Merge branch 'master' into gems

Author: alex501212

configs/components/_base-rubygem.rb

@@ -40,13 +40,13 @@
 # If a gem needs more command line options to install set the :gem_install_options
 # in its component file rubygem-<compoment>, before the instance_eval of this file.
 gem_install_options = settings["#{pkg.get_name}_gem_install_options".to_sym]
-if gem_install_options.nil?
-  pkg.install do
-    "#{settings[:gem_install]} #{name}-#{version}.gem"
-  end
-else
-  pkg.install do
-    "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
-  end
+remove_older_versions = settings["#{pkg.get_name}_remove_older_versions".to_sym]
+pkg.install do
+  steps = []
+  steps << "#{settings[:gem_uninstall]} #{name}" if remove_older_versions
+  steps << if gem_install_options.nil?
+             "#{settings[:gem_install]} #{name}-#{version}.gem"
+           else
+             "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
+           end
 end
-

configs/components/curl.rb

@@ -27,6 +27,7 @@
   elsif platform.is_windows?
     pkg.build_requires "runtime-#{settings[:runtime_project]}"
     pkg.environment "PATH", "$(shell cygpath -u #{settings[:gcc_bindir]}):$(PATH)"
+    pkg.environment "NM" , "/usr/bin/nm" if platform.name =~ /windowsfips-2016/
     pkg.environment "CYGWIN", settings[:cygwin]
   elsif platform.is_aix? && platform.name != 'aix-7.1-ppc'
     pkg.environment "PKG_CONFIG_PATH", "/opt/puppetlabs/puppet/lib/pkgconfig"
@@ -47,6 +48,7 @@
     pkg.apply_patch 'resources/patches/curl/CVE-2023-46218.patch'
     pkg.apply_patch 'resources/patches/curl/CVE-2024-2004.patch'
     pkg.apply_patch 'resources/patches/curl/CVE-2024-2398.patch'
+    pkg.apply_patch 'resources/patches/curl/CVE-2024-7264.patch'
   end
 
   configure_options = []

configs/components/openssl-1.0.2.rb

@@ -129,7 +129,7 @@
     'no-ssl3',
   ]
 
-  configure_flags += ['fips', "--with-fipsdir=#{settings[:prefix]}/usr/local/ssl/fips-2.0"] if platform.name =~ /windowsfips-2012r2/
+  configure_flags += ['fips', "--with-fipsdir=#{settings[:prefix]}/usr/local/ssl/fips-2.0"] if platform.name =~ /windowsfips-/
 
   # Individual projects may provide their own openssl configure flags:
   project_flags = settings[:openssl_extra_configure_flags] || []

configs/components/ruby-2.7.8.rb

@@ -43,6 +43,9 @@
   pkg.apply_patch "#{base}/uri-redos-cve-2023-36617.patch"
   pkg.apply_patch "#{base}/stringio_cve-2024-27280.patch"
 
+  pkg.apply_patch "#{base}/0001-Filter-marshaled-objects-ruby30.patch"
+  pkg.apply_patch "#{base}/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch"
+
   if platform.is_cross_compiled?
     unless platform.is_macos?
       pkg.apply_patch "#{base}/uri_generic_remove_safe_nav_operator_r2.5.patch"
@@ -141,7 +144,8 @@
     'windows-2012r2-x64',
     'windows-2012r2-x86',
     'windows-2019-x64',
-    'windowsfips-2012r2-x64'
+    'windowsfips-2012r2-x64',
+    'windowsfips-2016-x64'
   ]
 
   unless without_dtrace.include? platform.name
@@ -170,6 +174,19 @@
     ]
   end
 
+  if(platform.name =~ /windowsfips-2016/)
+    # We need the below patch since during ruby build step for windowsfips-2016-x64 agent-runtime builds,
+    # the rbconfig.rb file that gets generated contains '\r' trailing character in 'ruby_version' config.
+    # We patch rbconfig.rb to remove the '\r' character.
+    # This patch has to run after the build step since rbconfig.rb is generated during the build step. 
+    # This is sort of a hacky way to do this. We need to find why the '\r' character gets appended to
+    # 'ruby_version' field in the future so that this patch can be removed - PA-6902.
+    pkg.add_source("#{base}/rbconfig_win.patch")
+    pkg.build do
+      ["TMP=/var/tmp /usr/bin/patch.exe --binary --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../rbconfig_win.patch"]
+    end
+  end
+
   #########
   # INSTALL
   #########

configs/components/ruby-3.2.5.rb

@@ -161,7 +161,8 @@
     'windows-2012r2-x64',
     'windows-2012r2-x86',
     'windows-2019-x64',
-    'windowsfips-2012r2-x64'
+    'windowsfips-2012r2-x64',
+    'windowsfips-2016-x64'
   ]
 
   unless without_dtrace.include? platform.name
@@ -195,6 +196,19 @@
     ]
   end
 
+  if(platform.name =~ /windowsfips-2016/)
+    # We need the below patch since during ruby build step for windowsfips-2016-x64 agent-runtime builds,
+    # the rbconfig.rb file that gets generated contains '\r' trailing character in 'ruby_version' config.
+    # We patch rbconfig.rb to remove the '\r' character.
+    # This patch has to run after the build step since rbconfig.rb is generated during the build step. 
+    # This is sort of a hacky way to do this. We need to find why the '\r' character gets appended to
+    # 'ruby_version' field in the future so that this patch can be removed - PA-6902.
+    pkg.add_source("#{base}/rbconfig_win.patch")
+    pkg.build do
+      ["TMP=/var/tmp /usr/bin/patch.exe --binary --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../rbconfig_win.patch"]
+    end
+  end
+
   #########
   # INSTALL
   #########

configs/components/rubygem-rexml.rb

@@ -1,6 +1,8 @@
 component 'rubygem-rexml' do |pkg, settings, platform|
-  pkg.version '3.3.5'
-  pkg.md5sum 'cdd5c83f1d7230a7d44406f69e9f3d2d'
+  pkg.version '3.3.6'
+  pkg.md5sum 'be54ad1a5f661ebf9824bf6ca36e50eb'
+
+  settings["#{pkg.get_name}_remove_older_versions".to_sym] = true
 
   # If the platform is solaris with sparc architecture in agent-runtime-7.x project, we want to gem install rexml
   # ignoring the dependencies, this is because the pl-ruby version used in these platforms is ancient so it gets
@@ -9,6 +11,6 @@
   if platform.name =~ /solaris-(10|11)-sparc/ && settings[:ruby_version].to_i < 3
     settings["#{pkg.get_name}_gem_install_options".to_sym] = "--ignore-dependencies"
   end
-  
+
   instance_eval File.read('configs/components/_base-rubygem.rb')
 end

configs/platforms/windowsfips-2016-x64.rb

@@ -0,0 +1,54 @@
+platform "windowsfips-2016-x64" do |plat|
+  plat.vmpooler_template 'win-2016-fips-x86_64'
+
+  plat.servicetype 'windows'
+  visual_studio_version = '2017'
+  visual_studio_sdk_version = 'win8.1'
+
+  # We need to ensure we install chocolatey prior to adding any nuget repos. Otherwise, everything will fall over
+  plat.add_build_repository "https://artifactory.delivery.puppetlabs.net/artifactory/generic/buildsources/windows/chocolatey/install-chocolatey-1.4.0.ps1"
+  plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe feature enable -n useFipsCompliantChecksums"
+
+  plat.add_build_repository "https://artifactory.delivery.puppetlabs.net/artifactory/api/nuget/nuget"
+
+  # C:\tools is likely added by mingw, however because we also want to use that
+  # dir for vsdevcmd.bat we create it for safety
+  plat.provision_with "mkdir -p C:/tools"
+  # We don't want to install any packages from the chocolatey repo by accident
+  plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe sources remove -name chocolatey"
+
+  packages = [
+    "cmake",
+    "pl-gdbm-#{self._platform.architecture}",
+    "pl-iconv-#{self._platform.architecture}",
+    "pl-libffi-#{self._platform.architecture}",
+    "pl-pdcurses-#{self._platform.architecture}",
+    "pl-toolchain-#{self._platform.architecture}",
+    "pl-zlib-#{self._platform.architecture}",
+    "mingw-w64 -version 5.2.0 -debug",
+  ]
+
+  packages.each do |name|
+    plat.provision_with("C:/ProgramData/chocolatey/bin/choco.exe install -y --no-progress #{name}")
+  end
+  # We use cache-location in the following install because msvc has several long paths
+  # if we do not update the cache location choco will fail because paths get too long
+  plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe install msvc.#{visual_studio_version}-#{visual_studio_sdk_version}.sdk.en-us -y --cache-location=\"C:\\msvc\" --no-progress"
+  # The following creates a batch file that will execute the vsdevcmd batch file located within visual studio.
+  # We create the following batch file under C:\tools\vsdevcmd.bat so we can avoid using both the %ProgramFiles(x86)%
+  # evironment var, as well as any spaces in the path when executing things with cygwin. This makes command execution
+  # through cygwin much easier.
+  #
+  # Note that the unruly \'s in the following string escape the following sequence to literal chars: "\" and then \""
+  plat.provision_with "touch C:/tools/vsdevcmd.bat && echo \"\\\"%ProgramFiles(x86)%\\Microsoft Visual Studio\\#{visual_studio_version}\\BuildTools\\Common7\\Tools\\vsdevcmd\\\"\" >> C:/tools/vsdevcmd.bat"
+
+  plat.install_build_dependencies_with "C:/ProgramData/chocolatey/bin/choco.exe install -y --no-progress"
+
+  plat.make "/usr/bin/make"
+  plat.patch "TMP=/var/tmp /usr/bin/patch.exe --binary"
+
+  plat.platform_triple "x86_64-w64-mingw32"
+
+  plat.package_type "archive"
+  plat.output_dir "windows"
+end

configs/projects/_shared-agent-components.rb

@@ -26,7 +26,7 @@
 elsif platform.name =~ /^redhatfips-.*/
   proj.component "openssl-1.1.1-fips"
 else
-  proj.component "openssl-fips-2.0.16" if platform.name =~ /windowsfips-2012r2/ && proj.openssl_version =~ /1.0.2/
+  proj.component "openssl-fips-2.0.16" if platform.name =~ /windowsfips-/ && proj.openssl_version =~ /1.0.2/
   proj.component "openssl-#{proj.openssl_version}"
 end
 
@@ -62,6 +62,12 @@
 proj.component 'rubygem-fast_gettext'
 proj.component 'rubygem-ffi'
 
+# We add rexml explicitly in here because even though ruby 3 ships with rexml as its default gem, the version
+# of rexml it ships with contains CVE-2024-41946, CVE-2024-41123, CVE-2024-35176 and CVE-2024-39908.
+# So, we add it here to update to a higher version
+# free from the CVEs.
+proj.component 'rubygem-rexml'
+
 if platform.is_windows? || platform.is_solaris? || platform.is_aix?
   proj.component 'rubygem-minitar'
 end

configs/projects/_shared-agent-settings.rb

@@ -131,6 +131,7 @@
 end
 
 proj.setting(:gem_install, "#{proj.host_gem} install --no-rdoc --no-ri --local ")
+proj.setting(:gem_uninstall, "#{proj.host_gem} uninstall --all --ignore-dependencies ")
 
 # For AIX, we use the triple to install a better rbconfig
 if platform.is_aix?
@@ -147,7 +148,7 @@
   proj.setting(:openssl_version, '3.0')
 elsif platform.name =~ /^redhatfips-/
   proj.setting(:openssl_version, '1.1.1-fips')
-elsif platform.name =~ /^windowsfips-2012r2/
+elsif platform.name =~ /^windowsfips-/
   proj.setting(:openssl_version, '1.0.2')
 else
   proj.setting(:openssl_version, '1.1.1')
@@ -168,7 +169,7 @@
   proj.setting(:cflags, "#{proj.cppflags}")
 
   ldflags = "-L#{proj.tools_root}/lib -L#{proj.gcc_root}/lib -L#{proj.libdir} -Wl,--nxcompat"
-  if platform.name !~ /windowsfips-2012r2/ || name != 'agent-runtime-7.x'
+  if platform.name !~ /windowsfips-/ || name != 'agent-runtime-7.x'
     ldflags += ' -Wl,--dynamicbase'
   end
   proj.setting(:ldflags, ldflags)

configs/projects/agent-runtime-7.x.rb

@@ -61,11 +61,6 @@
   proj.component 'rubygem-thor'
   proj.component 'rubygem-scanf'
 
-  # We add rexml explicitly in here because even though ruby 2 ships with rexml as its default gem, the version
-  # of rexml it ships with contains CVE-2024-35176 and CVE-2024-39908. So, we add it here to update to a higher version
-  # free from the CVEs.
-  proj.component 'rubygem-rexml'
-
   if platform.is_linux?
     proj.component "virt-what"
     proj.component "dmidecode" unless platform.architecture =~ /ppc64/