Merge branch 'main' into 2.0

Author: jslobodzian

.github/workflows/go-test-coverage.yml

@@ -12,7 +12,7 @@ on:
 permissions: read-all
 
 env:
-  EXPECTED_GO_VERSION: "1.21"
+  EXPECTED_GO_VERSION: "1.23"
 
 jobs:
   build:

SPECS-SIGNED/hvloader-signed/hvloader-signed.spec

@@ -6,7 +6,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           hvloader-signed-%{buildarch}
 Version:        1.0.1
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -69,6 +69,9 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Fri Apr 25 2025 Mayank Singh <[email protected]> - 1.0.1-11
+- Bump release for consistency with hvloader spec.
+
 * Wed Mar 26 2025 Tobias Brick <[email protected]> - 1.0.1-10
 - Bump release for consistency with hvloader spec.
 

SPECS/cni-plugins/CVE-2025-22872.patch

@@ -0,0 +1,42 @@
+From 4a1dbe133fb5d26ab4619d082c598527e47887c4 Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula <[email protected]>
+Date: Tue, 22 Apr 2025 19:25:27 -0500
+Subject: [PATCH] Address CVE-2025-22872
+Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9
+
+---
+ vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
+index 5c2a1f4..7549c62 100644
+--- a/vendor/golang.org/x/net/html/token.go
++++ b/vendor/golang.org/x/net/html/token.go
+@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ 	if raw {
+ 		z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ 	}
+-	// Look for a self-closing token like "<br/>".
+-	if z.err == nil && z.buf[z.raw.end-2] == '/' {
++	// Look for a self-closing token (e.g. <br/>).
++	//
++	// Originally, we did this by just checking that the last character of the
++	// tag (ignoring the closing bracket) was a solidus (/) character, but this
++	// is not always accurate.
++	//
++	// We need to be careful that we don't misinterpret a non-self-closing tag
++	// as self-closing, as can happen if the tag contains unquoted attribute
++	// values (i.e. <p a=/>).
++	//
++	// To avoid this, we check that the last non-bracket character of the tag
++	// (z.raw.end-2) isn't the same character as the last non-quote character of
++	// the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++	// attributes.
++	nAttrs := len(z.attr)
++	if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ 		return SelfClosingTagToken
+ 	}
+ 	return StartTagToken
+-- 
+2.45.2
+

SPECS/cni-plugins/cni-plugins.spec

@@ -1,7 +1,7 @@
 Summary:        Container Network Interface (CNI) plugins
 Name:           cni-plugins
 Version:        1.3.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -12,6 +12,7 @@ URL:            https://github.com/containernetworking/plugins
 Source0:        %{name}-%{version}.tar.gz
 Patch0:         CVE-2023-3978.patch
 Patch1:         CVE-2024-45338.patch
+Patch2:         CVE-2025-22872.patch
 %define _default_cni_plugins_dir /opt/cni/bin
 BuildRequires:  golang
 Provides:       kubernetes-cni
@@ -41,6 +42,9 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}
 %{_default_cni_plugins_dir}/*
 
 %changelog
+* Tue Apr 22 2025 Sreeniavsulu Malavathula <[email protected]> - 1.3.0-8
+- Patch CVE-2025-22872
+
 * Fri Jan 03 2025 Sumedh Sharma <[email protected]> - 1.3.0-7
 - Add patch for CVE-2024-45338.
 

SPECS/crash/crash.signatures.json

@@ -1,6 +1,6 @@
 {
  "Signatures": {
   "crash-8.0.1.tar.gz": "233208b1433a49e1d5a063fa88e6fc9772b99fbb7b30ae79a2115d1b8f0dfc52",
-  "gdb-10.2.tar.gz": "b33ad58d687487a821ec8d878daab0f716be60d0936f2e3ac5cf08419ce70350"
+  "gdb-10.2-3.tar.gz": "0d322f3c3ee75b364eb4f90b394c9ecc17800d2a94d2913a5ea845acead26bd2"
  }
 }

SPECS/crash/crash.spec

@@ -1,14 +1,16 @@
+%global gdb_version 10.2
 Name:          crash
 Version:       8.0.1
-Release:       3%{?dist}
+Release:       4%{?dist}
 Summary:       kernel crash analysis utility for live systems, netdump, diskdump, kdump, LKCD or mcore dumpfiles
 Group:         Development/Tools
 Vendor:        Microsoft Corporation
 Distribution:  Mariner
 URL:           https://github.com/crash-utility/crash
 Source0:       https://github.com/crash-utility/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # crash requires gdb tarball for the build. There is no option to use the host gdb. For crash 8.0.1 the newest supported gdb version is 10.2.
-Source1:       https://ftp.gnu.org/gnu/gdb/gdb-10.2.tar.gz
+# '-3' version of the tarball contains fix for CVE-2021-20197, CVE-2022-47673, CVE-2022-47696, CVE-2022-37434 which cannot be applied as a .patch because source1 is only untar'ed during crash make
+Source1:       gdb-%{gdb_version}-3.tar.gz
 # lzo patch sourced from https://src.fedoraproject.org/rpms/crash/blob/rawhide/f/lzo_snappy_zstd.patch
 Patch0:        lzo_snappy_zstd.patch
 License:       GPLv3+
@@ -36,7 +38,8 @@ This package contains libraries and header files need for development.
 
 %prep
 %autosetup -n %{name}-%{version}
-cp %{SOURCE1} .
+# make expect the gdb tarball to be named with its version only, gdb-[version].tar.gz, e.g.: gdb-10.2.tar.gz
+cp %{SOURCE1} ./gdb-%{gdb_version}.tar.gz
 
 %build
 make RPMPKG=%{version}-%{release}
@@ -55,14 +58,17 @@ cp -p defs.h %{buildroot}%{_includedir}/crash
 %license COPYING3
 %{_bindir}/crash
 %{_mandir}/man8/crash.8.gz
-%doc COPYING3 README
+%doc README
 
 %files devel
 %defattr(-,root,root)
 %dir %{_includedir}/crash
 %{_includedir}/crash/*.h
 
 %changelog
+* Mon Apr 21 2025 Kanishk Bansal <[email protected]> - 8.0.1-4
+- Update gdb-10.2-3.tar.gz to address CVE-2021-20197, CVE-2022-47673, CVE-2022-47696, CVE-2022-37434
+
 * Mon Oct 09 2023 Chris Co <[email protected]> - 8.0.1-3
 - Add patch from Fedora to enable lzo, snappy, zstd compression support
 - Remove unused crash printk fix patch

SPECS/fcgi/CVE-2012-6687.patch

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "fcgi-2.4.0.tar.gz": "66fc45c6b36a21bf2fbbb68e90f780cc21a9da1fffbae75e76d2b4402d3f05b9"
+  "fcgi-2.4.5.tar.gz": "92b0111a98d8636e06c128444a3d4d7a720bdd54e6ee4dd0c7b67775b1b0abff"
  }
 }

SPECS/fcgi/fcgi-EOF.patch

@@ -1,13 +1,11 @@
 Summary:        FastCGI development kit
 Name:           fcgi
-Version:        2.4.0
-Release:        7%{?dist}
+Version:        2.4.5
+Release:        1%{?dist}
 License:        OML
 # NOTE: below is an archive of FastCGI. The original project web page (http://www.fastcgi.com) is no longer online.
 URL:            https://fastcgi-archives.github.io
-Source0:        https://src.fedoraproject.org/lookaside/extras/%{name}/%{name}-%{version}.tar.gz/d15060a813b91383a9f3c66faf84867e/%{name}-%{version}.tar.gz
-Patch0:         fcgi-EOF.patch
-Patch1:         CVE-2012-6687.patch
+Source0:        https://github.com/FastCGI-Archives/fcgi2/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Group:          Development/Libraries/C and C++
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -25,11 +23,10 @@ FastCGI is a language independent, scalable, open extension to CGI that
 provides high performance without the limitations of server specific APIs.
 
 %prep
-%setup -q
-%patch0 -p1
-%patch1 -p1
+%autosetup -n %{name}2-%{version} -p1
 
 %build
+./autogen.sh
 %configure \
    --disable-static
 make
@@ -48,28 +45,44 @@ make check
 
 %files
 %defattr(-,root,root)
-%license LICENSE.TERMS
+%license LICENSE
 %{_bindir}/*
 %{_libdir}/libfcgi*.so*
+%doc %{_mandir}/man1/cgi-fcgi.1*
+%doc %{_mandir}/man3/FCGI_Accept.3*
+%doc %{_mandir}/man3/FCGI_Finish.3*
+%doc %{_mandir}/man3/FCGI_SetExitStatus.3*
+%doc %{_mandir}/man3/FCGI_StartFilterData.3*
 
 %files devel
 %defattr(-,root,root)
 %{_includedir}/*
+%{_libdir}/pkgconfig/fcgi*.pc
 
 %changelog
+* Tue Apr 22 2025 Kanishk Bansal <[email protected]> - 2.4.5-1
+- Upgrade to 2.4.5 to fix CVE-2025-23016
+- Remove patch of CVE-2012-6687, fcgi-EOF
+- Added missing man pages and pkgconfig files to package
+
 * Sat May 09 2020 Nick Samson <[email protected]> - 2.4.0-7
 - Added %%license line automatically
 
-*   Mon Apr 27 2020 Pawel Winogrodzki <[email protected]> 2.4.0-6
--   Fixed 'Source0' and 'URL' tags.
--   License verified.
-*   Thu Feb 27 2020 Henry Beberman <[email protected]> 2.4.0-5
--   Glob to include libfcgi++ as well as libfcgi in RPM
-*   Tue Sep 03 2019 Mateusz Malisz <[email protected]> 2.4.0-4
--   Initial CBL-Mariner import from Photon (license: Apache2).
-*   Fri Oct 13 2017 Alexey Makhalov <[email protected]> 2.4.0-3
--   Use standard configure macros
-*   Wed May 24 2017 Dheeraj Shetty <[email protected]> 2.4.0-2
--   Patch for CVE-2012-6687
-*   Fri Dec 16 2016 Dheeraj Shetty <[email protected]> 2.4.0-1
--   Initial build. First version
+* Mon Apr 27 2020 Pawel Winogrodzki <[email protected]> 2.4.0-6
+- Fixed 'Source0' and 'URL' tags.
+- License verified.
+
+* Thu Feb 27 2020 Henry Beberman <[email protected]> 2.4.0-5
+- Glob to include libfcgi++ as well as libfcgi in RPM
+
+* Tue Sep 03 2019 Mateusz Malisz <[email protected]> 2.4.0-4
+- Initial CBL-Mariner import from Photon (license: Apache2).
+
+* Fri Oct 13 2017 Alexey Makhalov <[email protected]> 2.4.0-3
+- Use standard configure macros
+
+* Wed May 24 2017 Dheeraj Shetty <[email protected]> 2.4.0-2
+- Patch for CVE-2012-6687
+
+* Fri Dec 16 2016 Dheeraj Shetty <[email protected]> 2.4.0-1
+- Initial build. First version