Merge branch 'main' into 2.0

Author: jslobodzian

.github/workflows/check-srpm-duplicates.yml

@@ -0,0 +1,51 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# This action checks that the specs in this repo
+# generate SRPMs with unique names.
+name: SRPMs duplicates check
+
+on:
+  push:
+    branches: [main, 2.0*, 3.0*, fasttrack/*]
+  pull_request:
+    branches: [main, 2.0*, 3.0*, fasttrack/*]
+
+jobs:
+  check:
+    name: SRPMs duplicates check
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # Each group is published to a different repo, thus we only need to check
+        # for SRPM duplicates within the group.
+        specs-dirs-groups: ["SPECS SPECS-SIGNED", "SPECS-EXTENDED"]
+
+    steps:
+      # Checkout the branch of our repo that triggered this action
+      - name: Workflow trigger checkout
+        uses: actions/checkout@v4
+
+      # For consistency, we use the same major/minor version of Python that Azure Linux ships
+      - name: Setup Python 3.9
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.9
+
+      - name: Switch to stable toolkit
+        run: git fetch --all && git checkout 2.0-stable -- toolkit
+
+      # Generate the specs.json files. They are the input for the duplicates check script.
+      - name: Generate specs.json
+        run: |
+          set -euo pipefail
+
+          for spec_folder in ${{ matrix.specs-dirs-groups }}; do
+            echo "Generating specs.json for spec folder '$spec_folder'."
+
+            sudo make -C toolkit -j$(nproc) parse-specs REBUILD_TOOLS=y SPECS_DIR=../$spec_folder
+            cp -v build/pkg_artifacts/specs.json ${spec_folder}_specs.json
+          done
+
+      - name: Check for duplicate SRPMs
+        run: python3 toolkit/scripts/check_srpm_duplicates.py *_specs.json

SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec

@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for Azure
 Name:           kernel-azure-signed-%{buildarch}
-Version:        5.15.176.3
-Release:        3%{?dist}
+Version:        5.15.180.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -153,6 +153,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Apr 23 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.180.1-1
+- Auto-upgrade to 5.15.180.1
+
+* Thu Apr 03 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.179.1-1
+- Auto-upgrade to 5.15.179.1
+
 * Sat Feb 22 2025 Chris Co <[email protected]> - 5.15.176.3-3
 - Bump to match kernel-azure spec
 

SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec

@@ -4,8 +4,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for HCI
 Name:           kernel-hci-signed-%{buildarch}
-Version:        5.15.176.3
-Release:        2%{?dist}
+Version:        5.15.180.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -149,6 +149,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Apr 23 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.180.1-1
+- Auto-upgrade to 5.15.180.1
+
+* Thu Apr 03 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.179.1-1
+- Auto-upgrade to 5.15.179.1
+
 * Tue Feb 11 2025 Rachel Menge <[email protected]> - 5.15.176.3-2
 - Bump release to match kernel-hci
 

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.15.176.3
-Release:        3%{?dist}
+Version:        5.15.180.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -153,6 +153,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Apr 23 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.180.1-1
+- Auto-upgrade to 5.15.180.1
+
+* Thu Apr 03 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.179.1-1
+- Auto-upgrade to 5.15.179.1
+
 * Sat Feb 22 2025 Chris Co <[email protected]> - 5.15.176.3-3
 - Bump release to match kernel
 

SPECS/application-gateway-kubernetes-ingress/CVE-2024-51744.patch

@@ -0,0 +1,88 @@
+From 703e6193f4462ef2f617387c01798035fe620250 Mon Sep 17 00:00:00 2001
+From: jykanase <[email protected]>
+Date: Fri, 28 Mar 2025 04:25:18 +0000
+Subject: [PATCH] CVE-2024-51744
+
+Upstream patch reference: https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c
+---
+ vendor/github.com/dgrijalva/jwt-go/parser.go | 37 +++++++++++---------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/vendor/github.com/dgrijalva/jwt-go/parser.go b/vendor/github.com/dgrijalva/jwt-go/parser.go
+index d6901d9..9fddb7d 100644
+--- a/vendor/github.com/dgrijalva/jwt-go/parser.go
++++ b/vendor/github.com/dgrijalva/jwt-go/parser.go
+@@ -13,13 +13,21 @@ type Parser struct {
+ 	SkipClaimsValidation bool     // Skip claims validation during token parsing
+ }
+ 
+-// Parse, validate, and return a token.
+-// keyFunc will receive the parsed token and should return the key for validating.
+-// If everything is kosher, err will be nil
++// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will
++// receive the parsed token and should return the key for validating.
+ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
+ 	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
+ }
+ 
++// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object
++// implementing the Claims interface. This provides default values which can be overridden and
++// allows a caller to use their own type, rather than the default MapClaims implementation of
++// Claims.
++//
++// Note: If you provide a custom claim implementation that embeds one of the standard claims (such
++// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or
++// b) if you are using a pointer, allocate the proper memory for it before passing in the overall
++// claims, otherwise you might run into a panic.
+ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
+ 	token, parts, err := p.ParseUnverified(tokenString, claims)
+ 	if err != nil {
+@@ -56,12 +64,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 		return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
+ 	}
+ 
++	// Perform validation
++ 	token.Signature = parts[2]
++ 	if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
++ 		return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
++ 	}
++
+ 	vErr := &ValidationError{}
+ 
+ 	// Validate Claims
+ 	if !p.SkipClaimsValidation {
+ 		if err := token.Claims.Valid(); err != nil {
+-
+ 			// If the Claims Valid returned an error, check if it is a validation error,
+ 			// If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
+ 			if e, ok := err.(*ValidationError); !ok {
+@@ -69,22 +82,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 			} else {
+ 				vErr = e
+ 			}
++			return token, vErr
+ 		}
+ 	}
+ 
+-	// Perform validation
+-	token.Signature = parts[2]
+-	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+-		vErr.Inner = err
+-		vErr.Errors |= ValidationErrorSignatureInvalid
+-	}
+-
+-	if vErr.valid() {
+-		token.Valid = true
+-		return token, nil
+-	}
++	// No errors so far, token is valid.
++ 	token.Valid = true
+ 
+-	return token, vErr
++	return token, nil
+ }
+ 
+ // WARNING: Don't use this method unless you know what you're doing
+-- 
+2.45.2
+

SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec

@@ -2,7 +2,7 @@
 Summary:        Application Gateway Ingress Controller
 Name:           application-gateway-kubernetes-ingress
 Version:        1.4.0
-Release:        24%{?dist}
+Release:        25%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -31,6 +31,7 @@ Patch1:         CVE-2023-44487.patch
 Patch2:         CVE-2021-44716.patch
 Patch3:         CVE-2022-32149.patch
 Patch4:         CVE-2024-45338.patch
+Patch5:         CVE-2024-51744.patch
 
 BuildRequires:  golang
 %if %{with_check}
@@ -69,6 +70,9 @@ cp appgw-ingress %{buildroot}%{_bindir}/
 %{_bindir}/appgw-ingress
 
 %changelog
+* Fri Mar 28 2025 Jyoti Kanase <[email protected]> - 1.4.0-25
+- Fix CVE-2024-51744
+
 * Thu Jan 02 2025 Sumedh Sharma <[email protected]> - 1.4.0-24
 - Add patch for CVE-2024-45338.
 

SPECS/augeas/CVE-2025-2588.patch

@@ -0,0 +1,80 @@
+From 42632cb7d0103fbf871fb698e7648ba925eec254 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <[email protected]>
+Date: Mon, 24 Mar 2025 09:48:19 +0200
+Subject: [PATCH] CVE-2025-2588: return _REG_ENOSYS if no specific error was
+ set yet parse_regexp failed
+
+parse_regexp() supposed to set an error on the parser state in case of a
+failure. If no specific error was set, return _REG_ENOSYS to indicate a
+generic failure.
+
+Fixes: https://github.com/hercules-team/augeas/issues/671
+Fixes: https://github.com/hercules-team/augeas/issues/778
+Fixes: https://github.com/hercules-team/augeas/issues/852
+
+Signed-off-by: Alexander Bokovoy <[email protected]>
+---
+ src/fa.c       | 3 +++
+ src/fa.h       | 3 ++-
+ tests/fatest.c | 6 ++++++
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/fa.c b/src/fa.c
+index 66ac70784..14f2472ad 100644
+--- a/src/fa.c
++++ b/src/fa.c
+@@ -32,6 +32,7 @@
+ #include <config.h>
+ #include <limits.h>
+ #include <ctype.h>
++#include <regex.h>
+ #include <stdbool.h>
+ 
+ #include "internal.h"
+@@ -3550,6 +3551,8 @@ static struct re *parse_regexp(struct re_parse *parse) {
+     return re;
+ 
+  error:
++    if (re == NULL && parse->error == REG_NOERROR)
++        parse->error = _REG_ENOSYS;
+     re_unref(re);
+     return NULL;
+ }
+diff --git a/src/fa.h b/src/fa.h
+index 1fd754ad0..89c9b17e9 100644
+--- a/src/fa.h
++++ b/src/fa.h
+@@ -81,7 +81,8 @@ extern int fa_minimization_algorithm;
+  *
+  * On success, FA points to the newly allocated automaton constructed for
+  * RE, and the function returns REG_NOERROR. Otherwise, FA is NULL, and the
+- * return value indicates the error.
++ * return value indicates the error. Special value _REG_ENOSYS indicates
++ * fa_compile() couldn't identify the syntax issue with regexp.
+  *
+  * The FA is case sensitive. Call FA_NOCASE to switch it to
+  * case-insensitive.
+diff --git a/tests/fatest.c b/tests/fatest.c
+index 0c9ca7696..6717af8f4 100644
+--- a/tests/fatest.c
++++ b/tests/fatest.c
+@@ -589,6 +589,7 @@ static void testExpandNoCase(CuTest *tc) {
+     const char *p1 = "aB";
+     const char *p2 = "[a-cUV]";
+     const char *p3 = "[^a-z]";
++    const char *wrong_regexp = "{&.{";
+     char *s;
+     size_t len;
+     int r;
+@@ -607,6 +608,11 @@ static void testExpandNoCase(CuTest *tc) {
+     CuAssertIntEquals(tc, 0, r);
+     CuAssertStrEquals(tc, "[^A-Za-z]", s);
+     free(s);
++
++    /* Test that fa_expand_nocase does return _REG_ENOSYS */
++    r = fa_expand_nocase(wrong_regexp, strlen(wrong_regexp), &s, &len);
++    CuAssertIntEquals(tc, _REG_ENOSYS, r);
++    free(s);
+ }
+ 
+ static void testNoCaseComplement(CuTest *tc) {

SPECS/augeas/augeas.spec

@@ -1,13 +1,15 @@
 Summary:        A library for changing configuration files
 Name:           augeas
 Version:        1.12.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://augeas.net/
 Source0:        http://download.augeas.net/%{name}-%{version}.tar.gz
 
+Patch0:         CVE-2025-2588.patch
+
 BuildRequires:  gcc
 BuildRequires:  libselinux-devel
 BuildRequires:  libxml2-devel
@@ -50,6 +52,7 @@ read files.
 
 %prep
 %setup -q
+%autopatch -p1
 
 %build
 %configure \
@@ -106,6 +109,9 @@ rm -f %{buildroot}%{_bindir}/dump
 %{_libdir}/pkgconfig/augeas.pc
 
 %changelog
+* Sun Mar 30 2025 Kshitiz Godara <[email protected]> - 1.12.0-6
+- Fix CVE-2025-2588 with an upstream patch
+
 * Wed Sep 20 2023 Jon Slobodzian <[email protected]> - 1.12.0-5
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)