diff --git a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec
index 361e932e2e8..2f49dad31d2 100644
--- a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec
+++ b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec
@@ -9,7 +9,7 @@ %define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for Azure
 Name: kernel-azure-signed-%{buildarch}
-Version: 5.15.158.2
+Version: 5.15.160.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Sat Jun 08 2024 CBL-Mariner Servicing Account - 5.15.160.1-1
+- Auto-upgrade to 5.15.160.1
+
 * Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1
 - Revert to 5.15.158.2
 
diff --git a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec
index 0019e0b0414..890a8afa7c8 100644
--- a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec
+++ b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec
@@ -4,7 +4,7 @@ %define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for HCI
 Name: kernel-hci-signed-%{buildarch}
-Version: 5.15.158.2
+Version: 5.15.160.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Sat Jun 08 2024 CBL-Mariner Servicing Account - 5.15.160.1-1
+- Auto-upgrade to 5.15.160.1
+
 * Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1
 - Revert to 5.15.158.2
 
diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
index a653691a317..979dc0316da 100644
--- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -9,7 +9,7 @@ %define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for %{buildarch} systems
 Name: kernel-signed-%{buildarch}
-Version: 5.15.158.2
+Version: 5.15.160.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Sat Jun 08 2024 CBL-Mariner Servicing Account - 5.15.160.1-1
+- Auto-upgrade to 5.15.160.1
+
 * Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1
 - Revert to 5.15.158.2
 
diff --git a/SPECS/R/CVE-2024-27322.patch b/SPECS/R/CVE-2024-27322.patch
new file mode 100644
index 00000000000..a3426977e09
--- /dev/null
+++ b/SPECS/R/CVE-2024-27322.patch
@@ -0,0 +1,49 @@
+From f7c46500f455eb4edfc3656c3fa20af61b16abb7 Mon Sep 17 00:00:00 2001
+From: luke
+Date: Sun, 31 Mar 2024 19:35:58 +0000
+Subject: [PATCH] readRDS() and unserialize() now signal an errorr instead of
+ returning a PROMSXP.
+
+git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+---
+ src/main/serialize.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f713116..a190fbf8f3c 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++ if (TYPEOF(val) == PROMSXP)
++ error(_("cannot return a promise (PROMSXP) object"));
++ return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+ It became public in R 2.13.0, and that version added support for
+ connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ con->close(con);
+ UNPROTECT(1);
+ }
+- return ans;
++ return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+ checkArity(op, args);
+- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++ return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+ SEXP object, icon, type, ver, fun;
+ object = CAR(args); args = CDR(args);
+ icon = CAR(args); args = CDR(args);
diff --git a/SPECS/R/R.spec b/SPECS/R/R.spec
index 89b468962a9..595dae024f2 100644
--- a/SPECS/R/R.spec
+++ b/SPECS/R/R.spec
@@ -2,7 +2,7 @@
 Summary: A language for data analysis and graphics
 Name: R
 Version: 4.1.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Mariner
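Review bot: The rewritten branch in `do_serialize` keeps the old call as a trailing comment on the condition line, `if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));`, so the `return checkNotPromise(...)` on the following line is the if-body only because of that `//`, and a reader skimming the patch can easily take it for an unconditional return. Since this file is a verbatim import of upstream r86235 (including the "errorr" typo in the Subject) keeping it byte-identical is defensible for traceability, but if it is ever re-rolled the dead text should go: `if (PRIMVAL(op) == 2)` / `return checkNotPromise(R_unserialize(CAR(args), CADR(args)));`. Note also that `checkNotPromise` runs only after the whole stream has been deserialized, and in `do_unserializeFromConn` after `UNPROTECT(1)`; that is correct only because `error()` does not return, which deserves a one-line comment on the helper such as `/* error() does not return; the PROMSXP is never handed back to the caller */`. Both modified R functions start outside the quoted hunks.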
@@ -13,6 +13,7 @@ Source0: https://cran.r-project.org/src/base/R-4/R-%{version}.tar.gz
 # in 2018. Given curl 8.0.0 is not an actual breaking change, this patch should be fine.
 # We should drop this when R eventually gets official support for build with curl >= 8.0.0
 Patch0: 0001-configure-fix-compilation-with-curl-8.0.0.patch
+Patch1: CVE-2024-27322.patch
 BuildRequires: build-essential
 BuildRequires: bzip2-devel
 BuildRequires: curl-devel
@@ -121,6 +122,9 @@ TZ="Europe/Paris" make check -k -i
 %endif
 
 %changelog
+* Wed Jun 19 2024 Saul Paredes - 4.1.0-5
+- Patch CVE-2024-27322
+
 * Wed Sep 20 2023 Jon Slobodzian - 4.1.0-4
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 
diff --git a/SPECS/conntrack-tools/conntrack-tools.signatures.json b/SPECS/conntrack-tools/conntrack-tools.signatures.json
index b6e539f861f..b38e5097028 100644
--- a/SPECS/conntrack-tools/conntrack-tools.signatures.json
+++ b/SPECS/conntrack-tools/conntrack-tools.signatures.json
@@ -1,6 +1,6 @@
 {
 "Signatures": {
- "conntrack-tools-1.4.5.tar.bz2": "36c6d99c7684851d4d72e75bd07ff3f0ff1baaf4b6f069eb7244990cd1a9a462",
+ "conntrack-tools-1.4.8.tar.xz": "067677f4c5f6564819e78ed3a9d4a8980935ea9273f3abb22a420ea30ab5ded6",
 "conntrackd.conf": "dc7fa36293263d0674508cba4499c90d20df15eabea7a7d901f2050094ede38b",
 "conntrackd.service": "c18f00e7b76df6dce5b7b46e1bb35e6c34f5d1fe329892c1f0327c2712282778"
 }
diff --git a/SPECS/conntrack-tools/conntrack-tools.spec b/SPECS/conntrack-tools/conntrack-tools.spec
index ded0b947553..72710425c71 100644
--- a/SPECS/conntrack-tools/conntrack-tools.spec
+++ b/SPECS/conntrack-tools/conntrack-tools.spec
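Review bot: `Patch1: CVE-2024-27322.patch` is declared in the first hunk, but nothing in the visible change applies it; unless %prep (outside this diff) already uses `%autosetup -p1` or equivalent, a matching `%patch1 -p1` line is required, otherwise 4.1.0-5 builds and ships without the fix while the changelog claims it. The embedded patch was cut from R trunk (r86235) against `src/main/serialize.c` at trunk line offsets, so it is also worth confirming in the build log that all three hunks apply to 4.1.0's serialize.c without fuzz rather than relying on the Release bump alone.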
@@ -1,19 +1,19 @@
 Summary: Manipulate netfilter connection tracking table and run High Availability
 Name: conntrack-tools
-Version: 1.4.5
-Release: 8%{?dist}
+Version: 1.4.8
+Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Mariner
 URL: https://conntrack-tools.netfilter.org/
-Source0: https://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2
+Source0: https://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.xz
 Source1: conntrackd.service
 Source2: conntrackd.conf
 BuildRequires: bison
 BuildRequires: flex
 BuildRequires: gcc
 BuildRequires: libmnl-devel >= 1.0.3
-BuildRequires: libnetfilter_conntrack-devel >= 1.0.7
+BuildRequires: libnetfilter_conntrack-devel >= 1.0.9
 BuildRequires: libnetfilter_cthelper-devel >= 1.0.0
 BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0
 BuildRequires: libnetfilter_queue-devel >= 1.0.2
@@ -96,6 +96,11 @@ echo "disable conntrackd.service" > %{buildroot}%{_libdir}/systemd/system-preset
 %systemd_postun conntrackd.service
 
 %changelog
+* Wed Jun 12 2024 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 1.4.8-1
+- Update to version 1.4.8
+- Updating source from tar.bz2 to tar.xz
+- Build requires libnetfilter_conntrack >= 1.0.9
+
 * Wed Sep 20 2023 Jon Slobodzian - 1.4.5-8
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 
diff --git a/SPECS/cri-o/CVE-2024-3727.patch b/SPECS/cri-o/CVE-2024-3727.patch
new file mode 100644
index 00000000000..01ecc0cff64
--- /dev/null
+++ b/SPECS/cri-o/CVE-2024-3727.patch
@@ -0,0 +1,638 @@
+From: Francisco Huelsz Prince
+Date: Tue, 19 Jun 2024 01:15:36 +0000
+Subject: [PATCH] apply CVE-2024-3727 fix to v5.15.2
+
+This is a backport of https://github.com/containers/image/pull/2403 to v5.15.2.
+
+diff --git a/vendor/github.com/containers/image/v5/directory/directory_dest.go b/vendor/github.com/containers/image/v5/directory/directory_dest.go
+index e3280aa2..3c443b54 100644
+--- a/vendor/github.com/containers/image/v5/directory/directory_dest.go
++++ b/vendor/github.com/containers/image/v5/directory/directory_dest.go
+@@ -189,7 +189,10 @@ func (d *dirImageDestination) PutBlob(ctx context.Context, stream io.Reader, inp
+ }
+ }
+
+- blobPath := d.ref.layerPath(computedDigest)
++ blobPath, err := d.ref.layerPath(computedDigest)
++ if err != nil {
++ return types.BlobInfo{}, err
++ }
+ // need to explicitly close the file, since a rename won't otherwise not work on Windows
+ blobFile.Close()
+ explicitClosed = true
+@@ -213,7 +216,10 @@ func (d *dirImageDestination) TryReusingBlob(ctx context.Context, info types.Blo
+ if info.Digest == "" {
+ return false, types.BlobInfo{}, errors.Errorf(`"Can not check for a blob with unknown digest`)
+ }
+- blobPath := d.ref.layerPath(info.Digest)
++ blobPath, err := d.ref.layerPath(info.Digest)
++ if err != nil {
++ return false, types.BlobInfo{}, err
++ }
+ finfo, err := os.Stat(blobPath)
+ if err != nil && os.IsNotExist(err) {
+ return false, types.BlobInfo{}, nil
+@@ -233,7 +239,11 @@ func (d *dirImageDestination) TryReusingBlob(ctx context.Context, info types.Blo
+ // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
+ // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
+ func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte, instanceDigest *digest.Digest) error {
+- return ioutil.WriteFile(d.ref.manifestPath(instanceDigest), manifest, 0644)
++ path, err := d.ref.manifestPath(instanceDigest)
++ if err != nil {
++ return err
++ }
++ return ioutil.WriteFile(path, manifest, 0644)
+ }
+
+ // PutSignatures writes a set of signatures to the destination.
+@@ -241,7 +251,11 @@ func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte,
+ // (when the primary manifest is a manifest list); this should always be nil if the primary manifest is not a manifest list.
+ func (d *dirImageDestination) PutSignatures(ctx context.Context, signatures [][]byte, instanceDigest *digest.Digest) error {
+ for i, sig := range signatures {
+- if err := ioutil.WriteFile(d.ref.signaturePath(i, instanceDigest), sig, 0644); err != nil {
++ path, err := d.ref.signaturePath(i, instanceDigest)
++ if err != nil {
++ return err
++ }
++ if err := ioutil.WriteFile(path, sig, 0644); err != nil {
+ return err
+ }
+ }
+diff --git a/vendor/github.com/containers/image/v5/directory/directory_src.go b/vendor/github.com/containers/image/v5/directory/directory_src.go
+index ad9129d4..420cee2f 100644
+--- a/vendor/github.com/containers/image/v5/directory/directory_src.go
++++ b/vendor/github.com/containers/image/v5/directory/directory_src.go
+@@ -37,7 +37,11 @@ func (s *dirImageSource) Close() error {
+ // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
+ // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+ func (s *dirImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
+- m, err := ioutil.ReadFile(s.ref.manifestPath(instanceDigest))
++ path, err := s.ref.manifestPath(instanceDigest)
++ if err != nil {
++ return nil, "", err
++ }
++ m, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, "", err
+ }
+@@ -53,7 +57,11 @@ func (s *dirImageSource) HasThreadSafeGetBlob() bool {
+ // The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided.
+ // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location.
+ func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) {
+- r, err := os.Open(s.ref.layerPath(info.Digest))
++ path, err := s.ref.layerPath(info.Digest)
++ if err != nil {
++ return nil, -1, err
++ }
++ r, err := os.Open(path)
+ if err != nil {
+ return nil, -1, err
+ }
+@@ -71,7 +79,11 @@ func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache
+ func (s *dirImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
+ signatures := [][]byte{}
+ for i := 0; ; i++ {
+- signature, err := ioutil.ReadFile(s.ref.signaturePath(i, instanceDigest))
++ path, err := s.ref.signaturePath(i, instanceDigest)
++ if err != nil {
++ return nil, err
++ }
++ signature, err := ioutil.ReadFile(path)
+ if err != nil {
+ if os.IsNotExist(err) {
+ break
+diff --git a/vendor/github.com/containers/image/v5/directory/directory_transport.go b/vendor/github.com/containers/image/v5/directory/directory_transport.go
+index e542d888..ea280707 100644
+--- a/vendor/github.com/containers/image/v5/directory/directory_transport.go
++++ b/vendor/github.com/containers/image/v5/directory/directory_transport.go
+@@ -162,25 +162,34 @@ func (ref dirReference) DeleteImage(ctx context.Context, sys *types.SystemContex
+ }
+
+ // manifestPath returns a path for the manifest within a directory using our conventions.
+-func (ref dirReference) manifestPath(instanceDigest *digest.Digest) string {
++func (ref dirReference) manifestPath(instanceDigest *digest.Digest) (string, error) {
+ if instanceDigest != nil {
+- return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json")
++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly.
++ return "", err
++ }
++ return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json"), nil
+ }
+- return filepath.Join(ref.path, "manifest.json")
++ return filepath.Join(ref.path, "manifest.json"), nil
+ }
+
+ // layerPath returns a path for a layer tarball within a directory using our conventions.
+-func (ref dirReference) layerPath(digest digest.Digest) string {
++func (ref dirReference) layerPath(digest digest.Digest) (string, error) {
++ if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly.
++ return "", err
++ }
+ // FIXME: Should we keep the digest identification?
+- return filepath.Join(ref.path, digest.Encoded())
++ return filepath.Join(ref.path, digest.Encoded()), nil
+ }
+
+ // signaturePath returns a path for a signature within a directory using our conventions.
+-func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest) string {
++func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest) (string, error) {
+ if instanceDigest != nil {
+- return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1))
++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly.
++ return "", err
++ }
++ return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1)), nil
+ }
+- return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1))
++ return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1)), nil
+ }
+
+ // versionPath returns a path for the version file within a directory using our conventions.
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
+index 3fe9a11d..ea15c9f7 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_client.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
+@@ -796,6 +796,9 @@ func (c *dockerClient) detectProperties(ctx context.Context) error {
+ // getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension,
+ // using the original data structures.
+ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) {
++ if err := manifestDigest.Validate(); err != nil { // Make sure manifestDigest.String() does not contain any unexpected characters
++ return nil, err
++ }
+ path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest)
+ res, err := c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil)
+ if err != nil {
+@@ -818,3 +821,19 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe
+ }
+ return &parsedBody, nil
+ }
++
++// sigstoreAttachmentTag returns a sigstore attachment tag for the specified digest.
++func sigstoreAttachmentTag(d digest.Digest) (string, error) {
++ if err := d.Validate(); err != nil { // Make sure d.String() doesn’t contain any unexpected characters
++ return "", err
++ }
++ return strings.Replace(d.String(), ":", "-", 1) + ".sig", nil
++}
++
++// Close removes resources associated with an initialized dockerClient, if any.
++func (c *dockerClient) Close() error {
++ if c.client != nil {
++ c.client.CloseIdleConnections()
++ }
++ return nil
++}
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
+index c84bb37d..284b39f5 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
+@@ -83,7 +83,12 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
+ if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil {
+ return nil, err
+ }
+- tags = append(tags, tagsHolder.Tags...)
++ for _, tag := range tagsHolder.Tags {
++ if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
++ return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
++ }
++ tags = append(tags, tag)
++ }
+
+ link := res.Header.Get("Link")
+ if link == "" {
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+index 360a7122..77ef1490 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+@@ -213,6 +213,9 @@ func (d *dockerImageDestination) PutBlob(ctx context.Context, stream io.Reader,
+ // If the destination does not contain the blob, or it is unknown, blobExists ordinarily returns (false, -1, nil);
+ // it returns a non-nil error only on an unexpected failure.
+ func (d *dockerImageDestination) blobExists(ctx context.Context, repo reference.Named, digest digest.Digest, extraScope *authScope) (bool, int64, error) {
++ if err := digest.Validate(); err != nil { // Make sure digest.String() does not contain any unexpected characters
++ return false, -1, err
++ }
+ checkPath := fmt.Sprintf(blobsPath, reference.Path(repo), digest.String())
+ logrus.Debugf("Checking %s", checkPath)
+ res, err := d.c.makeRequest(ctx, http.MethodHead, checkPath, nil, nil, v2Auth, extraScope)
+@@ -390,6 +393,7 @@ func (d *dockerImageDestination) PutManifest(ctx context.Context, m []byte, inst
+ // particular instance.
+ refTail = instanceDigest.String()
+ // Double-check that the manifest we've been given matches the digest we've been given.
++ // This also validates the format of instanceDigest.
+ matches, err := manifest.MatchesDigest(m, *instanceDigest)
+ if err != nil {
+ return errors.Wrapf(err, "digesting manifest in PutManifest")
+@@ -518,11 +522,17 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte, m
+
+ // NOTE: Keep this in sync with docs/signature-protocols.md!
+ for i, signature := range signatures {
+- url := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
+- err := d.putOneSignature(url, signature)
++ url, err := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
++ if err != nil {
++ return err
++ }
++ err = d.putOneSignature(url, signature)
+ if err != nil {
+ return err
+ }
++ if err := d.putOneSignature(url, signature); err != nil {
++ return err
++ }
+ }
+ // Remove any other signatures, if present.
+ // We stop at the first missing signature; if a previous deleting loop aborted
+@@ -530,7 +540,10 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte, m
+ // is enough for dockerImageSource to stop looking for other signatures, so that
+ // is sufficient.
+ for i := len(signatures); ; i++ {
+- url := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
++ url, err := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
++ if err != nil {
++ return err
++ }
+ missing, err := d.c.deleteOneSignature(url)
+ if err != nil {
+ return err
+@@ -639,6 +652,7 @@ sigExists:
+ return err
+ }
+
++ // manifestDigest is known to be valid because it was not rejected by getExtensionsSignatures above.
+ path := fmt.Sprintf(extensionsSignaturePath, reference.Path(d.ref.ref), manifestDigest.String())
+ res, err := d.c.makeRequest(ctx, http.MethodPut, path, nil, bytes.NewReader(body), v2Auth, nil)
+ if err != nil {
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+index 5dc8e7b1..cf353b43 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+@@ -178,6 +178,9 @@ func simplifyContentType(contentType string) string {
+ // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+ func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
+ if instanceDigest != nil {
++ if err := instanceDigest.Validate(); err != nil { // Make sure instanceDigest.String() does not contain any unexpected characters
++ return nil, "", err
++ }
+ return s.fetchManifest(ctx, instanceDigest.String())
+ }
+ err := s.ensureManifestIsLoaded(ctx)
+@@ -187,6 +190,8 @@ func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *dig
+ return s.cachedManifest, s.cachedManifestMIMEType, nil
+ }
+
++// fetchManifest fetches a manifest for tagOrDigest.
++// The caller is responsible for ensuring tagOrDigest uses the expected format.
+ func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest string) ([]byte, string, error) {
+ path := fmt.Sprintf(manifestPath, reference.Path(s.physicalRef.ref), tagOrDigest)
+ headers := map[string][]string{
+@@ -293,6 +298,9 @@ func (s *dockerImageSource) GetBlobAt(ctx context.Context, info types.BlobInfo,
+ return nil, nil, fmt.Errorf("external URLs not supported with GetBlobAt")
+ }
+
++ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters
++ return nil, nil, err
++ }
+ path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String())
+ logrus.Debugf("Downloading %s", path)
+ res, err := s.c.makeRequest(ctx, http.MethodGet, path, headers, nil, v2Auth, nil)
+@@ -423,7 +431,10 @@ func (s *dockerImageSource) getSignaturesFromLookaside(ctx context.Context, inst
+ // NOTE: Keep this in sync with docs/signature-protocols.md!
+ signatures := [][]byte{}
+ for i := 0; ; i++ {
+- url := signatureStorageURL(s.c.signatureBase, manifestDigest, i)
++ url, err := signatureStorageURL(s.c.signatureBase, manifestDigest, i)
++ if err != nil {
++ return nil, err
++ }
+ signature, missing, err := s.getOneSignature(ctx, url)
+ if err != nil {
+ return nil, err
+@@ -564,7 +575,10 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
+ }
+
+ for i := 0; ; i++ {
+- url := signatureStorageURL(c.signatureBase, manifestDigest, i)
++ url, err := signatureStorageURL(c.signatureBase, manifestDigest, i)
++ if err != nil {
++ return err
++ }
+ missing, err := c.deleteOneSignature(url)
+ if err != nil {
+ return err
+diff --git a/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go
+index a558657b..2bb63a36 100644
+--- a/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go
++++ b/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go
+@@ -143,11 +143,19 @@ func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo t
+ return types.BlobInfo{}, errors.Wrap(err, "reading Config file stream")
+ }
+ d.config = buf
+- if err := d.archive.sendFileLocked(d.archive.configPath(inputInfo.Digest), inputInfo.Size, bytes.NewReader(buf)); err != nil {
++ configPath, err := d.archive.configPath(inputInfo.Digest)
++ if err != nil {
++ return types.BlobInfo{}, err
++ }
++ if err := d.archive.sendFileLocked(configPath, inputInfo.Size, bytes.NewReader(buf)); err != nil {
+ return types.BlobInfo{}, errors.Wrap(err, "writing Config file")
+ }
+ } else {
+- if err := d.archive.sendFileLocked(d.archive.physicalLayerPath(inputInfo.Digest), inputInfo.Size, stream); err != nil {
++ layerPath, err := d.archive.physicalLayerPath(inputInfo.Digest)
++ if err != nil {
++ return types.BlobInfo{}, err
++ }
++ if err := d.archive.sendFileLocked(layerPath, inputInfo.Size, stream); err != nil {
+ return types.BlobInfo{}, err
+ }
+ }
+diff --git a/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go b/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go
+index 255f0d35..742f977c 100644
+--- a/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go
++++ b/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go
+@@ -92,7 +92,10 @@ func (w *Writer) ensureSingleLegacyLayerLocked(layerID string, layerDigest diges
+ if _, ok := w.legacyLayers[layerID]; !ok {
+ // Create a symlink for the legacy format, where there is one subdirectory per layer ("image").
+ // See also the comment in physicalLayerPath.
+- physicalLayerPath := w.physicalLayerPath(layerDigest)
++ physicalLayerPath, err := w.physicalLayerPath(layerDigest)
++ if err != nil {
++ return err
++ }
+ if err := w.sendSymlinkLocked(filepath.Join(layerID, legacyLayerFileName), filepath.Join("..", physicalLayerPath)); err != nil {
+ return errors.Wrap(err, "creating layer symbolic link")
+ }
+@@ -136,6 +139,9 @@ func (w *Writer) writeLegacyMetadataLocked(layerDescriptors []manifest.Schema2De
+ }
+
+ // This chainID value matches the computation in docker/docker/layer.CreateChainID …
++ if err := l.Digest.Validate(); err != nil { // This should never fail on this code path, still: make sure the chainID computation is unambiguous.
++ return err
++ }
+ if chainID == "" {
+ chainID = l.Digest
+ } else {
+@@ -206,12 +212,20 @@ func checkManifestItemsMatch(a, b *ManifestItem) error {
+ func (w *Writer) ensureManifestItemLocked(layerDescriptors []manifest.Schema2Descriptor, configDigest digest.Digest, repoTags []reference.NamedTagged) error {
+ layerPaths := []string{}
+ for _, l := range layerDescriptors {
+- layerPaths = append(layerPaths, w.physicalLayerPath(l.Digest))
++ p, err := w.physicalLayerPath(l.Digest)
++ if err != nil {
++ return err
++ }
++ layerPaths = append(layerPaths, p)
+ }
+
+ var item *ManifestItem
++ configPath, err := w.configPath(configDigest)
++ if err != nil {
++ return err
++ }
+ newItem := ManifestItem{
+- Config: w.configPath(configDigest),
++ Config: configPath,
+ RepoTags: []string{},
+ Layers: layerPaths,
+ Parent: "", // We don’t have this information
+@@ -296,21 +310,27 @@ func (w *Writer) Close() error {
+ // configPath returns a path we choose for storing a config with the specified digest.
+ // NOTE: This is an internal implementation detail, not a format property, and can change
+ // any time.
+-func (w *Writer) configPath(configDigest digest.Digest) string {
+- return configDigest.Hex() + ".json"
++func (w *Writer) configPath(configDigest digest.Digest) (string, error) {
++ if err := configDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in unexpected paths, so validate explicitly.
++ return "", err
++ }
++ return configDigest.Hex() + ".json", nil
+ }
+
+ // physicalLayerPath returns a path we choose for storing a layer with the specified digest
+ // (the actual path, i.e. a regular file, not a symlink that may be used in the legacy format).
+ // NOTE: This is an internal implementation detail, not a format property, and can change
+ // any time.
+-func (w *Writer) physicalLayerPath(layerDigest digest.Digest) string {
++func (w *Writer) physicalLayerPath(layerDigest digest.Digest) (string, error) {
++ if err := layerDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in unexpected paths, so validate explicitly.
++ return "", err
++ }
+ // Note that this can't be e.g. filepath.Join(l.Digest.Hex(), legacyLayerFileName); due to the way
+ // writeLegacyMetadata constructs layer IDs differently from inputinfo.Digest values (as described
+ // inside it), most of the layers would end up in subdirectories alone without any metadata; (docker load)
+ // tries to load every subdirectory as an image and fails if the config is missing. So, keep the layers
+ // in the root of the tarball.
+- return layerDigest.Hex() + ".tar"
++ return layerDigest.Hex() + ".tar", nil
+ }
+
+ type tarFI struct {
+diff --git a/vendor/github.com/containers/image/v5/docker/lookaside.go b/vendor/github.com/containers/image/v5/docker/lookaside.go
+index 515e5932..2e400c09 100644
+--- a/vendor/github.com/containers/image/v5/docker/lookaside.go
++++ b/vendor/github.com/containers/image/v5/docker/lookaside.go
+@@ -229,8 +229,11 @@ func (ns registryNamespace) signatureTopLevel(write bool) string {
+ // signatureStorageURL returns an URL usable for accessing signature index in base with known manifestDigest.
+ // base is not nil from the caller
+ // NOTE: Keep this in sync with docs/signature-protocols.md!
+-func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) *url.URL {
++func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) (*url.URL, error) {
++ if err := manifestDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in a path with ../, so validate explicitly.
++ return nil, err
++ }
+ url := *base
+ url.Path = fmt.Sprintf("%s@%s=%s/signature-%d", url.Path, manifestDigest.Algorithm(), manifestDigest.Hex(), index+1)
+- return &url
++ return &url, nil
+ }
+diff --git a/vendor/github.com/containers/image/v5/ostree/ostree_dest.go b/vendor/github.com/containers/image/v5/ostree/ostree_dest.go
+index c91a49c5..54ea740e 100644
+--- a/vendor/github.com/containers/image/v5/ostree/ostree_dest.go
++++ b/vendor/github.com/containers/image/v5/ostree/ostree_dest.go
+@@ -352,6 +352,10 @@ func (d *ostreeImageDestination) TryReusingBlob(ctx context.Context, info types.
+ }
+ d.repo = repo
+ }
++
++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, so validate explicitly.
++ return false, private.ReusedBlob{}, err
++ }
+ branch := fmt.Sprintf("ociimage/%s", info.Digest.Hex())
+
+ found, data, err := readMetadata(d.repo, branch, "docker.uncompressed_digest")
+@@ -472,12 +476,18 @@ func (d *ostreeImageDestination) Commit(context.Context, types.UnparsedImage) er
+ return nil
+ }
+ for _, layer := range d.schema.LayersDescriptors {
++ if err := layer.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly.
++ return err
++ }
+ hash := layer.Digest.Hex()
+ if err = checkLayer(hash); err != nil {
+ return err
+ }
+ }
+ for _, layer := range d.schema.FSLayers {
++ if err := layer.BlobSum.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly.
++ return err
++ }
+ hash := layer.BlobSum.Hex()
+ if err = checkLayer(hash); err != nil {
+ return err
+diff --git a/vendor/github.com/containers/image/v5/ostree/ostree_src.go b/vendor/github.com/containers/image/v5/ostree/ostree_src.go
+index 4948ec66..9c4b5396 100644
+--- a/vendor/github.com/containers/image/v5/ostree/ostree_src.go
++++ b/vendor/github.com/containers/image/v5/ostree/ostree_src.go
+@@ -272,7 +272,9 @@ func (s *ostreeImageSource) HasThreadSafeGetBlob() bool {
+ // The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided.
+ // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location.
+ func (s *ostreeImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) {
+-
++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly.
++ return nil, -1, err
++ }
+ blob := info.Digest.Hex()
+
+ // Ensure s.compressed is initialized. It is build by LayerInfosForCopy.
+diff --git a/vendor/github.com/containers/image/v5/storage/storage_image.go b/vendor/github.com/containers/image/v5/storage/storage_image.go +index 6b0fea61..8164e3a2 100644 +--- a/vendor/github.com/containers/image/v5/storage/storage_image.go ++++ b/vendor/github.com/containers/image/v5/storage/storage_image.go +@@ -1,3 +1,4 @@ ++//go:build !containers_image_storage_stub + // +build !containers_image_storage_stub + + package storage +@@ -23,7 +24,7 @@ import ( + "github.com/containers/image/v5/pkg/blobinfocache/none" + "github.com/containers/image/v5/types" + "github.com/containers/storage" +- "github.com/containers/storage/drivers" ++ graphdriver "github.com/containers/storage/drivers" + "github.com/containers/storage/pkg/archive" + "github.com/containers/storage/pkg/chunked" + "github.com/containers/storage/pkg/ioutils" +@@ -96,14 +97,20 @@ type storageImageCloser struct { + // manifestBigDataKey returns a key suitable for recording a manifest with the specified digest using storage.Store.ImageBigData and related functions. + // If a specific manifest digest is explicitly requested by the user, the key returned by this function should be used preferably; + // for compatibility, if a manifest is not available under this key, check also storage.ImageDigestBigDataKey +-func manifestBigDataKey(digest digest.Digest) string { +- return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String() ++func manifestBigDataKey(digest digest.Digest) (string, error) { ++ if err := digest.Validate(); err != nil { // Make sure info.Digest.String() uses the expected format and does not collide with other BigData keys. ++ return "", err ++ } ++ return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String(), nil + } + + // signatureBigDataKey returns a key suitable for recording the signatures associated with the manifest with the specified digest using storage.Store.ImageBigData and related functions. 
+ // If a specific manifest digest is explicitly requested by the user, the key returned by this function should be used preferably; +-func signatureBigDataKey(digest digest.Digest) string { +- return "signature-" + digest.Encoded() ++func signatureBigDataKey(digest digest.Digest) (string, error) { ++ if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return "", err ++ } ++ return "signature-" + digest.Encoded(), nil + } + + // newImageSource sets up an image for reading. +@@ -240,7 +247,10 @@ func (s *storageImageSource) getBlobAndLayerID(info types.BlobInfo) (rc io.ReadC + // GetManifest() reads the image's manifest. + func (s *storageImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) (manifestBlob []byte, MIMEType string, err error) { + if instanceDigest != nil { +- key := manifestBigDataKey(*instanceDigest) ++ key, err := manifestBigDataKey(*instanceDigest) ++ if err != nil { ++ return nil, "", err ++ } + blob, err := s.imageRef.transport.store.ImageBigData(s.image.ID, key) + if err != nil { + return nil, "", errors.Wrapf(err, "reading manifest for image instance %q", *instanceDigest) +@@ -252,7 +262,10 @@ func (s *storageImageSource) GetManifest(ctx context.Context, instanceDigest *di + // Prefer the manifest corresponding to the user-specified digest, if available. 
+ if s.imageRef.named != nil { + if digested, ok := s.imageRef.named.(reference.Digested); ok { +- key := manifestBigDataKey(digested.Digest()) ++ key, err := manifestBigDataKey(digested.Digest()) ++ if err != nil { ++ return nil, "", err ++ } + blob, err := s.imageRef.transport.store.ImageBigData(s.image.ID, key) + if err != nil && !os.IsNotExist(err) { // os.IsNotExist is true if the image exists but there is no data corresponding to key + return nil, "", err +@@ -365,7 +378,10 @@ func (s *storageImageSource) GetSignatures(ctx context.Context, instanceDigest * + instance := "default instance" + if instanceDigest != nil { + signatureSizes = s.SignaturesSizes[*instanceDigest] +- key = signatureBigDataKey(*instanceDigest) ++ key, err = signatureBigDataKey(*instanceDigest) ++ if err != nil { ++ return nil, err ++ } + instance = instanceDigest.Encoded() + } + if len(signatureSizes) > 0 { +@@ -1140,7 +1156,10 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + if err != nil { + return errors.Wrapf(err, "digesting top-level manifest") + } +- key := manifestBigDataKey(manifestDigest) ++ key, err := manifestBigDataKey(manifestDigest) ++ if err != nil { ++ return err ++ } + if err := s.imageRef.transport.store.SetImageBigData(img.ID, key, toplevelManifest, manifest.Digest); err != nil { + logrus.Debugf("error saving top-level manifest for image %q: %v", img.ID, err) + return errors.Wrapf(err, "saving top-level manifest for image %q", img.ID) +@@ -1149,7 +1168,10 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + // Save the image's manifest. Allow looking it up by digest by using the key convention defined by the Store. + // Record the manifest twice: using a digest-specific key to allow references to that specific digest instance, + // and using storage.ImageDigestBigDataKey for future users that don’t specify any digest and for compatibility with older readers. 
+- key := manifestBigDataKey(s.manifestDigest) ++ key, err := manifestBigDataKey(s.manifestDigest) ++ if err != nil { ++ return err ++ } + if err := s.imageRef.transport.store.SetImageBigData(img.ID, key, s.manifest, manifest.Digest); err != nil { + logrus.Debugf("error saving manifest for image %q: %v", img.ID, err) + return errors.Wrapf(err, "saving manifest for image %q", img.ID) +@@ -1167,7 +1189,10 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + } + } + for instanceDigest, signatures := range s.signatureses { +- key := signatureBigDataKey(instanceDigest) ++ key, err := signatureBigDataKey(instanceDigest) ++ if err != nil { ++ return err ++ } + if err := s.imageRef.transport.store.SetImageBigData(img.ID, key, signatures, manifest.Digest); err != nil { + logrus.Debugf("error saving signatures for image %q: %v", img.ID, err) + return errors.Wrapf(err, "saving signatures for image %q", img.ID) +diff --git a/vendor/github.com/containers/image/v5/storage/storage_reference.go b/vendor/github.com/containers/image/v5/storage/storage_reference.go +index 1aafe906..ea484634 100644 +--- a/vendor/github.com/containers/image/v5/storage/storage_reference.go ++++ b/vendor/github.com/containers/image/v5/storage/storage_reference.go +@@ -72,7 +72,10 @@ func multiArchImageMatchesSystemContext(store storage.Store, img *storage.Image, + // We don't need to care about storage.ImageDigestBigDataKey because + // manifests lists are only stored into storage by c/image versions + // that know about manifestBigDataKey, and only using that key. +- key := manifestBigDataKey(manifestDigest) ++ key, err := manifestBigDataKey(manifestDigest) ++ if err != nil { ++ return false // This should never happen, manifestDigest comes from a reference.Digested, and that validates the format. 
++ } + manifestBytes, err := store.ImageBigData(img.ID, key) + if err != nil { + return false +@@ -94,7 +97,10 @@ func multiArchImageMatchesSystemContext(store storage.Store, img *storage.Image, + if err != nil { + return false + } +- key = manifestBigDataKey(chosenInstance) ++ key, err = manifestBigDataKey(chosenInstance) ++ if err != nil { ++ return false ++ } + _, err = store.ImageBigData(img.ID, key) + return err == nil // true if img.ID is based on chosenInstance. + } diff --git a/SPECS/cri-o/cri-o.spec b/SPECS/cri-o/cri-o.spec index 2ac295d4ac8..766b3e91ef9 100644 --- a/SPECS/cri-o/cri-o.spec +++ b/SPECS/cri-o/cri-o.spec @@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa # Define macros for further referenced sources Name: cri-o Version: 1.22.3 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -64,6 +64,7 @@ Patch8: CVE-2023-44487.patch Patch9: CVE-2024-28180.patch Patch10: CVE-2024-21626.patch Patch11: CVE-2024-3154.patch +Patch12: CVE-2024-3727.patch BuildRequires: btrfs-progs-devel BuildRequires: device-mapper-devel BuildRequires: fdupes @@ -216,9 +217,12 @@ mkdir -p /opt/cni/bin %{_fillupdir}/sysconfig.kubelet %changelog -* Fri Jun 07 2024 Muhammad Falak - 1.22.3-3 +* Wed Jun 26 2024 Muhammad Falak - 1.22.3-4 - Bump release to rebuild with go 1.21.11 +* Tue Jun 18 2024 Francisco Huelsz Prince - 1.22.3-3 +- Patch CVE-2024-3727 in vendored github.com/containers/image. + * Mon Jun 03 2024 Bala - 1.22.3-2 - Patch CVE-2024-3154 diff --git a/SPECS/guava/CVE-2023-2976.patch b/SPECS/guava/CVE-2023-2976.patch new file mode 100644 index 00000000000..ce7c04432aa --- /dev/null +++ b/SPECS/guava/CVE-2023-2976.patch 
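Review bot: `Patch12: CVE-2024-3727.patch` is declared in the `@@ -64,6 +64,7 @@` hunk, but no matching `%patch12 -p1` (or equivalent) is added anywhere in this diff, so unless the spec's `%prep` uses `%autosetup`/`%autopatch` the vendored containers/image fix is listed but never applied; the guava spec in the same commit adds both `Patch2:` and `%patch2 -p1`, which is the pattern to follow. The `%prep` section is outside the hunks shown, so this needs confirming against the full spec before merge. Separately, the changelog hunk rewrites the existing `1.22.3-3` entry (Fri Jun 07, go 1.21.11 rebuild) into `1.22.3-4` dated Wed Jun 26 and re-attributes `1.22.3-3` to the Jun 18 CVE patch; if `1.22.3-3` had already been published as the go rebuild, this changes the recorded history of a shipped release, and a fresh `1.22.3-4` entry for the CVE patch with the existing `-3` entry left untouched would keep the log accurate.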
@@ -0,0 +1,493 @@ +# This is a manually backported patch from the below commit +# The commit below fixes both issues 2575 and 4011 +# The current patch is modified version of the commit to fix only the issue 2575 (CVE-2023-2976) +# since issue 4011 (CVE-2020-8908) is already fixed in the spec with a patch +# +# From feb83a1c8fd2e7670b244d5afd23cba5aca43284 Mon Sep 17 00:00:00 2001 +# 
From: cpovirk +# Date: Thu, 25 May 2023 13:18:00 -0700 +# Subject: [PATCH] Restrict permissions when creating temporary files and +# directories, or fail if that's not possible. +# +# (Also, check that the provided `fileThreshold` is non-negative.) +# +# - Fixes https://github.com/google/guava/issues/2575 +# - Fixes https://github.com/google/guava/issues/4011 +# +# RELNOTES=Reimplemented `Files.createTempDir` and `FileBackedOutputStream` to further address [CVE-2020-8908](https://github.com/google/guava/issues/4011) and [Guava issue #2575](https://github.com/google/guava/issues/2575) (CVE forthcoming). +# PiperOrigin-RevId: 535359233 +# +# J2ktIncompatible.java extracted from https://github.com/google/guava/commit/ae97cce255a24e82db9a5acfc07e3ec787e1c9c3 +# ElementTypesAreNonnullByDefault.java extracted from https://github.com/google/guava/commit/5137f9983a0f2dee131b5e090228aedd2b7ace44 +# +From 9b9d984002fefab3a692b8e522edad20872b6be7 Mon Sep 17 00:00:00 2001 +From: Sindhu Karri +Date: Thu, 20 Jun 2024 01:03:10 +0000 +Subject: [PATCH] Restrict permissions when creating temporary files and directories, or fail if that's not possible. + (Also, check that the provided `fileThreshold` is non-negative.) 
+ +import Preconditions.checkArgument + +include ElementTypesAreNonnullByDefault.java annotation +--- + .../common/annotations/J2ktIncompatible.java | 31 +++ + .../io/ElementTypesAreNonnullByDefault.java | 41 ++++ + .../common/io/FileBackedOutputStream.java | 7 +- + android/pom.xml | 1 + + .../common/annotations/J2ktIncompatible.java | 31 +++ + .../io/ElementTypesAreNonnullByDefault.java | 41 ++++ + .../common/io/FileBackedOutputStream.java | 7 +- + .../com/google/common/io/TempFileCreator.java | 176 ++++++++++++++++++ + pom.xml | 1 + + 9 files changed, 334 insertions(+), 2 deletions(-) + create mode 100644 android/guava/src/com/google/common/annotations/J2ktIncompatible.java + create mode 100644 android/guava/src/com/google/common/io/ElementTypesAreNonnullByDefault.java + create mode 100644 guava/src/com/google/common/annotations/J2ktIncompatible.java + create mode 100644 guava/src/com/google/common/io/ElementTypesAreNonnullByDefault.java + create mode 100644 guava/src/com/google/common/io/TempFileCreator.java + +diff --git a/android/guava/src/com/google/common/annotations/J2ktIncompatible.java b/android/guava/src/com/google/common/annotations/J2ktIncompatible.java +new file mode 100644 +index 0000000..6e28d02 +--- /dev/null ++++ b/android/guava/src/com/google/common/annotations/J2ktIncompatible.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (C) 2009 The Guava Authors ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except ++ * in compliance with the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software distributed under the License ++ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express ++ * or implied. See the License for the specific language governing permissions and limitations under ++ * the License. 
++ */ ++ ++package com.google.common.annotations; ++ ++import java.lang.annotation.ElementType; ++import java.lang.annotation.Retention; ++import java.lang.annotation.RetentionPolicy; ++import java.lang.annotation.Target; ++ ++/** ++ * The presence of this annotation on an API indicates that the method may not be used with ++ * J2kt. ++ * ++ * @since NEXT ++ */ ++@Retention(RetentionPolicy.CLASS) ++@Target({ElementType.TYPE, ElementType.METHOD, ElementType.CONSTRUCTOR, ElementType.FIELD}) ++@GwtCompatible ++public @interface J2ktIncompatible {} +diff --git a/android/guava/src/com/google/common/io/ElementTypesAreNonnullByDefault.java b/android/guava/src/com/google/common/io/ElementTypesAreNonnullByDefault.java +new file mode 100644 +index 0000000..48bc10f +--- /dev/null ++++ b/android/guava/src/com/google/common/io/ElementTypesAreNonnullByDefault.java +@@ -0,0 +1,41 @@ ++/* ++ * Copyright (C) 2021 The Guava Authors ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. 
++ */ ++ ++package com.google.common.io; ++ ++import static java.lang.annotation.ElementType.FIELD; ++import static java.lang.annotation.ElementType.METHOD; ++import static java.lang.annotation.ElementType.PARAMETER; ++import static java.lang.annotation.ElementType.TYPE; ++import static java.lang.annotation.RetentionPolicy.RUNTIME; ++ ++import com.google.common.annotations.GwtCompatible; ++import java.lang.annotation.Retention; ++import java.lang.annotation.Target; ++import javax.annotation.Nonnull; ++import javax.annotation.meta.TypeQualifierDefault; ++ ++/** ++ * Marks all "top-level" types as non-null in a way that is recognized by Kotlin. Note that this ++ * unfortunately includes type-variable usages, so we also provide {@link ParametricNullness} to ++ * "undo" it as best we can. ++ */ ++@GwtCompatible ++@Retention(RUNTIME) ++@Target(TYPE) ++@TypeQualifierDefault({FIELD, METHOD, PARAMETER}) ++@Nonnull ++@interface ElementTypesAreNonnullByDefault {} +diff --git a/android/guava/src/com/google/common/io/FileBackedOutputStream.java b/android/guava/src/com/google/common/io/FileBackedOutputStream.java +index e303110..56a33f5 100644 +--- a/android/guava/src/com/google/common/io/FileBackedOutputStream.java ++++ b/android/guava/src/com/google/common/io/FileBackedOutputStream.java +@@ -14,6 +14,8 @@ + + package com.google.common.io; + ++import static com.google.common.base.Preconditions.checkArgument; ++ + import com.google.common.annotations.Beta; + import com.google.common.annotations.GwtIncompatible; + import com.google.common.annotations.VisibleForTesting; +@@ -82,8 +84,11 @@ public final class FileBackedOutputStream extends OutputStream { + * @param fileThreshold the number of bytes before the stream should switch to buffering to a file + * @param resetOnFinalize if true, the {@link #reset} method will be called when the {@link + * ByteSource} returned by {@link #asByteSource} is finalized ++ * @throws IllegalArgumentException if {@code fileThreshold} is negative + 
*/ + public FileBackedOutputStream(int fileThreshold, boolean resetOnFinalize) { ++ checkArgument( ++ fileThreshold >= 0, "fileThreshold must be non-negative, but was %s", fileThreshold); + this.fileThreshold = fileThreshold; + this.resetOnFinalize = resetOnFinalize; + memory = new MemoryOutput(); +@@ -193,7 +198,7 @@ public final class FileBackedOutputStream extends OutputStream { + */ + private void update(int len) throws IOException { + if (file == null && (memory.getCount() + len > fileThreshold)) { +- File temp = File.createTempFile("FileBackedOutputStream", null); ++ File temp = TempFileCreator.INSTANCE.createTempFile("FileBackedOutputStream"); + if (resetOnFinalize) { + // Finalizers are not guaranteed to be called on system shutdown; + // this is insurance. +diff --git a/android/pom.xml b/android/pom.xml +index e51a8e0..c19e531 100644 +--- a/android/pom.xml ++++ b/android/pom.xml +@@ -131,6 +131,7 @@ + animal-sniffer-maven-plugin + ${animal.sniffer.version} + ++ com.google.common.io.IgnoreJRERequirement + + org.codehaus.mojo.signature + java16-sun +diff --git a/guava/src/com/google/common/annotations/J2ktIncompatible.java b/guava/src/com/google/common/annotations/J2ktIncompatible.java +new file mode 100644 +index 0000000..6e28d02 +--- /dev/null ++++ b/guava/src/com/google/common/annotations/J2ktIncompatible.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (C) 2009 The Guava Authors ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except ++ * in compliance with the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software distributed under the License ++ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express ++ * or implied. See the License for the specific language governing permissions and limitations under ++ * the License. 
++ */ ++ ++package com.google.common.annotations; ++ ++import java.lang.annotation.ElementType; ++import java.lang.annotation.Retention; ++import java.lang.annotation.RetentionPolicy; ++import java.lang.annotation.Target; ++ ++/** ++ * The presence of this annotation on an API indicates that the method may not be used with ++ * J2kt. ++ * ++ * @since NEXT ++ */ ++@Retention(RetentionPolicy.CLASS) ++@Target({ElementType.TYPE, ElementType.METHOD, ElementType.CONSTRUCTOR, ElementType.FIELD}) ++@GwtCompatible ++public @interface J2ktIncompatible {} +diff --git a/guava/src/com/google/common/io/ElementTypesAreNonnullByDefault.java b/guava/src/com/google/common/io/ElementTypesAreNonnullByDefault.java +new file mode 100644 +index 0000000..48bc10f +--- /dev/null ++++ b/guava/src/com/google/common/io/ElementTypesAreNonnullByDefault.java +@@ -0,0 +1,41 @@ ++/* ++ * Copyright (C) 2021 The Guava Authors ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. 
++ */ ++ ++package com.google.common.io; ++ ++import static java.lang.annotation.ElementType.FIELD; ++import static java.lang.annotation.ElementType.METHOD; ++import static java.lang.annotation.ElementType.PARAMETER; ++import static java.lang.annotation.ElementType.TYPE; ++import static java.lang.annotation.RetentionPolicy.RUNTIME; ++ ++import com.google.common.annotations.GwtCompatible; ++import java.lang.annotation.Retention; ++import java.lang.annotation.Target; ++import javax.annotation.Nonnull; ++import javax.annotation.meta.TypeQualifierDefault; ++ ++/** ++ * Marks all "top-level" types as non-null in a way that is recognized by Kotlin. Note that this ++ * unfortunately includes type-variable usages, so we also provide {@link ParametricNullness} to ++ * "undo" it as best we can. ++ */ ++@GwtCompatible ++@Retention(RUNTIME) ++@Target(TYPE) ++@TypeQualifierDefault({FIELD, METHOD, PARAMETER}) ++@Nonnull ++@interface ElementTypesAreNonnullByDefault {} +diff --git a/guava/src/com/google/common/io/FileBackedOutputStream.java b/guava/src/com/google/common/io/FileBackedOutputStream.java +index e303110..56a33f5 100644 +--- a/guava/src/com/google/common/io/FileBackedOutputStream.java ++++ b/guava/src/com/google/common/io/FileBackedOutputStream.java +@@ -14,6 +14,8 @@ + + package com.google.common.io; + ++import static com.google.common.base.Preconditions.checkArgument; ++ + import com.google.common.annotations.Beta; + import com.google.common.annotations.GwtIncompatible; + import com.google.common.annotations.VisibleForTesting; +@@ -82,8 +84,11 @@ public final class FileBackedOutputStream extends OutputStream { + * @param fileThreshold the number of bytes before the stream should switch to buffering to a file + * @param resetOnFinalize if true, the {@link #reset} method will be called when the {@link + * ByteSource} returned by {@link #asByteSource} is finalized ++ * @throws IllegalArgumentException if {@code fileThreshold} is negative + */ + public 
FileBackedOutputStream(int fileThreshold, boolean resetOnFinalize) { ++ checkArgument( ++ fileThreshold >= 0, "fileThreshold must be non-negative, but was %s", fileThreshold); + this.fileThreshold = fileThreshold; + this.resetOnFinalize = resetOnFinalize; + memory = new MemoryOutput(); +@@ -193,7 +198,7 @@ public final class FileBackedOutputStream extends OutputStream { + */ + private void update(int len) throws IOException { + if (file == null && (memory.getCount() + len > fileThreshold)) { +- File temp = File.createTempFile("FileBackedOutputStream", null); ++ File temp = TempFileCreator.INSTANCE.createTempFile("FileBackedOutputStream"); + if (resetOnFinalize) { + // Finalizers are not guaranteed to be called on system shutdown; + // this is insurance. +diff --git a/guava/src/com/google/common/io/TempFileCreator.java b/guava/src/com/google/common/io/TempFileCreator.java +new file mode 100644 +index 0000000..a28a0af +--- /dev/null ++++ b/guava/src/com/google/common/io/TempFileCreator.java +@@ -0,0 +1,176 @@ ++/* ++ * Copyright (C) 2007 The Guava Authors ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except ++ * in compliance with the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software distributed under the License ++ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express ++ * or implied. See the License for the specific language governing permissions and limitations under ++ * the License. 
++ */ ++ ++package com.google.common.io; ++ ++import static com.google.common.base.StandardSystemProperty.JAVA_IO_TMPDIR; ++ ++import com.google.common.annotations.GwtIncompatible; ++import com.google.common.annotations.J2ktIncompatible; ++import com.google.j2objc.annotations.J2ObjCIncompatible; ++import java.io.File; ++import java.io.IOException; ++import java.nio.file.Paths; ++import java.nio.file.attribute.FileAttribute; ++import java.nio.file.attribute.PosixFilePermission; ++import java.nio.file.attribute.PosixFilePermissions; ++import java.util.Set; ++ ++/** ++ * Creates temporary files and directories whose permissions are restricted to the current user or, ++ * in the case of Android, the current app. If that is not possible (as is the case under the very ++ * old Android Ice Cream Sandwich release), then this class throws an exception instead of creating ++ * a file or directory that would be more accessible. ++ */ ++@J2ktIncompatible ++@GwtIncompatible ++@J2ObjCIncompatible ++@ElementTypesAreNonnullByDefault ++abstract class TempFileCreator { ++ static final TempFileCreator INSTANCE = pickSecureCreator(); ++ ++ /** ++ * @throws IllegalStateException if the directory could not be created (to implement the contract ++ * of {@link Files#createTempDir()} ++ * @throws UnsupportedOperationException if the system does not support creating temporary ++ * directories securely ++ */ ++ abstract File createTempDir(); ++ ++ abstract File createTempFile(String prefix) throws IOException; ++ ++ private static TempFileCreator pickSecureCreator() { ++ try { ++ Class.forName("java.nio.file.Path"); ++ return new JavaNioCreator(); ++ } catch (ClassNotFoundException runningUnderAndroid) { ++ // Try another way. 
++ } ++ ++ try { ++ int version = (int) Class.forName("android.os.Build$VERSION").getField("SDK_INT").get(null); ++ int jellyBean = ++ (int) Class.forName("android.os.Build$VERSION_CODES").getField("JELLY_BEAN").get(null); ++ /* ++ * I assume that this check can't fail because JELLY_BEAN will be present only if we're ++ * running under Jelly Bean or higher. But it seems safest to check. ++ */ ++ if (version < jellyBean) { ++ return new ThrowingCreator(); ++ } ++ ++ // Don't merge these catch() blocks, let alone use ReflectiveOperationException directly: ++ // b/65343391 ++ } catch (NoSuchFieldException e) { ++ // The JELLY_BEAN field doesn't exist because we're running on a version before Jelly Bean :) ++ return new ThrowingCreator(); ++ } catch (ClassNotFoundException e) { ++ // Should be impossible, but we want to return *something* so that class init succeeds. ++ return new ThrowingCreator(); ++ } catch (IllegalAccessException e) { ++ // ditto ++ return new ThrowingCreator(); ++ } ++ ++ // Android isolates apps' temporary directories since Jelly Bean: ++ // https://github.com/google/guava/issues/4011#issuecomment-770020802 ++ // So we can create files there with any permissions and still get security from the isolation. 
++ return new JavaIoCreator(); ++ } ++ ++ @IgnoreJRERequirement // used only when Path is available ++ private static final class JavaNioCreator extends TempFileCreator { ++ private static final FileAttribute> RWX_USER_ONLY = ++ PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")); ++ private static final FileAttribute> RW_USER_ONLY = ++ PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")); ++ ++ @Override ++ File createTempDir() { ++ try { ++ return java.nio.file.Files.createTempDirectory( ++ Paths.get(JAVA_IO_TMPDIR.value()), /* prefix= */ null, RWX_USER_ONLY) ++ .toFile(); ++ } catch (IOException e) { ++ throw new IllegalStateException("Failed to create directory", e); ++ } ++ } ++ ++ @Override ++ File createTempFile(String prefix) throws IOException { ++ return java.nio.file.Files.createTempFile( ++ Paths.get(JAVA_IO_TMPDIR.value()), ++ /* prefix= */ prefix, ++ /* suffix= */ null, ++ RW_USER_ONLY) ++ .toFile(); ++ } ++ } ++ ++ private static final class JavaIoCreator extends TempFileCreator { ++ @Override ++ File createTempDir() { ++ File baseDir = new File(JAVA_IO_TMPDIR.value()); ++ @SuppressWarnings("GoodTime") // reading system time without TimeSource ++ String baseName = System.currentTimeMillis() + "-"; ++ ++ for (int counter = 0; counter < TEMP_DIR_ATTEMPTS; counter++) { ++ File tempDir = new File(baseDir, baseName + counter); ++ if (tempDir.mkdir()) { ++ return tempDir; ++ } ++ } ++ throw new IllegalStateException( ++ "Failed to create directory within " ++ + TEMP_DIR_ATTEMPTS ++ + " attempts (tried " ++ + baseName ++ + "0 to " ++ + baseName ++ + (TEMP_DIR_ATTEMPTS - 1) ++ + ')'); ++ } ++ ++ @Override ++ File createTempFile(String prefix) throws IOException { ++ return File.createTempFile( ++ /* prefix= */ prefix, ++ /* suffix= */ null, ++ /* directory= */ null /* defaults to java.io.tmpdir */); ++ } ++ ++ /** Maximum loop count when creating temp directories. 
*/ ++ private static final int TEMP_DIR_ATTEMPTS = 10000; ++ } ++ ++ private static final class ThrowingCreator extends TempFileCreator { ++ private static final String MESSAGE = ++ "Guava cannot securely create temporary files or directories under SDK versions before" ++ + " Jelly Bean. You can create one yourself, either in the insecure default directory" ++ + " or in a more secure directory, such as context.getCacheDir(). For more information," ++ + " see the Javadoc for Files.createTempDir()."; ++ ++ @Override ++ File createTempDir() { ++ throw new IllegalStateException(MESSAGE); ++ } ++ ++ @Override ++ File createTempFile(String prefix) throws IOException { ++ throw new IOException(MESSAGE); ++ } ++ } ++ ++ private TempFileCreator() {} ++} +diff --git a/pom.xml b/pom.xml +index 737f182..f653afe 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -132,6 +132,7 @@ + animal-sniffer-maven-plugin + ${animal.sniffer.version} + ++ com.google.common.io.IgnoreJRERequirement + + org.codehaus.mojo.signature + java18 +-- +2.33.8 + diff --git a/SPECS/guava/guava.spec b/SPECS/guava/guava.spec index 4e9be01e461..dd3cbf497da 100644 --- a/SPECS/guava/guava.spec +++ b/SPECS/guava/guava.spec @@ -17,7 +17,7 @@ Summary: Google Core Libraries for Java Name: guava Version: 25.0 -Release: 7%{?dist} +Release: 8%{?dist} License: Apache-2.0 AND CC0-1.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -27,6 +27,7 @@ Source0: https://github.com/google/guava/archive/v%{version}.tar.gz#/%{na Source1: %{name}-build.tar.xz Patch0: %{name}-%{version}-java8compat.patch Patch1: CVE-2020-8908.patch +Patch2: CVE-2023-2976.patch BuildRequires: ant BuildRequires: fdupes BuildRequires: javapackages-local-bootstrap @@ -65,6 +66,7 @@ guava-testlib provides additional functionality for conveninent unit testing %setup -q -a1 %patch0 -p1 %patch1 -p1 +%patch2 -p1 find . -name '*.jar' -delete 
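Review bot: The android flavor of `FileBackedOutputStream.update()` is changed to call `TempFileCreator.INSTANCE.createTempFile("FileBackedOutputStream")`, but the patch only creates `guava/src/com/google/common/io/TempFileCreator.java`; the diffstat and `create mode` lines show no `android/guava/src/com/google/common/io/TempFileCreator.java`, so the android source tree now references a class that does not exist there. If the Mariner build compiles the `android/` tree this is a compile failure, and if it does not, the android hunks (including the `android/pom.xml` animal-sniffer ignore) are dead weight that should be dropped from the backport for consistency. The backport also relies on `com.google.common.io.IgnoreJRERequirement` (used on `JavaNioCreator` and added to the animal-sniffer ignore list in `pom.xml`) and on `com.google.j2objc.annotations.J2ObjCIncompatible`, neither of which this patch adds, so it is worth confirming both resolve in the 25.0 tree rather than relying on the build to catch it. A line in the patch header such as `# TempFileCreator.java is added only under guava/; the android/ tree is not built by this spec` (or the missing android copy of the file) would make the intent explicit.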
@@ -142,6 +144,9 @@ cp -r %{name}-testlib/target/site/apidocs %{buildroot}%{_javadocdir}/%{name}/%{n %files testlib -f .mfiles-guava-testlib %changelog +* Fri Jun 07 2024 Sindhu Karri 25.0-8 +- Add patch for CVE-2023-2976 + * Wed Aug 23 2023 Dallas Delaney 25.0-7 - Add patch for CVE-2020-8908 diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index 3f8befe9742..2a69e95a95a 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -7,6 +7,6 @@ "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" + "kernel-5.15.160.1.tar.gz": "74e9c18f4c5e5dd9b1187a344946fecdba159cbc5e08e70cb4e1715dd661b6a8" } } diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index 1631f9e2c40..18f80faf496 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -8,7 +8,7 @@ %global udev_prefix 70 Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 5.15.158.2 +Version: 5.15.160.1 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation @@ -219,6 +219,9 @@ fi %{_sbindir}/lsvmbus %changelog +* Sat Jun 08 2024 CBL-Mariner Servicing Account - 5.15.160.1-1 +- Auto-upgrade to 5.15.160.1 + * Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 - Revert to 5.15.158.2 diff --git a/SPECS/kernel-azure/config b/SPECS/kernel-azure/config index ff6707020a2..5709b97bf90 100644 --- a/SPECS/kernel-azure/config +++ b/SPECS/kernel-azure/config 
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.158.2 Kernel Configuration
+# Linux/x86_64 5.15.160.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS/kernel-azure/config_aarch64 b/SPECS/kernel-azure/config_aarch64
index 9c2822f6220..8e5b3b91196 100644
--- a/SPECS/kernel-azure/config_aarch64
+++ b/SPECS/kernel-azure/config_aarch64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.15.158.2 Kernel Configuration
+# Linux/arm64 5.15.160.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS/kernel-azure/kernel-azure.signatures.json b/SPECS/kernel-azure/kernel-azure.signatures.json
index df2048e9d92..bcbe4463da8 100644
--- a/SPECS/kernel-azure/kernel-azure.signatures.json
+++ b/SPECS/kernel-azure/kernel-azure.signatures.json
@@ -1,9 +1,9 @@
 {
 "Signatures": {
 "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
- "config": "7650bca555140f8b2c2e6b03709da0a8d730993215e9d28751068c799100c7bf",
- "config_aarch64": "1c9733a974fa2aa7f38ae3c05887921cb7e94db0f2d5e37f85780da5824dab38",
+ "config": "5542ff67a14a0a2ad4112df104d5bcc3358c4a823cc3fb12c10f3ce21596a515",
+ "config_aarch64": "383a3752302280c76bc2d19215e60209597053777ea22803772454401c659d08",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
- "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d"
+ "kernel-5.15.160.1.tar.gz": "74e9c18f4c5e5dd9b1187a344946fecdba159cbc5e08e70cb4e1715dd661b6a8"
 }
 }
diff --git a/SPECS/kernel-azure/kernel-azure.spec b/SPECS/kernel-azure/kernel-azure.spec
index 5f18e514b46..7b729f5a68a 100644
--- a/SPECS/kernel-azure/kernel-azure.spec
+++ b/SPECS/kernel-azure/kernel-azure.spec
@@ -27,7 +27,7 @@ Summary: Linux Kernel Name: kernel-azure -Version: 5.15.158.2 +Version: 5.15.160.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -420,6 +420,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Sat Jun 08 2024 CBL-Mariner Servicing Account - 5.15.160.1-1 +- Auto-upgrade to 5.15.160.1 + * Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 - Revert to 5.15.158.2 diff --git a/SPECS/kernel-hci/config b/SPECS/kernel-hci/config index 8c432a9df1e..415c9cfc7b1 100644 --- a/SPECS/kernel-hci/config +++ b/SPECS/kernel-hci/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.158.2 Kernel Configuration +# Linux/x86_64 5.15.160.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-hci/kernel-hci.signatures.json b/SPECS/kernel-hci/kernel-hci.signatures.json index 6af05f9b10d..55cc55c5569 100644 --- a/SPECS/kernel-hci/kernel-hci.signatures.json +++ b/SPECS/kernel-hci/kernel-hci.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "c8c6eb36480dc13723e2c29f8df52b2557c88c5fd2c6b28acedd763f90954855", - "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" + "config": "da84ef7b3b7e58e56da2c96ee4e05c998b8859410ae58bf10eafd8235316a718", + "kernel-5.15.160.1.tar.gz": "74e9c18f4c5e5dd9b1187a344946fecdba159cbc5e08e70cb4e1715dd661b6a8" } } diff --git a/SPECS/kernel-hci/kernel-hci.spec b/SPECS/kernel-hci/kernel-hci.spec index e0788a07278..d12899f8b21 100644 --- a/SPECS/kernel-hci/kernel-hci.spec +++ b/SPECS/kernel-hci/kernel-hci.spec @@ -17,7 +17,7 @@ %define config_source %{SOURCE1} Summary: Linux Kernel for HCI Name: kernel-hci -Version: 5.15.158.2 +Version: 5.15.160.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation 
@@ -547,6 +547,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Sat Jun 08 2024 CBL-Mariner Servicing Account - 5.15.160.1-1 +- Auto-upgrade to 5.15.160.1 + * Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 - Revert to 5.15.158.2 diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 1226bbd6072..4094bd062eb 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" + "kernel-5.15.160.1.tar.gz": "74e9c18f4c5e5dd9b1187a344946fecdba159cbc5e08e70cb4e1715dd661b6a8" } } diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index bb81130cdde..988f8cae1b9 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -11,7 +11,7 @@ Summary: Linux API header files Name: kernel-headers -Version: 5.15.158.2 +Version: 5.15.160.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -73,6 +73,9 @@ done %endif %changelog +* Sat Jun 08 2024 CBL-Mariner Servicing Account - 5.15.160.1-1 +- Auto-upgrade to 5.15.160.1 + * Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 - Revert to 5.15.158.2 diff --git a/SPECS/kernel/config b/SPECS/kernel/config index e9f1648a87d..5fc57c651b9 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.158.2 Kernel Configuration +# Linux/x86_64 5.15.160.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index 4dd532bba17..6dcc90bbf55 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.15.158.2 Kernel Configuration +# Linux/arm64 5.15.160.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index f9ae0436f3a..cf1f95ab83e 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,9 +1,9 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "4c524dadcc8f306d8cd9e34ba5aa03cf1fb6b1f40fca0b811861ac09d916f4a8", - "config_aarch64": "764d801459dd24b7676b30a6fa05c68bf544ff8b577bd8085adbe01d56b8c697", + "config": "74b5a39c6af9b6b7b572884b5ff0207abd691f623be4316507271667744e6358", + "config_aarch64": "3e942841e0e8cf8270c62213e947699b2398f6a9001208cf60c4ff204285c00b", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" + "kernel-5.15.160.1.tar.gz": "74e9c18f4c5e5dd9b1187a344946fecdba159cbc5e08e70cb4e1715dd661b6a8" } } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 84e20b0b7bb..e48ab3f2778 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -27,7 +27,7 @@ Summary: Linux Kernel Name: kernel -Version: 5.15.158.2 +Version: 5.15.160.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -426,6 +426,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Sat Jun 08 2024 CBL-Mariner Servicing Account - 5.15.160.1-1 +- Auto-upgrade to 5.15.160.1 + * Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 - Revert to 5.15.158.2 diff --git a/SPECS/libndp/CVE-2024-5564.patch b/SPECS/libndp/CVE-2024-5564.patch new file mode 100644 index 00000000000..15c9129cda1 --- /dev/null +++ b/SPECS/libndp/CVE-2024-5564.patch 
@@ -0,0 +1,44 @@
+From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001
+From: Hangbin Liu
+Date: Wed, 5 Jun 2024 11:57:43 +0800
+Subject: [PATCH] libndp: valid route information option length
+
+RFC 4191 specifies that the Route Information Option Length should be 1, 2,
+or 3, depending on the Prefix Length. A malicious node could potentially
+trigger a buffer overflow and crash the tool by sending an IPv6 router
+advertisement message containing the "Route Information" option with a
+"Length" field larger than 3.
+
+To address this, add a check on the length field.
+
+Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)")
+Reported-by: Evgeny Vereshchagin
+Suggested-by: Felix Maurer
+Signed-off-by: Hangbin Liu
+Signed-off-by: Jiri Pirko
+---
+ libndp/libndp.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/libndp/libndp.c b/libndp/libndp.c
+index 6314717..72ec92e 100644
+--- a/libndp/libndp.c
++++ b/libndp/libndp.c
+@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data)
+ */
+ if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2)
+ return false;
++
++ /* The Length field is 1, 2, or 3 depending on the Prefix Length.
++ * If Prefix Length is greater than 64, then Length must be 3.
++ * If Prefix Length is greater than 0, then Length must be 2 or 3.
++ * If Prefix Length is zero, then Length must be 1, 2, or 3.
++ */
++ if (ri->nd_opt_ri_len > 3 ||
++ (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) ||
++ (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1))
++ return false;
++
+ return true;
+ }
+
diff --git a/SPECS/libndp/libndp.spec b/SPECS/libndp/libndp.spec
index 83a330f6009..df04ea5855c 100644
--- a/SPECS/libndp/libndp.spec
+++ b/SPECS/libndp/libndp.spec
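Review bot: The added condition bounds `nd_opt_ri_len` to at most 3 and ties it to the prefix length, but nothing in the hunk rejects an `nd_opt_ri_prefix_len` above 128, which RFC 4191 does not allow either; unless the part of ndp_msg_opt_route_check_valid above the hunk already does so, the same guard could take `ri->nd_opt_ri_prefix_len > 128 ||` as an additional clause. Testing `nd_opt_ri_len > 3` first, as the patch does, is what makes the option safe to read further, so that ordering should be kept if the condition is extended. The function's opening lines are outside the hunk.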
@@ -1,13 +1,14 @@ Summary: Library for Neighbor Discovery Protocol Name: libndp Version: 1.8 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner Group: System Environment/Libraries URL: http://www.libndp.org/ Source: http://www.libndp.org/files/%{name}-%{version}.tar.gz +Patch0: CVE-2024-5564.patch %description This package contains a library which provides a wrapper @@ -22,7 +23,7 @@ Requires: libndp Headers and libraries for the libndp. %prep -%setup -q +%autosetup -p1 %build %configure --disable-static @@ -48,6 +49,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/pkgconfig/*.pc %changelog +* Fri Jun 14 2024 Nick Samson - 1.8-2 +- Patch CVE-2024-5564 + * Tue Jan 11 2022 Henry Li - 1.8-1 - Upgrade to version 1.8 - Remove calling autogen, which does not exist in latest version diff --git a/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.signatures.json b/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.signatures.json index 480e806a734..e864e833c9c 100644 --- a/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.signatures.json +++ b/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "libnetfilter_conntrack-1.0.8.tar.bz2": "0cd13be008923528687af6c6b860f35392d49251c04ee0648282d36b1faec1cf" + "libnetfilter_conntrack-1.0.9.tar.bz2": "67bd9df49fe34e8b82144f6dfb93b320f384a8ea59727e92ff8d18b5f4b579a8" } } \ No newline at end of file diff --git a/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.spec b/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.spec index 687ff4cccfe..00babccd505 100644 --- a/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.spec +++ b/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.spec @@ -1,6 +1,6 @@ Summary: Netfilter conntrack userspace library Name: libnetfilter_conntrack -Version: 1.0.8 +Version: 1.0.9 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation 
@@ -51,6 +51,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/*.so %changelog +* Wed Jun 12 2024 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 1.0.9-1 +- Update to version 1.0.9 + * Tue Jan 11 2022 Henry Li - 1.0.8-1 - Upgrade to version 1.0.8 - Verified License diff --git a/SPECS/ntfs-3g/CVE-2023-52890.patch b/SPECS/ntfs-3g/CVE-2023-52890.patch new file mode 100644 index 00000000000..8a4e3e3ee55 --- /dev/null +++ b/SPECS/ntfs-3g/CVE-2023-52890.patch @@ -0,0 +1,37 @@ +From 233f365fdce9d95844dde537440cd9ab36a32454 Mon Sep 17 00:00:00 2001 +From: Erik Larsson +Date: Tue, 13 Jun 2023 17:47:15 +0300 +Subject: [PATCH] unistr.c: Fix use-after-free in 'ntfs_uppercase_mbs'. + +If 'utf8_to_unicode' throws an error due to an invalid UTF-8 sequence, +then 'n' will be less than 0 and the loop will terminate without storing +anything in '*t'. After the loop the uppercase string's allocation is +freed, however after it is freed it is unconditionally accessed through +'*t', which points into the freed allocation, for the purpose of NULL- +terminating the string. This leads to a use-after-free. +Fixed by only NULL-terminating the string when no error has been thrown. + +Thanks for Jeffrey Bencteux for reporting this issue: +https://github.com/tuxera/ntfs-3g/issues/84 +--- + libntfs-3g/unistr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libntfs-3g/unistr.c b/libntfs-3g/unistr.c +index 5854b3b..db8ddf4 100644 +--- a/libntfs-3g/unistr.c ++++ b/libntfs-3g/unistr.c +@@ -1189,8 +1189,9 @@ char *ntfs_uppercase_mbs(const char *low, + free(upp); + upp = (char*)NULL; + errno = EILSEQ; ++ } else { ++ *t = 0; + } +- *t = 0; + } + return (upp); + } +-- +2.34.1 + diff --git a/SPECS/ntfs-3g/ntfs-3g.spec b/SPECS/ntfs-3g/ntfs-3g.spec index 0932e25731a..cda07e01624 100644 --- a/SPECS/ntfs-3g/ntfs-3g.spec +++ b/SPECS/ntfs-3g/ntfs-3g.spec 
@@ -1,13 +1,14 @@ Summary: Linux NTFS userspace driver Name: ntfs-3g Version: 2022.10.3 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner URL: https://www.tuxera.com/company/open-source/ Source0: https://tuxera.com/opensource/%{name}_ntfsprogs-%{version}.tgz Patch0: ntfs-3g_ntfsprogs-2011.10.9-RC-ntfsck-unsupported-return-0.patch +Patch1: CVE-2023-52890.patch BuildRequires: fuse-devel BuildRequires: gnutls-devel @@ -170,6 +171,9 @@ rm -rf %{buildroot}%{_defaultdocdir}/%{name}/README %exclude %{_mandir}/man8/ntfs-3g* %changelog +* Mon Jun 17 2024 Suresh Thelkar - 2022.10.3-2 +- Patch CVE-2023-52890 + * Mon Nov 14 2022 CBL-Mariner Servicing Account - 2022.10.3-1 - Auto-upgrade to 2022.10.3 - CVE-2022-40284 diff --git a/SPECS/openssh/CVE-2023-28531.patch b/SPECS/openssh/CVE-2023-28531.patch new file mode 100644 index 00000000000..180e21bbbaa --- /dev/null +++ b/SPECS/openssh/CVE-2023-28531.patch @@ -0,0 +1,25 @@ +From 54ac4ab2b53ce9fcb66b8250dee91c070e4167ed Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 9 Mar 2023 06:58:26 +0000 +Subject: [PATCH] upstream: include destination constraints for smartcard keys + too. + +Spotted by Luci Stanescu; ok deraadt@ markus@ + +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f +--- + authfd.c | 2 +- + 1 file changed, 1 insertions(+), 1 deletions(-) + +diff --git a/authfd.c b/authfd.c +index 13f9432efb3..77dc3cce597 100644 +--- a/authfd.c +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, + struct dest_constraint **dest_constraints, size_t ndest_constraints) + { + struct sshbuf *msg; +- int r, constrained = (life || confirm); ++ int r, constrained = (life || confirm || dest_constraints); + u_char type; + + if (add) { diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec index 7e47e6058c3..2fa6c97bded 100644 --- a/SPECS/openssh/openssh.spec +++ b/SPECS/openssh/openssh.spec 
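Review bot: The embedded diff in CVE-2023-28531.patch carries a `--- a/authfd.c` header but no `+++ b/authfd.c` line before its `@@ -665,7 +665,7 @@` hunk, and its diffstat reads `1 insertions(+), 1 deletions(-)` rather than the singular form git emits, which suggests the file was assembled by hand rather than exported with git format-patch. Whether the build's `%patch350 -p1` step accepts a unified diff without its `+++` line should be confirmed; inserting `+++ b/authfd.c` directly after the `---` line removes the doubt. The one-line change itself, `int r, constrained = (life || confirm || dest_constraints);`, matches the description in the patch header.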
@@ -3,7 +3,7 @@ Summary: Free version of the SSH connectivity tools Name: openssh Version: %{openssh_ver} -Release: 4%{?dist} +Release: 5%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -44,6 +44,8 @@ Patch316: CVE-2023-48795-0006-upstream-Remove-leftover-line.patch Patch317: CVE-2023-48795-0007-upstream-Refactor-creation-of-KEX-proposal.patch Patch318: CVE-2023-48795-0008-upstream-Limit-number-of-entries-in-SSH2_MSG_EXT_INF.patch Patch319: CVE-2023-48795-0009-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch +# Patch for CVE-2023-28531 can be removed if openssh is upgraded to version 9.3p1 or greater +Patch350: CVE-2023-28531.patch BuildRequires: audit-devel BuildRequires: autoconf BuildRequires: e2fsprogs-devel @@ -128,6 +130,7 @@ popd %patch317 -p1 -b .cve-2023-48795-0007 %patch318 -p1 -b .cve-2023-48795-0008 %patch319 -p1 -b .cve-2023-48795-0009 +%patch350 -p1 -b .cve-2023-28531 %build export CFLAGS="$CFLAGS -fpic" @@ -284,6 +287,9 @@ fi %{_mandir}/man8/ssh-sk-helper.8.gz %changelog +* Tue Jun 25 2024 Sam Meluch - 8.9p1-5 +- Add patch for CVE-2023-28531 + * Mon Jan 8 15:23:58 EST 2024 Dan Streetman - 8.9p1-4 - Add patches for CVE-2023-48795 diff --git a/SPECS/php/php.signatures.json b/SPECS/php/php.signatures.json index b535c393037..292d27de10c 100644 --- a/SPECS/php/php.signatures.json +++ b/SPECS/php/php.signatures.json 
@@ -1,19 +1,19 @@ { - "Signatures": { - "10-opcache.ini": "6065beb2ace54d6cb5a8cde751330ea358bd23692073c6e3d2c57f7c97bec869", - "20-ffi.ini": "f5e968fdd3eca54f3dab2399e243931cf16cd9da034f0364800aefab222271c0", - "macros.php": "917104496e8239e1ed1d4812871be772a5fa8b38cf80c4c59ec3e0c36d48310e", - "nginx-fpm.conf": "5a222ab2c3fc0145cb67a1c5125471bbf097de304e77c9858e7077a3b4fcad59", - "nginx-php.conf": "b3b3f744c4c122302fcb11f39cac78d01cef15ee6f8bd67e98b3438efcf8dc95", - "opcache-default.blacklist": "4eef0875e1a0c6a75b8a2bafd4ddc029b83be74dd336a6a99214b0c32808cb38", - "php-fpm-www.conf": "1cacdd4962c01a0a968933c38db503023940ad9105f021bdab85d6cdc46dcbb8", - "php-fpm.conf": "bb261d53b9b42bb163a7637bb373ffa18a20dddf27a3efe6cb5ed1b1cf5981a9", - "php-fpm.logrotate": "7d8279bebb9ffabc596a2699150e93d4ce4513245890b9b786d337288b19fa79", - "php-fpm.service": "574f50dec5a0edd60e60e44e7cc2d03575bc728bdc0b0cab021ce3c55abc0117", - "php-fpm.wants": "846297e91ba02bd0e29b6635eeddcca01a7ad4faf5a8f27113543804331d0328", - "php.conf": "e2388be032eccf7c0197d597ba72259a095bf8434438a184e6a640edb4b59de2", - "php.ini": "8fd5a4d891c19320c07010fbbbac982c886b422bc8d062acaeae49d70c136fc8", - "php.modconf": "dc7303ea584452d2f742d002a648abe74905025aabf240259c7e8bd01746d278", - "php-8.1.28.tar.xz": "95d0b2e9466108fd750dab5c30a09e5c67f5ad2cb3b1ffb3625a038a755ad080" - } + "Signatures": { + "10-opcache.ini": "6065beb2ace54d6cb5a8cde751330ea358bd23692073c6e3d2c57f7c97bec869", + "20-ffi.ini": "f5e968fdd3eca54f3dab2399e243931cf16cd9da034f0364800aefab222271c0", + "macros.php": "917104496e8239e1ed1d4812871be772a5fa8b38cf80c4c59ec3e0c36d48310e", + "nginx-fpm.conf": "5a222ab2c3fc0145cb67a1c5125471bbf097de304e77c9858e7077a3b4fcad59", + "nginx-php.conf": "b3b3f744c4c122302fcb11f39cac78d01cef15ee6f8bd67e98b3438efcf8dc95", + "opcache-default.blacklist": "4eef0875e1a0c6a75b8a2bafd4ddc029b83be74dd336a6a99214b0c32808cb38", + "php-8.1.29.tar.xz": "288884af60581d4284baba2ace9ca6d646f72facbd3e3c2dd2acc7fe6f903536", + 
"php-fpm-www.conf": "1cacdd4962c01a0a968933c38db503023940ad9105f021bdab85d6cdc46dcbb8", + "php-fpm.conf": "bb261d53b9b42bb163a7637bb373ffa18a20dddf27a3efe6cb5ed1b1cf5981a9", + "php-fpm.logrotate": "7d8279bebb9ffabc596a2699150e93d4ce4513245890b9b786d337288b19fa79", + "php-fpm.service": "574f50dec5a0edd60e60e44e7cc2d03575bc728bdc0b0cab021ce3c55abc0117", + "php-fpm.wants": "846297e91ba02bd0e29b6635eeddcca01a7ad4faf5a8f27113543804331d0328", + "php.conf": "e2388be032eccf7c0197d597ba72259a095bf8434438a184e6a640edb4b59de2", + "php.ini": "8fd5a4d891c19320c07010fbbbac982c886b422bc8d062acaeae49d70c136fc8", + "php.modconf": "dc7303ea584452d2f742d002a648abe74905025aabf240259c7e8bd01746d278" + } } diff --git a/SPECS/php/php.spec b/SPECS/php/php.spec index 13563ff5961..3b4c021ae00 100644 --- a/SPECS/php/php.spec +++ b/SPECS/php/php.spec @@ -32,7 +32,7 @@ %global with_qdbm 0 Summary: PHP scripting language for creating dynamic web sites Name: php -Version: 8.1.28 +Version: 8.1.29 Release: 1%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend @@ -1516,6 +1516,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %dir %{_datadir}/php/preload %changelog +* Mon Jun 10 2024 Neha Agarwal - 8.1.29-1 +- Upgrade to 8.1.29 to fix CVE-2024-4577, CVE-2024-5585 and CVE-2024-5458 + * Fri May 03 2024 Gary Swalling - 8.1.28-1 - Upgrade to 8.1.28 to fix CVE-2024-2756, CVE-2024-3096 - Update BuildRequires, libpq is now provided by postgresql diff --git a/SPECS/skopeo/CVE-2024-3727.patch b/SPECS/skopeo/CVE-2024-3727.patch new file mode 100644 index 00000000000..026304b4317 --- /dev/null +++ b/SPECS/skopeo/CVE-2024-3727.patch 
@@ -0,0 +1,851 @@ +From 28694484fdc289dd6dcf3135fdeebf849cf2acf1 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 20 Jun 2024 10:02:30 +0000 +Subject: [PATCH] Fix CVE-2024-3727 in github.com/containers/image + +--- + .../containers/image/v5/copy/progress_bars.go | 7 +++- + .../containers/image/v5/copy/single.go | 39 ++++++++++++++----- + .../image/v5/directory/directory_dest.go | 22 +++++++++-- + .../image/v5/directory/directory_src.go | 17 ++++++-- + .../image/v5/directory/directory_transport.go | 25 ++++++++---- + .../image/v5/docker/docker_client.go | 20 ++++++++-- + .../image/v5/docker/docker_image.go | 7 +++- + .../image/v5/docker/docker_image_dest.go | 22 +++++++++-- + .../image/v5/docker/docker_image_src.go | 18 ++++++++- + .../image/v5/docker/internal/tarfile/dest.go | 12 +++++- + .../v5/docker/internal/tarfile/writer.go | 34 ++++++++++++---- + .../image/v5/docker/registries_d.go | 7 +++- + .../image/v5/openshift/openshift_src.go | 3 ++ + .../containers/image/v5/ostree/ostree_dest.go | 10 +++++ + .../containers/image/v5/ostree/ostree_src.go | 4 +- + .../image/v5/storage/storage_dest.go | 32 ++++++++++----- + .../image/v5/storage/storage_image.go | 14 +++++-- + .../image/v5/storage/storage_reference.go | 10 ++++- + .../image/v5/storage/storage_src.go | 19 +++++++-- + 19 files changed, 254 insertions(+), 68 deletions(-) + +diff --git a/vendor/github.com/containers/image/v5/copy/progress_bars.go b/vendor/github.com/containers/image/v5/copy/progress_bars.go +index ce07823..ba6a273 100644 +--- a/vendor/github.com/containers/image/v5/copy/progress_bars.go ++++ b/vendor/github.com/containers/image/v5/copy/progress_bars.go +@@ -48,10 +48,13 @@ type progressBar struct { + // As a convention, most users of progress bars should call mark100PercentComplete on full success; + // by convention, we don't leave progress bars in partial state when fully done + // (even if we copied much less data than anticipated). 
+-func (c *copier) createProgressBar(pool *mpb.Progress, partial bool, info types.BlobInfo, kind string, onComplete string) *progressBar { ++func (c *copier) createProgressBar(pool *mpb.Progress, partial bool, info types.BlobInfo, kind string, onComplete string) (*progressBar, error) { + // shortDigestLen is the length of the digest used for blobs. + const shortDigestLen = 12 + ++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return nil, err ++ } + prefix := fmt.Sprintf("Copying %s %s", kind, info.Digest.Encoded()) + // Truncate the prefix (chopping of some part of the digest) to make all progress bars aligned in a column. + maxPrefixLen := len("Copying blob ") + shortDigestLen +@@ -104,7 +107,7 @@ func (c *copier) createProgressBar(pool *mpb.Progress, partial bool, info types. + return &progressBar{ + Bar: bar, + originalSize: info.Size, +- } ++ }, nil + } + + // printCopyInfo prints a "Copying ..." message on the copier if the output is +diff --git a/vendor/github.com/containers/image/v5/copy/single.go b/vendor/github.com/containers/image/v5/copy/single.go +index 67ca43f..d36b854 100644 +--- a/vendor/github.com/containers/image/v5/copy/single.go ++++ b/vendor/github.com/containers/image/v5/copy/single.go +@@ -599,7 +599,10 @@ func (ic *imageCopier) copyConfig(ctx context.Context, src types.Image) error { + destInfo, err := func() (types.BlobInfo, error) { // A scope for defer + progressPool := ic.c.newProgressPool() + defer progressPool.Wait() +- bar := ic.c.createProgressBar(progressPool, false, srcInfo, "config", "done") ++ bar, err := ic.c.createProgressBar(progressPool, false, srcInfo, "config", "done") ++ if err != nil { ++ return types.BlobInfo{}, err ++ } + defer bar.Abort(false) + ic.c.printCopyInfo("config", srcInfo) + +@@ -707,11 +710,17 @@ func (ic *imageCopier) copyLayer(ctx context.Context, srcInfo types.BlobInfo, to + } + if reused { + logrus.Debugf("Skipping blob %s (already 
present):", srcInfo.Digest) +- func() { // A scope for defer +- bar := ic.c.createProgressBar(pool, false, types.BlobInfo{Digest: reusedBlob.Digest, Size: 0}, "blob", "skipped: already exists") ++ if err := func() error { // A scope for defer ++ bar, err := ic.c.createProgressBar(pool, false, types.BlobInfo{Digest: reusedBlob.Digest, Size: 0}, "blob", "skipped: already exists") ++ if err != nil { ++ return err ++ } + defer bar.Abort(false) + bar.mark100PercentComplete() +- }() ++ return nil ++ }(); err != nil { ++ return types.BlobInfo{}, "", err ++ } + + // Throw an event that the layer has been skipped + if ic.c.options.Progress != nil && ic.c.options.ProgressInterval > 0 { +@@ -730,8 +739,11 @@ func (ic *imageCopier) copyLayer(ctx context.Context, srcInfo types.BlobInfo, to + // Attempt a partial only when the source allows to retrieve a blob partially and + // the destination has support for it. + if canAvoidProcessingCompleteLayer && ic.c.rawSource.SupportsGetBlobAt() && ic.c.dest.SupportsPutBlobPartial() { +- if reused, blobInfo := func() (bool, types.BlobInfo) { // A scope for defer +- bar := ic.c.createProgressBar(pool, true, srcInfo, "blob", "done") ++ reused, blobInfo, err := func() (bool, types.BlobInfo, error) { // A scope for defer ++ bar, err := ic.c.createProgressBar(pool, true, srcInfo, "blob", "done") ++ if err != nil { ++ return false, types.BlobInfo{}, err ++ } + hideProgressBar := true + defer func() { // Note that this is not the same as defer bar.Abort(hideProgressBar); we need hideProgressBar to be evaluated lazily. 
+ bar.Abort(hideProgressBar) +@@ -751,18 +763,25 @@ func (ic *imageCopier) copyLayer(ctx context.Context, srcInfo types.BlobInfo, to + bar.mark100PercentComplete() + hideProgressBar = false + logrus.Debugf("Retrieved partial blob %v", srcInfo.Digest) +- return true, updatedBlobInfoFromUpload(srcInfo, uploadedBlob) ++ return true, updatedBlobInfoFromUpload(srcInfo, uploadedBlob), nil + } + logrus.Debugf("Failed to retrieve partial blob: %v", err) +- return false, types.BlobInfo{} +- }(); reused { ++ return false, types.BlobInfo{}, nil ++ }() ++ if err != nil { ++ return types.BlobInfo{}, "", err ++ } ++ if reused { + return blobInfo, cachedDiffID, nil + } + } + + // Fallback: copy the layer, computing the diffID if we need to do so + return func() (types.BlobInfo, digest.Digest, error) { // A scope for defer +- bar := ic.c.createProgressBar(pool, false, srcInfo, "blob", "done") ++ bar, err := ic.c.createProgressBar(pool, false, srcInfo, "blob", "done") ++ if err != nil { ++ return types.BlobInfo{}, "", err ++ } + defer bar.Abort(false) + + srcStream, srcBlobSize, err := ic.c.rawSource.GetBlob(ctx, srcInfo, ic.c.blobInfoCache) +diff --git a/vendor/github.com/containers/image/v5/directory/directory_dest.go b/vendor/github.com/containers/image/v5/directory/directory_dest.go +index 222723a..d32877e 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_dest.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_dest.go +@@ -173,7 +173,10 @@ func (d *dirImageDestination) PutBlobWithOptions(ctx context.Context, stream io. 
+ } + } + +- blobPath := d.ref.layerPath(blobDigest) ++ blobPath, err := d.ref.layerPath(blobDigest) ++ if err != nil { ++ return private.UploadedBlob{}, err ++ } + // need to explicitly close the file, since a rename won't otherwise not work on Windows + blobFile.Close() + explicitClosed = true +@@ -196,7 +199,10 @@ func (d *dirImageDestination) TryReusingBlobWithOptions(ctx context.Context, inf + if info.Digest == "" { + return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with unknown digest") + } +- blobPath := d.ref.layerPath(info.Digest) ++ blobPath, err := d.ref.layerPath(info.Digest) ++ if err != nil { ++ return false, private.ReusedBlob{}, err ++ } + finfo, err := os.Stat(blobPath) + if err != nil && os.IsNotExist(err) { + return false, private.ReusedBlob{}, nil +@@ -216,7 +222,11 @@ func (d *dirImageDestination) TryReusingBlobWithOptions(ctx context.Context, inf + // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema), + // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError. + func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte, instanceDigest *digest.Digest) error { +- return os.WriteFile(d.ref.manifestPath(instanceDigest), manifest, 0644) ++ path, err := d.ref.manifestPath(instanceDigest) ++ if err != nil { ++ return err ++ } ++ return os.WriteFile(path, manifest, 0644) + } + + // PutSignaturesWithFormat writes a set of signatures to the destination. 
+@@ -229,7 +239,11 @@ func (d *dirImageDestination) PutSignaturesWithFormat(ctx context.Context, signa + if err != nil { + return err + } +- if err := os.WriteFile(d.ref.signaturePath(i, instanceDigest), blob, 0644); err != nil { ++ path, err := d.ref.signaturePath(i, instanceDigest) ++ if err != nil { ++ return err ++ } ++ if err := os.WriteFile(path, blob, 0644); err != nil { + return err + } + } +diff --git a/vendor/github.com/containers/image/v5/directory/directory_src.go b/vendor/github.com/containers/image/v5/directory/directory_src.go +index 5fc83bb..6d725bc 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_src.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_src.go +@@ -55,7 +55,11 @@ func (s *dirImageSource) Close() error { + // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list); + // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists). + func (s *dirImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { +- m, err := os.ReadFile(s.ref.manifestPath(instanceDigest)) ++ path, err := s.ref.manifestPath(instanceDigest) ++ if err != nil { ++ return nil, "", err ++ } ++ m, err := os.ReadFile(path) + if err != nil { + return nil, "", err + } +@@ -66,7 +70,11 @@ func (s *dirImageSource) GetManifest(ctx context.Context, instanceDigest *digest + // The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided. + // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location. 
+ func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) { +- r, err := os.Open(s.ref.layerPath(info.Digest)) ++ path, err := s.ref.layerPath(info.Digest) ++ if err != nil { ++ return nil, -1, err ++ } ++ r, err := os.Open(path) + if err != nil { + return nil, -1, err + } +@@ -84,7 +92,10 @@ func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache + func (s *dirImageSource) GetSignaturesWithFormat(ctx context.Context, instanceDigest *digest.Digest) ([]signature.Signature, error) { + signatures := []signature.Signature{} + for i := 0; ; i++ { +- path := s.ref.signaturePath(i, instanceDigest) ++ path, err := s.ref.signaturePath(i, instanceDigest) ++ if err != nil { ++ return nil, err ++ } + sigBlob, err := os.ReadFile(path) + if err != nil { + if os.IsNotExist(err) { +diff --git a/vendor/github.com/containers/image/v5/directory/directory_transport.go b/vendor/github.com/containers/image/v5/directory/directory_transport.go +index 7e30686..4f7d596 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_transport.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_transport.go +@@ -161,25 +161,34 @@ func (ref dirReference) DeleteImage(ctx context.Context, sys *types.SystemContex + } + + // manifestPath returns a path for the manifest within a directory using our conventions. +-func (ref dirReference) manifestPath(instanceDigest *digest.Digest) string { ++func (ref dirReference) manifestPath(instanceDigest *digest.Digest) (string, error) { + if instanceDigest != nil { +- return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json") ++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. 
++ return "", err ++ } ++ return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json"), nil + } +- return filepath.Join(ref.path, "manifest.json") ++ return filepath.Join(ref.path, "manifest.json"), nil + } + + // layerPath returns a path for a layer tarball within a directory using our conventions. +-func (ref dirReference) layerPath(digest digest.Digest) string { ++func (ref dirReference) layerPath(digest digest.Digest) (string, error) { ++ if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. ++ return "", err ++ } + // FIXME: Should we keep the digest identification? +- return filepath.Join(ref.path, digest.Encoded()) ++ return filepath.Join(ref.path, digest.Encoded()), nil + } + + // signaturePath returns a path for a signature within a directory using our conventions. +-func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest) string { ++func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest) (string, error) { + if instanceDigest != nil { +- return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1)) ++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. ++ return "", err ++ } ++ return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1)), nil + } +- return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1)) ++ return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1)), nil + } + + // versionPath returns a path for the version file within a directory using our conventions. 
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go +index 6ce8f70..d03f87a 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_client.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_client.go +@@ -952,6 +952,8 @@ func (c *dockerClient) detectProperties(ctx context.Context) error { + return c.detectPropertiesError + } + ++// fetchManifest fetches a manifest for (the repo of ref) + tagOrDigest. ++// The caller is responsible for ensuring tagOrDigest uses the expected format. + func (c *dockerClient) fetchManifest(ctx context.Context, ref dockerReference, tagOrDigest string) ([]byte, string, error) { + path := fmt.Sprintf(manifestPath, reference.Path(ref.ref), tagOrDigest) + headers := map[string][]string{ +@@ -1034,6 +1036,9 @@ func (c *dockerClient) getBlob(ctx context.Context, ref dockerReference, info ty + } + } + ++ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters ++ return nil, 0, err ++ } + path := fmt.Sprintf(blobsPath, reference.Path(ref.ref), info.Digest.String()) + logrus.Debugf("Downloading %s", path) + res, err := c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil) +@@ -1097,7 +1102,10 @@ func isManifestUnknownError(err error) bool { + // digest in ref. + // It returns (nil, nil) if the manifest does not exist. 
+ func (c *dockerClient) getSigstoreAttachmentManifest(ctx context.Context, ref dockerReference, digest digest.Digest) (*manifest.OCI1, error) { +- tag := sigstoreAttachmentTag(digest) ++ tag, err := sigstoreAttachmentTag(digest) ++ if err != nil { ++ return nil, err ++ } + sigstoreRef, err := reference.WithTag(reference.TrimNamed(ref.ref), tag) + if err != nil { + return nil, err +@@ -1130,6 +1138,9 @@ func (c *dockerClient) getSigstoreAttachmentManifest(ctx context.Context, ref do + // getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension, + // using the original data structures. + func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) { ++ if err := manifestDigest.Validate(); err != nil { // Make sure manifestDigest.String() does not contain any unexpected characters ++ return nil, err ++ } + path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest) + res, err := c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil) + if err != nil { +@@ -1153,8 +1164,11 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe + } + + // sigstoreAttachmentTag returns a sigstore attachment tag for the specified digest. +-func sigstoreAttachmentTag(d digest.Digest) string { +- return strings.Replace(d.String(), ":", "-", 1) + ".sig" ++func sigstoreAttachmentTag(d digest.Digest) (string, error) { ++ if err := d.Validate(); err != nil { // Make sure d.String() doesn’t contain any unexpected characters ++ return "", err ++ } ++ return strings.Replace(d.String(), ":", "-", 1) + ".sig", nil + } + + // Close removes resources associated with an initialized dockerClient, if any. 
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go +index 9316048..4c80bb2 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image.go +@@ -88,7 +88,12 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types. + if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil { + return nil, err + } +- tags = append(tags, tagsHolder.Tags...) ++ for _, tag := range tagsHolder.Tags { ++ if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values ++ return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err) ++ } ++ tags = append(tags, tag) ++ } + + link := res.Header.Get("Link") + if link == "" { +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +index a9a36f0..0c0505a 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +@@ -229,6 +229,9 @@ func (d *dockerImageDestination) PutBlobWithOptions(ctx context.Context, stream + // If the destination does not contain the blob, or it is unknown, blobExists ordinarily returns (false, -1, nil); + // it returns a non-nil error only on an unexpected failure. 
+ func (d *dockerImageDestination) blobExists(ctx context.Context, repo reference.Named, digest digest.Digest, extraScope *authScope) (bool, int64, error) { ++ if err := digest.Validate(); err != nil { // Make sure digest.String() does not contain any unexpected characters ++ return false, -1, err ++ } + checkPath := fmt.Sprintf(blobsPath, reference.Path(repo), digest.String()) + logrus.Debugf("Checking %s", checkPath) + res, err := d.c.makeRequest(ctx, http.MethodHead, checkPath, nil, nil, v2Auth, extraScope) +@@ -466,6 +469,7 @@ func (d *dockerImageDestination) PutManifest(ctx context.Context, m []byte, inst + // particular instance. + refTail = instanceDigest.String() + // Double-check that the manifest we've been given matches the digest we've been given. ++ // This also validates the format of instanceDigest. + matches, err := manifest.MatchesDigest(m, *instanceDigest) + if err != nil { + return fmt.Errorf("digesting manifest in PutManifest: %w", err) +@@ -632,11 +636,13 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures []signature + + // NOTE: Keep this in sync with docs/signature-protocols.md! + for i, signature := range signatures { +- sigURL := lookasideStorageURL(d.c.signatureBase, manifestDigest, i) +- err := d.putOneSignature(sigURL, signature) ++ sigURL, err := lookasideStorageURL(d.c.signatureBase, manifestDigest, i) + if err != nil { + return err + } ++ if err := d.putOneSignature(sigURL, signature); err != nil { ++ return err ++ } + } + // Remove any other signatures, if present. + // We stop at the first missing signature; if a previous deleting loop aborted +@@ -644,7 +650,10 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures []signature + // is enough for dockerImageSource to stop looking for other signatures, so that + // is sufficient. 
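Review bot: The PutManifest hunk documents that instanceDigest's format is validated only as a side effect of `manifest.MatchesDigest`, yet `refTail = instanceDigest.String()` is already computed on the line before that call; the putSignaturesToAPIExtension hunk further down relies on the same kind of remote guarantee ("not rejected by getExtensionsSignatures above"). Both invariants live in other functions and silently stop holding if those are refactored, while the rest of this patch validates at the point of use. A local check keeps each function self-contained: `if err := instanceDigest.Validate(); err != nil { return err }` before `refTail = instanceDigest.String()`, and the same for manifestDigest before the `fmt.Sprintf(extensionsSignaturePath, ...)` call; if the extra call is considered too much, the comments should at least name the exact line in the other function that performs the validation. Both enclosing functions start and end outside their hunks.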
+ for i := len(signatures); ; i++ { +- sigURL := lookasideStorageURL(d.c.signatureBase, manifestDigest, i) ++ sigURL, err := lookasideStorageURL(d.c.signatureBase, manifestDigest, i) ++ if err != nil { ++ return err ++ } + missing, err := d.c.deleteOneSignature(sigURL) + if err != nil { + return err +@@ -775,8 +784,12 @@ func (d *dockerImageDestination) putSignaturesToSigstoreAttachments(ctx context. + if err != nil { + return err + } ++ attachmentTag, err := sigstoreAttachmentTag(manifestDigest) ++ if err != nil { ++ return err ++ } + logrus.Debugf("Uploading sigstore attachment manifest") +- return d.uploadManifest(ctx, manifestBlob, sigstoreAttachmentTag(manifestDigest)) ++ return d.uploadManifest(ctx, manifestBlob, attachmentTag) + } + + func layerMatchesSigstoreSignature(layer imgspecv1.Descriptor, mimeType string, +@@ -892,6 +905,7 @@ func (d *dockerImageDestination) putSignaturesToAPIExtension(ctx context.Context + return err + } + ++ // manifestDigest is known to be valid because it was not rejected by getExtensionsSignatures above. + path := fmt.Sprintf(extensionsSignaturePath, reference.Path(d.ref.ref), manifestDigest.String()) + res, err := d.c.makeRequest(ctx, http.MethodPut, path, nil, bytes.NewReader(body), v2Auth, nil) + if err != nil { +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +index f9d4d60..274cd6d 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +@@ -194,6 +194,9 @@ func simplifyContentType(contentType string) string { + // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists). 
+ func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { + if instanceDigest != nil { ++ if err := instanceDigest.Validate(); err != nil { // Make sure instanceDigest.String() does not contain any unexpected characters ++ return nil, "", err ++ } + return s.fetchManifest(ctx, instanceDigest.String()) + } + err := s.ensureManifestIsLoaded(ctx) +@@ -203,6 +206,8 @@ func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *dig + return s.cachedManifest, s.cachedManifestMIMEType, nil + } + ++// fetchManifest fetches a manifest for tagOrDigest. ++// The caller is responsible for ensuring tagOrDigest uses the expected format. + func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest string) ([]byte, string, error) { + return s.c.fetchManifest(ctx, s.physicalRef, tagOrDigest) + } +@@ -352,6 +357,9 @@ func (s *dockerImageSource) GetBlobAt(ctx context.Context, info types.BlobInfo, + return nil, nil, fmt.Errorf("external URLs not supported with GetBlobAt") + } + ++ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters ++ return nil, nil, err ++ } + path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String()) + logrus.Debugf("Downloading %s", path) + res, err := s.c.makeRequest(ctx, http.MethodGet, path, headers, nil, v2Auth, nil) +@@ -462,7 +470,10 @@ func (s *dockerImageSource) getSignaturesFromLookaside(ctx context.Context, inst + return nil, fmt.Errorf("server provided %d signatures, assuming that's unreasonable and a server error", maxLookasideSignatures) + } + +- sigURL := lookasideStorageURL(s.c.signatureBase, manifestDigest, i) ++ sigURL, err := lookasideStorageURL(s.c.signatureBase, manifestDigest, i) ++ if err != nil { ++ return nil, err ++ } + signature, missing, err := s.getOneSignature(ctx, sigURL) + if err != nil { + return nil, err +@@ -660,7 +671,10 @@ func 
deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere + } + + for i := 0; ; i++ { +- sigURL := lookasideStorageURL(c.signatureBase, manifestDigest, i) ++ sigURL, err := lookasideStorageURL(c.signatureBase, manifestDigest, i) ++ if err != nil { ++ return err ++ } + missing, err := c.deleteOneSignature(sigURL) + if err != nil { + return err +diff --git a/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go +index 7507d85..106490c 100644 +--- a/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go ++++ b/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go +@@ -111,11 +111,19 @@ func (d *Destination) PutBlobWithOptions(ctx context.Context, stream io.Reader, + return private.UploadedBlob{}, fmt.Errorf("reading Config file stream: %w", err) + } + d.config = buf +- if err := d.archive.sendFileLocked(d.archive.configPath(inputInfo.Digest), inputInfo.Size, bytes.NewReader(buf)); err != nil { ++ configPath, err := d.archive.configPath(inputInfo.Digest) ++ if err != nil { ++ return private.UploadedBlob{}, err ++ } ++ if err := d.archive.sendFileLocked(configPath, inputInfo.Size, bytes.NewReader(buf)); err != nil { + return private.UploadedBlob{}, fmt.Errorf("writing Config file: %w", err) + } + } else { +- if err := d.archive.sendFileLocked(d.archive.physicalLayerPath(inputInfo.Digest), inputInfo.Size, stream); err != nil { ++ layerPath, err := d.archive.physicalLayerPath(inputInfo.Digest) ++ if err != nil { ++ return private.UploadedBlob{}, err ++ } ++ if err := d.archive.sendFileLocked(layerPath, inputInfo.Size, stream); err != nil { + return private.UploadedBlob{}, err + } + } +diff --git a/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go b/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go +index df7b2c0..7f6bd0e 100644 +--- 
a/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go ++++ b/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go +@@ -95,7 +95,10 @@ func (w *Writer) ensureSingleLegacyLayerLocked(layerID string, layerDigest diges + if !w.legacyLayers.Contains(layerID) { + // Create a symlink for the legacy format, where there is one subdirectory per layer ("image"). + // See also the comment in physicalLayerPath. +- physicalLayerPath := w.physicalLayerPath(layerDigest) ++ physicalLayerPath, err := w.physicalLayerPath(layerDigest) ++ if err != nil { ++ return err ++ } + if err := w.sendSymlinkLocked(filepath.Join(layerID, legacyLayerFileName), filepath.Join("..", physicalLayerPath)); err != nil { + return fmt.Errorf("creating layer symbolic link: %w", err) + } +@@ -139,6 +142,9 @@ func (w *Writer) writeLegacyMetadataLocked(layerDescriptors []manifest.Schema2De + } + + // This chainID value matches the computation in docker/docker/layer.CreateChainID … ++ if err := l.Digest.Validate(); err != nil { // This should never fail on this code path, still: make sure the chainID computation is unambiguous. 
++ return err ++ } + if chainID == "" { + chainID = l.Digest + } else { +@@ -204,12 +210,20 @@ func checkManifestItemsMatch(a, b *ManifestItem) error { + func (w *Writer) ensureManifestItemLocked(layerDescriptors []manifest.Schema2Descriptor, configDigest digest.Digest, repoTags []reference.NamedTagged) error { + layerPaths := []string{} + for _, l := range layerDescriptors { +- layerPaths = append(layerPaths, w.physicalLayerPath(l.Digest)) ++ p, err := w.physicalLayerPath(l.Digest) ++ if err != nil { ++ return err ++ } ++ layerPaths = append(layerPaths, p) + } + + var item *ManifestItem ++ configPath, err := w.configPath(configDigest) ++ if err != nil { ++ return err ++ } + newItem := ManifestItem{ +- Config: w.configPath(configDigest), ++ Config: configPath, + RepoTags: []string{}, + Layers: layerPaths, + Parent: "", // We don’t have this information +@@ -294,21 +308,27 @@ func (w *Writer) Close() error { + // configPath returns a path we choose for storing a config with the specified digest. + // NOTE: This is an internal implementation detail, not a format property, and can change + // any time. +-func (w *Writer) configPath(configDigest digest.Digest) string { +- return configDigest.Hex() + ".json" ++func (w *Writer) configPath(configDigest digest.Digest) (string, error) { ++ if err := configDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in unexpected paths, so validate explicitly. ++ return "", err ++ } ++ return configDigest.Hex() + ".json", nil + } + + // physicalLayerPath returns a path we choose for storing a layer with the specified digest + // (the actual path, i.e. a regular file, not a symlink that may be used in the legacy format). + // NOTE: This is an internal implementation detail, not a format property, and can change + // any time. 
+-func (w *Writer) physicalLayerPath(layerDigest digest.Digest) string { ++func (w *Writer) physicalLayerPath(layerDigest digest.Digest) (string, error) { ++ if err := layerDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in unexpected paths, so validate explicitly. ++ return "", err ++ } + // Note that this can't be e.g. filepath.Join(l.Digest.Hex(), legacyLayerFileName); due to the way + // writeLegacyMetadata constructs layer IDs differently from inputinfo.Digest values (as described + // inside it), most of the layers would end up in subdirectories alone without any metadata; (docker load) + // tries to load every subdirectory as an image and fails if the config is missing. So, keep the layers + // in the root of the tarball. +- return layerDigest.Hex() + ".tar" ++ return layerDigest.Hex() + ".tar", nil + } + + type tarFI struct { +diff --git a/vendor/github.com/containers/image/v5/docker/registries_d.go b/vendor/github.com/containers/image/v5/docker/registries_d.go +index c7b884a..9d651d9 100644 +--- a/vendor/github.com/containers/image/v5/docker/registries_d.go ++++ b/vendor/github.com/containers/image/v5/docker/registries_d.go +@@ -286,8 +286,11 @@ func (ns registryNamespace) signatureTopLevel(write bool) string { + // lookasideStorageURL returns an URL usable for accessing signature index in base with known manifestDigest. + // base is not nil from the caller + // NOTE: Keep this in sync with docs/signature-protocols.md! +-func lookasideStorageURL(base lookasideStorageBase, manifestDigest digest.Digest, index int) *url.URL { ++func lookasideStorageURL(base lookasideStorageBase, manifestDigest digest.Digest, index int) (*url.URL, error) { ++ if err := manifestDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in a path with ../, so validate explicitly. 
++ return nil, err ++ } + sigURL := *base + sigURL.Path = fmt.Sprintf("%s@%s=%s/signature-%d", sigURL.Path, manifestDigest.Algorithm(), manifestDigest.Hex(), index+1) +- return &sigURL ++ return &sigURL, nil + } +diff --git a/vendor/github.com/containers/image/v5/openshift/openshift_src.go b/vendor/github.com/containers/image/v5/openshift/openshift_src.go +index 0ac0127..62774af 100644 +--- a/vendor/github.com/containers/image/v5/openshift/openshift_src.go ++++ b/vendor/github.com/containers/image/v5/openshift/openshift_src.go +@@ -109,6 +109,9 @@ func (s *openshiftImageSource) GetSignaturesWithFormat(ctx context.Context, inst + } + imageStreamImageName = s.imageStreamImageName + } else { ++ if err := instanceDigest.Validate(); err != nil { // Make sure instanceDigest.String() does not contain any unexpected characters ++ return nil, err ++ } + imageStreamImageName = instanceDigest.String() + } + image, err := s.client.getImage(ctx, imageStreamImageName) +diff --git a/vendor/github.com/containers/image/v5/ostree/ostree_dest.go b/vendor/github.com/containers/image/v5/ostree/ostree_dest.go +index d00a0cd..29177f1 100644 +--- a/vendor/github.com/containers/image/v5/ostree/ostree_dest.go ++++ b/vendor/github.com/containers/image/v5/ostree/ostree_dest.go +@@ -345,6 +345,10 @@ func (d *ostreeImageDestination) TryReusingBlobWithOptions(ctx context.Context, + } + d.repo = repo + } ++ ++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, so validate explicitly. ++ return false, private.ReusedBlob{}, err ++ } + branch := fmt.Sprintf("ociimage/%s", info.Digest.Hex()) + + found, data, err := readMetadata(d.repo, branch, "docker.uncompressed_digest") +@@ -470,12 +474,18 @@ func (d *ostreeImageDestination) Commit(context.Context, types.UnparsedImage) er + return nil + } + for _, layer := range d.schema.LayersDescriptors { ++ if err := layer.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. 
++ return err ++ } + hash := layer.Digest.Hex() + if err = checkLayer(hash); err != nil { + return err + } + } + for _, layer := range d.schema.FSLayers { ++ if err := layer.BlobSum.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return err ++ } + hash := layer.BlobSum.Hex() + if err = checkLayer(hash); err != nil { + return err +diff --git a/vendor/github.com/containers/image/v5/ostree/ostree_src.go b/vendor/github.com/containers/image/v5/ostree/ostree_src.go +index 9983acc..a9568c2 100644 +--- a/vendor/github.com/containers/image/v5/ostree/ostree_src.go ++++ b/vendor/github.com/containers/image/v5/ostree/ostree_src.go +@@ -286,7 +286,9 @@ func (s *ostreeImageSource) readSingleFile(commit, path string) (io.ReadCloser, + // The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided. + // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location. + func (s *ostreeImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) { +- ++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return nil, -1, err ++ } + blob := info.Digest.Hex() + + // Ensure s.compressed is initialized. It is build by LayerInfosForCopy. +diff --git a/vendor/github.com/containers/image/v5/storage/storage_dest.go b/vendor/github.com/containers/image/v5/storage/storage_dest.go +index 07e1d5e..6b59be1 100644 +--- a/vendor/github.com/containers/image/v5/storage/storage_dest.go ++++ b/vendor/github.com/containers/image/v5/storage/storage_dest.go +@@ -324,6 +324,13 @@ func (s *storageImageDestination) TryReusingBlobWithOptions(ctx context.Context, + // tryReusingBlobAsPending implements TryReusingBlobWithOptions for (digest, size or -1), filling s.blobDiffIDs and other metadata. 
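Review bot: The new comments in the ostree_dest.go Commit hunk say `digest.Digest.Encoded() panics on failure`, but the calls they guard on the following lines are `layer.Digest.Hex()` and `layer.BlobSum.Hex()`; the ostree_src.go GetBlob hunk has the same mismatch (`Encoded()` in the comment, `info.Digest.Hex()` in the code). Hex() is the deprecated alias of Encoded() in go-digest, so the guards are correct, but a reader checking the comment against the code will not find the call it names. Either reword to `// digest.Digest.Hex() panics on failure, so validate explicitly.` as the TryReusingBlobWithOptions hunk already does, or switch the guarded calls to `Encoded()` as the directory and storage hunks in this patch use. Commit and GetBlob both begin outside their hunks.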
+ // The caller must arrange the blob to be eventually committed using s.commitLayer(). + func (s *storageImageDestination) tryReusingBlobAsPending(digest digest.Digest, size int64, options *private.TryReusingBlobOptions) (bool, private.ReusedBlob, error) { ++ if digest == "" { ++ return false, private.ReusedBlob{}, errors.New(`Can not check for a blob with unknown digest`) ++ } ++ if err := digest.Validate(); err != nil { ++ return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with invalid digest: %w", err) ++ } ++ + // lock the entire method as it executes fairly quickly + s.lock.Lock() + defer s.lock.Unlock() +@@ -344,13 +351,6 @@ func (s *storageImageDestination) tryReusingBlobAsPending(digest digest.Digest, + } + } + +- if digest == "" { +- return false, private.ReusedBlob{}, errors.New(`Can not check for a blob with unknown digest`) +- } +- if err := digest.Validate(); err != nil { +- return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with invalid digest: %w", err) +- } +- + // Check if we've already cached it in a file. + if size, ok := s.fileSizes[digest]; ok { + return true, private.ReusedBlob{ +@@ -803,8 +803,12 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + if err != nil { + return fmt.Errorf("digesting top-level manifest: %w", err) + } ++ key, err := manifestBigDataKey(manifestDigest) ++ if err != nil { ++ return err ++ } + options.BigData = append(options.BigData, storage.ImageBigDataOption{ +- Key: manifestBigDataKey(manifestDigest), ++ Key: key, + Data: toplevelManifest, + Digest: manifestDigest, + }) +@@ -812,8 +816,12 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + // Set up to save the image's manifest. Allow looking it up by digest by using the key convention defined by the Store. 
+ // Record the manifest twice: using a digest-specific key to allow references to that specific digest instance, + // and using storage.ImageDigestBigDataKey for future users that don’t specify any digest and for compatibility with older readers. ++ key, err := manifestBigDataKey(s.manifestDigest) ++ if err != nil { ++ return err ++ } + options.BigData = append(options.BigData, storage.ImageBigDataOption{ +- Key: manifestBigDataKey(s.manifestDigest), ++ Key: key, + Data: s.manifest, + Digest: s.manifestDigest, + }) +@@ -831,8 +839,12 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + }) + } + for instanceDigest, signatures := range s.signatureses { ++ key, err := signatureBigDataKey(instanceDigest) ++ if err != nil { ++ return err ++ } + options.BigData = append(options.BigData, storage.ImageBigDataOption{ +- Key: signatureBigDataKey(instanceDigest), ++ Key: key, + Data: signatures, + Digest: digest.Canonical.FromBytes(signatures), + }) +diff --git a/vendor/github.com/containers/image/v5/storage/storage_image.go b/vendor/github.com/containers/image/v5/storage/storage_image.go +index ac09f3d..ba25a0c 100644 +--- a/vendor/github.com/containers/image/v5/storage/storage_image.go ++++ b/vendor/github.com/containers/image/v5/storage/storage_image.go +@@ -26,14 +26,20 @@ type storageImageCloser struct { + // manifestBigDataKey returns a key suitable for recording a manifest with the specified digest using storage.Store.ImageBigData and related functions. 
+ // If a specific manifest digest is explicitly requested by the user, the key returned by this function should be used preferably;
+ // for compatibility, if a manifest is not available under this key, check also storage.ImageDigestBigDataKey
+-func manifestBigDataKey(digest digest.Digest) string {
+- return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String()
++func manifestBigDataKey(digest digest.Digest) (string, error) {
++ if err := digest.Validate(); err != nil { // Make sure info.Digest.String() uses the expected format and does not collide with other BigData keys.
++ return "", err
++ }
++ return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String(), nil
+ }
+ 
+ // signatureBigDataKey returns a key suitable for recording the signatures associated with the manifest with the specified digest using storage.Store.ImageBigData and related functions.
+ // If a specific manifest digest is explicitly requested by the user, the key returned by this function should be used preferably;
+-func signatureBigDataKey(digest digest.Digest) string {
+- return "signature-" + digest.Encoded()
++func signatureBigDataKey(digest digest.Digest) (string, error) {
++ if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly.
++ return "", err
++ }
++ return "signature-" + digest.Encoded(), nil
+ }
+ 
+ // Size() returns the previously-computed size of the image, with no error.
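Review bot: The comment on manifestBigDataKey's new guard refers to `info.Digest.String()`, but this function has no `info`; the value being validated is the `digest` parameter, so the wording looks copied from the docker_client.go hunks where the variable really is `info.Digest`. Suggest `// Make sure digest.String() uses the expected format and does not collide with other BigData keys.` so the comment names the value the check protects. The adjacent signatureBigDataKey comment is accurate as written.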
+diff --git a/vendor/github.com/containers/image/v5/storage/storage_reference.go b/vendor/github.com/containers/image/v5/storage/storage_reference.go
+index a55e340..6b7565f 100644
+--- a/vendor/github.com/containers/image/v5/storage/storage_reference.go
++++ b/vendor/github.com/containers/image/v5/storage/storage_reference.go
+@@ -73,7 +73,10 @@ func multiArchImageMatchesSystemContext(store storage.Store, img *storage.Image,
+ // We don't need to care about storage.ImageDigestBigDataKey because
+ // manifests lists are only stored into storage by c/image versions
+ // that know about manifestBigDataKey, and only using that key.
+- key := manifestBigDataKey(manifestDigest)
++ key, err := manifestBigDataKey(manifestDigest)
++ if err != nil {
++ return false // This should never happen, manifestDigest comes from a reference.Digested, and that validates the format.
++ }
+ manifestBytes, err := store.ImageBigData(img.ID, key)
+ if err != nil {
+ return false
+@@ -95,7 +98,10 @@ func multiArchImageMatchesSystemContext(store storage.Store, img *storage.Image,
+ if err != nil {
+ return false
+ }
+- key = manifestBigDataKey(chosenInstance)
++ key, err = manifestBigDataKey(chosenInstance)
++ if err != nil {
++ return false
++ }
+ _, err = store.ImageBigData(img.ID, key)
+ return err == nil // true if img.ID is based on chosenInstance.
+ }
+diff --git a/vendor/github.com/containers/image/v5/storage/storage_src.go b/vendor/github.com/containers/image/v5/storage/storage_src.go
+index f1ce086..7e4b69f 100644
+--- a/vendor/github.com/containers/image/v5/storage/storage_src.go
++++ b/vendor/github.com/containers/image/v5/storage/storage_src.go
+@@ -202,7 +202,10 @@ func (s *storageImageSource) getBlobAndLayerID(digest digest.Digest, layers []st
+ // GetManifest() reads the image's manifest.
+ func (s *storageImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) (manifestBlob []byte, mimeType string, err error) {
+ if instanceDigest != nil {
+- key := manifestBigDataKey(*instanceDigest)
++ key, err := manifestBigDataKey(*instanceDigest)
++ if err != nil {
++ return nil, "", err
++ }
+ blob, err := s.imageRef.transport.store.ImageBigData(s.image.ID, key)
+ if err != nil {
+ return nil, "", fmt.Errorf("reading manifest for image instance %q: %w", *instanceDigest, err)
+@@ -214,7 +217,10 @@ func (s *storageImageSource) GetManifest(ctx context.Context, instanceDigest *di
+ // Prefer the manifest corresponding to the user-specified digest, if available.
+ if s.imageRef.named != nil {
+ if digested, ok := s.imageRef.named.(reference.Digested); ok {
+- key := manifestBigDataKey(digested.Digest())
++ key, err := manifestBigDataKey(digested.Digest())
++ if err != nil {
++ return nil, "", err
++ }
+ blob, err := s.imageRef.transport.store.ImageBigData(s.image.ID, key)
+ if err != nil && !os.IsNotExist(err) { // os.IsNotExist is true if the image exists but there is no data corresponding to key
+ return nil, "", err
+@@ -329,7 +335,14 @@ func (s *storageImageSource) GetSignaturesWithFormat(ctx context.Context, instan
+ instance := "default instance"
+ if instanceDigest != nil {
+ signatureSizes = s.SignaturesSizes[*instanceDigest]
+- key = signatureBigDataKey(*instanceDigest)
++ k, err := signatureBigDataKey(*instanceDigest)
++ if err != nil {
++ return nil, err
++ }
++ key = k
++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly.
++ return nil, err
++ }
+ instance = instanceDigest.Encoded()
+ }
+ if len(signatureSizes) > 0 {
+-- 
+2.33.8
+
diff --git a/SPECS/skopeo/skopeo.spec b/SPECS/skopeo/skopeo.spec
index 3e5f864a35c..53b158aa14e 100644
--- a/SPECS/skopeo/skopeo.spec
+++ b/SPECS/skopeo/skopeo.spec
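Review bot: In the GetSignaturesWithFormat hunk the explicit `instanceDigest.Validate()` placed right after `key = k` is redundant: `signatureBigDataKey` (storage_image.go in this same patch) already calls `Validate()` on the same digest and returns its error, so the second check cannot fail once the first has passed. The `k` temporary also exists only because `key` is declared outside the `if`; declaring `err` once and writing `key, err = signatureBigDataKey(*instanceDigest)` avoids the copy (assuming `err` is not already in scope, which the hunk does not show). One check is enough to protect the `instanceDigest.Encoded()` call that follows; the enclosing function starts outside the hunk.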
@@ -1,7 +1,7 @@ Summary: Inspect container images and repositories on registries Name: skopeo Version: 1.14.2 -Release: 4%{?dist} +Release: 5%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -9,6 +9,7 @@ Group: Applications/Tools URL: https://github.com/containers/skopeo Source0: https://github.com/containers/skopeo/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch0: CVE-2023-45288.patch +Patch1: CVE-2024-3727.patch %global debug_package %{nil} %define our_gopath %{_topdir}/.gopath BuildRequires: btrfs-progs-devel @@ -46,9 +47,12 @@ make test-unit-local %{_mandir}/man1/%%{name}* %changelog -* Thu Jun 06 2024 CBL-Mariner Servicing Account - 1.14.2-4 +* Wed Jun 26 2024 CBL-Mariner Servicing Account - 1.14.2-5 - Bump release to rebuild with go 1.21.11 +* Thu Jun 20 2024 Rohit Rawat - 1.14.2-4 +- Fix CVE-2024-3727 in github.com/containers/image + * Thu Apr 18 2024 Chris Gunn - 1.14.2-3 - Fix for CVE-2023-45288 diff --git a/SPECS/vitess/CVE-2023-44487.patch b/SPECS/vitess/CVE-2023-44487.patch deleted file mode 100644 index 8f91fa92d54..00000000000 --- a/SPECS/vitess/CVE-2023-44487.patch +++ /dev/null 
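Review bot: The %changelog hunk re-dates and renumbers the existing `1.14.2-4` entry (Thu Jun 06, go 1.21.11 rebuild) to `1.14.2-5` on Wed Jun 26, and inserts the CVE-2024-3727 fix as `1.14.2-4` dated Jun 20. If a 1.14.2-4 build was already published from the Jun 06 entry, that build did not contain Patch1, so the history now attributes the fix to a release that lacks it, which is what advisory and CVE tracking read. Keeping the original `* Thu Jun 06 2024 CBL-Mariner Servicing Account - 1.14.2-4` entry unchanged and adding the fix as the new top entry, `* ... - 1.14.2-5` / `- Fix CVE-2024-3727 in github.com/containers/image`, keeps each published release's changelog accurate; if the Jun 06 entry was never built, a sentence in the description saying so would settle it.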
@@ -1,152 +0,0 @@ -From cfb6510164d254bb74e00f066883d4a74458f6b5 Mon Sep 17 00:00:00 2001 -From: Damien Neil -Date: Fri, 6 Oct 2023 09:51:19 -0700 -Subject: [PATCH] http2: limit maximum handler goroutines to - MaxConcurrentStreams - -When the peer opens a new stream while we have MaxConcurrentStreams -handler goroutines running, defer starting a handler until one -of the existing handlers exits. - -Fixes golang/go#63417 -Fixes CVE-2023-39325 - -Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d -Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 -TryBot-Result: Security TryBots -Reviewed-by: Ian Cottrell -Reviewed-by: Tatiana Bradley -Run-TryBot: Damien Neil -Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 -Reviewed-by: Michael Pratt -Reviewed-by: Dmitri Shuralyov -LUCI-TryBot-Result: Go LUCI -Auto-Submit: Dmitri Shuralyov -Reviewed-by: Damien Neil - -Modified to apply to vendored code by: Daniel McIlvaney - - Adjusted paths - - Removed reference to server_test.go ---- - vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++++++++- - 1 file changed, 64 insertions(+), 2 deletions(-) - -diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go -index 8cb14f3..6000140 100644 ---- a/vendor/golang.org/x/net/http2/server.go -+++ b/vendor/golang.org/x/net/http2/server.go -@@ -581,9 +581,11 @@ type serverConn struct { - advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client - curClientStreams uint32 // number of open streams initiated by the client - curPushedStreams uint32 // number of open streams initiated by server push -+ curHandlers uint32 // number of running handler goroutines - maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests - maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes - streams map[uint32]*stream -+ unstartedHandlers []unstartedHandler 
- initialStreamSendWindowSize int32 - maxFrameSize int32 - peerMaxHeaderListSize uint32 // zero means unknown (default) -@@ -981,6 +983,8 @@ func (sc *serverConn) serve() { - return - case gracefulShutdownMsg: - sc.startGracefulShutdownInternal() -+ case handlerDoneMsg: -+ sc.handlerDone() - default: - panic("unknown timer") - } -@@ -1028,6 +1032,7 @@ var ( - idleTimerMsg = new(serverMessage) - shutdownTimerMsg = new(serverMessage) - gracefulShutdownMsg = new(serverMessage) -+ handlerDoneMsg = new(serverMessage) - ) - - func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } -@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { - } - } - -- go sc.runHandler(rw, req, handler) -- return nil -+ return sc.scheduleHandler(id, rw, req, handler) - } - - func (sc *serverConn) upgradeRequest(req *http.Request) { -@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) { - sc.conn.SetReadDeadline(time.Time{}) - } - -+ // This is the first request on the connection, -+ // so start the handler directly rather than going -+ // through scheduleHandler. -+ sc.curHandlers++ - go sc.runHandler(rw, req, sc.handler.ServeHTTP) - } - -@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response - return &responseWriter{rws: rws} - } - -+type unstartedHandler struct { -+ streamID uint32 -+ rw *responseWriter -+ req *http.Request -+ handler func(http.ResponseWriter, *http.Request) -+} -+ -+// scheduleHandler starts a handler goroutine, -+// or schedules one to start as soon as an existing handler finishes. 
-+func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { -+ sc.serveG.check() -+ maxHandlers := sc.advMaxStreams -+ if sc.curHandlers < maxHandlers { -+ sc.curHandlers++ -+ go sc.runHandler(rw, req, handler) -+ return nil -+ } -+ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { -+ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) -+ } -+ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ -+ streamID: streamID, -+ rw: rw, -+ req: req, -+ handler: handler, -+ }) -+ return nil -+} -+ -+func (sc *serverConn) handlerDone() { -+ sc.serveG.check() -+ sc.curHandlers-- -+ i := 0 -+ maxHandlers := sc.advMaxStreams -+ for ; i < len(sc.unstartedHandlers); i++ { -+ u := sc.unstartedHandlers[i] -+ if sc.streams[u.streamID] == nil { -+ // This stream was reset before its goroutine had a chance to start. -+ continue -+ } -+ if sc.curHandlers >= maxHandlers { -+ break -+ } -+ sc.curHandlers++ -+ go sc.runHandler(u.rw, u.req, u.handler) -+ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references -+ } -+ sc.unstartedHandlers = sc.unstartedHandlers[i:] -+ if len(sc.unstartedHandlers) == 0 { -+ sc.unstartedHandlers = nil -+ } -+} -+ - // Run on its own goroutine. - func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { -+ defer sc.sendServeMsg(handlerDoneMsg) - didPanic := true - defer func() { - rw.rws.stream.cancelCtx() --- -2.33.8 diff --git a/SPECS/vitess/CVE-2023-45288.patch b/SPECS/vitess/CVE-2023-45288.patch deleted file mode 100644 index 676fcbace54..00000000000 --- a/SPECS/vitess/CVE-2023-45288.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001 -From: Damien Neil -Date: Wed, 10 Jan 2024 13:41:39 -0800 -Subject: [PATCH] http2: close connections when receiving too many headers - -Maintaining HPACK state requires that we parse and process -all HEADERS and CONTINUATION frames on a connection. -When a request's headers exceed MaxHeaderBytes, we don't -allocate memory to store the excess headers but we do -parse them. This permits an attacker to cause an HTTP/2 -endpoint to read arbitrary amounts of data, all associated -with a request which is going to be rejected. - -Set a limit on the amount of excess header frames we -will process before closing a connection. - -Thanks to Bartek Nowotarski for reporting this issue. - -Fixes CVE-2023-45288 -Fixes golang/go#65051 - -Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 -Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 -Reviewed-by: Roland Shoemaker -Reviewed-by: Tatiana Bradley -Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 -Reviewed-by: Dmitri Shuralyov -Auto-Submit: Dmitri Shuralyov -Reviewed-by: Than McIntosh -LUCI-TryBot-Result: Go LUCI ---- - vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ - 1 file changed, 31 insertions(+) - -diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go -index c1f6b90..175c154 100644 ---- a/vendor/golang.org/x/net/http2/frame.go -+++ b/vendor/golang.org/x/net/http2/frame.go -@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { - if size > remainSize { - hdec.SetEmitEnabled(false) - mh.Truncated = true -+ remainSize = 0 - return - } - remainSize -= size -@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { - var hc headersOrContinuation = hf - for { - frag := hc.HeaderBlockFragment() -+ -+ // Avoid parsing large amounts of headers that 
we will then discard. -+ // If the sender exceeds the max header list size by too much, -+ // skip parsing the fragment and close the connection. -+ // -+ // "Too much" is either any CONTINUATION frame after we've already -+ // exceeded the max header list size (in which case remainSize is 0), -+ // or a frame whose encoded size is more than twice the remaining -+ // header list bytes we're willing to accept. -+ if int64(len(frag)) > int64(2*remainSize) { -+ if VerboseLogs { -+ log.Printf("http2: header list too large") -+ } -+ // It would be nice to send a RST_STREAM before sending the GOAWAY, -+ // but the struture of the server's frame writer makes this difficult. -+ return nil, ConnectionError(ErrCodeProtocol) -+ } -+ -+ // Also close the connection after any CONTINUATION frame following an -+ // invalid header, since we stop tracking the size of the headers after -+ // an invalid one. -+ if invalid != nil { -+ if VerboseLogs { -+ log.Printf("http2: invalid header: %v", invalid) -+ } -+ // It would be nice to send a RST_STREAM before sending the GOAWAY, -+ // but the struture of the server's frame writer makes this difficult. -+ return nil, ConnectionError(ErrCodeProtocol) -+ } -+ - if _, err := hdec.Write(frag); err != nil { - return nil, ConnectionError(ErrCodeCompression) - } --- -2.44.0 - diff --git a/SPECS/vitess/vitess.signatures.json b/SPECS/vitess/vitess.signatures.json index 6b10bf5b7fe..d29d8b3b5af 100644 --- a/SPECS/vitess/vitess.signatures.json +++ b/SPECS/vitess/vitess.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "vitess-16.0.2-vendor.tar.gz": "86cb3d667cef20d65bd122d47f71271a3cb7163a1e474dd1feba17674435ce2e", - "vitess-16.0.2.tar.gz": "89328d683f2694de4ada21c7a815d396a853ad45d39607aca467996678b69e0c" + "vitess-17.0.7-vendor.tar.gz": "09f50053dfc4aa2b5caed55a5fabcb9f5b832fabead635797344f74216ae8b76", + "vitess-17.0.7.tar.gz": "1838b97ff30b182af576a7bc25bcd54532fcedccffd28778206c20774bb34c10" } } \ No newline at end of file 
diff --git a/SPECS/vitess/vitess.spec b/SPECS/vitess/vitess.spec
index af5d0a0d885..ecc827b076a 100644
--- a/SPECS/vitess/vitess.spec
+++ b/SPECS/vitess/vitess.spec
@@ -2,8 +2,8 @@
 %bcond_without check
 Name: vitess
-Version: 16.0.2
-Release: 9%{?dist}
+Version: 17.0.7
+Release: 1%{?dist}
 Summary: Database clustering system for horizontal scaling of MySQL
 # Upstream license specification: MIT and Apache-2.0
 License: MIT and ASL 2.0
@@ -26,8 +26,6 @@ Source0: %{name}-%{version}.tar.gz
 # -cf %%{name}-%%{version}-vendor.tar.gz vendor
 #
 Source1: %{name}-%{version}-vendor.tar.gz
-Patch0: CVE-2023-44487.patch
-Patch1: CVE-2023-45288.patch
 BuildRequires: golang
 %description
@@ -105,6 +103,10 @@ go check -t go/cmd \
 %{_bindir}/*
 %changelog
+* Tue Jun 11 2024 Sumedh Sharma - 17.0.7-1
+- Bump version to 17.0.7 to address CVE-2024-32886
+- Remove patches already fixed in sources
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account - 16.0.2-9
 - Bump release to rebuild with go 1.21.11
diff --git a/SPECS/vte291/CVE-2024-37535.patch b/SPECS/vte291/CVE-2024-37535.patch
new file mode 100644
index 00000000000..14fdccf0dbb
--- /dev/null
+++ b/SPECS/vte291/CVE-2024-37535.patch
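Review bot: Dropping Patch0 and Patch1 removes the backports of the golang.org/x/net fixes for CVE-2023-44487 (the patch header also names CVE-2023-39325) and CVE-2023-45288 from the vendored tree, and the only evidence that 17.0.7 already carries them is the changelog line "Remove patches already fixed in sources". Nothing in this diff shows which x/net revision the new vendor tarball contains, so that claim should be checked against the 17.0.7 vendor/modules.txt before merge, and the changelog should record what was verified, e.g. `- Remove CVE-2023-44487 and CVE-2023-45288 patches; fixes present in vendored golang.org/x/net <VERSION-FROM-VENDOR-TARBALL>`. The vitess.signatures.json hunk shows the vendor tarball hash changed, so the check has to be made against that new tarball rather than the 16.0.2 one.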
@@ -0,0 +1,79 @@
+From c313849c2e5133802e21b13fa0b141b360171d39 Mon Sep 17 00:00:00 2001
+From: Christian Persch
+Date: Sun, 2 Jun 2024 19:19:35 +0200
+Subject: [PATCH] widget: Add safety limit to widget size requests
+
+https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+(cherry picked from commit 1803ba866053a3d7840892b9d31fe2944a183eda)
+---
+ src/vtegtk.cc | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/src/vtegtk.cc b/src/vtegtk.cc
+index 24bdd7184..48cae79c1 100644
+--- a/src/vtegtk.cc
++++ b/src/vtegtk.cc
+@@ -91,6 +91,38 @@
+ template
+ constexpr bool check_enum_value(T value) noexcept;
+
++static inline void
++sanitise_widget_size_request(int* minimum,
++ int* natural) noexcept
++{
++ // Overly large size requests will make gtk happily allocate
++ // a window size over the window system's limits (see
++ // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
++ // leading to aborting the whole process.
++ // The toolkit should be in a better position to know about
++ // these limits and not exceed them (which here is certainly
++ // possible since our minimum sizes are very small), let's
++ // limit the widget's size request to some large value
++ // that hopefully is within the absolute limits of
++ // the window system (assumed here to be int16 range,
++ // and leaving some space for the widgets that contain
++ // the terminal).
++ auto const limit = (1 << 15) - (1 << 12);
++
++ if (*minimum > limit || *natural > limit) {
++ static auto warned = false;
++
++ if (!warned) {
++ g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
++ *minimum, *natural);
++ warned = true;
++ }
++ }
++
++ *minimum = std::min(*minimum, limit);
++ *natural = std::clamp(*natural, *minimum, limit);
++}
++
+ struct _VteTerminalClassPrivate {
+ GtkStyleProvider *style_provider;
+ };
+@@ -510,6 +542,7 @@ try
+ {
+ VteTerminal *terminal = VTE_TERMINAL(widget);
+ WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
++ sanitise_widget_size_request(minimum_width, natural_width);
+ }
+ catch (...)
+ {
+@@ -524,6 +557,7 @@ try
+ {
+ VteTerminal *terminal = VTE_TERMINAL(widget);
+ WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
++ sanitise_widget_size_request(minimum_height, natural_height);
+ }
+ catch (...)
+ {
+@@ -781,6 +815,7 @@ try
+ WIDGET(terminal)->measure(orientation, for_size,
+ minimum, natural,
+ minimum_baseline, natural_baseline);
++ sanitise_widget_size_request(minimum, natural);
+ }
+ catch (...)
+ {
+--
diff --git a/SPECS/vte291/vte291.spec b/SPECS/vte291/vte291.spec
index d94ea9b987f..29a03c8ab76 100644
--- a/SPECS/vte291/vte291.spec
+++ b/SPECS/vte291/vte291.spec
@@ -11,7 +11,7 @@
 Summary: Terminal emulator library
 Name: vte291
 Version: 0.66.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: CC-BY AND GPLv2+ AND LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -21,6 +21,7 @@ Source0: https://download.gnome.org/sources/vte/%{majorver}/vte-%{version
 # https://bugzilla.redhat.com/show_bug.cgi?id=1103380
 # https://gitlab.gnome.org/GNOME/vte/-/issues/226
 Patch100: vte291-cntnr-precmd-preexec-scroll.patch
+Patch101: CVE-2024-37535.patch
 BuildRequires: gcc-c++
 BuildRequires: gettext
 BuildRequires: gobject-introspection-devel
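Review bot: In `sanitise_widget_size_request` the `g_warning` format string ends in an explicit `\n` although g_warning already terminates its message, so the one-time warning is followed by an empty log line; since this file is a verbatim upstream cherry-pick (commit 1803ba866053a3d7840892b9d31fe2944a183eda is named in its header) the fix belongs upstream rather than in this copy. The helper depends on `std::min` and `std::clamp` from `<algorithm>`, and the hunk does not show whether vtegtk.cc already includes it, so the patch should be confirmed to compile, not just apply, against the 0.66.2 tarball rather than only the branch it was picked from, since the hunk line numbers come from that newer tree. The clamp itself is sound: `*minimum` is capped to `limit` first, so the `std::clamp(*natural, *minimum, limit)` precondition lo <= hi holds.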
@@ -75,8 +76,7 @@ The vte-profile package contains a profile.d script for the VTE terminal
 emulator library.
 %prep
-%setup -q -n vte-%{version}
-%patch100 -p1 -b .cntnr-precmd-preexec-scroll
+%autosetup -p1 -n vte-%{version}
 %if 0%{?flatpak}
 # Install user units where systemd macros expect them
 sed -i -e "/^vte_systemduserunitdir =/s|vte_prefix|'/usr'|" meson.build
@@ -119,6 +119,9 @@ sed -i -e "/^vte_systemduserunitdir =/s|vte_prefix|'/usr'|" meson.build
 %{_sysconfdir}/profile.d/vte.sh
 %changelog
+* Thu Jun 13 2024 Neha Agarwal - 0.66.2-3
+- Patch CVE-2024-37535
+
 * Wed Sep 20 2023 Jon Slobodzian - 0.66.2-2
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
diff --git a/SPECS/wget/CVE-2024-38428.patch b/SPECS/wget/CVE-2024-38428.patch
new file mode 100644
index 00000000000..d1a8fbe5ef2
--- /dev/null
+++ b/SPECS/wget/CVE-2024-38428.patch
@@ -0,0 +1,72 @@
+From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Sun, 2 Jun 2024 12:40:16 +0200
+Subject: [PATCH] Properly re-implement userinfo parsing (rfc2396)
+
+* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
+
+The reason why the implementation is based on RFC 2396, an outdated standard,
+is that the whole file is based on that RFC, and mixing standard here might be
+dangerous.
+---
+ src/url.c | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/url.c b/src/url.c
+index 69e948b00..07c3bc876 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -41,6 +41,7 @@ as that of the covered work. */
+ #include "url.h"
+ #include "host.h" /* for is_valid_ipv6_address */
+ #include "c-strcase.h"
++#include "c-ctype.h"
+
+ #ifdef HAVE_ICONV
+ # include
+@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
+ static const char *
+ url_skip_credentials (const char *url)
+ {
+- /* Look for '@' that comes before terminators, such as '/', '?',
+- '#', or ';'. */
+- const char *p = (const char *)strpbrk (url, "@/?#;");
+- if (!p || *p != '@')
+- return url;
+- return p + 1;
++ /*
++ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
++ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
++ *
++ * The RFC says
++ * server = [ [ userinfo "@" ] hostport ]
++ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
++ * unreserved = alphanum | mark
++ * mark = "-" | "_" | "." | "!"
| "~" | "*" | "'" | "(" | ")"
++ */
++ static const char *allowed = "-_.!~*'();:&=+$,";
++
++ for (const char *p = url; *p; p++)
++ {
++ if (c_isalnum(*p))
++ continue;
++
++ if (strchr(allowed, *p))
++ continue;
++
++ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
++ {
++ p += 2;
++ continue;
++ }
++
++ if (*p == '@')
++ return p + 1;
++
++ break;
++ }
++
++ return url;
+ }
+
+ /* Parse credentials contained in [BEG, END). The region is expected
diff --git a/SPECS/wget/wget.spec b/SPECS/wget/wget.spec
index 2abfc91618d..c58809a79b5 100644
--- a/SPECS/wget/wget.spec
+++ b/SPECS/wget/wget.spec
@@ -1,13 +1,14 @@
 Summary: A network utility to retrieve files from the Web
 Name: wget
 Version: 1.21.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL-3.0-or-later AND LGPL-3.0-or-later
 URL: https://www.gnu.org/software/wget/wget.html
 Group: System Environment/NetworkingPrograms
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz
+Patch0: CVE-2024-38428.patch
 BuildRequires: openssl-devel
 %if %{with_check}
 BuildRequires: perl
@@ -23,7 +24,7 @@ The Wget package contains a utility useful for non-interactive downloading of
 files from the Web.
 %prep
-%autosetup
+%autosetup -p1
 %build
 %configure \
@@ -54,6 +55,9 @@ rm -rf %{buildroot}/%{_infodir}
 %{_datadir}/locale/*/LC_MESSAGES/*.mo
 %changelog
+* Wed Jun 19 2024 Saul Paredes - 1.21.2-3
+- Patch for CVE-2024-38428
+
 * Thu Nov 30 2023 Olivia Crain - 1.21.2-2
 - Require test-related perl modules at check-time
 - Invoke make/configure with macros
diff --git a/cgmanifest.json b/cgmanifest.json
index 4d40b28e826..a96cfefd74f 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
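Review bot: The rewritten `url_skip_credentials` returns `url` unchanged as soon as it meets a character outside the RFC 2396 userinfo set, whereas the old `strpbrk (url, "@/?#;")` scan accepted anything but the four terminators before the `@`; credentials containing, say, `|` (constructed example: `us|er:pw@host`) were previously split at the `@` and will now be parsed with the credentials left in the host part. That is upstream's intended tightening and not a defect in the backport, but it is a user-visible change that the spec changelog's single line `- Patch for CVE-2024-38428` does not convey; a second bullet such as `- userinfo is now limited to RFC 2396 characters; other characters before '@' are no longer treated as credentials` would help anyone bisecting a URL that stops working. The loop itself is bounds-safe: the `*p` condition stops at the terminator and the `%` branch short-circuits on a NUL in `p[1]` before reading `p[2]`.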
@@ -2027,8 +2027,8 @@ "type": "other", "other": { "name": "conntrack-tools", - "version": "1.4.5", - "downloadUrl": "https://netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.5.tar.bz2" + "version": "1.4.8", + "downloadUrl": "https://netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.8.tar.xz" } } }, @@ -6560,8 +6560,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "5.15.158.2", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.2.tar.gz" + "version": "5.15.160.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.160.1.tar.gz" } } }, @@ -8141,8 +8141,8 @@ "type": "other", "other": { "name": "kernel", - "version": "5.15.158.2", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.2.tar.gz" + "version": "5.15.160.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.160.1.tar.gz" } } }, @@ -8151,8 +8151,8 @@ "type": "other", "other": { "name": "kernel-azure", - "version": "5.15.158.2", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.2.tar.gz" + "version": "5.15.160.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.160.1.tar.gz" } } }, @@ -8161,8 +8161,8 @@ "type": "other", "other": { "name": "kernel-hci", - "version": "5.15.158.2", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.2.tar.gz" + "version": "5.15.160.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.160.1.tar.gz" } } }, 
@@ -8171,8 +8171,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "5.15.158.2", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.2.tar.gz" + "version": "5.15.160.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.160.1.tar.gz" } } }, @@ -10241,8 +10241,8 @@ "type": "other", "other": { "name": "libnetfilter_conntrack", - "version": "1.0.8", - "downloadUrl": "http://www.netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-1.0.8.tar.bz2" + "version": "1.0.9", + "downloadUrl": "http://www.netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-1.0.9.tar.bz2" } } }, @@ -21114,8 +21114,8 @@ "type": "other", "other": { "name": "php", - "version": "8.1.28", - "downloadUrl": "https://www.php.net/distributions/php-8.1.28.tar.xz" + "version": "8.1.29", + "downloadUrl": "https://www.php.net/distributions/php-8.1.29.tar.xz" } } }, @@ -29557,8 +29557,8 @@ "type": "other", "other": { "name": "vitess", - "version": "16.0.2", - "downloadUrl": "https://github.com/vitessio/vitess/archive/refs/tags/v16.0.2.tar.gz" + "version": "17.0.7", + "downloadUrl": "https://github.com/vitessio/vitess/archive/refs/tags/v17.0.7.tar.gz" } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 14b51c80072..ba0362f7052 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-20.cm2.aarch64.rpm -kernel-headers-5.15.158.2-1.cm2.noarch.rpm +kernel-headers-5.15.160.1-1.cm2.noarch.rpm glibc-2.35-7.cm2.aarch64.rpm glibc-devel-2.35-7.cm2.aarch64.rpm glibc-i18n-2.35-7.cm2.aarch64.rpm 
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 35a45b3d75a..ae8aef1598f 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-20.cm2.x86_64.rpm -kernel-headers-5.15.158.2-1.cm2.noarch.rpm +kernel-headers-5.15.160.1-1.cm2.noarch.rpm glibc-2.35-7.cm2.x86_64.rpm glibc-devel-2.35-7.cm2.x86_64.rpm glibc-i18n-2.35-7.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 8e70c61e220..dd3711d0533 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -136,7 +136,7 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.aarch64.rpm kbd-debuginfo-2.2.0-1.cm2.aarch64.rpm -kernel-headers-5.15.158.2-1.cm2.noarch.rpm +kernel-headers-5.15.160.1-1.cm2.noarch.rpm kmod-29-2.cm2.aarch64.rpm kmod-debuginfo-29-2.cm2.aarch64.rpm kmod-devel-29-2.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 34da0fd4e6a..2a4ee24eefd 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -141,8 +141,8 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.x86_64.rpm kbd-debuginfo-2.2.0-1.cm2.x86_64.rpm -kernel-cross-headers-5.15.158.2-1.cm2.noarch.rpm -kernel-headers-5.15.158.2-1.cm2.noarch.rpm +kernel-cross-headers-5.15.160.1-1.cm2.noarch.rpm +kernel-headers-5.15.160.1-1.cm2.noarch.rpm kmod-29-2.cm2.x86_64.rpm kmod-debuginfo-29-2.cm2.x86_64.rpm kmod-devel-29-2.cm2.x86_64.rpm diff --git a/toolkit/tools/go.mod b/toolkit/tools/go.mod index 0106138d6a6..813c64241a7 100644 
--- a/toolkit/tools/go.mod +++ b/toolkit/tools/go.mod @@ -3,14 +3,14 @@ module github.com/microsoft/azurelinux/toolkit/tools go 1.20 require ( - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d github.com/bendahl/uinput v1.4.0 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e github.com/fatih/color v1.16.0 github.com/gdamore/tcell v1.4.0 - github.com/google/uuid v1.3.0 + github.com/google/uuid v1.6.0 github.com/jinzhu/copier v0.3.2 github.com/juliangruber/go-intersect v1.1.0 github.com/klauspost/pgzip v1.2.5 @@ -18,9 +18,9 @@ require ( github.com/muesli/crunchy v0.4.0 github.com/rivo/tview v0.0.0-20200219135020-0ba8301b415c github.com/sirupsen/logrus v1.9.3 - github.com/stretchr/testify v1.7.1 + github.com/stretchr/testify v1.9.0 github.com/ulikunitz/xz v0.5.10 - golang.org/x/sys v0.18.0 + golang.org/x/sys v0.21.0 gonum.org/v1/gonum v0.14.0 gopkg.in/alecthomas/kingpin.v2 v2.2.6 gopkg.in/ini.v1 v1.67.0 
@@ -28,28 +28,26 @@ require ( ) require ( - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 // indirect - github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/gdamore/encoding v1.0.0 // indirect - github.com/golang-jwt/jwt/v5 v5.0.0 // indirect + github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/klauspost/compress v1.10.5 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/lucasb-eyer/go-colorful v1.0.3 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.7 // indirect - github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect - github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect + github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/rivo/uniseg v0.1.0 // indirect github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 // indirect - golang.org/x/crypto v0.21.0 // indirect + golang.org/x/crypto v0.24.0 // indirect golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect - golang.org/x/net v0.23.0 // indirect - golang.org/x/text v0.14.0 // indirect - gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect + golang.org/x/net v0.26.0 // indirect + golang.org/x/text v0.16.0 // indirect ) diff --git a/toolkit/tools/go.sum b/toolkit/tools/go.sum index ad5587f25ae..98873b8d746 100644 --- a/toolkit/tools/go.sum 
+++ b/toolkit/tools/go.sum 
@@ -1,14 +1,14 @@ -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 h1:/iHxaJhsFr0+xVFfbMr5vxz848jyiWuIEDhYq3y5odY= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.2.0 h1:Ma67P/GGprNwsslzEH6+Kb8nybI8jpDTm4Wmzu2ReK8= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0 h1:nVocQV40OQne5613EeLayJiRAJuKlBGy+m22qWG+WRg= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0/go.mod h1:7QJP7dr2wznCMeqIrhMgWGf7XpAQnVrJqDm9nvV3Cu4= -github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk= -github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 
h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= @@ -25,7 +25,6 @@ github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oD github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/gdamore/encoding v1.0.0 h1:+7OoQ1Bc6eTm5niUzBa0Ctsh6JbMW6Ra+YNuAtDBdko= 
@@ -33,10 +32,10 @@ github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo github.com/gdamore/tcell v1.3.0/go.mod h1:Hjvr+Ofd+gLglo7RYKxxnzCBmev3BzsS67MebKS4zMM= github.com/gdamore/tcell v1.4.0 h1:vUnHwJRvcPQa3tzi+0QI4U9JINXYJlOz9yiaiPQ2wMU= github.com/gdamore/tcell v1.4.0/go.mod h1:vxEiSDZdW3L+Uhjii9c3375IlDmR05bzxY404ZVSMo0= -github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= -github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/jinzhu/copier v0.3.2 h1:QdBOCbaouLDYaIPFfi1bKv5F5tPpeTwXe4sD0jqtz5w= github.com/jinzhu/copier v0.3.2/go.mod h1:24xnZezI2Yqac9J61UC6/dG/k76ttpq0DdJI3QmUvro= github.com/juliangruber/go-intersect v1.1.0 h1:sc+y5dCjMMx0pAdYk/N6KBm00tD/f3tq+Iox7dYDUrY= 
@@ -45,11 +44,11 @@ github.com/klauspost/compress v1.10.5 h1:7q6vHIqubShURwQz8cQK6yIe/xC3IF0Vm7TGfqj github.com/klauspost/compress v1.10.5/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE= github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= -github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lucasb-eyer/go-colorful v1.0.2/go.mod h1:0MS4r+7BZKSJ5mw4/S5MPN+qHFF1fYclkSPilDOKW0s= 
@@ -67,58 +66,55 @@ github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vyg
 github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/muesli/crunchy v0.4.0 h1:qdiml8gywULHBsztiSAf6rrE6EyuNasNKZ104mAaahM=
 github.com/muesli/crunchy v0.4.0/go.mod h1:9k4x6xdSbb7WwtAVy0iDjaiDjIk6Wa5AgUIqp+HqOpU=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
-github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rivo/tview v0.0.0-20200219135020-0ba8301b415c h1:Q1oRqcTvxE0hjV0Gw4bEcYYLM0ztcuARGVSWEF2tKaI=
 github.com/rivo/tview v0.0.0-20200219135020-0ba8301b415c/go.mod h1:/rBeY22VG2QprWnEqG57IBC8biVu3i0DOIjRLc9I8H0=
 github.com/rivo/uniseg v0.1.0 h1:+2KBaVoUmb9XzDsrx/Ct0W/EYOSFf/nWTauy++DprtY=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8=
 github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 h1:w8V9v0qVympSF6GjdjIyeqR7+EVhAF9CBQmkmW7Zw0w=
 github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 h1:mchzmB1XO2pMaKFRqk/+MV3mgGG96aqaPXaMifQU47w=
 golang.org/x/exp v0.0.0-20231108232855-2478ac86f678/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/sys v0.0.0-20190626150813-e07cf5db2756/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191018095205-727590c5006e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gonum.org/v1/gonum v0.14.0 h1:2NiG67LD1tEH0D7kM+ps2V+fXmsAnpUeec7n8tcr4S0=
 gonum.org/v1/gonum v0.14.0/go.mod h1:AoWeoz0becf9QMWtE8iWXNXc27fK4fNeHNf/oMejGfU=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=