Merge pull request #5303 from microsoft/anphel/1.0-april-2023-update

Merge for Mariner 1.0 April 2023 update

Author: anphel31

SPECS/c-ares/c-ares.signatures.json

@@ -1,5 +1,5 @@
 {
- "Signatures": {
-  "c-ares-1.18.1.tar.gz": "1a7d52a8a84a9fbffb1be9133c0f6e17217d91ea5a6fa61f6b4729cda78ebbcf"
- }
+  "Signatures": {
+    "c-ares-1.19.0.tar.gz": "bfceba37e23fd531293829002cac0401ef49a6dc55923f7f92236585b7ad1dd3"
+  }
 }

SPECS/c-ares/c-ares.spec

@@ -1,6 +1,6 @@
 Summary:        A library that performs asynchronous DNS operations
 Name:           c-ares
-Version:        1.18.1
+Version:        1.19.0
 Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
@@ -70,6 +70,9 @@ rm -rf %{buildroot}
 %{_mandir}/man3/ares_*
 
 %changelog
+* Tue Apr 04 2023 CBL-Mariner Servicing Account <[email protected]> - 1.19.0-1
+- Auto-upgrade to 1.19.0 - To Address CVE-2022-4904
+
 * Sun Nov 28 2021 Muhammad Falak <[email protected]> - 1.18.1-1
 - Bump version to fix CVE-2021-3672
 

SPECS/ca-certificates/ca-certificates.signatures.json

@@ -11,7 +11,7 @@
   "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
   "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
   "certdata.base.txt": "76c4cd1860b9a6f6ee9c2a0dcddcef46f65950b7ec12d2a7eeabeedca4e379f9",
-  "certdata.microsoft.txt": "7c9a314f528f5f353b478caaea8be051ad6b2ff99dca2754206afb632093fe47",
+  "certdata.microsoft.txt": "53fa416b306459da67127b12c17fb33d9598f0c085148578689066e84b00018e",
   "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
   "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
   "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",

SPECS/ca-certificates/ca-certificates.spec

@@ -44,7 +44,7 @@ Name:           ca-certificates
 
 # When updating, "Version" AND "Release" tags must be updated in the "prebuilt-ca-certificates" package as well.
 Version:        20200720
-Release:        29%{?dist}
+Release:        30%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -319,6 +319,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %{_bindir}/bundle2pem.sh
 
 %changelog
+* Thu Mar 30 2023 CBL-Mariner Service Account <[email protected]> - 20200720-30
+- Updating Microsoft trusted root CAs.
+
 * Mon Dec 12 2022 Pawel Winogrodzki <[email protected]> - 20200720-29
 - Adding 'Obsoletes' for the old 'ca-certificates-microsoft' packages before release 19.
 

SPECS/ca-certificates/certdata.microsoft.txt

@@ -0,0 +1,56 @@
+diff -Naur a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs
+--- a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs	2021-04-25 17:00:00.000000000 -0700
++++ b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs	2023-04-05 15:33:56.893718099 -0700
+@@ -367,6 +367,16 @@
+         let entries: Vec<<T as FamStruct>::Entry> =
+             Vec::deserialize(reader, version_map, app_version)
+                 .map_err(|ref err| VersionizeError::Deserialize(format!("{:?}", err)))?;
++        if header.len() != entries.len() {
++            let msg = format!(
++                "Mismatch between length of FAM specified in FamStruct header ({}) \
++                and actual size of FAM ({})",
++                header.len(),
++                entries.len()
++            );
++
++            return Err(VersionizeError::Deserialize(msg));
++        }
+         // Construct the object from the array items.
+         // Header(T) fields will be initialized by Default trait impl.
+         let mut object = FamStructWrapper::from_entries(&entries)
+diff -Naur a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs
+--- a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs	2021-04-25 17:00:00.000000000 -0700
++++ b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs	2023-04-05 15:34:57.145737780 -0700
+@@ -1321,6 +1321,32 @@
+ type Message2FamStructWrapper = FamStructWrapper<Message2>;
+ 
+ #[test]
++fn test_deserialize_famstructwrapper_invalid_len() {
++    let mut vm = VersionMap::new();
++    vm.new_version()
++        .set_type_version(Message::type_id(), 2)
++        .new_version()
++        .set_type_version(Message::type_id(), 3)
++        .new_version()
++        .set_type_version(Message::type_id(), 4);
++
++    // Create FamStructWrapper with len 2
++    let state = MessageFamStructWrapper::new(0).unwrap();
++    let mut buffer = [0; 256];
++
++    state.serialize(&mut buffer.as_mut_slice(), &vm, 2).unwrap();
++
++    // the `len` field of the header is the first serialized field.
++    // Let's corrupt it by making it bigger than the actual number of serialized elements
++    buffer[0] = 255;
++
++    assert_eq!(
++        MessageFamStructWrapper::deserialize(&mut buffer.as_slice(), &vm, 2).unwrap_err(),
++        VersionizeError::Deserialize("Mismatch between length of FAM specified in FamStruct header (255) and actual size of FAM (0)".to_string())
++    );
++}
++
++#[test]
+ fn test_versionize_famstructwrapper() {
+     let mut vm = VersionMap::new();
+     vm.new_version()

SPECS/cloud-hypervisor/CVE-2023-28448.patch

@@ -1,7 +1,7 @@
 Summary:        A Rust-VMM based cloud hypervisor from Intel
 Name:           cloud-hypervisor
 Version:        22.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ASL 2.0 or BSD
 URL:            https://github.com/cloud-hypervisor/cloud-hypervisor
 Group:          Development/Tools
@@ -12,6 +12,7 @@ Source0:       %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # To update the cache run:
 #   [repo_root]/toolkit/scripts/build_cargo_cache.sh %%{name}-%%{version}.tar.gz
 Source1:        %{name}-%{version}-cargo.tar.gz
+Patch0:         CVE-2023-28448.patch
 ExclusiveArch:  x86_64
 
 BuildRequires:  gcc
@@ -28,6 +29,7 @@ A Rust-VMM based cloud hypervisor from Intel.
 mkdir -p $HOME
 pushd $HOME
 tar xf %{SOURCE1} --no-same-owner
+%patch0 -p1
 popd
 %setup -q
 
@@ -49,6 +51,9 @@ install -d %{buildroot}%{_libdir}/cloud-hypervisor
 %exclude %{_libdir}/debug
 
 %changelog
+* Wed Apr 05 2023 Henry Beberman <[email protected]> - 22.0-2
+- Patch CVE-2023-28448 in vendored versionize crate
+
 * Wed Mar 09 2022 Pawel Winogrodzki <[email protected]> - 22.0-1
 - Updating to version 22.0 to build with 'rust' 1.59.0.
 

SPECS/cloud-hypervisor/cloud-hypervisor.spec

@@ -0,0 +1,3 @@
+CVE-2023-1079 - patched in 5.10.173 - (generated by autopatch tool)
+upstream 4ab3a086d10eeec1424f2e8a968827a6336203df - stable 21a2eec4a440060a6eb294dc890eaf553101ba09
+

SPECS/kernel/CVE-2023-1079.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-1281 - patched in 5.10.169 - (generated by autopatch tool)
+upstream ee059170b1f7e94e55fa6cadee544e176a6e59c2 - stable eb8e9d8572d1d9df17272783ad8a84843ce559d4
+

SPECS/kernel/CVE-2023-1281.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-1390 - patched in 5.10.10 - (generated by autopatch tool)
+upstream b77413446408fdd256599daf00d5be72b5f3e7c6 - stable 60b8b4e6310b7dfc551ba68e8639eeaf70a0b2dd
+