From ec426a013731a335ff686718d08c595dbfc9477b Mon Sep 17 00:00:00 2001 From: bhagyapathak Date: Tue, 26 Nov 2024 09:45:24 +0530 Subject: [PATCH 1/5] Fix CVE-2023-46118 for rabbitmq-server (#10626) --- SPECS/rabbitmq-server/generate-rabbitmq-server-tarball.sh | 2 +- SPECS/rabbitmq-server/rabbitmq-server.signatures.json | 8 ++++---- SPECS/rabbitmq-server/rabbitmq-server.spec | 7 +++++-- cgmanifest.json | 4 ++-- 4 files changed, 12 insertions(+), 9 deletions(-) diff --git a/SPECS/rabbitmq-server/generate-rabbitmq-server-tarball.sh b/SPECS/rabbitmq-server/generate-rabbitmq-server-tarball.sh index 0a910fdce07..ccd3d9352cf 100755 --- a/SPECS/rabbitmq-server/generate-rabbitmq-server-tarball.sh +++ b/SPECS/rabbitmq-server/generate-rabbitmq-server-tarball.sh @@ -12,7 +12,7 @@ # baseline variables for filename and temporary directory to avoid filenme collisions TEMP_TARBALL_DIR="TempRabbitmqTarball" -VENDOR_TARBALL_NAME="rabbitmq-server-hex-vendor-3.11.11" +VENDOR_TARBALL_NAME="rabbitmq-server-hex-vendor-3.11.24" #Create Hex Packag arrays and link HEX_PM_LINK="https://repo.hex.pm/tarballs" diff --git a/SPECS/rabbitmq-server/rabbitmq-server.signatures.json b/SPECS/rabbitmq-server/rabbitmq-server.signatures.json index 612aa6fc886..48c6b1e620a 100644 --- a/SPECS/rabbitmq-server/rabbitmq-server.signatures.json +++ b/SPECS/rabbitmq-server/rabbitmq-server.signatures.json 
@@ -1,8 +1,8 @@ { "Signatures": { - "rabbitmq-server-3.11.11.tar.xz": "0ff32c1b4a5dd28cc8651af28e4a5e7e577bd58119180949d979492b32a90996", - "rabbitmq-server-hex-vendor-3.11.11.tar.gz": "f8176440e667f2cead0221ab139079650adcd916ef37396ff41243536b6b3f70", "mix_task_archive_deps-1.0.0.ez": "e6079c02cbbb41526ea18e8142a14093094c2f1942865f1cb64fbc4eb6212a48", - "rabbitmq-server-hex-cache-3.11.11.tar.gz": "d0e45732afb04dfd3941e8a304dc8b6ff9e5aa73f52c16af2a3f78a967f14708" + "rabbitmq-server-3.11.24.tar.xz": "11090580cb8ffedcf40d1c7c4e3dcccf17658237ca8549f51b057ba9e359ab9b", + "rabbitmq-server-hex-cache-3.11.24.tar.gz": "f3339bb5e3d1577af325799d16cb260dee8b09daf973665951676c6ab0ca0ec4", + "rabbitmq-server-hex-vendor-3.11.24.tar.gz": "f352bbcf85cf696cfda2833aceabdd485ac2e2900e8d4a0ea4d88255d8373252" } -} +} \ No newline at end of file diff --git a/SPECS/rabbitmq-server/rabbitmq-server.spec b/SPECS/rabbitmq-server/rabbitmq-server.spec index 477119e7f9a..6979e2ac094 100644 --- a/SPECS/rabbitmq-server/rabbitmq-server.spec +++ b/SPECS/rabbitmq-server/rabbitmq-server.spec @@ -1,8 +1,8 @@ %define debug_package %{nil} Summary: rabbitmq-server Name: rabbitmq-server -Version: 3.11.11 -Release: 2%{?dist} +Version: 3.11.24 +Release: 1%{?dist} License: Apache-2.0 and MPL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -115,6 +115,9 @@ done %{_libdir}/rabbitmq/lib/rabbitmq_server-%{version}/* %changelog +* Tue Oct 4 2024 Bhagyashri Pathak - 3.11.24-1 +- Upgrade version to 3.11.24 to fix CVE-2023-46118 + * Wed Jan 17 2024 Harshit Gupta - 3.11.11-2 - Release bump with no changes to force a rebuild and consume new erlang build diff --git a/cgmanifest.json b/cgmanifest.json index c8de2ceae72..72b693a4655 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
@@ -25414,8 +25414,8 @@
 "type": "other",
 "other": {
 "name": "rabbitmq-server",
- "version": "3.11.11",
- "downloadUrl": "https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.11.11/rabbitmq-server-3.11.11.tar.xz"
+ "version": "3.11.24",
+ "downloadUrl": "https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.11.24/rabbitmq-server-3.11.24.tar.xz"
 }
 }
 },

From de68b926adbc90cabc362bcce283ba098c6c4231 Mon Sep 17 00:00:00 2001
From: Pawel Winogrodzki
Date: Tue, 26 Nov 2024 09:49:19 -0800
Subject: [PATCH 2/5] Extended CVE-2024-10224 patch and fixed ptests in `perl-Module-ScanDeps`. (#11218)

---
 .../perl-Module-ScanDeps/CVE-2024-10224.patch | 36 +++++++++++++++++++
 .../perl-Module-ScanDeps.spec | 12 +++++--
 2 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/SPECS/perl-Module-ScanDeps/CVE-2024-10224.patch b/SPECS/perl-Module-ScanDeps/CVE-2024-10224.patch
index 87ed0988758..c231e72652c 100644
--- a/SPECS/perl-Module-ScanDeps/CVE-2024-10224.patch
+++ b/SPECS/perl-Module-ScanDeps/CVE-2024-10224.patch
@@ -243,3 +243,39 @@ index 7bc9662..dd79c65 100644 # e.g. for autosplit .ix and .al files. In the latter case, # the key may also start with "./" if found via a relative path in @INC. $key =~ s|\\|/|g; + + +From 49468814a24221affe113664899be21aef60e846 Mon Sep 17 00:00:00 2001 +From: rschupp +Date: Fri, 8 Nov 2024 19:17:30 +0100 +Subject: [PATCH] fix parsing of "use if ..." + +Fixes errors in PAR::Packer test t/90-rt59710.t +--- + lib/Module/ScanDeps.pm | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/lib/Module/ScanDeps.pm b/lib/Module/ScanDeps.pm +index f911440..71d8b75 100644 +--- a/lib/Module/ScanDeps.pm ++++ b/lib/Module/ScanDeps.pm +@@ -925,7 +925,7 @@ sub scan_line { + next CHUNK; + } + +- if (my ($pragma, $args) = /^use \s+ (autouse|if) \s+ (.+)/x) ++ if (my ($pragma, $args) = /^(?:use|no) \s+ (autouse|if) \s+ (.+)/x) + { + # NOTE: There are different ways the MODULE may + # be specified for the "autouse" and "if" pragmas, e.g. +@@ -938,7 +938,9 @@ sub scan_line { + else { + # The syntax of the "if" pragma is + # use if COND, MODULE => ARGUMENTS +- (undef, $module) = _parse_module_list($args); ++ # NOTE: This works only for simple conditions. ++ $args =~ s/.*? (?:,|=>) \s*//x; ++ ($module) = _parse_module_list($args); + } + $found{_mod2pm($pragma)}++; + $found{_mod2pm($module)}++ if $module; diff --git a/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec b/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec index 8824833efda..77587153df0 100644 --- a/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec +++ b/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec @@ -2,7 +2,7 @@ Summary: Recursively scan Perl code for dependencies Name: perl-Module-ScanDeps Version: 1.35 -Release: 2%{?dist} +Release: 3%{?dist} License: GPL+ or Artistic Group: Development/Libraries Source0: https://cpan.metacpan.org/authors/id/R/RS/RSCHUPP/Module-ScanDeps-%{version}.tar.gz 
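Review bot: The hunk appends a second upstream commit (49468814, "fix parsing of 'use if ...'") to a file named CVE-2024-10224.patch, so the file no longer holds only the CVE fix and anyone auditing the CVE backport has to read past an unrelated scan_line parser change. Keeping each upstream commit in its own PatchN file (a constructed name such as `fix-use-if-parsing.patch`, declared as the next PatchN in the spec) keeps the CVE patch minimal and makes each fix individually traceable from the spec's Patch list. Whichever file it lands in, the embedded From/Subject provenance lines should be kept, since they are what lets a reviewer match the hunk against upstream.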
@@ -15,10 +15,14 @@ BuildRequires: perl >= 5.28.0 BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl-generators %if 0%{?with_check} +BuildRequires: perl(AutoLoader) +BuildRequires: perl(blib) BuildRequires: perl(CPAN) BuildRequires: perl(CPAN::Meta) BuildRequires: perl(FindBin) +BuildRequires: perl(Test) BuildRequires: perl(Test::More) +BuildRequires: perl(Test::Pod) %endif Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) @@ -55,6 +59,7 @@ find %{buildroot} -type f -name .packlist -exec rm -f {} + export PERL_MM_USE_DEFAULT=1 cpan local::lib cpan Test::Requires +cpan IPC::Run3 make %{?_smp_mflags} test %files @@ -65,13 +70,16 @@ make %{?_smp_mflags} test %{_mandir}/man3/* %changelog +* Mon Nov 25 2024 Pawel Winogrodzki - 1.35-3 +- Fixing perl-Module-ScanDeps tests. + * Fri Nov 15 2024 Pawel Winogrodzki - 1.35-2 - Patched CVE-2024-10224. * Mon Dec 18 2023 CBL-Mariner Servicing Account - 1.35-1 - Auto-upgrade to 1.35 - Azure Linux 3.0 - package upgrades -* Tue Aug 23 2020 Muhammad Falak - 1.31-2 +* Tue Aug 23 2022 Muhammad Falak - 1.31-2 - Add BR on `perl-{(CPAN::*),(FindBin),(Test::More)}` to enable ptest * Fri Apr 22 2022 Mateusz Malisz - 1.31-1 From 4828b0c2fac43012d3a692df36b22fcbce6fb9a1 Mon Sep 17 00:00:00 2001 From: Daniel McIlvaney Date: Tue, 26 Nov 2024 10:33:13 -0800 Subject: [PATCH 3/5] Don't allow multiple build queues (#7928) (#11222) Co-authored-by: Pawel Winogrodzki --- toolkit/tools/scheduler/scheduler.go | 7 +++- .../schedulerutils/graphbuildstate.go | 22 ++++++++++ .../schedulerutils/preparerequest.go | 42 ++++++++++++++++--- 3 files changed, 65 insertions(+), 6 deletions(-) diff --git a/toolkit/tools/scheduler/scheduler.go b/toolkit/tools/scheduler/scheduler.go index 10d12a0b13b..8eec36b0fe7 100644 --- a/toolkit/tools/scheduler/scheduler.go +++ b/toolkit/tools/scheduler/scheduler.go 
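Review bot: `cpan IPC::Run3` in %check fetches an unpinned module over the network at build time, alongside the existing `cpan local::lib` and `cpan Test::Requires` lines, so the test run depends on whatever version CPAN serves that day and on network reachability inside the build environment. If the distro packages it, the dependency belongs with the `%if 0%{?with_check}` BuildRequires added in this same hunk, as `BuildRequires: perl(IPC::Run3)`; if it does not, a comment on the cpan line explaining why the module is pulled from CPAN at test time would save the next maintainer the question. The %check section continues outside the hunk.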
@@ -334,7 +334,12 @@ func buildAllNodes(stopOnFailure, canUseCache bool, packagesToRebuild, testsToRe logger.Log.Debugf("Found %d unblocked nodes: %v.", len(nodesToBuild), nodesToBuild) // Each node that is ready to build must be converted into a build request and submitted to the worker pool. - newRequests := schedulerutils.ConvertNodesToRequests(pkgGraph, graphMutex, nodesToBuild, packagesToRebuild, testsToRerun, buildState, canUseCache) + newRequests, requestError := schedulerutils.ConvertNodesToRequests(pkgGraph, graphMutex, nodesToBuild, packagesToRebuild, testsToRerun, buildState, canUseCache) + if requestError != nil { + err = fmt.Errorf("failed to convert nodes to requests:\n%w", requestError) + stopBuilding = true + break + } for _, req := range newRequests { buildState.RecordBuildRequest(req) // Decide which priority the build should be. Generally we want to get any remote or prebuilt nodes out of the diff --git a/toolkit/tools/scheduler/schedulerutils/graphbuildstate.go b/toolkit/tools/scheduler/schedulerutils/graphbuildstate.go index 8159fe95405..13dd3edaee0 100644 --- a/toolkit/tools/scheduler/schedulerutils/graphbuildstate.go +++ b/toolkit/tools/scheduler/schedulerutils/graphbuildstate.go @@ -124,6 +124,11 @@ func (g *GraphBuildState) ActiveBuildFromSRPM(srpmFileName string) *BuildRequest return nil } +// IsSRPMBuildActive returns true if a given SRPM is currently queued for building. +func (g *GraphBuildState) IsSRPMBuildActive(srpmFileName string) bool { + return g.ActiveBuildFromSRPM(srpmFileName) != nil +} + // ActiveSRPMs returns a list of all SRPMs, which are currently being built. func (g *GraphBuildState) ActiveSRPMs() (builtSRPMs []string) { for _, buildRequest := range g.activeBuilds { 
@@ -146,6 +151,23 @@ func (g *GraphBuildState) ActiveTests() (testedSRPMs []string) { return } +// ActiveTestFromSRPM returns a test request for the queried SRPM file +// or nil if the SRPM is not among the active builds. +func (g *GraphBuildState) ActiveTestFromSRPM(srpmFileName string) *BuildRequest { + for _, buildRequest := range g.activeBuilds { + if buildRequest.Node.Type == pkggraph.TypeTest && buildRequest.Node.SRPMFileName() == srpmFileName { + return buildRequest + } + } + + return nil +} + +// IsSRPMTestActive returns true if a given SRPM is currently queued for testing. +func (g *GraphBuildState) IsSRPMTestActive(srpmFileName string) bool { + return g.ActiveTestFromSRPM(srpmFileName) != nil +} + // BuildFailures returns a slice of all failed builds. func (g *GraphBuildState) BuildFailures() []*BuildResult { return g.failures diff --git a/toolkit/tools/scheduler/schedulerutils/preparerequest.go b/toolkit/tools/scheduler/schedulerutils/preparerequest.go index cf6e0221964..6529073231f 100644 --- a/toolkit/tools/scheduler/schedulerutils/preparerequest.go +++ b/toolkit/tools/scheduler/schedulerutils/preparerequest.go @@ -4,6 +4,7 @@ package schedulerutils import ( + "fmt" "sync" "github.com/microsoft/azurelinux/toolkit/tools/internal/logger" 
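Review bot: ActiveTestFromSRPM appears to duplicate the loop in ActiveBuildFromSRPM with only the node-type test differing; only ActiveBuildFromSRPM's `return nil` tail is visible above, so this is inferred from its name and the doc comment on ActiveTestFromSRPM. A single private helper taking the wanted node type, with both exported lookups delegating to it, would keep the two filters from drifting apart when the request bookkeeping changes. The doc comment `or nil if the SRPM is not among the active builds` could also say "active tests", since that is what the type check selects.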
@@ -27,7 +28,7 @@ import ( // and are queued for building in the testNodesToRequests() function. // At this point the partner build nodes for these test nodes have either already finished building or are being built, // thus the check for active and cached SRPMs inside testNodesToRequests(). -func ConvertNodesToRequests(pkgGraph *pkggraph.PkgGraph, graphMutex *sync.RWMutex, nodesToBuild []*pkggraph.PkgNode, packagesToRebuild, testsToRerun []*pkgjson.PackageVer, buildState *GraphBuildState, isCacheAllowed bool) (requests []*BuildRequest) { +func ConvertNodesToRequests(pkgGraph *pkggraph.PkgGraph, graphMutex *sync.RWMutex, nodesToBuild []*pkggraph.PkgNode, packagesToRebuild, testsToRerun []*pkgjson.PackageVer, buildState *GraphBuildState, isCacheAllowed bool) (requests []*BuildRequest, err error) { timestamp.StartEvent("generate requests", nil) defer timestamp.StopEvent(nil) 
@@ -57,13 +58,23 @@ func ConvertNodesToRequests(pkgGraph *pkggraph.PkgGraph, graphMutex *sync.RWMute requests = append(requests, req) } - requests = append(requests, buildNodesToRequests(pkgGraph, buildState, packagesToRebuild, testsToRerun, buildNodes, isCacheAllowed)...) - requests = append(requests, testNodesToRequests(pkgGraph, buildState, testsToRerun, testNodes)...) + newBuildReqs, err := buildNodesToRequests(pkgGraph, buildState, packagesToRebuild, testsToRerun, buildNodes, isCacheAllowed) + if err != nil { + err = fmt.Errorf("failed to convert build nodes to requests:\n%w", err) + return + } + requests = append(requests, newBuildReqs...) + newTestReqs, err := testNodesToRequests(pkgGraph, buildState, testsToRerun, testNodes) + if err != nil { + err = fmt.Errorf("failed to convert test nodes to requests:\n%w", err) + return + } + requests = append(requests, newTestReqs...) return } -func buildNodesToRequests(pkgGraph *pkggraph.PkgGraph, buildState *GraphBuildState, packagesToRebuild, testsToRerun []*pkgjson.PackageVer, buildNodesLists map[string][]*pkggraph.PkgNode, isCacheAllowed bool) (requests []*BuildRequest) { +func buildNodesToRequests(pkgGraph *pkggraph.PkgGraph, buildState *GraphBuildState, packagesToRebuild, testsToRerun []*pkgjson.PackageVer, buildNodesLists map[string][]*pkggraph.PkgNode, isCacheAllowed bool) (requests []*BuildRequest, err error) { for _, buildNodes := range buildNodesLists { // Check if any of the build nodes is a delta node and mark it. We will use this to determine if the // build is a delta build that might have pre-built .rpm files available. 
@@ -76,6 +87,17 @@ func buildNodesToRequests(pkgGraph *pkggraph.PkgGraph, buildState *GraphBuildSta } defaultNode := buildNodes[0] + + // Check if we already queued up this build node for building. + if buildState.IsSRPMBuildActive(defaultNode.SRPMFileName()) || buildState.IsNodeProcessed(defaultNode) { + err = fmt.Errorf("unexpected duplicate build for (%s)", defaultNode.SRPMFileName()) + // Temporarily ignore the error, this state is unexpected but not fatal. Error return will be + // restored later once the underlying cause of this error is fixed. + logger.Log.Warnf(err.Error()) + err = nil + continue + } + req := buildRequest(pkgGraph, buildState, packagesToRebuild, defaultNode, buildNodes, isCacheAllowed, hasADeltaNode) requests = append(requests, req) 
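Review bot: `logger.Log.Warnf(err.Error())` passes a non-constant string as the format argument, so an SRPM file name containing `%` would be parsed as a verb and produce a garbled message; `go vet`'s printf check flags exactly this pattern. Because the error is discarded on the following line anyway, the block can be reduced to `logger.Log.Warnf("unexpected duplicate build for (%s)", defaultNode.SRPMFileName())` with the `err = ...`/`err = nil` pair dropped, keeping the comment about restoring the error return as a `// TODO:`. The same pattern appears in the testNodesToRequests hunk below ("unexpected duplicate test"). buildNodesToRequests continues beyond the hunk.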
@@ -152,13 +174,23 @@ func partnerTestNodesToRequest(pkgGraph *pkggraph.PkgGraph, buildState *GraphBui // which have already been queued to build or finished building. // // NOTE: the caller must guarantee the build state does not change while this function is running. -func testNodesToRequests(pkgGraph *pkggraph.PkgGraph, buildState *GraphBuildState, testsToRerun []*pkgjson.PackageVer, testNodesLists map[string][]*pkggraph.PkgNode) (requests []*BuildRequest) { +func testNodesToRequests(pkgGraph *pkggraph.PkgGraph, buildState *GraphBuildState, testsToRerun []*pkgjson.PackageVer, testNodesLists map[string][]*pkggraph.PkgNode) (requests []*BuildRequest, err error) { const isDelta = false for _, testNodes := range testNodesLists { defaultTestNode := testNodes[0] srpmFileName := defaultTestNode.SRPMFileName() + // Check if we already queued up this build node for building. + if buildState.IsSRPMBuildActive(srpmFileName) || buildState.IsNodeProcessed(defaultTestNode) { + err = fmt.Errorf("unexpected duplicate test for (%s)", srpmFileName) + // Temporarily ignore the error, this state is unexpected but not fatal. Error return will be + // restored later once the underlying cause of this error is fixed. + logger.Log.Warnf(err.Error()) + err = nil + continue + } + buildUsedCache := buildState.IsSRPMCached(srpmFileName) if buildRequest := buildState.ActiveBuildFromSRPM(srpmFileName); buildRequest != nil { buildUsedCache = buildRequest.UseCache From 73a888e47886178bd2050e830f319d80be65f179 Mon Sep 17 00:00:00 2001 
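Review bot: The new guard skips a test node whenever `buildState.IsSRPMBuildActive(srpmFileName)` is true, yet the very next context line, `if buildRequest := buildState.ActiveBuildFromSRPM(srpmFileName); buildRequest != nil {`, exists precisely to handle an in-flight partner build (the function comment in the header also says partners may be "queued to build"), so that branch becomes unreachable and a legitimate state is now logged as "unexpected duplicate test". This commit adds `IsSRPMTestActive` in graphbuildstate.go but nothing in the hunks calls it, which suggests the intended line is `if buildState.IsSRPMTestActive(srpmFileName) || buildState.IsNodeProcessed(defaultTestNode) {`; whether ActiveBuildFromSRPM filters on build-type nodes is not visible here, so confirm against its body. The comment `// Check if we already queued up this build node for building.` should then read "test node ... for testing". testNodesToRequests continues beyond the hunk.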
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 26 Nov 2024 20:48:47 -0800 Subject: [PATCH 4/5] [AUTO-CHERRYPICK] Fix CVE-2024-5535 in hvloader - branch main (#11232) Co-authored-by: joejoew <111843948+joejoew@users.noreply.github.com> --- .../hvloader-signed/hvloader-signed.spec | 5 +- SPECS/hvloader/CVE-2024-5535.patch | 94 +++++++++++++++++++ SPECS/hvloader/hvloader.spec | 6 +- 3 files changed, 103 insertions(+), 2 deletions(-) create mode 100644 SPECS/hvloader/CVE-2024-5535.patch diff --git a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec index cf8371cce40..2218c90aad6 100644 --- a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec +++ b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec @@ -6,7 +6,7 @@ Summary: Signed HvLoader.efi for %{buildarch} systems Name: hvloader-signed-%{buildarch} Version: 1.0.1 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -69,6 +69,9 @@ popd /boot/efi/HvLoader.efi %changelog +* Mon Nov 25 2024 Zhichun Wan - 1.0.1-6 +- Update version for consistency with hvloader spec + * Wed Jun 19 2024 Archana Choudhary - 1.0.1-5 - Update version for consistency with hvloader spec diff --git a/SPECS/hvloader/CVE-2024-5535.patch b/SPECS/hvloader/CVE-2024-5535.patch new file mode 100644 index 00000000000..f5d90a79430 --- /dev/null +++ b/SPECS/hvloader/CVE-2024-5535.patch 
@@ -0,0 +1,94 @@ +From 7a96ccee7892abe6ee1d8b8b42d293bd5261c2ef Mon Sep 17 00:00:00 2001 +From: Zhichun Wan +Date: Tue, 26 Nov 2024 01:49:38 +0000 +Subject: [PATCH] patches + +--- + .../Library/OpensslLib/openssl/ssl/ssl_lib.c | 63 ++++++++++++------- + 1 file changed, 40 insertions(+), 23 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c +index 47adc321..0dca8e69 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c +@@ -2761,37 +2761,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, + unsigned int server_len, + const unsigned char *client, unsigned int client_len) + { +- unsigned int i, j; +- const unsigned char *result; +- int status = OPENSSL_NPN_UNSUPPORTED; ++ PACKET cpkt, csubpkt, spkt, ssubpkt; ++ ++ if (!PACKET_buf_init(&cpkt, client, client_len) ++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) ++ || PACKET_remaining(&csubpkt) == 0) { ++ *out = NULL; ++ *outlen = 0; ++ return OPENSSL_NPN_NO_OVERLAP; ++ } ++ ++ /* ++ * Set the default opportunistic protocol. Will be overwritten if we find ++ * a match. ++ */ ++ *out = (unsigned char *)PACKET_data(&csubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&csubpkt); + + /* + * For each protocol in server preference order, see if we support it. 
+ */ +- for (i = 0; i < server_len;) { +- for (j = 0; j < client_len;) { +- if (server[i] == client[j] && +- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { +- /* We found a match */ +- result = &server[i]; +- status = OPENSSL_NPN_NEGOTIATED; +- goto found; ++ if (PACKET_buf_init(&spkt, server, server_len)) { ++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { ++ if (PACKET_remaining(&ssubpkt) == 0) ++ continue; /* Invalid - ignore it */ ++ if (PACKET_buf_init(&cpkt, client, client_len)) { ++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { ++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), ++ PACKET_remaining(&ssubpkt))) { ++ /* We found a match */ ++ *out = (unsigned char *)PACKET_data(&ssubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); ++ return OPENSSL_NPN_NEGOTIATED; ++ } ++ } ++ /* Ignore spurious trailing bytes in the client list */ ++ } else { ++ /* This should never happen */ ++ return OPENSSL_NPN_NO_OVERLAP; + } +- j += client[j]; +- j++; + } +- i += server[i]; +- i++; ++ /* Ignore spurious trailing bytes in the server list */ + } + +- /* There's no overlap between our protocols and the server's list. */ +- result = client; +- status = OPENSSL_NPN_NO_OVERLAP; +- +- found: +- *out = (unsigned char *)result + 1; +- *outlen = result[0]; +- return status; ++ /* ++ * There's no overlap between our protocols and the server's list. We use ++ * the default opportunistic protocol selected earlier ++ */ ++ return OPENSSL_NPN_NO_OVERLAP; + } + + #ifndef OPENSSL_NO_NEXTPROTONEG +-- +2.45.2 + diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec index 6d154ce2daf..67cf716a91c 100644 --- a/SPECS/hvloader/hvloader.spec +++ b/SPECS/hvloader/hvloader.spec @@ -4,7 +4,7 @@ Summary: HvLoader.efi is an EFI application for loading an external hypervisor loader. Name: hvloader Version: 1.0.1 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner 
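Review bot: The embedded commit header reads `Subject: [PATCH] patches` with an empty body, so the file never says which upstream OpenSSL commit this SSL_select_next_proto rewrite is taken from, whereas the cmake patches in this same series carry an `Original patch: <url>` line; add the equivalent here, e.g. `Original patch: <upstream OpenSSL commit URL>` filled in with the real reference. Without it a later reviewer has to diff the vendored edk2 CryptoPkg copy against OpenSSL by hand to confirm the backport is complete. The new body also relies on the PACKET helpers (`PACKET_buf_init`, `PACKET_get_length_prefixed_1`, `PACKET_equal`); whether ssl_lib.c in this OpenSSL snapshot already has the packet header in scope is outside the hunk and worth confirming in the build log.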
@@ -16,6 +16,7 @@ Source1: https://github.com/tianocore/edk2/archive/refs/tags/%{edk2_tag}. Source2: target-x86.txt Patch0: CVE-2024-1298.patch Patch1: CVE-2023-0464.patch +Patch2: CVE-2024-5535.patch BuildRequires: bc BuildRequires: gcc BuildRequires: build-essential @@ -60,6 +61,9 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{ /boot/efi/HvLoader.efi %changelog +* Mon Nov 25 2024 Zhichun Wan - 1.0.1-6 +- Add patch to resolve CVE-2024-5535 + * Wed Jun 19 2024 Archana Choudhary - 1.0.1-5 - Add patch to resolve CVE-2023-0464 From 381cbebb19fc39711910e1abcb80ffa1a6acf9db Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 26 Nov 2024 20:49:28 -0800 Subject: [PATCH 5/5] [AUTO-CHERRYPICK] cmake: Patch CVE-2024-2398, CVE-2024-7264 in bundled curl and CVE-2024-28182 in bundled nghttp2 - branch main (#11231) Co-authored-by: Vince Perri <5596945+vinceaperri@users.noreply.github.com> --- SPECS/cmake/CVE-2024-2398.patch | 94 ++++++++++++++ SPECS/cmake/CVE-2024-28182.patch | 108 ++++++++++++++++ SPECS/cmake/CVE-2024-7264.patch | 121 ++++++++++++++++++ SPECS/cmake/cmake.spec | 9 +- .../manifests/package/toolchain_aarch64.txt | 4 +- .../manifests/package/toolchain_x86_64.txt | 4 +- 6 files changed, 335 insertions(+), 5 deletions(-) create mode 100644 SPECS/cmake/CVE-2024-2398.patch create mode 100644 SPECS/cmake/CVE-2024-28182.patch create mode 100644 SPECS/cmake/CVE-2024-7264.patch diff --git a/SPECS/cmake/CVE-2024-2398.patch b/SPECS/cmake/CVE-2024-2398.patch new file mode 100644 index 00000000000..d1c192e24f6 --- /dev/null +++ b/SPECS/cmake/CVE-2024-2398.patch 
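Review bot: `Patch2: CVE-2024-5535.patch` is declared, but whether it is applied depends on the %prep section, which is outside the hunk; if %prep uses explicit `%patch` lines rather than `%autosetup`/`%autopatch`, a matching `%patch 2 -p1` (in whatever form the existing Patch0/Patch1 lines use) is needed or the release bump ships without the fix. Confirming that the build log shows the patch being applied to the edk2 tree would settle it.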
@@ -0,0 +1,94 @@ +From c9adb2114e9d9d4a50ff273234c2a1f8518aafd1 Mon Sep 17 00:00:00 2001 +From: Vince Perri <5596945+vinceaperri@users.noreply.github.com> +Date: Wed, 20 Nov 2024 22:38:53 +0000 +Subject: [PATCH] http2: push headers better cleanup + +Original patch: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6 +--- + Utilities/cmcurl/lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/Utilities/cmcurl/lib/http2.c b/Utilities/cmcurl/lib/http2.c +index f194c18b..50b8cd54 100644 +--- a/Utilities/cmcurl/lib/http2.c ++++ b/Utilities/cmcurl/lib/http2.c +@@ -116,6 +116,15 @@ static int http2_getsock(struct Curl_easy *data, + return bitmap; + } + ++static void free_push_headers(struct HTTP *stream) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + /* + * http2_stream_free() free HTTP2 stream related data + */ +@@ -123,11 +132,7 @@ static void http2_stream_free(struct HTTP *http) + { + if(http) { + Curl_dyn_free(&http->header_recvbuf); +- for(; http->push_headers_used > 0; --http->push_headers_used) { +- free(http->push_headers[http->push_headers_used - 1]); +- } +- free(http->push_headers); +- http->push_headers = NULL; ++ free_push_headers(http); + } + } + +@@ -559,7 +564,6 @@ static int push_promise(struct Curl_easy *data, + struct curl_pushheaders heads; + CURLMcode rc; + struct http_conn *httpc; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = duphandle(data); + if(!newhandle) { +@@ -595,11 +599,7 @@ static int push_promise(struct Curl_easy *data, + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + DEBUGASSERT((rv > 
CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); +@@ -1033,10 +1033,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, + stream->push_headers_alloc) { + char **headp; + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; +@@ -1204,11 +1204,7 @@ void Curl_http2_done(struct Curl_easy *data, bool premature) + Curl_dyn_free(&http->trailer_recvbuf); + if(http->push_headers) { + /* if they weren't used and then freed before */ +- for(; http->push_headers_used > 0; --http->push_headers_used) { +- free(http->push_headers[http->push_headers_used - 1]); +- } +- free(http->push_headers); +- http->push_headers = NULL; ++ free_push_headers(http); + } + + if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) || +-- +2.34.1 + diff --git a/SPECS/cmake/CVE-2024-28182.patch b/SPECS/cmake/CVE-2024-28182.patch new file mode 100644 index 00000000000..9a71706148b --- /dev/null +++ b/SPECS/cmake/CVE-2024-28182.patch 
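Review bot: As rendered here the loop in the new `free_push_headers` reads `for(i = 0; ipush_headers_used; i++)`, which has no comparison and would not compile; the upstream curl line is `for(i = 0; i < stream->push_headers_used; i++)` and the `< stream->` almost certainly vanished in rendering (the removed line in push_promise shows the same loss), but the committed .patch file should be checked to carry the full expression. Separately, the switch from `Curl_saferealloc` to plain `realloc` in on_header is only safe because the failure branch now calls `free_push_headers(stream)`, which releases the old block that realloc leaves alive; a one-line comment there, `/* realloc failure keeps the old block; free_push_headers() releases it */`, would make that dependency explicit.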
@@ -0,0 +1,108 @@ +From 875373fb67097281d4a4ff461e531b9bef947818 Mon Sep 17 00:00:00 2001 +From: Vince Perri <5596945+vinceaperri@users.noreply.github.com> +Date: Thu, 21 Nov 2024 14:11:36 +0000 +Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame + +Original patch: https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0 +--- + Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h | 7 ++++++- + Utilities/cmnghttp2/lib/nghttp2_helper.c | 2 ++ + Utilities/cmnghttp2/lib/nghttp2_session.c | 8 ++++++++ + Utilities/cmnghttp2/lib/nghttp2_session.h | 10 ++++++++++ + 4 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h b/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h +index e4e1d4fc..a140199a 100644 +--- a/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h ++++ b/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h +@@ -428,7 +428,12 @@ typedef enum { + * exhaustion on server side to send these frames forever and does + * not read network. + */ +- NGHTTP2_ERR_FLOODED = -904 ++ NGHTTP2_ERR_FLOODED = -904, ++ /** ++ * When a local endpoint receives too many CONTINUATION frames ++ * following a HEADER frame. 
++ */ ++ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905, + } nghttp2_error; + + /** +diff --git a/Utilities/cmnghttp2/lib/nghttp2_helper.c b/Utilities/cmnghttp2/lib/nghttp2_helper.c +index 91136a61..f150ab54 100644 +--- a/Utilities/cmnghttp2/lib/nghttp2_helper.c ++++ b/Utilities/cmnghttp2/lib/nghttp2_helper.c +@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_code) { + case NGHTTP2_ERR_FLOODED: + return "Flooding was detected in this HTTP/2 session, and it must be " + "closed"; ++ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS: ++ return "Too many CONTINUATION frames following a HEADER frame"; + default: + return "Unknown error code"; + } +diff --git a/Utilities/cmnghttp2/lib/nghttp2_session.c b/Utilities/cmnghttp2/lib/nghttp2_session.c +index a3c0b708..f02e3f95 100644 +--- a/Utilities/cmnghttp2/lib/nghttp2_session.c ++++ b/Utilities/cmnghttp2/lib/nghttp2_session.c +@@ -463,6 +463,7 @@ static int session_new(nghttp2_session **session_ptr, + + (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; + (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; ++ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS; + + if (option) { + if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && +@@ -6297,6 +6298,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + } + } + session_inbound_frame_reset(session); ++ ++ session->num_continuations = 0; + } + break; + } +@@ -6418,6 +6421,11 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + } + #endif /* DEBUGBUILD */ + ++ ++ if (++session->num_continuations > session->max_continuations) { ++ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS; ++ } ++ + readlen = inbound_frame_buf_read(iframe, in, last); + in += readlen; + +diff --git a/Utilities/cmnghttp2/lib/nghttp2_session.h b/Utilities/cmnghttp2/lib/nghttp2_session.h +index b75294c3..f53acac7 100644 +--- a/Utilities/cmnghttp2/lib/nghttp2_session.h ++++ 
b/Utilities/cmnghttp2/lib/nghttp2_session.h +@@ -107,6 +107,10 @@ typedef struct { + #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000 + #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33 + ++/* The default max number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8 ++ + /* Internal state when receiving incoming frame */ + typedef enum { + /* Receiving frame header */ +@@ -277,6 +281,12 @@ struct nghttp2_session { + /* The maximum length of header block to send. Calculated by the + same way as nghttp2_hd_deflate_bound() does. */ + size_t max_send_header_block_length; ++ /* The maximum number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++ size_t max_continuations; ++ /* The number of CONTINUATION frames following an incoming HEADER ++ frame. This variable is reset when END_HEADERS flag is seen. */ ++ size_t num_continuations; + /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ + uint32_t next_stream_id; + /* The last stream ID this session initiated. For client session, +-- +2.34.1 + diff --git a/SPECS/cmake/CVE-2024-7264.patch b/SPECS/cmake/CVE-2024-7264.patch new file mode 100644 index 00000000000..b98a81571f9 --- /dev/null +++ b/SPECS/cmake/CVE-2024-7264.patch 
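Review bot: The CONTINUATION limit is fixed by `NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8` and `max_continuations` is assigned only in session_new; no setter is present in this backport (whether upstream ships one is not visible here), so consumers of cmake's bundled nghttp2 cannot adjust it. That is acceptable for a vendored copy driving cmake's own client, but the patch description should state it, e.g. a line after the `Original patch:` URL: `Backport note: the limit is the fixed default; no option setter is carried.` The `num_continuations` reset is placed on the END_HEADERS path inside nghttp2_session_mem_recv, whose surrounding state machine is outside the hunk.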
@@ -0,0 +1,121 @@
+From e5daecf74dd60974e7ae91e432032e6cfdaaf15e Mon Sep 17 00:00:00 2001
+From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
+Date: Thu, 21 Nov 2024 14:52:49 +0000
+Subject: [PATCH 1/2] x509asn1: clean up GTime2str
+
+Original patch: https://github.com/curl/curl/commit/3c914bc680155b321
+---
+ Utilities/cmcurl/lib/x509asn1.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/x509asn1.c b/Utilities/cmcurl/lib/x509asn1.c
+index 281c9724..b1160102 100644
+--- a/Utilities/cmcurl/lib/x509asn1.c
++++ b/Utilities/cmcurl/lib/x509asn1.c
+@@ -469,7 +469,7 @@ static const char *GTime2str(const char *beg, const char *end)
+ /* Convert an ASN.1 Generalized time to a printable string.
+ Return the dynamically allocated string, or NULL if an error occurs. */
+
+- for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++)
++ for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++)
+ ;
+
+ /* Get seconds digits. */
+@@ -488,17 +488,22 @@ static const char *GTime2str(const char *beg, const char *end)
+ return NULL;
+ }
+
+- /* Scan for timezone, measure fractional seconds. */
++ /* timezone follows optional fractional seconds. */
+ tzp = fracp;
+- fracl = 0;
++ fracl = 0; /* no fractional seconds detected so far */
+ if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+- fracp++;
+- do
++ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
++ tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
++ while(tzp < end && ISDIGIT(*tzp))
+ tzp++;
+- while(tzp < end && *tzp >= '0' && *tzp <= '9');
+- /* Strip leading zeroes in fractional seconds. */
+- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
+- ;
++ if(tzp == fracp) /* never looped, no digit after [.,] */
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ fracl = tzp - fracp - 1; /* number of fractional sec digits */
++ DEBUGASSERT(fracl > 0);
++ /* Strip trailing zeroes in fractional seconds.
++ * May reduce fracl to 0 if only '0's are present. */
++ while(fracl && fracp[fracl - 1] == '0')
++ fracl--;
+ }
+
+ /* Process timezone. */
+--
+2.34.1
+
+From 13e627cf5b98be84a8cead6e4518932dba7f2cb7 Mon Sep 17 00:00:00 2001
+From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
+Date: Thu, 21 Nov 2024 15:02:39 +0000
+Subject: [PATCH 2/2] x509asn1: fixes for gtime2str
+
+Original patch: https://github.com/curl/curl/commit/27959ecce75cdb2
+---
+ Utilities/cmcurl/lib/x509asn1.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/x509asn1.c b/Utilities/cmcurl/lib/x509asn1.c
+index b1160102..ceb03e2a 100644
+--- a/Utilities/cmcurl/lib/x509asn1.c
++++ b/Utilities/cmcurl/lib/x509asn1.c
+@@ -493,12 +493,13 @@ static const char *GTime2str(const char *beg, const char *end)
+ fracl = 0; /* no fractional seconds detected so far */
+ if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
+- tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
++ fracp++; /* should be a digit char or BAD ARGUMENT */
++ tzp = fracp;
+ while(tzp < end && ISDIGIT(*tzp))
+ tzp++;
+ if(tzp == fracp) /* never looped, no digit after [.,] */
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+- fracl = tzp - fracp - 1; /* number of fractional sec digits */
++ fracl = tzp - fracp; /* number of fractional sec digits */
+ DEBUGASSERT(fracl > 0);
+ /* Strip trailing zeroes in fractional seconds.
+ * May reduce fracl to 0 if only '0's are present. */
+@@ -507,18 +508,24 @@ static const char *GTime2str(const char *beg, const char *end)
+ }
+
+ /* Process timezone. */
+- if(tzp >= end)
+- ; /* Nothing to do.
*/
++ if(tzp >= end) {
++ tzp = "";
++ tzl = 0;
++ }
+ else if(*tzp == 'Z') {
+- tzp = " GMT";
+- end = tzp + 4;
++ sep = " ";
++ tzp = "GMT";
++ tzl = 3;
++ }
++ else if((*tzp == '+') || (*tzp == '-')) {
++ sep = " UTC";
++ tzl = end - tzp;
+ }
+ else {
+ sep = " ";
+- tzp++;
++ tzl = end - tzp;
+ }
+
+- tzl = end - tzp;
+ return curl_maprintf("%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
+ beg, beg + 4, beg + 6,
+ beg + 8, beg + 10, sec1, sec2,
+--
+2.34.1
+
diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec
index 7cbf857dc73..8a7d542b887 100644
--- a/SPECS/cmake/cmake.spec
+++ b/SPECS/cmake/cmake.spec
@@ -2,7 +2,7 @@
 Summary: Cmake
 Name: cmake
 Version: 3.21.4
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: BSD AND LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -29,6 +29,9 @@ Patch14: CVE-2023-27538.patch
 Patch15: CVE-2023-27535.patch
 Patch16: CVE-2023-23916.patch
 Patch17: CVE-2023-46218.patch
+Patch18: CVE-2024-2398.patch
+Patch19: CVE-2024-28182.patch
+Patch20: CVE-2024-7264.patch
 BuildRequires: bzip2
 BuildRequires: bzip2-devel
 BuildRequires: curl
@@ -94,6 +97,10 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_prefix}/doc/%{name}-*/*
 %changelog
+* Thu Nov 21 2024 Vince Perri - 3.21.4-14
+- Patch CVE-2024-2398 and CVE-2024-7264 (bundled curl)
+- Patch CVE-2024-28182 (bundled nghttp2)
+
 * Thu Nov 14 2024 Sharath Srikanth Chellappa - 3.21.4-13
 - Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-2023-27538, CVE-2023-23916 and CVE-2023-46218.
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index ca9f93573ff..1def4e53174 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
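Review bot: The `return CURLE_BAD_FUNCTION_ARGUMENT;` that patch 1/2 adds to GTime2str (and patch 2/2 keeps) returns a CURLcode from a function whose hunk header shows `static const char *GTime2str(...)` and whose comment says it returns NULL on error, so a GeneralizedTime with `.` or `,` followed by no digit hands the caller a small non-NULL integer as a string pointer instead of the NULL the existing `return NULL;` path signals; the backported line should be `return NULL;`. The upstream curl commits named in the patch headers target a GTime2str that returns CURLcode, which is presumably why the constant was carried over unchanged, and an int-to-pointer return is a C constraint violation that newer compilers reject outright. Separately, the rewritten timezone handling in patch 2/2 sets sep in three branches but not in the `tzp >= end` branch, while the trailing `%s%.*s` of the curl_maprintf format presumably still consumes it, so correctness depends on sep being initialized before the hunk — confirm in the surrounding code. GTime2str begins and ends outside the hunk.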
@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-13.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-13.cm2.aarch64.rpm
+cmake-3.21.4-14.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-14.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 0a55430a5a2..40369c9d7cc 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-13.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-13.cm2.x86_64.rpm
+cmake-3.21.4-14.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-14.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm