microsoft
/
CBL-Mariner
зеркало из https://github.com/microsoft/CBL-Mariner.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge branch 'main' into 2.0

This commit is contained in:
jslobodzian 2024-10-28 22:00:57 -04:00
Родитель 0fbfb7a9f3 3eb66d1e29
Коммит bec03956ca
8 изменённых файлов: 102 добавлений и 64 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
SPECS/msft-golang/msft-golang.signatures.json
Просмотреть файл

@ -2,7 +2,7 @@
"Signatures": {
"go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95",
"go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
"go1.22.7-20240905.3.src.tar.gz": "4c2601d9fe6b4692b6bb4487751dec149c30bd76ad9383331a84971a66bdd0bc",
"go1.22.8-20241001.6.src.tar.gz": "549a43643849c73ffd8579d63e2e3488428f0a4c436169abe02be01a3dbd41c8",
"go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
}
}

7
SPECS/msft-golang/msft-golang.spec
Просмотреть файл

@ -1,6 +1,6 @@
%global goroot %{_libdir}/golang
%global gopath %{_datadir}/gocode
%global ms_go_filename go1.22.7-20240905.3.src.tar.gz
%global ms_go_filename go1.22.8-20241001.6.src.tar.gz
%global ms_go_revision 1
%ifarch aarch64
%global gohostarch arm64
@ -14,7 +14,7 @@
%define __find_requires %{nil}
Summary: Go
Name: msft-golang
Version: 1.22.7
Version: 1.22.8
Release: 1%{?dist}
License: BSD
Vendor: Microsoft Corporation
@ -153,6 +153,9 @@ fi
%{_bindir}/*
%changelog
* Thu Oct 24 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.22.8-1
- Auto-upgrade to 1.22.8 - To fix CVE-2022-41717
* Mon Sep 09 2024 Henry Beberman <henry.beberman@microsoft.com> - 1.22.7-1
- Bump version to 1.22.7 to address CVE-2024-34158, CVE-2024-34156, CVE-2024-34155

50
SPECS/mysql/CVE-2023-46218.patch
Просмотреть файл

@ -1,50 +0,0 @@
From f35969c8cacf16cac88f79cbb0ab0ffd6e5e037f Mon Sep 17 00:00:00 2001
From: Suresh Thelkar <sthelkar@microsoft.com>
Date: Wed, 20 Dec 2023 12:51:01 +0530
Subject: [PATCH] Patch for CVE-2023-46218
Upstream patch details are given below
https://github.com/curl/curl/commit/2b0994c29a721c91c57
---
extra/curl/curl-8.4.0/lib/cookie.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/extra/curl/curl-8.4.0/lib/cookie.c b/extra/curl/curl-8.4.0/lib/cookie.c
index af01203a..57b2ad9a 100644
--- a/extra/curl/curl-8.4.0/lib/cookie.c
+++ b/extra/curl/curl-8.4.0/lib/cookie.c
@@ -1029,15 +1029,23 @@ Curl_cookie_add(struct Curl_easy *data,
* dereference it.
*/
if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
- const psl_ctx_t *psl = Curl_psl_use(data);
- int acceptable;
-
- if(psl) {
- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
- Curl_psl_release(data);
+ bool acceptable = FALSE;
+ char lcase[256];
+ char lcookie[256];
+ size_t dlen = strlen(domain);
+ size_t clen = strlen(co->domain);
+ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
+ const psl_ctx_t *psl = Curl_psl_use(data);
+ if(psl) {
+ /* the PSL check requires lowercase domain name and pattern */
+ Curl_strntolower(lcase, domain, dlen + 1);
+ Curl_strntolower(lcookie, co->domain, clen + 1);
+ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
+ Curl_psl_release(data);
+ }
+ else
+ acceptable = !bad_domain(domain, strlen(domain));
}
- else
- acceptable = !bad_domain(domain, strlen(domain));
if(!acceptable) {
infof(data, "cookie '%s' dropped, domain '%s' must not "
--
2.38.1

2
SPECS/mysql/mysql.signatures.json
Просмотреть файл

@ -1,5 +1,5 @@
{
"Signatures": {
"mysql-boost-8.0.36.tar.gz": "429c5f69f3722e31807e74119d157a023277af210bfee513443cae60ebd2a86d"
"mysql-boost-8.0.40.tar.gz": "eb34a23d324584688199b4222242f4623ea7bca457a3191cd7a106c63a7837d9"
}
}

12
SPECS/mysql/mysql.spec
Просмотреть файл

@ -1,6 +1,6 @@
Summary: MySQL.
Name: mysql
Version: 8.0.36
Version: 8.0.40
Release: 1%{?dist}
License: GPLv2 with exceptions AND LGPLv2 AND BSD
Vendor: Microsoft Corporation
@ -9,7 +9,6 @@ Group: Applications/Databases
URL: https://www.mysql.com
Source0: https://dev.mysql.com/get/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz
Patch0: CVE-2012-5627.nopatch
Patch1: CVE-2023-46218.patch
BuildRequires: cmake
BuildRequires: libtirpc-devel
BuildRequires: openssl-devel
@ -98,6 +97,15 @@ fi
%{_libdir}/pkgconfig/mysqlclient.pc
%changelog
* Fri Oct 18 2024 Sudipta Pandit <sudpandit@microsoft.com> - 8.0.40-1
- Upgrade to 8.0.40 to fix multiple CVEs -- CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130,
CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134,
CVE-2024-21127, CVE-2024-21142, CVE-2024-21166, CVE-2024-21163, CVE-2024-21203, CVE-2024-21219, CVE-2024-21247, CVE-2024-21237,
CVE-2024-21231, CVE-2024-21213, CVE-2024-21218, CVE-2024-21197, CVE-2024-21230, CVE-2024-21207, CVE-2024-21201, CVE-2024-21198,
CVE-2024-21238, CVE-2024-21196, CVE-2024-21239, CVE-2024-21199, CVE-2024-21241, CVE-2024-21236, CVE-2024-21212, CVE-2024-21096,
CVE-2024-21171, CVE-2024-21165, CVE-2023-46219
- Remove patch for CVE-2023-46218 (fixed in 8.0.37)
* Tue Jun 18 2024 Archana Choudhary <archana1@microsoft.com> - 8.0.36-1
- Upgrade to 8.0.36 to fix 10 CVEs

71
SPECS/qt5-qtbase/CVE-2022-25255.patch Normal file
Просмотреть файл

@ -0,0 +1,71 @@
From 926c72f641cd122e1e8fc9f92f0fea885d3c8ede Mon Sep 17 00:00:00 2001
From: Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com>
Date: Wed, 23 Oct 2024 16:13:23 -0700
Subject: [PATCH] patch CVE-2022-25255
Patch taken from https://download.qt.io/official_releases/qt/5.15/qprocess5-15.diff
---
src/corelib/io/qprocess_unix.cpp | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/src/corelib/io/qprocess_unix.cpp b/src/corelib/io/qprocess_unix.cpp
index 7a2daa2a..29b771a1 100644
--- a/src/corelib/io/qprocess_unix.cpp
+++ b/src/corelib/io/qprocess_unix.cpp
@@ -1,7 +1,7 @@
/****************************************************************************
**
** Copyright (C) 2016 The Qt Company Ltd.
-** Copyright (C) 2016 Intel Corporation.
+** Copyright (C) 2022 Intel Corporation.
** Contact: https://www.qt.io/licensing/
**
** This file is part of the QtCore module of the Qt Toolkit.
@@ -422,14 +422,15 @@ void QProcessPrivate::startProcess()
// Add the program name to the argument list.
argv[0] = nullptr;
if (!program.contains(QLatin1Char('/'))) {
+ // findExecutable() returns its argument if it's an absolute path,
+ // otherwise it searches $PATH; returns empty if not found (we handle
+ // that case much later)
const QString &exeFilePath = QStandardPaths::findExecutable(program);
- if (!exeFilePath.isEmpty()) {
- const QByteArray &tmp = QFile::encodeName(exeFilePath);
- argv[0] = ::strdup(tmp.constData());
- }
- }
- if (!argv[0])
+ const QByteArray &tmp = QFile::encodeName(exeFilePath);
+ argv[0] = ::strdup(tmp.constData());
+ } else {
argv[0] = ::strdup(encodedProgramName.constData());
+ }
// Add every argument to the list
for (int i = 0; i < arguments.count(); ++i)
@@ -975,15 +976,16 @@ bool QProcessPrivate::startDetached(qint64 *pid)
envp = _q_dupEnvironment(environment.d.constData()->vars, &envc);
}
- QByteArray tmp;
if (!program.contains(QLatin1Char('/'))) {
+ // findExecutable() returns its argument if it's an absolute path,
+ // otherwise it searches $PATH; returns empty if not found (we handle
+ // that case much later)
const QString &exeFilePath = QStandardPaths::findExecutable(program);
- if (!exeFilePath.isEmpty())
- tmp = QFile::encodeName(exeFilePath);
+ const QByteArray &tmp = QFile::encodeName(exeFilePath);
+ argv[0] = ::strdup(tmp.constData());
+ } else {
+ argv[0] = ::strdup(QFile::encodeName(program));
}
- if (tmp.isEmpty())
- tmp = QFile::encodeName(program);
- argv[0] = tmp.data();
if (envp)
qt_safe_execve(argv[0], argv, envp);
--
2.34.1

8
SPECS/qt5-qtbase/qt5-qtbase.spec
Просмотреть файл

@ -33,7 +33,7 @@
Name: qt5-qtbase
Summary: Qt5 - QtBase components
Version: 5.12.11
Release: 13%{?dist}
Release: 14%{?dist}
# See LICENSE.GPL3-EXCEPT.txt, for exception details
License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
Vendor: Microsoft Corporation
@ -163,6 +163,8 @@ Patch90: CVE-2022-25643.patch
Patch91: qt5-qtbase-5.15-http-encrypted-signal.patch
Patch92: CVE-2024-39936.patch
Patch93: CVE-2022-25255.patch
# Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
# Those themes are there for platform integration. If the required libraries are
# not there, the platform to integrate with isn't either. Then Qt will just
@ -276,6 +278,7 @@ Qt5 libraries used for drawing widgets and OpenGL items.
%patch90 -p1
%patch91 -p1
%patch92 -p1
%patch93 -p1
## upstream patches
@ -781,6 +784,9 @@ fi
%{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake
%changelog
* Wed Oct 23 2024 Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com> - 5.12.11-14
- Add patch to resolve CVE-2022-25255.
* Wed Aug 07 2024 Sumedh Sharma <sumsharma@microsoft.com> - 5.12.11-13
- Add patch to resolve CVE-2024-39936.

8
cgmanifest.json
Просмотреть файл

@ -13673,8 +13673,8 @@
"type": "other",
"other": {
"name": "msft-golang",
"version": "1.22.7",
"downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.7-1/go1.22.7-20240905.3.src.tar.gz"
"version": "1.22.8",
"downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.8-1/go1.22.8-20241001.6.src.tar.gz"
}
}
},
@ -13813,8 +13813,8 @@
"type": "other",
"other": {
"name": "mysql",
"version": "8.0.36",
"downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.36.tar.gz"
"version": "8.0.40",
"downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.40.tar.gz"
}
}
},