[AutoPR- Security] Patch rust for CVE-2024-11738 [MEDIUM] (#14459)

Co-authored-by: Archana Shettigar <[email protected]>

Author: azurelinux-security

SPECS-EXTENDED/389-ds-base/389-ds-base.spec

@@ -68,7 +68,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (%{variant})
 Name:             389-ds-base
 Version:          3.1.1
-Release:          6%{?dist}
+Release:          7%{?dist}
 License:          GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
 URL:              https://www.port389.org
 Vendor:           Microsoft Corporation
@@ -732,6 +732,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Aug 08 2025 Azure Linux Security Servicing Account <[email protected]> - 3.1.1-7
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase <[email protected]> - 3.1.1-6
 - Bump release to rebuild with rust
 

SPECS-EXTENDED/ripgrep/ripgrep.spec

@@ -20,7 +20,7 @@
 
 Name:           ripgrep
 Version:        13.0.0
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        A search tool that combines ag with grep
 License:        MIT AND Unlicense
 Vendor:         Microsoft Corporation
@@ -104,6 +104,9 @@ install -Dm 644 complete/_rg %{buildroot}%{_datadir}/zsh/site-functions/_rg
 %{_datadir}/zsh
 
 %changelog
+* Fri Aug 08 2025 Azure Linux Security Servicing Account <[email protected]> - 13.0.0-10
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase <[email protected]> - 13.0.0-9
 - Bump release to rebuild with rust
 

SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec

@@ -2,7 +2,7 @@
 Summary:        Tool for generating C bindings to Rust code
 Name:           rust-cbindgen
 Version:        0.24.3
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -96,6 +96,9 @@ RUSTFLAGS=%{rustflags} cargo test --release
 %endif
 
 %changelog
+* Fri Aug 08 2025 Azure Linux Security Servicing Account <[email protected]> - 0.24.3-6
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase <[email protected]> - 0.24.3-5
 - Bump release to rebuild with rust
 

SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec

@@ -3,7 +3,7 @@
 Summary: Tardev Snapshotter for containerd
 Name: tardev-snapshotter
 Version: 3.2.0.tardev1
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 Vendor: Microsoft Corporation
@@ -67,6 +67,9 @@ fi
 %config(noreplace) %{_unitdir}/%{name}.service
 
 %changelog
+* Fri Aug 08 2025 Azure Linux Security Servicing Account <[email protected]> - 3.2.0.tardev1-4
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase <[email protected]> - 3.2.0.tardev1-3
 - Bump release to rebuild with rust
 

SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec

@@ -5,7 +5,7 @@
 Name:           cloud-hypervisor-cvm
 Summary:        Cloud Hypervisor CVM is an open source Virtual Machine Monitor (VMM) that enables running SEV SNP enabled VMs on top of MSHV using the IGVM file format as payload.
 Version:        41.0.79
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        ASL 2.0 OR BSD-3-clause
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -136,6 +136,9 @@ cargo build --release --target=%{rust_musl_target} %{cargo_pkg_feature_opts} %{c
 %license LICENSES/CC-BY-4.0.txt
 
 %changelog
+* Fri Aug 08 2025 Azure Linux Security Servicing Account <[email protected]> - 41.0.79-4
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase <[email protected]> - 41.0.79-3
 - Bump release to rebuild with rust
 

SPECS/kata-containers-cc/kata-containers-cc.spec

@@ -3,7 +3,7 @@
 
 Name:         kata-containers-cc
 Version:      3.15.0.aks0
-Release:      4%{?dist}
+Release:      5%{?dist}
 Summary:      Kata Confidential Containers package developed for Confidential Containers on AKS
 License:      ASL 2.0
 URL:          https://github.com/microsoft/kata-containers
@@ -150,6 +150,9 @@ fi
 %{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service
 
 %changelog
+* Fri Aug 08 2025 Azure Linux Security Servicing Account <[email protected]> - 3.15.0-aks0-5
+- Bump release to rebuild with rust
+
 * Tue Jul 22 2025 Jyoti Kanase <[email protected]> - 3.15.0.aks0-4
 - Bump release to rebuild with rust
 

SPECS/kata-containers/kata-containers.spec

@@ -2,7 +2,7 @@
 
 Name:           kata-containers
 Version:        3.18.0.kata0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Kata Containers package developed for Pod Sandboxing on AKS
 License:        ASL 2.0
 URL:            https://github.com/microsoft/kata-containers
@@ -115,6 +115,9 @@ popd
 %{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service
 
 %changelog
+* Fri Aug 08 2025 Azure Linux Security Servicing Account <[email protected]> - 3.18.0.kata0-4
+- Bump release to rebuild with rust
+
 * Tue Jul 22 2025 Jyoti Kanase <[email protected]> - 3.18.0.kata0-3
 - Bump release to rebuild with rust
 

SPECS/rust/CVE-2024-11738.patch

@@ -0,0 +1,35 @@
+From 874dd834f5444394deda1f7fcc19cc09afebf6bd Mon Sep 17 00:00:00 2001
+From: Kevin Wang <[email protected]>
+Date: Fri, 22 Nov 2024 20:48:01 +0800
+Subject: [PATCH] Record and restore the processed cursor in
+ first_handshake_message
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/rustls/rustls/pull/2231.patch
+---
+ vendor/rustls-0.23.13/src/conn.rs | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/vendor/rustls-0.23.13/src/conn.rs b/vendor/rustls-0.23.13/src/conn.rs
+index 60b597ba5..d45d71fd0 100644
+--- a/vendor/rustls-0.23.13/src/conn.rs
++++ b/vendor/rustls-0.23.13/src/conn.rs
+@@ -655,6 +655,7 @@ impl<Data> ConnectionCommon<Data> {
+     /// `process_handshake_messages()` path, specialized for the first handshake message.
+     pub(crate) fn first_handshake_message(&mut self) -> Result<Option<Message<'static>>, Error> {
+         let mut buffer_progress = BufferProgress::default();
++        buffer_progress.add_processed(self.deframer_buffer.processed);
+ 
+         let res = self
+             .core
+@@ -665,6 +666,7 @@ impl<Data> ConnectionCommon<Data> {
+             )
+             .map(|opt| opt.map(|pm| Message::try_from(pm).map(|m| m.into_owned())));
+ 
++        self.deframer_buffer.processed = buffer_progress.processed();
+         match res? {
+             Some(Ok(msg)) => {
+                 self.deframer_buffer
+-- 
+2.45.4
+

SPECS/rust/rust.spec

@@ -9,7 +9,7 @@
 Summary:        Rust Programming Language
 Name:           rust
 Version:        1.86.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        (ASL 2.0 OR MIT) AND BSD AND CC-BY-3.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -43,6 +43,7 @@ Source6:        https://static.rust-lang.org/dist/%{release_date}/rustc-%{stage0
 Source7:        https://static.rust-lang.org/dist/%{release_date}/rust-std-%{stage0_version}-aarch64-unknown-linux-gnu.tar.xz
 Patch0:		CVE-2025-4574.patch
 Patch1:         CVE-2025-53605.patch
+Patch2:         CVE-2024-11738.patch
 BuildRequires:  binutils
 BuildRequires:  cmake
 # make sure rust relies on curl from CBL-Mariner (instead of using its vendored flavor)
@@ -180,6 +181,9 @@ rm %{buildroot}%{_docdir}/docs/html/.lock
 %{_mandir}/man1/*
 
 %changelog
+* Fri Aug 08 2025 Azure Linux Security Servicing Account <[email protected]> - 1.86.0-5
+- Patch for CVE-2024-11738
+ 
 * Mon Jul 21 2025 Jyoti Kanase <[email protected]> - 1.86.0-4
 - patch for CVE-2025-53605