Livepatched CVE-2022-3543 in kernel 5.15.77.1-1.cm2. (#4332)

SPECS-SIGNED/livepatch-5.15.77.1-1.cm2-signed/livepatch-5.15.77.1-1.cm2-signed.spec

@@ -0,0 +1,123 @@
+# The default %%__os_install_post macro ends up stripping the signatures off of the kernel module.
+%define __os_install_post %{__os_install_post_leave_signatures} %{nil}
+
+%global debug_package %{nil}
+
+%define kernel_version_release 5.15.77.1-1.cm2
+%define kernel_version %(echo %{kernel_version_release} | grep -oP "^[^-]+")
+%define kernel_release %(echo %{kernel_version_release} | grep -oP "(?<=-).+")
+
+%define livepatch_unsigned_name livepatch-%{kernel_version_release}
+
+# Kpatch module names allow only alphanumeric characters and '_'.
+%define livepatch_name %(value="%{livepatch_unsigned_name}-%{version}-%{release}"; echo "${value//[^a-zA-Z0-9_]/_}")
+%define livepatch_install_dir %{_libdir}/livepatching/%{kernel_version_release}
+%define livepatch_module_name %{livepatch_name}.ko
+%define livepatch_module_path %{livepatch_install_dir}/%{livepatch_module_name}
+
+%define patch_applicable_for_kernel [[ -f "%{livepatch_module_path}" && "$(uname -r)" == "%{kernel_version_release}" ]]
+%define patch_installed kpatch list | grep -qP "%{livepatch_name}.*%{kernel_version_release}"
+%define patch_loaded    kpatch list | grep -qP "%{livepatch_name}.*enabled"
+
+# Install patch if the RUNNING kernel matches.
+# No-op for initial (empty) livepatch.
+%define install_if_should \
+if %{patch_applicable_for_kernel} && ! %{patch_installed} \
+then \
+    kpatch install %{livepatch_module_path} \
+fi
+
+# Load patch, if the RUNNING kernel matches.
+# No-op for initial (empty) livepatch.
+%define load_if_should \
+if %{patch_applicable_for_kernel} && ! %{patch_loaded} \
+then \
+    kpatch load %{livepatch_module_path} \
+fi
+
+%define uninstall_if_should \
+if %{patch_installed} \
+then \
+    kpatch uninstall %{livepatch_name} \
+fi
+
+%define unload_if_should \
+if %{patch_loaded} \
+then \
+    kpatch unload %{livepatch_name} \
+fi
+
+Summary:        Set of livepatches for kernel %{kernel_version_release}
+Name:           %{livepatch_unsigned_name}-signed
+Version:        1.0.0
+Release:        2%{?dist}
+License:        MIT
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          System Environment/Base
+URL:            https://github.com/microsoft/CBL-Mariner
+Source0:        https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/%{kernel_version}.tar.gz#/%{livepatch_module_name}
+
+ExclusiveArch:  x86_64
+
+%description
+A set of kernel livepatches addressing CVEs present in Mariner's
+5.15.77.1-1.cm2 kernel.
+
+Patches list ('*' - fixed, '!' - unfixable through livepatching, kernel update required):
+*CVE-2022-3543
+
+%package -n     %{livepatch_unsigned_name}
+Summary:        %{summary}
+
+Requires:       coreutils
+Requires:       livepatching-filesystem
+
+Requires(post): coreutils
+Requires(post): kpatch
+
+Requires(preun): kpatch
+
+Provides:       livepatch = %{kernel_version_release}
+
+%description -n %{livepatch_unsigned_name}
+A set of kernel livepatches addressing CVEs present in Mariner's
+5.15.77.1-1.cm2 kernel.
+
+Patches list ('*' - fixed, '!' - unfixable through livepatching, kernel update required):
+*CVE-2022-3543
+
+%install
+install -dm 755 %{buildroot}%{livepatch_install_dir}
+install -m 744 %{SOURCE0} %{buildroot}%{livepatch_module_path}
+
+%post -n %{livepatch_unsigned_name}
+%load_if_should
+%install_if_should
+
+%preun -n %{livepatch_unsigned_name}
+%uninstall_if_should
+%unload_if_should
+
+# Re-enable patch on rollbacks to supported kernel.
+%triggerin -n %{livepatch_unsigned_name} -- kernel = %{kernel_version_release}
+%load_if_should
+%install_if_should
+
+# Prevent the patch from being loaded after a reboot to a different kernel.
+# Previous kernel is still running, do NOT unload the livepatch.
+%triggerin -n %{livepatch_unsigned_name} -- kernel > %{kernel_version_release}, kernel < %{kernel_version_release}
+%uninstall_if_should
+
+%files -n %{livepatch_unsigned_name}
+%defattr(-,root,root)
+%dir %{livepatch_install_dir}
+%{livepatch_module_path}
+
+%changelog
+* Tue Nov 29 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.0-2
+- Patched CVE-2022-3543.
+
+* Tue Nov 08 2022 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.0.0-1
+- Original version for CBL-Mariner.
+- License verified.

SPECS/LICENSES-AND-NOTICES/data/licenses.json

@@ -2044,6 +2044,7 @@
                 "livepatch-5.15.72.1-1.cm2",
                 "livepatch-5.15.74.1-1.cm2",
                 "livepatch-5.15.77.1-1.cm2",
+                "livepatch-5.15.77.1-1.cm2-signed",
                 "livepatch-5.15.79.1-1.cm2",
                 "livepatch-5.15.80.1-1.cm2",
                 "livepatching",

SPECS/kpatch/kpatch.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "kpatch-0.9.6.tar.gz": "3996727640e73210fd9ef7726089f5d953c2c71f2ab498f3d4991fd3426d7ecd"
+  "kpatch-0.9.7.tar.gz": "c9491521fa6dfdb6ba4206adb0d4be4eb5bae07138d8ce6e03dad7c12106eb04"
  }
 }

SPECS/kpatch/kpatch.spec

@@ -1,7 +1,7 @@
 Summary:        Kpatch tooling
 Name:           kpatch
-Version:        0.9.6
-Release:        4%{?dist}
+Version:        0.9.7
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -78,6 +78,9 @@ rm -rf %{buildroot}%{_mandir}
 %{_bindir}/kpatch-build
 
 %changelog
+* Tue Nov 29 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.9.7-1
+- Updating to version 0.9.7 to add support for the "return_sites" section.
+
 * Mon Aug 01 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.9.6-4
 - Adding missing dependency on "awk" and "binutils".
 

SPECS/kpatch/mariner_update.patch

@@ -1,41 +1,19 @@
-From 4f97bfb7590a10b6e8b267dc1f595a57a8d9659f Mon Sep 17 00:00:00 2001
+From 6a1f573561d06edecad15b9e93a423bf2e4fdd4d Mon Sep 17 00:00:00 2001
 From: Pawel Winogrodzki <pawelwi@microsoft.com>
-Date: Wed, 15 Jun 2022 10:51:00 -0700
+Date: Wed, 30 Nov 2022 11:25:58 -0800
 Subject: [PATCH] Adjustments for CBL-Mariner.
 
 ---
- kpatch-build/kpatch-build | 61 ++++++++++++++++++++-------------------
- 1 file changed, 31 insertions(+), 30 deletions(-)
+ kpatch-build/kpatch-build | 37 +++++++++++++++++++++++++------------
+ 1 file changed, 25 insertions(+), 12 deletions(-)
 
 diff --git a/kpatch-build/kpatch-build b/kpatch-build/kpatch-build
-index 634095d..7766e0d 100755
+index 296fa48..12ab099 100755
 --- a/kpatch-build/kpatch-build
 +++ b/kpatch-build/kpatch-build
-@@ -205,21 +205,6 @@ rhel_kernel_version_gte() {
-         [  "${ARCHVERSION}" = "$(echo -e "${ARCHVERSION}\\n$1" | sort -rV | head -n1)" ]
- }
+@@ -639,13 +639,23 @@ fi
  
--# klp.arch relocations were supported prior to v5.8
--# and prior to 4.18.0-240.el8
--use_klp_arch()
--{
--	if kernel_is_rhel; then
--		! rhel_kernel_version_gte 4.18.0-240.el8
--	else
--		! kernel_version_gte 5.8.0
--	fi
--}
--
--rhel_kernel_version_gte() {
--        [  "${ARCHVERSION}" = "$(echo -e "${ARCHVERSION}\\n$1" | sort -rV | head -n1)" ]
--}
--
- # klp.arch relocations were supported prior to v5.8
- # and prior to 4.18.0-284.el8
- use_klp_arch()
-@@ -638,13 +623,23 @@ if [[ $DEBUG -eq 1 ]] || [[ $DEBUG -ge 3 ]]; then
- 	set -o xtrace
- fi
+ trace_on
  
 +# Don't check external file.
 +# shellcheck disable=SC1090
@@ -58,7 +36,7 @@ index 634095d..7766e0d 100755
  	ARCHVERSION="${ARCHVERSION#kernel-}"
  	ARCHVERSION="${ARCHVERSION#alt-}"
  fi
-@@ -699,20 +694,15 @@ fi
+@@ -700,20 +710,15 @@ fi
  KVER="${ARCHVERSION%%-*}"
  if [[ "$ARCHVERSION" =~ - ]]; then
  	KREL="${ARCHVERSION##*-}"
@@ -83,37 +61,40 @@ index 634095d..7766e0d 100755
  	[[ -z "$VMLINUX" ]] && VMLINUX="/usr/lib/debug/lib/modules/$ARCHVERSION/vmlinux"
  	[[ -e "$VMLINUX" ]] || die "kernel-debuginfo-$ARCHVERSION not installed"
  
-@@ -748,9 +738,8 @@ elif [[ -n "$OOT_MODULE" ]]; then
- 	fi
- elif [[ -e "$KERNEL_SRCDIR"/.config ]] && [[ -e "$VERSIONFILE" ]] && [[ "$(cat "$VERSIONFILE")" = "$ARCHVERSION" ]]; then
+@@ -751,13 +756,14 @@ elif [[ -e "$KERNEL_SRCDIR"/.config ]] && [[ -e "$VERSIONFILE" ]] && [[ "$(cat "
  	echo "Using cache at $KERNEL_SRCDIR"
--
+ 
  else
--	if [[ "$DISTRO" = fedora ]] || [[ "$DISTRO" = rhel ]] || [[ "$DISTRO" = ol ]] || [[ "$DISTRO" = centos ]]; then
-+	if [[ "$DISTRO" = fedora ]] || [[ "$DISTRO" = rhel ]] || [[ "$DISTRO" = ol ]] || [[ "$DISTRO" = centos ]] || [[ "$DISTRO" = mariner ]]; then
+-	if [[ "$DISTRO" = fedora ]] || [[ "$DISTRO" = rhel ]] || [[ "$DISTRO" = ol ]] || [[ "$DISTRO" = centos ]] || [[ "$DISTRO" = openEuler ]]; then
++	if [[ "$DISTRO" = fedora ]] || [[ "$DISTRO" = rhel ]] || [[ "$DISTRO" = ol ]] || [[ "$DISTRO" = centos ]] || [[ "$DISTRO" = openEuler ]] || [[ "$DISTRO" = mariner ]]; then
  
- 		echo "Fedora/Red Hat distribution detected"
+ 		[[ "$DISTRO" = fedora ]] && echo "Fedora distribution detected"
+ 		[[ "$DISTRO" = rhel ]] && echo "RHEL distribution detected"
+ 		[[ "$DISTRO" = ol ]] && echo "Oracle Linux distribution detected"
+ 		[[ "$DISTRO" = centos ]] && echo "CentOS distribution detected"
+ 		[[ "$DISTRO" = openEuler ]] && echo "OpenEuler distribution detected"
++		[[ "$DISTRO" = mariner ]] && echo "CBL-Mariner distribution detected"
  
-@@ -760,6 +749,9 @@ else
+ 		clean_cache
+ 
+@@ -765,6 +771,8 @@ else
  		if [[ -z "$SRCRPM" ]]; then
  			if [[ "$DISTRO" = fedora ]]; then
  				wget -P "$TEMPDIR" "http://kojipkgs.fedoraproject.org/packages/kernel/$KVER/$KREL/src/kernel-$KVER-$KREL.src.rpm" 2>&1 | logger || die
 +			elif [[ "$DISTRO" = mariner ]]; then
-+				source "$RELEASE_FILE"
 +				wget -P "$TEMPDIR" "https://packages.microsoft.com/cbl-mariner/$VERSION_ID/prod/base/srpms/kernel-$KVER-$KREL.src.rpm" 2>&1 | logger || die
  			else
  				command -v yumdownloader &>/dev/null || die "yumdownloader (yum-utils or dnf-utils) not installed"
  				yumdownloader --source --destdir "$TEMPDIR" "kernel$ALT-$KVER-$KREL" 2>&1 | logger || die
-@@ -773,17 +765,26 @@ else
- 		rpmbuild -D "_topdir $RPMTOPDIR" -bp --nodeps "--target=$(uname -m)" "$RPMTOPDIR"/SPECS/kernel$ALT.spec 2>&1 | logger ||
- 			die "rpmbuild -bp failed.  you may need to run 'yum-builddep kernel' first."
- 
--		mv "$RPMTOPDIR"/BUILD/kernel-*/linux-* "$KERNEL_SRCDIR" 2>&1 | logger || die
-+		if [[ "$DISTRO" = mariner ]]; then
+@@ -782,13 +790,15 @@ else
+ 			# openEuler has two directories with the same content after 'rpm -D'
+ 			# openEuler 21.09 has linux-* and linux-*-source while openEuler 20.03 has linux-* and linux-*-Source
+ 			mv "$RPMTOPDIR"/BUILD/kernel-*/linux-*[sS]ource "$KERNEL_SRCDIR" 2>&1 | logger || die
++		elif [[ "$DISTRO" = mariner ]]; then
 +			mv "$RPMTOPDIR"/BUILD/CBL-Mariner-Linux-Kernel-* "$KERNEL_SRCDIR" 2>&1 | logger || die
-+		else
-+			mv "$RPMTOPDIR"/BUILD/kernel-*/linux-* "$KERNEL_SRCDIR" 2>&1 | logger || die
-+		fi
+ 		else
+ 			mv "$RPMTOPDIR"/BUILD/kernel-*/linux-* "$KERNEL_SRCDIR" 2>&1 | logger || die
+ 		fi
  		rm -rf "$RPMTOPDIR"
  		rm -rf "$KERNEL_SRCDIR/.git"
  
@@ -122,18 +103,16 @@ index 634095d..7766e0d 100755
  			sed -i "s/^EXTRAVERSION.*/EXTRAVERSION = -${ARCHVERSION##*-}/" "$KERNEL_SRCDIR/Makefile" || die
  		fi
  
- 		echo "$ARCHVERSION" > "$VERSIONFILE" || die
+@@ -796,6 +806,9 @@ else
  
--		[[ -z "$CONFIGFILE" ]] && CONFIGFILE="$KERNEL_SRCDIR/configs/kernel$ALT-$KVER-$ARCH.config"
-+		if [[ "$DISTRO" = mariner ]]; then
+ 		if [[ "$DISTRO" = openEuler ]]; then
+ 			[[ -z "$CONFIGFILE" ]] && CONFIGFILE="/boot/config-${ARCHVERSION}"
++		elif [[ "$DISTRO" = mariner ]]; then
 +			[[ -z "$CONFIGFILE" ]] && CONFIGFILE="$KERNEL_SRCDIR/new_config"
 +			sed -i "s/CONFIG_LOCALVERSION=\"\"/CONFIG_LOCALVERSION=\"-$KREL\"/" "$CONFIGFILE"
-+		else
-+			[[ -z "$CONFIGFILE" ]] && CONFIGFILE="$KERNEL_SRCDIR/configs/kernel$ALT-$KVER-$ARCH.config"
-+		fi
- 
- 		(cd "$KERNEL_SRCDIR" && make mrproper 2>&1 | logger) || die
- 
+ 		else
+ 			[[ -z "$CONFIGFILE" ]] && CONFIGFILE="$KERNEL_SRCDIR/configs/kernel$ALT-$KVER-$ARCH.config"
+ 		fi
 -- 
 2.34.1
 

SPECS/livepatch-5.15.77.1-1.cm2/CVE-2022-3543.patch

@@ -0,0 +1,101 @@
+From 3975affcf55f93814a8ae14333d7fc7f183e60a4 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Thu, 29 Sep 2022 08:52:04 -0700
+Subject: [PATCH] af_unix: Fix memory leaks of the whole sk due to OOB skb.
+
+commit 7a62ed61367b8fd01bae1e18e30602c25060d824 upstream.
+
+syzbot reported a sequence of memory leaks, and one of them indicated we
+failed to free a whole sk:
+
+  unreferenced object 0xffff8880126e0000 (size 1088):
+    comm "syz-executor419", pid 326, jiffies 4294773607 (age 12.609s)
+    hex dump (first 32 bytes):
+      00 00 00 00 00 00 00 00 7d 00 00 00 00 00 00 00  ........}.......
+      01 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
+    backtrace:
+      [<000000006fefe750>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:1970
+      [<0000000074006db5>] sk_alloc+0x3b/0x800 net/core/sock.c:2029
+      [<00000000728cd434>] unix_create1+0xaf/0x920 net/unix/af_unix.c:928
+      [<00000000a279a139>] unix_create+0x113/0x1d0 net/unix/af_unix.c:997
+      [<0000000068259812>] __sock_create+0x2ab/0x550 net/socket.c:1516
+      [<00000000da1521e1>] sock_create net/socket.c:1566 [inline]
+      [<00000000da1521e1>] __sys_socketpair+0x1a8/0x550 net/socket.c:1698
+      [<000000007ab259e1>] __do_sys_socketpair net/socket.c:1751 [inline]
+      [<000000007ab259e1>] __se_sys_socketpair net/socket.c:1748 [inline]
+      [<000000007ab259e1>] __x64_sys_socketpair+0x97/0x100 net/socket.c:1748
+      [<000000007dedddc1>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+      [<000000007dedddc1>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
+      [<000000009456679f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+We can reproduce this issue by creating two AF_UNIX SOCK_STREAM sockets,
+send()ing an OOB skb to each other, and close()ing them without consuming
+the OOB skbs.
+
+  int skpair[2];
+
+  socketpair(AF_UNIX, SOCK_STREAM, 0, skpair);
+
+  send(skpair[0], "x", 1, MSG_OOB);
+  send(skpair[1], "x", 1, MSG_OOB);
+
+  close(skpair[0]);
+  close(skpair[1]);
+
+Currently, we free an OOB skb in unix_sock_destructor() which is called via
+__sk_free(), but it's too late because the receiver's unix_sk(sk)->oob_skb
+is accounted against the sender's sk->sk_wmem_alloc and __sk_free() is
+called only when sk->sk_wmem_alloc is 0.
+
+In the repro sequences, we do not consume the OOB skb, so both two sk's
+sock_put() never reach __sk_free() due to the positive sk->sk_wmem_alloc.
+Then, no one can consume the OOB skb nor call __sk_free(), and we finally
+leak the two whole sk.
+
+Thus, we must free the unconsumed OOB skb earlier when close()ing the
+socket.
+
+Fixes: 314001f0bf92 ("af_unix: Add OOB support")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Anil Altinay <aaltinay@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/af_unix.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index b7be8d066753..a579e28bd213 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -504,12 +504,6 @@ static void unix_sock_destructor(struct sock *sk)
+ 
+ 	skb_queue_purge(&sk->sk_receive_queue);
+ 
+-#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
+-	if (u->oob_skb) {
+-		kfree_skb(u->oob_skb);
+-		u->oob_skb = NULL;
+-	}
+-#endif
+ 	WARN_ON(refcount_read(&sk->sk_wmem_alloc));
+ 	WARN_ON(!sk_unhashed(sk));
+ 	WARN_ON(sk->sk_socket);
+@@ -556,6 +550,13 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ 
+ 	unix_state_unlock(sk);
+ 
++#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
++	if (u->oob_skb) {
++		kfree_skb(u->oob_skb);
++		u->oob_skb = NULL;
++	}
++#endif
++
+ 	wake_up_interruptible_all(&u->peer_wait);
+ 
+ 	if (skpair != NULL) {
+-- 
+2.34.1
+

SPECS/livepatch-5.15.77.1-1.cm2/livepatch-5.15.77.1-1.cm2.spec

@@ -64,7 +64,7 @@ fi
 Summary:        Set of livepatches for kernel %{kernel_version_release}
 Name:           livepatch-%{kernel_version_release}
 Version:        1.0.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -73,6 +73,7 @@ URL:            https://github.com/microsoft/CBL-Mariner
 Source0:        https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/%{kernel_version}.tar.gz#/kernel-%{kernel_version}.tar.gz
 Source1:        config-%{kernel_version_release}
 Source2:        mariner-%{kernel_version_release}.pem
+Patch0:         CVE-2022-3543.patch
 
 ExclusiveArch:  x86_64
 
@@ -184,6 +185,9 @@ addressing CVEs present in Mariner's %{kernel_version_release} kernel.
 %endif
 
 %changelog
+* Tue Nov 29 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.0-2
+- Patched CVE-2022-3543.
+
 * Tue Nov 08 2022 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.0.0-1
 - Original version for CBL-Mariner.
 - License verified.

cgmanifest.json

@@ -7621,8 +7621,8 @@
         "type": "other",
         "other": {
           "name": "kpatch",
-          "version": "0.9.6",
-          "downloadUrl": "https://github.com/dynup/kpatch/archive/refs/tags/v0.9.6.tar.gz"
+          "version": "0.9.7",
+          "downloadUrl": "https://github.com/dynup/kpatch/archive/refs/tags/v0.9.7.tar.gz"
         }
       }
     },
@@ -14153,9 +14153,9 @@
       "component": {
         "type": "other",
         "other": {
-          "name": "ORBit2",
-          "version": "2.14.19",
-          "downloadUrl": "https://download.gnome.org/sources/ORBit2/2.14/ORBit2-2.14.19.tar.gz"
+          "name": "orangefs",
+          "version": "2.9.8",
+          "downloadUrl": "https://s3.amazonaws.com/download.orangefs.org/current/source/orangefs-2.9.8.tar.gz"
         }
       }
     },
@@ -14163,9 +14163,9 @@
       "component": {
         "type": "other",
         "other": {
-          "name": "orangefs",
-          "version": "2.9.8",
-          "downloadUrl": "https://s3.amazonaws.com/download.orangefs.org/current/source/orangefs-2.9.8.tar.gz"
+          "name": "ORBit2",
+          "version": "2.14.19",
+          "downloadUrl": "https://download.gnome.org/sources/ORBit2/2.14/ORBit2-2.14.19.tar.gz"
         }
       }
     },