Merge branch 'main' into sammeluch/2.0-merge-june25

Author: sameluch

.github/workflows/check-package-update-gate.yml

@@ -0,0 +1,89 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+name: Check Package Update Gate
+
+on:
+  push:
+    branches: [main, 2.0*, 3.0*, fasttrack/*]
+  pull_request:
+    branches: [main, 2.0*, 3.0*, fasttrack/*]
+
+jobs:
+
+  build:
+    name: Check Package Update Gate
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Get base commit for PRs
+      if: ${{ github.event_name == 'pull_request' }}
+      run: |
+        git fetch origin ${{ github.base_ref }}
+        echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
+        echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+
+    - name: Get base commit for Pushes
+      if: ${{ github.event_name == 'push' }}
+      run: |
+        git fetch origin ${{ github.event.before }}
+        echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV
+        echo "Merging ${{ github.sha }} into ${{ github.event.before }}"
+
+    - name: Get the changed files
+      run: |
+        echo "Files changed: '$(git diff-tree --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }})'"
+        changed_specs=$(git diff-tree --diff-filter=d  --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }} | { grep "SPECS.*/.*\.spec$" || test $? = 1; })
+        echo "Files to validate: '${changed_specs}'"
+        echo "updated-specs=$(echo ${changed_specs})" >> $GITHUB_ENV
+
+    - name: Check each spec
+      run: |
+
+        if [[ -z "${{ env.updated-specs }}" ]]; then
+          echo "No spec files to validate. Exiting."
+          exit 0
+        fi
+
+        for spec in ${{ env.updated-specs }}
+          do
+            echo "Checking '$spec'."
+            # Expand macros if present
+            name=$(rpmspec --parse "$spec" | grep -E "^Name:\s*(.*)" | awk '{print $2}')
+            version=$(rpmspec --parse "$spec" | grep -E "^Version:\s*(.*)" | awk '{print $2}')
+
+            # Read from packagelist-gate.csv and iterate each row
+            # 1st column: package name
+            # 2nd column: condition (>=, =,'')
+            # 3rd column: version number
+            
+            while IFS=, read -r package_name condition version_number; do
+              if [[ "$name" == "$package_name" ]]; then
+                  case "$condition" in
+                      ">=" | "=" )
+                          if [[ ("$condition" == ">=" && "$(printf '%s\n' "$version" "$version_number" | sort -V | head -n1)" == "$version_number") ||
+                                ("$condition" == "=" && "$version" == "$version_number") ]]; then
+                              1>&2 echo "**** ERROR ****"
+                              1>&2 echo "Spec '$spec' version '$version' is not allowed in Azure Linux. Error:'$spec $condition $version_number'."
+                              1>&2 echo "**** ERROR ****"
+                              error_found=1
+                          fi
+                          ;;
+                      *)
+                          1>&2 echo "**** ERROR ****"
+                          1>&2 echo "Spec $spec is not allowed in Azure Linux"
+                          1>&2 echo "**** ERROR ****"
+                          error_found=1
+                          ;;
+                  esac
+              fi
+            done < .github/workflows/packagelist-gate.csv  
+          done
+
+        if [[ -n $error_found ]]
+        then
+          exit 1
+        fi

.github/workflows/packagelist-gate.csv

@@ -0,0 +1,6 @@
+fdk-aac-free,,
+opus,,
+opus-file,,
+packer,>=,1.10.0
+redis,>=,7.4
+terraform,>=,1.6.0

SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec

@@ -12,7 +12,7 @@
 Summary:        Signed GRand Unified Bootloader for %{buildarch} systems
 Name:           grub2-efi-binary-signed-%{buildarch}
 Version:        2.06
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        GPLv3+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -77,6 +77,9 @@ cp %{SOURCE3} %{buildroot}/boot/efi/EFI/BOOT/%{grubpxeefiname}
 /boot/efi/EFI/BOOT/%{grubpxeefiname}
 
 %changelog
+* Mon Jun 02 2025 Jyoti Kanase <[email protected]> - 2.06-14
+- Bump release number to match grub release
+
 * Thu Feb 15 2024 Dan Streetman <[email protected]> - 2.06-13
 - match grub2 version
 

SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for Azure
 Name:           kernel-azure-signed-%{buildarch}
-Version:        5.15.182.1
+Version:        5.15.184.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Fri May 30 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.184.1-1
+- Auto-upgrade to 5.15.184.1
+
 * Sat May 17 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.182.1-1
 - Auto-upgrade to 5.15.182.1
 

SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec

@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for HCI
 Name:           kernel-hci-signed-%{buildarch}
-Version:        5.15.182.1
+Version:        5.15.184.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Fri May 30 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.184.1-1
+- Auto-upgrade to 5.15.184.1
+
 * Sat May 17 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.182.1-1
 - Auto-upgrade to 5.15.182.1
 

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.15.182.1
+Version:        5.15.184.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Fri May 30 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.184.1-1
+- Auto-upgrade to 5.15.184.1
+
 * Sat May 17 2025 CBL-Mariner Servicing Account <[email protected]> - 5.15.182.1-1
 - Auto-upgrade to 5.15.182.1
 

SPECS/binutils/CVE-2025-5244.patch

@@ -0,0 +1,28 @@
+From 29477093469001a51d96b82a032ce17183c9ea7b Mon Sep 17 00:00:00 2001
+From: AkarshHCL <[email protected]>
+Date: Mon, 9 Jun 2025 17:30:02 +0000
+Subject: [PATCH] Address CVE-2025-5244
+
+Upstream Patch reference: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5
+
+---
+ bfd/elflink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index d838cd9f..51790953 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -13831,7 +13831,8 @@ elf_gc_sweep (bfd *abfd, struct bfd_link_info *info)
+ 	  if (o->flags & SEC_GROUP)
+ 	    {
+ 	      asection *first = elf_next_in_group (o);
+-	      o->gc_mark = first->gc_mark;
++	      if (first != NULL)
++		o->gc_mark = first->gc_mark;
+ 	    }
+ 
+ 	  if (o->gc_mark)
+-- 
+2.45.2
+

SPECS/binutils/CVE-2025-5245.patch

@@ -0,0 +1,41 @@
+From 1d28410b1def74897f1df8d95473409aa076813e Mon Sep 17 00:00:00 2001
+From: AkarshHCL <[email protected]>
+Date: Mon, 9 Jun 2025 14:37:38 +0000
+Subject: [PATCH] Address CVE-2025-5245
+
+Upstream Patch reference: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a
+
+---
+ binutils/debug.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/binutils/debug.c b/binutils/debug.c
+index 93887374..404813fa 100644
+--- a/binutils/debug.c
++++ b/binutils/debug.c
+@@ -2545,9 +2545,6 @@ debug_write_type (struct debug_handle *info,
+     case DEBUG_KIND_UNION_CLASS:
+       return debug_write_class_type (info, fns, fhandle, type, tag);
+     case DEBUG_KIND_ENUM:
+-      if (type->u.kenum == NULL)
+-	return (*fns->enum_type) (fhandle, tag, (const char **) NULL,
+-				  (bfd_signed_vma *) NULL);
+       return (*fns->enum_type) (fhandle, tag, type->u.kenum->names,
+ 				type->u.kenum->values);
+     case DEBUG_KIND_POINTER:
+@@ -3089,9 +3086,9 @@ debug_type_samep (struct debug_handle *info, struct debug_type_s *t1,
+       break;
+ 
+     case DEBUG_KIND_ENUM:
+-      if (t1->u.kenum == NULL)
+-	ret = t2->u.kenum == NULL;
+-      else if (t2->u.kenum == NULL)
++      if (t1->u.kenum->names == NULL)
++	ret = t2->u.kenum->names == NULL;
++      else if (t2->u.kenum->names == NULL)
+ 	ret = false;
+       else
+ 	{
+-- 
+2.45.2
+

SPECS/binutils/binutils.spec

@@ -21,7 +21,7 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.37
-Release:        14%{?dist}
+Release:        15%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -51,6 +51,8 @@ Patch16:         CVE-2025-1181.patch
 Patch17:         CVE-2025-1182.patch
 Patch18:         CVE-2025-1178.patch
 Patch19:	 CVE-2025-1744.patch
+Patch20:         CVE-2025-5245.patch
+Patch21:         CVE-2025-5244.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -307,6 +309,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Mon Jun 9 2025 Akarsh Chaudhary <[email protected]>- 2.37-15
+- Patch CVE-2025-5245 ,CVE-2025-5244
+
 * Tue Mar 11 2025 Kavya Sree Kaitepalli <[email protected]> - 2.37-14
 - Fix CVE-2025-1744
 

SPECS/cert-manager/CVE-2025-22872.patch

@@ -0,0 +1,42 @@
+From 0e7a1fa0b7d23464ad2102424d1c9af0f1b576d7 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <[email protected]>
+Date: Wed, 21 May 2025 13:55:14 -0700
+Subject: [PATCH] Patch CVE-2025-22872
+
+Upstream reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9.patch
+---
+ vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
+index 50f7c6a..cf52f26 100644
+--- a/vendor/golang.org/x/net/html/token.go
++++ b/vendor/golang.org/x/net/html/token.go
+@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ 	if raw {
+ 		z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ 	}
+-	// Look for a self-closing token like "<br/>".
+-	if z.err == nil && z.buf[z.raw.end-2] == '/' {
++	// Look for a self-closing token (e.g. <br/>).
++	//
++	// Originally, we did this by just checking that the last character of the
++	// tag (ignoring the closing bracket) was a solidus (/) character, but this
++	// is not always accurate.
++	//
++	// We need to be careful that we don't misinterpret a non-self-closing tag
++	// as self-closing, as can happen if the tag contains unquoted attribute
++	// values (i.e. <p a=/>).
++	//
++	// To avoid this, we check that the last non-bracket character of the tag
++	// (z.raw.end-2) isn't the same character as the last non-quote character of
++	// the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++	// attributes.
++	nAttrs := len(z.attr)
++	if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ 		return SelfClosingTagToken
+ 	}
+ 	return StartTagToken
+-- 
+2.34.1
+