Merge pull request #5303 from microsoft/anphel/1.0-april-2023-update
Merge for Mariner 1.0 April 2023 update
anphel31 authored Apr 14, 2023
2 parents 073df86 + fd47ae3 commit e96d12e
Showing 44 changed files with 934 additions and 3,333 deletions.
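--- a/SPECS/c-ares/c-ares.signatures.json
+++ b/SPECS/c-ares/c-ares.signatures.json
@@ -1,5 +1,5 @@
 {
-"Signatures": {
-"c-ares-1.18.1.tar.gz": "1a7d52a8a84a9fbffb1be9133c0f6e17217d91ea5a6fa61f6b4729cda78ebbcf"
-}
+"Signatures": {
+"c-ares-1.19.0.tar.gz": "bfceba37e23fd531293829002cac0401ef49a6dc55923f7f92236585b7ad1dd3"
+}
 }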
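--- a/SPECS/c-ares/c-ares.spec
+++ b/SPECS/c-ares/c-ares.spec
@@ -1,6 +1,6 @@
 Summary: A library that performs asynchronous DNS operations
 Name: c-ares
-Version: 1.18.1
+Version: 1.19.0
 Release: 1%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
@@ -70,6 +70,9 @@ rm -rf %{buildroot}
 %{_mandir}/man3/ares_*
 
 %changelog
+* Tue Apr 04 2023 CBL-Mariner Servicing Account <[email protected]> - 1.19.0-1
+- Auto-upgrade to 1.19.0 - To Address CVE-2022-4904
+
 * Sun Nov 28 2021 Muhammad Falak <[email protected]> - 1.18.1-1
 - Bump version to fix CVE-2021-3672
 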
2 changes: 1 addition & 1 deletion SPECS/ca-certificates/ca-certificates.signatures.json
Expand Up @@ -11,7 +11,7 @@
"README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
"bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
"certdata.base.txt": "76c4cd1860b9a6f6ee9c2a0dcddcef46f65950b7ec12d2a7eeabeedca4e379f9",
"certdata.microsoft.txt": "7c9a314f528f5f353b478caaea8be051ad6b2ff99dca2754206afb632093fe47",
"certdata.microsoft.txt": "53fa416b306459da67127b12c17fb33d9598f0c085148578689066e84b00018e",
"certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
"pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
"trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
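--- a/SPECS/ca-certificates/ca-certificates.spec
+++ b/SPECS/ca-certificates/ca-certificates.spec
@@ -44,7 +44,7 @@ Name: ca-certificates
 
 # When updating, "Version" AND "Release" tags must be updated in the "prebuilt-ca-certificates" package as well.
 Version: 20200720
-Release: 29%{?dist}
+Release: 30%{?dist}
 License: MPLv2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -319,6 +319,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %{_bindir}/bundle2pem.sh
 
 %changelog
+* Thu Mar 30 2023 CBL-Mariner Service Account <[email protected]> - 20200720-30
+- Updating Microsoft trusted root CAs.
+
 * Mon Dec 12 2022 Pawel Winogrodzki <[email protected]> - 20200720-29
 - Adding 'Obsoletes' for the old 'ca-certificates-microsoft' packages before release 19.
 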
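Review bot: The bump to `Release: 30%{?dist}` is governed by the comment two lines above it, which requires Version and Release to be bumped in the prebuilt-ca-certificates package as well; that spec is not among the files visible in this view, so confirm it was moved to 20200720-30 in the same merge, otherwise the two trust stores diverge. The companion certdata.microsoft.txt change (219 additions, 3,204 deletions) is not rendered here, and a removal of that size is exactly the kind of trust-store change a consumer needs to be able to audit; the changelog line `- Updating Microsoft trusted root CAs.` would be more useful if it named the source and date of the Microsoft root list the new file was generated from.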
3,423 changes: 219 additions & 3,204 deletions SPECS/ca-certificates/certdata.microsoft.txt


56 changes: 56 additions & 0 deletions SPECS/cloud-hypervisor/CVE-2023-28448.patch
@@ -0,0 +1,56 @@
diff -Naur a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs
--- a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs 2021-04-25 17:00:00.000000000 -0700
+++ b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs 2023-04-05 15:33:56.893718099 -0700
@@ -367,6 +367,16 @@
let entries: Vec<<T as FamStruct>::Entry> =
Vec::deserialize(reader, version_map, app_version)
.map_err(|ref err| VersionizeError::Deserialize(format!("{:?}", err)))?;
+ if header.len() != entries.len() {
+ let msg = format!(
+ "Mismatch between length of FAM specified in FamStruct header ({}) \
+ and actual size of FAM ({})",
+ header.len(),
+ entries.len()
+ );
+
+ return Err(VersionizeError::Deserialize(msg));
+ }
// Construct the object from the array items.
// Header(T) fields will be initialized by Default trait impl.
let mut object = FamStructWrapper::from_entries(&entries)
diff -Naur a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs
--- a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs 2021-04-25 17:00:00.000000000 -0700
+++ b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs 2023-04-05 15:34:57.145737780 -0700
@@ -1321,6 +1321,32 @@
type Message2FamStructWrapper = FamStructWrapper<Message2>;

#[test]
+fn test_deserialize_famstructwrapper_invalid_len() {
+ let mut vm = VersionMap::new();
+ vm.new_version()
+ .set_type_version(Message::type_id(), 2)
+ .new_version()
+ .set_type_version(Message::type_id(), 3)
+ .new_version()
+ .set_type_version(Message::type_id(), 4);
+
+ // Create FamStructWrapper with len 2
+ let state = MessageFamStructWrapper::new(0).unwrap();
+ let mut buffer = [0; 256];
+
+ state.serialize(&mut buffer.as_mut_slice(), &vm, 2).unwrap();
+
+ // the `len` field of the header is the first serialized field.
+ // Let's corrupt it by making it bigger than the actual number of serialized elements
+ buffer[0] = 255;
+
+ assert_eq!(
+ MessageFamStructWrapper::deserialize(&mut buffer.as_slice(), &vm, 2).unwrap_err(),
+ VersionizeError::Deserialize("Mismatch between length of FAM specified in FamStruct header (255) and actual size of FAM (0)".to_string())
+ );
+}
+
+#[test]
fn test_versionize_famstructwrapper() {
let mut vm = VersionMap::new();
vm.new_version()
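Review bot: The comment `// Create FamStructWrapper with len 2` in the new test contradicts the code under it: `MessageFamStructWrapper::new(0)` builds a wrapper with zero entries, and the asserted error text itself ends in `actual size of FAM (0)`; change it to `// Create FamStructWrapper with len 0` so the scenario (header claims 255 entries, payload carries 0) reads correctly. The length check in primitives.rs is placed after `Vec::deserialize`, so it compares the header against what was actually read instead of trusting the header, which is the right order for untrusted snapshot input; the enclosing deserialize function starts and ends outside this hunk, so where `header` itself is read is not visible here. Corrupting the header with `buffer[0] = 255` only yields the value 255 because `buffer` is zero-initialised and the serialized len was 0, so the remaining bytes of the field are zero; a short comment stating that assumption next to `buffer[0] = 255;` would keep the test honest if the header encoding ever changes.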
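--- a/SPECS/cloud-hypervisor/cloud-hypervisor.spec
+++ b/SPECS/cloud-hypervisor/cloud-hypervisor.spec
@@ -1,7 +1,7 @@
 Summary: A Rust-VMM based cloud hypervisor from Intel
 Name: cloud-hypervisor
 Version: 22.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ASL 2.0 or BSD
 URL: https://github.com/cloud-hypervisor/cloud-hypervisor
 Group: Development/Tools
@@ -12,6 +12,7 @@ Source0: %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # To update the cache run:
 # [repo_root]/toolkit/scripts/build_cargo_cache.sh %%{name}-%%{version}.tar.gz
 Source1: %{name}-%{version}-cargo.tar.gz
+Patch0: CVE-2023-28448.patch
 ExclusiveArch: x86_64
 
 BuildRequires: gcc
@@ -28,6 +29,7 @@ A Rust-VMM based cloud hypervisor from Intel.
 mkdir -p $HOME
 pushd $HOME
 tar xf %{SOURCE1} --no-same-owner
+%patch0 -p1
 popd
 %setup -q
 
@@ -49,6 +51,9 @@ install -d %{buildroot}%{_libdir}/cloud-hypervisor
 %exclude %{_libdir}/debug
 
 %changelog
+* Wed Apr 05 2023 Henry Beberman <[email protected]> - 22.0-2
+- Patch CVE-2023-28448 in vendored versionize crate
+
 * Wed Mar 09 2022 Pawel Winogrodzki <[email protected]> - 22.0-1
 - Updating to version 22.0 to build with 'rust' 1.59.0.
 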
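Review bot: `%patch0 -p1` is applied inside `pushd $HOME` against the unpacked cargo cache from Source1, not against the source tree that `%setup -q` unpacks afterwards; that is unusual for a spec and deserves a comment, e.g. `# Patch0 fixes the vendored versionize crate inside the cargo cache, so it must be applied here, before %setup` above the `%patch0` line. The patch file hardcodes the `versionize-0.1.6` directory under a registry hash path, so regenerating Source1 with build_cargo_cache.sh (see the comment above Source1) against a newer versionize will make the patch fail to apply; failing loudly is the right outcome, but a note next to `Patch0:` saying the patch is to be dropped once the cache carries a versionize release that contains the upstream fix would save the next maintainer a build-and-see cycle.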
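--- /dev/null
+++ b/SPECS/kernel/CVE-2023-1079.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-1079 - patched in 5.10.173 - (generated by autopatch tool)
+upstream 4ab3a086d10eeec1424f2e8a968827a6336203df - stable 21a2eec4a440060a6eb294dc890eaf553101ba09
+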
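--- /dev/null
+++ b/SPECS/kernel/CVE-2023-1281.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-1281 - patched in 5.10.169 - (generated by autopatch tool)
+upstream ee059170b1f7e94e55fa6cadee544e176a6e59c2 - stable eb8e9d8572d1d9df17272783ad8a84843ce559d4
+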
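--- /dev/null
+++ b/SPECS/kernel/CVE-2023-1390.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-1390 - patched in 5.10.10 - (generated by autopatch tool)
+upstream b77413446408fdd256599daf00d5be72b5f3e7c6 - stable 60b8b4e6310b7dfc551ba68e8639eeaf70a0b2dd
+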
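--- /dev/null
+++ b/SPECS/kernel/CVE-2023-1513.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-1513 - patched in 5.10.169 - (generated by autopatch tool)
+upstream 2c10b61421a28e95a46ab489fd56c0f442ff6952 - stable 6416c2108ba54d569e4c98d3b62ac78cb12e7107
+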
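--- /dev/null
+++ b/SPECS/kernel/CVE-2023-28772.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-28772 - patched in 5.10.51 - (generated by autopatch tool)
+upstream d3b16034a24a112bb83aeb669ac5b9b01f744bb7 - stable f9fb4986f4d81182f938d16beb4f983fe71212aa
+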
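--- a/SPECS/mariner-release/mariner-release.spec
+++ b/SPECS/mariner-release/mariner-release.spec
@@ -1,7 +1,7 @@
 Summary: CBL-Mariner release files
 Name: mariner-release
 Version: 1.0
-Release: 59%{?dist}
+Release: 60%{?dist}
 License: MIT
 Group: System Environment/Base
 URL: https://aka.ms/cbl-mariner
@@ -67,6 +67,8 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace) /etc/issue.net
 
 %changelog
+* Thu Apr 13 2023 Andrew Phelps <[email protected]> - 1.0-60
+- Updating version for April update.
 * Wed Mar 29 2023 Jon Slobodzian <[email protected]> - 1.0-59
 - Updating version for March update2.
 * Mon Mar 06 2023 Jon Slobodzian <[email protected]> - 1.0-58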
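--- a/SPECS/moby-runc/generate-sources.sh
+++ b/SPECS/moby-runc/generate-sources.sh
@@ -5,8 +5,8 @@
 # Git clone is a standard practice of producing source files for moby-* packages.
 
 RUNC_REPO=https://github.com/opencontainers/runc.git
-RUNC_COMMIT=a916309fff0f838eb94e928713dbc3c0d0ac7aa4
-VERSION=v1.1.2
+RUNC_COMMIT=f19387a6bec4944c770f7668ab51c4348d9c2f38
+VERSION=v1.1.5
 
 mkdir -p /build/runc-src
 cd /build/runc-src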
4 changes: 2 additions & 2 deletions SPECS/moby-runc/moby-runc.signatures.json
Expand Up @@ -5,8 +5,8 @@
"golang-crypto-c07d793c2f9aacf728fe68cbd7acd73adbd04159.tar.gz": "b7e8935189ea46c67eedafe6a97aefbdc2bf71dd9097fb7ee8a2a8ebc7556e7e",
"golang-sys-b0526f3d87448f0401ea3f7f3a81aa9e6ab4804d.tar.gz": "23703a84893a1cb53d3efbb46143451431b95b78d29ef1e02132cd580bb3a445",
"logrus-v1.8.1.tar.gz": "e9492c08ac8f202b438ccfb992bf81b7860739cf8f2266958e0c574c7abfdd74",
"runc-v1.1.2.tar.gz": "1a14bb492b562a6f7a27248e65a699790a6964923de64612e9bafc06124a30a2",
"runc-v1.1.5.tar.gz": "4bbc7703f4a5273e4b3d2c0ef233c784d116e92722e05fa11aa93ccf51aed4b9",
"runtime-spec-v1.0.2.tar.gz": "0933a1ba6e418fe020993e80426107da8de3572f3f20b4cd1ef296de6e62bb61",
"urfave-cli-v2.3.0.tar.gz": "b17376246f1477157daab86d4a1562d6b004f5be0d15dfc61ebd8bb129384e6b"
}
}
}
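--- a/SPECS/moby-runc/moby-runc.spec
+++ b/SPECS/moby-runc/moby-runc.spec
@@ -1,15 +1,15 @@
 Summary: CLI tool for spawning and running containers per OCI spec.
 Name: moby-runc
-Version: 1.1.2+azure
-Release: 4%{?dist}
+Version: 1.1.5+azure
+Release: 1%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: Virtualization/Libraries
 URL: https://runc.io/
 # See generate-sources.sh for creating runc source tarball
-#Source0: https://github.com/opencontainers/runc/archive/refs/tags/v1.1.2.tar.gz
-Source0: runc-v1.1.2.tar.gz
+#Source0: https://github.com/opencontainers/runc/archive/refs/tags/v1.1.5.tar.gz
+Source0: runc-v1.1.5.tar.gz
 #Source1: https://github.com/sirupsen/logrus/archive/v1.8.1.tar.gz
 Source1: logrus-v1.8.1.tar.gz
 #Source2: https://github.com/opencontainers/runtime-spec/archive/v1.0.2.tar.gz
@@ -108,6 +108,9 @@ cp %{SOURCE7} %{buildroot}%{_docdir}/%{name}-%{version}/LICENSE
 %{_mandir}/*/*
 
 %changelog
+* Thu Apr 13 2023 Rohit Rawat <[email protected]> - 1.1.5+azure-1
+- Bump release to fix CVE-2023-28642, CVE-2023-27561, CVE-2023-25809
+
 * Tue Dec 13 2022 Suresh Babu Chalamalasetty <[email protected]> - 1.1.2+azure-4
 - Bump release to rebuild with go 1.18.8-2
 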
