Merge branch '2.0' into fasttrack/2.0

Author: PawelWMS

SPECS-SIGNED/hvloader-signed/hvloader-signed.spec

@@ -6,7 +6,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           hvloader-signed-%{buildarch}
 Version:        1.0.1
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -69,6 +69,9 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Tue Aug 12 2025 Azure Linux Security Servicing Account <[email protected]> - 1.0.1-14
+- Bump release for consistency with hvloader spec.
+
 * Tue May 13 2025 Archana Shettigar <[email protected]> - 1.0.1-13
 - Bump release for consistency with hvloader spec.
 

SPECS/apache-commons-lang3/CVE-2025-48924.patch

@@ -0,0 +1,100 @@
+From b424803abdb2bec818e4fbcb251ce031c22aca53 Mon Sep 17 00:00:00 2001
+From: Gary Gregory <[email protected]>
+Date: Sat, 21 Sep 2024 17:23:08 -0400
+Subject: [PATCH] Rewrite ClassUtils.getClass() without recursion to avoid
+ StackOverflowError on very long inputs.
+
+- This was found fuzz testing Apache Commons Text which relies on
+ClassUtils.
+- OssFuzz Issue 42522972:
+apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security
+exception in org.apache.commons.lang3.ClassUtils.getClass
+
+Upstream Patch Reference: https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53.patch
+---
+ src/changes/changes.xml                       |  1 +
+ .../org/apache/commons/lang3/ClassUtils.java  | 46 +++++++++----------
+ 2 files changed, 23 insertions(+), 24 deletions(-)
+
+diff --git a/src/changes/changes.xml b/src/changes/changes.xml
+index 5731324..dd2577b 100644
+--- a/src/changes/changes.xml
++++ b/src/changes/changes.xml
+@@ -47,6 +47,7 @@ The <action> type attribute can be add,update,fix,remove.
+ 
+   <release version="3.8.1" date="2018-09-19" description="This release is a bugfix for Restoring Bundle-SymbolicName in the MANIFEST.mf file.">
+     <action issue="LANG-1419" type="fix" dev="chtompki">Restore BundleSymbolicName for OSGi</action>
++    <action                   type="fix" dev="ggregory" due-to="OSS-Fuzz, Gary Gregory">Rewrite ClassUtils.getClass(...) without recursion to avoid StackOverflowError on very long inputs. OSS-Fuzz Issue 42522972: apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security exception in org.apache.commons.lang3.ClassUtils.getClass.</action>
+   </release>
+ 
+   <release version="3.8" date="2018-08-15" description="New features and bug fixes. Requires Java 7, supports Java 8, 9, 10.">
+diff --git a/src/main/java/org/apache/commons/lang3/ClassUtils.java b/src/main/java/org/apache/commons/lang3/ClassUtils.java
+index be9f0dd..a9ec195 100644
+--- a/src/main/java/org/apache/commons/lang3/ClassUtils.java
++++ b/src/main/java/org/apache/commons/lang3/ClassUtils.java
+@@ -985,30 +985,27 @@ public class ClassUtils {
+      */
+     public static Class<?> getClass(
+             final ClassLoader classLoader, final String className, final boolean initialize) throws ClassNotFoundException {
+-        try {
+-            Class<?> clazz;
+-            if (namePrimitiveMap.containsKey(className)) {
+-                clazz = namePrimitiveMap.get(className);
+-            } else {
+-                clazz = Class.forName(toCanonicalName(className), initialize, classLoader);
+-            }
+-            return clazz;
+-        } catch (final ClassNotFoundException ex) {
+-            // allow path separators (.) as inner class name separators
+-            final int lastDotIndex = className.lastIndexOf(PACKAGE_SEPARATOR_CHAR);
+-
+-            if (lastDotIndex != -1) {
+-                try {
+-                    return getClass(classLoader, className.substring(0, lastDotIndex) +
+-                            INNER_CLASS_SEPARATOR_CHAR + className.substring(lastDotIndex + 1),
+-                            initialize);
+-                } catch (final ClassNotFoundException ex2) { // NOPMD
+-                    // ignore exception
++        // This method was re-written to avoid recursion and stack overflows found by fuzz testing.
++        String next = className;
++        int lastDotIndex = -1;
++        do {
++            try {
++                Class<?> clazz;
++                if (namePrimitiveMap.containsKey(next)) {
++                    clazz = namePrimitiveMap.get(next);
++                } else {
++                    clazz = Class.forName(toCanonicalName(next), initialize, classLoader);
++                }
++                return clazz;
++            } catch (final ClassNotFoundException ex) {
++                lastDotIndex = next.lastIndexOf(PACKAGE_SEPARATOR_CHAR);
++                if (lastDotIndex != -1) {
++                    next = next.substring(0, lastDotIndex) +
++                            INNER_CLASS_SEPARATOR_CHAR + next.substring(lastDotIndex + 1);
+                 }
+             }
+-
+-            throw ex;
+-        }
++        } while (lastDotIndex != -1);
++        throw new ClassNotFoundException(next);
+     }
+ 
+     /**
+@@ -1124,9 +1121,10 @@ public class ClassUtils {
+     private static String toCanonicalName(String className) {
+         className = StringUtils.deleteWhitespace(className);
+         Validate.notNull(className, "className must not be null.");
+-        if (className.endsWith("[]")) {
++        final String arrayMarker = "[]";
++        if (className.endsWith(arrayMarker)) {
+             final StringBuilder classNameBuffer = new StringBuilder();
+-            while (className.endsWith("[]")) {
++            while (className.endsWith(arrayMarker)) {
+                 className = className.substring(0, className.length() - 2);
+                 classNameBuffer.append("[");
+             }
+-- 
+2.34.1
+

SPECS/apache-commons-lang3/apache-commons-lang3.spec

@@ -18,7 +18,7 @@
 Summary:        Apache Commons Lang Package
 Name:           apache-%{short_name}
 Version:        3.8.1
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -27,6 +27,7 @@ URL:            https://commons.apache.org/proper/commons-lang
 Source0:        https://archive.apache.org/dist/commons/lang/source/%{short_name}-%{version}-src.tar.gz
 Source1:        build.xml
 Source2:        default.properties
+Patch0:         CVE-2025-48924.patch
 BuildRequires:  ant
 BuildRequires:  ant-junit
 BuildRequires:  fdupes
@@ -57,7 +58,8 @@ Group:          Documentation/HTML
 Javadoc for %{name}.
 
 %prep
-%setup -q -n %{short_name}-%{version}-src
+
+%autosetup -n %{short_name}-%{version}-src -p1
 cp %{SOURCE1} .
 cp %{SOURCE2} .
 sed -i 's/\r//' *.txt
@@ -98,6 +100,9 @@ cp -pr target/apidocs/* %{buildroot}%{_javadocdir}/%{name}/
 %{_javadocdir}/%{name}
 
 %changelog
+* Wed Jul 16 2025 Aninda Pradhan <[email protected]> - 3.8.1-6
+- Addressed CVE-2025-48924
+
 * Fri Mar 17 2023 Mykhailo Bykhovtsev <[email protected]> - 3.8.1-5
 - Moved from extended to core
 - License verified

SPECS/apparmor/CVE-2023-53154.patch

@@ -0,0 +1,30 @@
+From 1dfb03ca74b78ff4a87b48a70b91a5cfc985f9c4 Mon Sep 17 00:00:00 2001
+From: dj_palli <[email protected]>
+Date: Thu, 12 Jun 2025 20:49:56 +0000
+Subject: [PATCH] Address CVE-2023-53154
+
+Upstream Patch Reference: https://github.com/DaveGamble/cJSON/commit/3ef4e4e730e5efd381be612df41e1ff3f5bb3c32
+
+---
+ binutils/cJSON.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/binutils/cJSON.c b/binutils/cJSON.c
+index e85ac11..45c1c45 100644
+--- a/binutils/cJSON.c
++++ b/binutils/cJSON.c
+@@ -1650,6 +1650,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
+             current_item = new_item;
+         }
+ 
++	if (cannot_access_at_index(input_buffer, 1))
++        {
++            goto fail; /* nothing comes after the comma */
++        }
++
+         /* parse the name of the child */
+         input_buffer->offset++;
+         buffer_skip_whitespace(input_buffer);
+-- 
+2.45.2
+

SPECS/apparmor/apparmor.spec

@@ -1,7 +1,7 @@
 Summary:        AppArmor is an effective and easy-to-use Linux application security system.
 Name:           apparmor
 Version:        3.0.4
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -11,8 +11,12 @@ Source0:        https://launchpad.net/apparmor/3.0/3.0.4/+download/%{name}-%{ver
 Patch1:         apparmor-service-start-fix.patch
 Patch2:         CVE-2023-50471.patch
 Patch3:         CVE-2024-31755.patch
+Patch4:         CVE-2023-53154.patch
+Patch5:         removed_unused_global_variables_fix_test-aa.patch
+
 # CVE-2016-1585 has no upstream fix as of 2020/09/28
 Patch100:       CVE-2016-1585.nopatch
+
 BuildRequires:  apr
 BuildRequires:  apr-util-devel
 BuildRequires:  autoconf
@@ -355,6 +359,10 @@ make DESTDIR=%{buildroot} install
 %exclude %{perl_archlib}/perllocal.pod
 
 %changelog
+* Fri Jun 13 2025 Durga Jagadeesh Palli <[email protected]> - 3.0.4-5
+- Patch CVE-2023-53154
+- Patch removed_unused_global_variables_fix_test-aa.patch to fix PTest failure
+
 * Thu May 30 2024 Sumedh Sharma <[email protected]> - 3.0.4-4
 - Add patch for CVE-2024-31755
 

SPECS/apparmor/removed_unused_global_variables_fix_test-aa.patch

@@ -0,0 +1,52 @@
+From 91b1b21fe68bdbcb51552cc2dc2e930da139a123 Mon Sep 17 00:00:00 2001
+From: dj_palli <[email protected]>
+Date: Thu, 10 Jul 2025 07:22:28 +0000
+Subject: [PATCH] Address ptest error fix
+
+Description: fix the Ptest failure by removing the unused global variables in test-aa
+
+---
+ utils/apparmor/aa.py           | 1 -
+ utils/apparmor/common.py       | 1 -
+ utils/test/test-aa-easyprof.py | 1 -
+ 3 files changed, 3 deletions(-)
+
+diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
+index 4ba484d..71754aa 100644
+--- a/utils/apparmor/aa.py
++++ b/utils/apparmor/aa.py
+@@ -1486,7 +1486,6 @@ def set_logfile(filename):
+ def do_logprof_pass(logmark=''):
+     # set up variables for this pass
+ #    transitions = hasher()
+-    global active_profiles
+     global sev_db
+ #    aa = hasher()
+ #     changed = dict()
+diff --git a/utils/apparmor/common.py b/utils/apparmor/common.py
+index bbe2834..b4ae059 100644
+--- a/utils/apparmor/common.py
++++ b/utils/apparmor/common.py
+@@ -69,7 +69,6 @@ def msg(out, output=sys.stdout):
+ 
+ def debug(out):
+     '''Print debug message'''
+-    global DEBUGGING
+     if DEBUGGING:
+         try:
+             print("DEBUG: %s" % (out), file=sys.stderr)
+diff --git a/utils/test/test-aa-easyprof.py b/utils/test/test-aa-easyprof.py
+index d205797..9d8e51c 100755
+--- a/utils/test/test-aa-easyprof.py
++++ b/utils/test/test-aa-easyprof.py
+@@ -108,7 +108,6 @@ class T(unittest.TestCase):
+ 
+     def setUp(self):
+         '''Setup for tests'''
+-        global topdir
+ 
+         self.tmpdir = os.path.realpath(tempfile.mkdtemp(prefix='test-aa-easyprof'))
+ 
+-- 
+2.45.2
+

SPECS/binutils/CVE-2025-7545.patch

@@ -0,0 +1,38 @@
+From 5ea79aec8f03363778904754b75337f73be0db16 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 17 Jul 2025 08:56:14 +0000
+Subject: [PATCH] Fix CVE CVE-2025-7545 in binutils
+
+Upstream Patch Reference: https://github.com/bminor/binutils-gdb/commit/08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944.patch
+---
+ binutils/objcopy.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/binutils/objcopy.c b/binutils/objcopy.c
+index a6c2e0dc..b9552398 100644
+--- a/binutils/objcopy.c
++++ b/binutils/objcopy.c
+@@ -4438,6 +4438,7 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg)
+ 	  char *to = (char *) memhunk;
+ 	  char *end = (char *) memhunk + size;
+ 	  int i;
++	  bfd_size_type memhunk_size = size;
+ 
+ 	  /* If the section address is not exactly divisible by the interleave,
+ 	     then we must bias the from address.  If the copy_byte is less than
+@@ -4457,6 +4458,11 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg)
+ 	      }
+ 
+ 	  size = (size + interleave - 1 - copy_byte) / interleave * copy_width;
++
++	  /* Don't extend the output section size.  */
++	  if (size > memhunk_size)
++	    size = memhunk_size;
++
+ 	  osection->lma /= interleave;
+ 	  if (copy_byte < extra)
+ 	    osection->lma++;
+-- 
+2.45.3
+

SPECS/binutils/CVE-2025-7546.patch

@@ -0,0 +1,45 @@
+From 41461010eb7c79fee7a9d5f6209accdaac66cc6b Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <[email protected]>
+Date: Sat, 21 Jun 2025 06:52:00 +0800
+Subject: [PATCH] elf: Report corrupted group section
+
+Report corrupted group section instead of trying to recover.
+
+	PR binutils/33050
+	* elf.c (bfd_elf_set_group_contents): Report corrupted group
+	section.
+
+Signed-off-by: H.J. Lu <[email protected]>
+
+[AI Backported] Upstream Patch Reference: https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b
+---
+ bfd/elf.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 05bb9c99..4fc0a65e 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -3633,8 +3633,18 @@ bfd_elf_set_group_contents (bfd *abfd, asection *sec, void *failedptrarg)
+ 	break;
+     }
+ 
++  /* We should always get here with loc == sec->contents + 4.  Return
++     an error for bogus SHT_GROUP sections.  */
+   loc -= 4;
+-  BFD_ASSERT (loc == sec->contents);
++  if (loc != sec->contents)
++    {
++      /* xgettext:c-format */
++      _bfd_error_handler (_("%pB: corrupted group section: `%pA'"),
++                          abfd, sec);
++      bfd_set_error (bfd_error_bad_value);
++      *failedptr = true;
++      return;
++    }
+ 
+   H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
+ }
+-- 
+2.45.3
+

SPECS/binutils/binutils.spec

@@ -21,7 +21,7 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.37
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -53,6 +53,8 @@ Patch18:         CVE-2025-1178.patch
 Patch19:	 CVE-2025-1744.patch
 Patch20:         CVE-2025-5245.patch
 Patch21:         CVE-2025-5244.patch
+Patch22:         CVE-2025-7545.patch
+Patch23:         CVE-2025-7546.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -309,6 +311,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Thu Jul 17 2025 Azure Linux Security Servicing Account <[email protected]> - 2.37-16
+- Patch for CVE-2025-7545, CVE-2025-7546
+
 * Mon Jun 9 2025 Akarsh Chaudhary <[email protected]>- 2.37-15
 - Patch CVE-2025-5245 ,CVE-2025-5244
 

SPECS/ca-certificates/ca-certificates.signatures.json

@@ -10,9 +10,9 @@
     "README.src": "86184318d451bec55d70c84e618cbfe10c8adb7dc893964ce4aaecff99d83433",
     "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
     "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
-    "certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
-    "certdata.distrusted.txt": "93aebf0f1e5253ed91fe269f7128fdb8b20630ef19558f629c79a8b7eb0ba30d",
-    "certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd",
+    "certdata.base.txt": "8896c309aef808c7769dc630abee75adbb6bfb5c8a961461b51f845a1740ea66",
+    "certdata.distrusted.txt": "536b1235c5b0b3c82ddf303eca696ec164cdb21899cd9e5313d8b29ce9cdc268",
+    "certdata.microsoft.txt": "9c802e9f5a0bd90ba51a4f04ec1d2304a11d1cf321e4e5bdff97459b46ba3e02",
     "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
     "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
     "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",