8 +2541,28 @@ char *wide_to_local_string(wide_string, escape_all) + } else { + /* no MB for this wide */ + /* use escape for wide character */ +- char *escape_string = wide_to_escape_string(wide_string[i]); +- strcat(buffer, escape_string); ++ size_t buffer_len; ++ size_t escape_string_len; ++ char *escape_string; ++ int err_msg = 0; ++ ++ escape_string = wide_to_escape_string(wide_string[i]); ++ buffer_len = strlen( buffer); ++ escape_string_len = strlen( escape_string); ++ ++ /* Append escape string, as space allows. */ ++ /* 2022-07-18 SMS, et al. 
CVE-2022-0529 */ ++ if (escape_string_len > buffer_size- buffer_len- 1) ++ { ++ escape_string_len = buffer_size- buffer_len- 1; ++ if (err_msg == 0) ++ { ++ err_msg = 1; ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString( UFilenameTooLongTrunc))); ++ } ++ } ++ strncat( buffer, escape_string, escape_string_len); + free(escape_string); + } + } +@@ -2592,9 +2614,18 @@ char *utf8_to_local_string(utf8_string, escape_all) + ZCONST char *utf8_string; + int escape_all; + { +- zwchar *wide = utf8_to_wide_string(utf8_string); +- char *loc = wide_to_local_string(wide, escape_all); +- free(wide); ++ zwchar *wide; ++ char *loc = NULL; ++ ++ wide = utf8_to_wide_string( utf8_string); ++ ++ /* 2022-07-25 SMS, et al. CVE-2022-0530 */ ++ if (wide != NULL) ++ { ++ loc = wide_to_local_string( wide, escape_all); ++ free( wide); ++ } ++ + return loc; + } + +-- +2.34.1 + diff --git a/SPECS/unzip/unzip.spec b/SPECS/unzip/unzip.spec index cf7c9945fed..63af46eb06b 100644 --- a/SPECS/unzip/unzip.spec +++ b/SPECS/unzip/unzip.spec @@ -1,7 +1,7 @@ Summary: Unzip-6.0 Name: unzip Version: 6.0 -Release: 20%{?dist} +Release: 21%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Azure Linux @@ -23,6 +23,7 @@ Patch11: unzip-zipbomb-part3.patch Patch12: unzip-zipbomb-manpage.patch Patch13: CVE-2015-7697.patch Patch14: CVE-2018-1000035.patch +Patch15: CVE-2022-0529.patch %description The UnZip package contains ZIP extraction utilities. These are useful @@ -57,6 +58,9 @@ ln -sf unzip %{buildroot}%{_bindir}/zipinfo %{_bindir}/* %changelog +* Mon Nov 25 2024 Kavya Sree Kaitepalli - 6.0-21 +- Fix CVE-2022-0529 and CVE-2022-0530 + * Thu Oct 06 2022 Olivia Crain - 6.0-20 - Compile with large file support, zip64 support - Remove i*86 configuration- Mariner doesn't build for those architectures diff --git a/cgmanifest.json b/cgmanifest.json index 408da01c723..9c5e6085948 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
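Review bot: In wide_to_local_string the flag `int err_msg = 0;` is declared inside the escape branch, so it is reset each time that branch runs and the `if (err_msg == 0)` guard never suppresses a repeat of the truncation warning. Declaring it once next to `size_t buffer_size;` at the top of the function gives the warn-once behaviour the guard suggests. Separately, `buffer_size = wsize * max_bytes + 1;` is still computed in `int` before being stored in a `size_t`; `(size_t)wsize * (size_t)max_bytes + 1` keeps the multiplication from overflowing for very long names. The function body continues outside the hunks shown, so the enclosing loop is inferred from the use of `wide_string[i]`.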
@@ -28236,8 +28236,8 @@ "type": "other", "other": { "name": "SymCrypt", - "version": "103.5.1", - "downloadUrl": "https://github.com/microsoft/SymCrypt/archive/v103.5.1.tar.gz" + "version": "103.6.0", + "downloadUrl": "https://github.com/microsoft/SymCrypt/archive/v103.6.0.tar.gz" } } }, @@ -28246,8 +28246,8 @@ "type": "other", "other": { "name": "SymCrypt-OpenSSL", - "version": "1.5.1", - "downloadUrl": "https://github.com/microsoft/SymCrypt-OpenSSL/archive/v1.5.1.tar.gz" + "version": "1.6.0", + "downloadUrl": "https://github.com/microsoft/SymCrypt-OpenSSL/archive/v1.6.0.tar.gz" } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 834db6a6137..9f2b39a8149 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -211,10 +211,10 @@ lua-5.4.6-1.azl3.aarch64.rpm lua-libs-5.4.6-1.azl3.aarch64.rpm azurelinux-rpm-macros-3.0-7.azl3.noarch.rpm azurelinux-check-macros-3.0-7.azl3.noarch.rpm -tdnf-3.5.8-5.azl3.aarch64.rpm -tdnf-cli-libs-3.5.8-5.azl3.aarch64.rpm -tdnf-devel-3.5.8-5.azl3.aarch64.rpm -tdnf-plugin-repogpgcheck-3.5.8-5.azl3.aarch64.rpm +tdnf-3.5.8-6.azl3.aarch64.rpm +tdnf-cli-libs-3.5.8-6.azl3.aarch64.rpm +tdnf-devel-3.5.8-6.azl3.aarch64.rpm +tdnf-plugin-repogpgcheck-3.5.8-6.azl3.aarch64.rpm libassuan-2.5.6-1.azl3.aarch64.rpm libassuan-devel-2.5.6-1.azl3.aarch64.rpm libgpg-error-1.47-1.azl3.aarch64.rpm @@ -239,7 +239,7 @@ ca-certificates-tools-3.0.0-7.azl3.noarch.rpm ca-certificates-base-3.0.0-7.azl3.noarch.rpm ca-certificates-3.0.0-7.azl3.noarch.rpm dwz-0.14-2.azl3.aarch64.rpm -unzip-6.0-20.azl3.aarch64.rpm +unzip-6.0-21.azl3.aarch64.rpm python3-3.12.3-4.azl3.aarch64.rpm python3-devel-3.12.3-4.azl3.aarch64.rpm python3-libs-3.12.3-4.azl3.aarch64.rpm 
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index e2da1e67cfe..d04a85e54f2 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -211,10 +211,10 @@ lua-5.4.6-1.azl3.x86_64.rpm lua-libs-5.4.6-1.azl3.x86_64.rpm azurelinux-rpm-macros-3.0-7.azl3.noarch.rpm azurelinux-check-macros-3.0-7.azl3.noarch.rpm -tdnf-3.5.8-5.azl3.x86_64.rpm -tdnf-cli-libs-3.5.8-5.azl3.x86_64.rpm -tdnf-devel-3.5.8-5.azl3.x86_64.rpm -tdnf-plugin-repogpgcheck-3.5.8-5.azl3.x86_64.rpm +tdnf-3.5.8-6.azl3.x86_64.rpm +tdnf-cli-libs-3.5.8-6.azl3.x86_64.rpm +tdnf-devel-3.5.8-6.azl3.x86_64.rpm +tdnf-plugin-repogpgcheck-3.5.8-6.azl3.x86_64.rpm libassuan-2.5.6-1.azl3.x86_64.rpm libassuan-devel-2.5.6-1.azl3.x86_64.rpm libgpg-error-1.47-1.azl3.x86_64.rpm @@ -239,7 +239,7 @@ ca-certificates-tools-3.0.0-7.azl3.noarch.rpm ca-certificates-base-3.0.0-7.azl3.noarch.rpm ca-certificates-3.0.0-7.azl3.noarch.rpm dwz-0.14-2.azl3.x86_64.rpm -unzip-6.0-20.azl3.x86_64.rpm +unzip-6.0-21.azl3.x86_64.rpm python3-3.12.3-4.azl3.x86_64.rpm python3-devel-3.12.3-4.azl3.x86_64.rpm python3-libs-3.12.3-4.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 6160102d641..088a86f006a 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -547,7 +547,7 @@ python3-magic-5.45-1.azl3.noarch.rpm python3-markupsafe-2.1.3-1.azl3.aarch64.rpm python3-newt-0.52.23-1.azl3.aarch64.rpm python3-packaging-23.2-3.azl3.noarch.rpm -python3-pip-24.2-1.azl3.noarch.rpm +python3-pip-24.2-2.azl3.noarch.rpm python3-pygments-2.7.4-2.azl3.noarch.rpm python3-rpm-4.18.2-1.azl3.aarch64.rpm python3-rpm-generators-14-11.azl3.noarch.rpm 
@@ -584,18 +584,18 @@ systemd-bootstrap-libs-250.3-17.azl3.aarch64.rpm
 systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
 tar-1.35-1.azl3.aarch64.rpm
 tar-debuginfo-1.35-1.azl3.aarch64.rpm
-tdnf-3.5.8-5.azl3.aarch64.rpm
-tdnf-autoupdate-3.5.8-5.azl3.aarch64.rpm
-tdnf-cli-libs-3.5.8-5.azl3.aarch64.rpm
-tdnf-debuginfo-3.5.8-5.azl3.aarch64.rpm
-tdnf-devel-3.5.8-5.azl3.aarch64.rpm
-tdnf-plugin-metalink-3.5.8-5.azl3.aarch64.rpm
-tdnf-plugin-repogpgcheck-3.5.8-5.azl3.aarch64.rpm
-tdnf-python-3.5.8-5.azl3.aarch64.rpm
+tdnf-3.5.8-6.azl3.aarch64.rpm
+tdnf-autoupdate-3.5.8-6.azl3.aarch64.rpm
+tdnf-cli-libs-3.5.8-6.azl3.aarch64.rpm
+tdnf-debuginfo-3.5.8-6.azl3.aarch64.rpm
+tdnf-devel-3.5.8-6.azl3.aarch64.rpm
+tdnf-plugin-metalink-3.5.8-6.azl3.aarch64.rpm
+tdnf-plugin-repogpgcheck-3.5.8-6.azl3.aarch64.rpm
+tdnf-python-3.5.8-6.azl3.aarch64.rpm
 texinfo-7.0.3-1.azl3.aarch64.rpm
 texinfo-debuginfo-7.0.3-1.azl3.aarch64.rpm
-unzip-6.0-20.azl3.aarch64.rpm
-unzip-debuginfo-6.0-20.azl3.aarch64.rpm
+unzip-6.0-21.azl3.aarch64.rpm
+unzip-debuginfo-6.0-21.azl3.aarch64.rpm
 util-linux-2.40.2-1.azl3.aarch64.rpm
 util-linux-debuginfo-2.40.2-1.azl3.aarch64.rpm
 util-linux-devel-2.40.2-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 4b5f3d5611e..d8e73e33940 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -553,7 +553,7 @@ python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.x86_64.rpm
 python3-newt-0.52.23-1.azl3.x86_64.rpm
 python3-packaging-23.2-3.azl3.noarch.rpm
-python3-pip-24.2-1.azl3.noarch.rpm
+python3-pip-24.2-2.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.x86_64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
@@ -590,18 +590,18 @@ systemd-bootstrap-libs-250.3-17.azl3.x86_64.rpm
 systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
 tar-1.35-1.azl3.x86_64.rpm
 tar-debuginfo-1.35-1.azl3.x86_64.rpm
-tdnf-3.5.8-5.azl3.x86_64.rpm
-tdnf-autoupdate-3.5.8-5.azl3.x86_64.rpm
-tdnf-cli-libs-3.5.8-5.azl3.x86_64.rpm
-tdnf-debuginfo-3.5.8-5.azl3.x86_64.rpm
-tdnf-devel-3.5.8-5.azl3.x86_64.rpm
-tdnf-plugin-metalink-3.5.8-5.azl3.x86_64.rpm
-tdnf-plugin-repogpgcheck-3.5.8-5.azl3.x86_64.rpm
-tdnf-python-3.5.8-5.azl3.x86_64.rpm
+tdnf-3.5.8-6.azl3.x86_64.rpm
+tdnf-autoupdate-3.5.8-6.azl3.x86_64.rpm
+tdnf-cli-libs-3.5.8-6.azl3.x86_64.rpm
+tdnf-debuginfo-3.5.8-6.azl3.x86_64.rpm
+tdnf-devel-3.5.8-6.azl3.x86_64.rpm
+tdnf-plugin-metalink-3.5.8-6.azl3.x86_64.rpm
+tdnf-plugin-repogpgcheck-3.5.8-6.azl3.x86_64.rpm
+tdnf-python-3.5.8-6.azl3.x86_64.rpm
 texinfo-7.0.3-1.azl3.x86_64.rpm
 texinfo-debuginfo-7.0.3-1.azl3.x86_64.rpm
-unzip-6.0-20.azl3.x86_64.rpm
-unzip-debuginfo-6.0-20.azl3.x86_64.rpm
+unzip-6.0-21.azl3.x86_64.rpm
+unzip-debuginfo-6.0-21.azl3.x86_64.rpm
 util-linux-2.40.2-1.azl3.x86_64.rpm
 util-linux-debuginfo-2.40.2-1.azl3.x86_64.rpm
 util-linux-devel-2.40.2-1.azl3.x86_64.rpm