Merge branch '3.0-dev' into anphel/3-mid-aug-release-snap

Author: anphel31

SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec

@@ -11,7 +11,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           edk2-hvloader-signed-%{buildarch}
 Version:        %{GITDATE}git%{GITCOMMIT}
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -74,6 +74,9 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Mon Aug 11 2025 Azure Linux Security Servicing Account <[email protected]> - 20240524git3e722403cd16-9
+- Bump release for consistency with edk2 spec.
+
 * Thu Apr 24 2025 Jyoti Kanase <[email protected]> - 20240524git3e722403cd16-8
 - Bump release for consistency with edk2 spec.
 

SPECS/azurelinux-release/azurelinux-release.spec

@@ -5,7 +5,7 @@
 Summary:        Azure Linux release files
 Name:           azurelinux-release
 Version:        %{dist_version}.0
-Release:        31%{?dist}
+Release:        32%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -118,6 +118,9 @@ install -Dm0644 %{SOURCE4} -t %{buildroot}%{_sysctldir}/
 %{_sysctldir}/*.conf
 
 %changelog
+* Fri Aug 22 2025 CBL-Mariner Servicing Account <[email protected]> - 3.0-32
+- Bump release for Aug 2025 Update 2
+
 * Tue Jul 22 2025 CBL-Mariner Servicing Account <[email protected]> - 3.0-31
 - Bump release for Aug 2025 Update
 

SPECS/edk2/CVE-2025-3770.patch

@@ -0,0 +1,46 @@
+From 9e882b45ee5648f415540cea3c2c0f7e274b5e86 Mon Sep 17 00:00:00 2001
+From: John Mathews <[email protected]>
+Date: Fri, 30 May 2025 11:06:49 -0700
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
+ SMM entry
+
+Mitigates CVE-2025-3770
+
+Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
+Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
+has been reloaded.
+
+Signed-off-by: John Mathews <[email protected]>
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38.patch
+---
+ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+index 644366b..6e1cd45 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+@@ -113,7 +113,7 @@ ProtFlatMode:
+     mov eax, strict dword 0               ; source operand will be patched
+ ASM_PFX(gPatchSmiCr3):
+     mov     cr3, rax
+-    mov     eax, 0x668                   ; as cr4.PGE is not set here, refresh cr3
++    mov     eax, 0x628                   ; as cr4.PGE is not set here, refresh cr3
+ 
+     mov     cl, strict byte 0            ; source operand will be patched
+ ASM_PFX(gPatch5LevelPagingNeeded):
+@@ -204,6 +204,10 @@ SmiHandlerIdtrAbsAddr:
+     mov     ax, [rbx + DSC_SS]
+     mov     ss, eax
+ 
++    mov     rax, cr4                    ; enable MCE
++    bts     rax, 6
++    mov     cr4, rax
++
+     mov     rbx, [rsp + 0x8]             ; rbx <- CpuIndex
+ 
+ ; enable CET if supported
+-- 
+2.45.4
+

SPECS/edk2/edk2.spec

@@ -55,7 +55,7 @@ ExclusiveArch: x86_64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    8%{?dist}
+Release:    9%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain
 URL:        https://www.tianocore.org
@@ -138,6 +138,7 @@ Patch1002: CVE-2024-4741.patch
 Patch1003: CVE-2024-13176.patch
 Patch1004: CVE-2024-2511.patch
 Patch1005: CVE-2024-4603.patch
+Patch1006: CVE-2025-3770.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -799,6 +800,9 @@ done
 /boot/efi/HvLoader.efi
 
 %changelog
+* Mon Aug 11 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20240524git3e722403cd16-9
+- Patch for CVE-2025-3770
+
 * Thu Apr 24 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 20240524git3e722403cd16-8
 - Fix CVE-2024-38796
 

SPECS/libsoup/CVE-2025-4969.patch

@@ -0,0 +1,75 @@
+From 41e93c07278ce3d2f353c396045d757a7c4ed824 Mon Sep 17 00:00:00 2001
+From: Milan Crha <[email protected]>
+Date: Mon, 19 May 2025 17:48:27 +0200
+Subject: [PATCH] soup-multipart: Verify array bounds before accessing its
+ members
+
+The boundary could be at a place which, calculated, pointed
+before the beginning of the array. Check the bounds, to avoid
+read out of the array bounds.
+
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467.patch
+---
+ libsoup/soup-multipart.c |  2 +-
+ tests/multipart-test.c   | 22 ++++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index a587fe7..27257e4 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -104,7 +104,7 @@ find_boundary (const char *start, const char *end,
+ 			continue;
+ 
+ 		/* Check that it's at start of line */
+-		if (!(b == start || (b[-1] == '\n' && b[-2] == '\r')))
++		if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r')))
+ 			continue;
+ 
+ 		/* Check for "--" or "\r\n" after boundary */
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index a3a0b36..b07e4db 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -527,6 +527,27 @@ test_multipart_bounds_bad (void)
+ 	g_bytes_unref (bytes);
+ }
+ 
++static void
++test_multipart_bounds_bad_2 (void)
++{
++	SoupMultipart *multipart;
++	SoupMessageHeaders *headers;
++	GBytes *bytes;
++	const char *raw_data = "\n--123\r\nline\r\n--123--\r";
++
++	headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++	soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++	bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++	multipart = soup_multipart_new_from_message (headers, bytes);
++	g_assert_nonnull (multipart);
++
++	soup_multipart_free (multipart);
++	soup_message_headers_unref (headers);
++	g_bytes_unref (bytes);
++}
++
+ static void
+ test_multipart_too_large (void)
+ {
+@@ -595,6 +616,7 @@ main (int argc, char **argv)
+ 	g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+ 	g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
+ 	g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
++	g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2);
+ 	g_test_add_func ("/multipart/too-large", test_multipart_too_large);
+ 
+ 	ret = g_test_run ();
+-- 
+2.45.4
+

SPECS/libsoup/libsoup.spec

@@ -4,7 +4,7 @@
 Summary:        libsoup HTTP client/server library
 Name:           libsoup
 Version:        3.4.4
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -66,6 +66,7 @@ Patch16:         CVE-2025-32053.patch
 Patch17:         CVE-2025-4476.patch
 Patch18:         CVE-2025-32907.patch
 Patch19:         CVE-2025-4948.patch
+Patch20:         CVE-2025-4969.patch
 
 %description
 libsoup is HTTP client/server library for GNOME
@@ -133,6 +134,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %defattr(-,root,root)
 
 %changelog
+* Tue Aug 12 2025 Azure Linux Security Servicing Account <[email protected]> - 3.4.4-9
+- Patch for CVE-2025-4969
+
 * Tue Jul 29 2025 Azure Linux Security Servicing Account <[email protected]> - 3.4.4-8
 - Patch for CVE-2025-4948