Merge pull request #5303 from microsoft/anphel/1.0-april-2023-update

Merge for Mariner 1.0 April 2023 update

Author: anphel31

SPECS/c-ares/c-ares.signatures.json

@@ -1,5 +1,5 @@
 {
- "Signatures": {
-  "c-ares-1.18.1.tar.gz": "1a7d52a8a84a9fbffb1be9133c0f6e17217d91ea5a6fa61f6b4729cda78ebbcf"
- }
+  "Signatures": {
+    "c-ares-1.19.0.tar.gz": "bfceba37e23fd531293829002cac0401ef49a6dc55923f7f92236585b7ad1dd3"
+  }
 }

SPECS/c-ares/c-ares.spec

@@ -1,6 +1,6 @@
 Summary:        A library that performs asynchronous DNS operations
 Name:           c-ares
-Version:        1.18.1
+Version:        1.19.0
 Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
@@ -70,6 +70,9 @@ rm -rf %{buildroot}
 %{_mandir}/man3/ares_*
 
 %changelog
+* Tue Apr 04 2023 CBL-Mariner Servicing Account <[email protected]> - 1.19.0-1
+- Auto-upgrade to 1.19.0 - To Address CVE-2022-4904
+
 * Sun Nov 28 2021 Muhammad Falak <[email protected]> - 1.18.1-1
 - Bump version to fix CVE-2021-3672
 

SPECS/ca-certificates/ca-certificates.signatures.json

@@ -11,7 +11,7 @@
   "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
   "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
   "certdata.base.txt": "76c4cd1860b9a6f6ee9c2a0dcddcef46f65950b7ec12d2a7eeabeedca4e379f9",
-  "certdata.microsoft.txt": "7c9a314f528f5f353b478caaea8be051ad6b2ff99dca2754206afb632093fe47",
+  "certdata.microsoft.txt": "53fa416b306459da67127b12c17fb33d9598f0c085148578689066e84b00018e",
   "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
   "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
   "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",

SPECS/ca-certificates/ca-certificates.spec

@@ -44,7 +44,7 @@ Name:           ca-certificates
 
 # When updating, "Version" AND "Release" tags must be updated in the "prebuilt-ca-certificates" package as well.
 Version:        20200720
-Release:        29%{?dist}
+Release:        30%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -319,6 +319,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %{_bindir}/bundle2pem.sh
 
 %changelog
+* Thu Mar 30 2023 CBL-Mariner Service Account <[email protected]> - 20200720-30
+- Updating Microsoft trusted root CAs.
+
 * Mon Dec 12 2022 Pawel Winogrodzki <[email protected]> - 20200720-29
 - Adding 'Obsoletes' for the old 'ca-certificates-microsoft' packages before release 19.
 

SPECS/ca-certificates/certdata.microsoft.txt

@@ -0,0 +1,56 @@
+diff -Naur a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs
+--- a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs	2021-04-25 17:00:00.000000000 -0700
++++ b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/src/primitives.rs	2023-04-05 15:33:56.893718099 -0700
+@@ -367,6 +367,16 @@
+         let entries: Vec<<T as FamStruct>::Entry> =
+             Vec::deserialize(reader, version_map, app_version)
+                 .map_err(|ref err| VersionizeError::Deserialize(format!("{:?}", err)))?;
++        if header.len() != entries.len() {
++            let msg = format!(
++                "Mismatch between length of FAM specified in FamStruct header ({}) \
++                and actual size of FAM ({})",
++                header.len(),
++                entries.len()
++            );
++
++            return Err(VersionizeError::Deserialize(msg));
++        }
+         // Construct the object from the array items.
+         // Header(T) fields will be initialized by Default trait impl.
+         let mut object = FamStructWrapper::from_entries(&entries)
+diff -Naur a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs
+--- a/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs	2021-04-25 17:00:00.000000000 -0700
++++ b/.cargo/registry/src/github.com-1ecc6299db9ec823/versionize-0.1.6/tests/test.rs	2023-04-05 15:34:57.145737780 -0700
+@@ -1321,6 +1321,32 @@
+ type Message2FamStructWrapper = FamStructWrapper<Message2>;
+ 
+ #[test]
++fn test_deserialize_famstructwrapper_invalid_len() {
++    let mut vm = VersionMap::new();
++    vm.new_version()
++        .set_type_version(Message::type_id(), 2)
++        .new_version()
++        .set_type_version(Message::type_id(), 3)
++        .new_version()
++        .set_type_version(Message::type_id(), 4);
++
++    // Create FamStructWrapper with len 2
++    let state = MessageFamStructWrapper::new(0).unwrap();
++    let mut buffer = [0; 256];
++
++    state.serialize(&mut buffer.as_mut_slice(), &vm, 2).unwrap();
++
++    // the `len` field of the header is the first serialized field.
++    // Let's corrupt it by making it bigger than the actual number of serialized elements
++    buffer[0] = 255;
++
++    assert_eq!(
++        MessageFamStructWrapper::deserialize(&mut buffer.as_slice(), &vm, 2).unwrap_err(),
++        VersionizeError::Deserialize("Mismatch between length of FAM specified in FamStruct header (255) and actual size of FAM (0)".to_string())
++    );
++}
++
++#[test]
+ fn test_versionize_famstructwrapper() {
+     let mut vm = VersionMap::new();
+     vm.new_version()

SPECS/cloud-hypervisor/CVE-2023-28448.patch

@@ -1,7 +1,7 @@
 Summary:        A Rust-VMM based cloud hypervisor from Intel
 Name:           cloud-hypervisor
 Version:        22.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ASL 2.0 or BSD
 URL:            https://github.com/cloud-hypervisor/cloud-hypervisor
 Group:          Development/Tools
@@ -12,6 +12,7 @@ Source0:       %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # To update the cache run:
 #   [repo_root]/toolkit/scripts/build_cargo_cache.sh %%{name}-%%{version}.tar.gz
 Source1:        %{name}-%{version}-cargo.tar.gz
+Patch0:         CVE-2023-28448.patch
 ExclusiveArch:  x86_64
 
 BuildRequires:  gcc
@@ -28,6 +29,7 @@ A Rust-VMM based cloud hypervisor from Intel.
 mkdir -p $HOME
 pushd $HOME
 tar xf %{SOURCE1} --no-same-owner
+%patch0 -p1
 popd
 %setup -q
 
@@ -49,6 +51,9 @@ install -d %{buildroot}%{_libdir}/cloud-hypervisor
 %exclude %{_libdir}/debug
 
 %changelog
+* Wed Apr 05 2023 Henry Beberman <[email protected]> - 22.0-2
+- Patch CVE-2023-28448 in vendored versionize crate
+
 * Wed Mar 09 2022 Pawel Winogrodzki <[email protected]> - 22.0-1
 - Updating to version 22.0 to build with 'rust' 1.59.0.
 

SPECS/cloud-hypervisor/cloud-hypervisor.spec

@@ -0,0 +1,3 @@
+CVE-2023-1079 - patched in 5.10.173 - (generated by autopatch tool)
+upstream 4ab3a086d10eeec1424f2e8a968827a6336203df - stable 21a2eec4a440060a6eb294dc890eaf553101ba09
+

SPECS/kernel/CVE-2023-1079.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-1281 - patched in 5.10.169 - (generated by autopatch tool)
+upstream ee059170b1f7e94e55fa6cadee544e176a6e59c2 - stable eb8e9d8572d1d9df17272783ad8a84843ce559d4
+

SPECS/kernel/CVE-2023-1281.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-1390 - patched in 5.10.10 - (generated by autopatch tool)
+upstream b77413446408fdd256599daf00d5be72b5f3e7c6 - stable 60b8b4e6310b7dfc551ba68e8639eeaf70a0b2dd
+

SPECS/kernel/CVE-2023-1390.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-1513 - patched in 5.10.169 - (generated by autopatch tool)
+upstream 2c10b61421a28e95a46ab489fd56c0f442ff6952 - stable 6416c2108ba54d569e4c98d3b62ac78cb12e7107
+

SPECS/kernel/CVE-2023-1513.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-28772 - patched in 5.10.51 - (generated by autopatch tool)
+upstream d3b16034a24a112bb83aeb669ac5b9b01f744bb7 - stable f9fb4986f4d81182f938d16beb4f983fe71212aa
+

SPECS/kernel/CVE-2023-28772.nopatch

@@ -1,7 +1,7 @@
 Summary:       CBL-Mariner release files
 Name:          mariner-release
 Version:       1.0
-Release:       59%{?dist}
+Release:       60%{?dist}
 License:       MIT
 Group:         System Environment/Base
 URL:           https://aka.ms/cbl-mariner
@@ -67,6 +67,8 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace) /etc/issue.net
 
 %changelog
+*   Thu Apr 13 2023 Andrew Phelps <[email protected]> - 1.0-60
+-   Updating version for April update.
 *   Wed Mar 29 2023 Jon Slobodzian <[email protected]> - 1.0-59
 -   Updating version for March update2.
 *   Mon Mar 06 2023 Jon Slobodzian <[email protected]> - 1.0-58

SPECS/mariner-release/mariner-release.spec

@@ -5,8 +5,8 @@
 # Git clone is a standard practice of producing source files for moby-* packages.
 
 RUNC_REPO=https://github.com/opencontainers/runc.git
-RUNC_COMMIT=a916309fff0f838eb94e928713dbc3c0d0ac7aa4
-VERSION=v1.1.2
+RUNC_COMMIT=f19387a6bec4944c770f7668ab51c4348d9c2f38
+VERSION=v1.1.5
 
 mkdir -p /build/runc-src
 cd /build/runc-src

SPECS/moby-runc/generate-sources.sh

@@ -5,8 +5,8 @@
   "golang-crypto-c07d793c2f9aacf728fe68cbd7acd73adbd04159.tar.gz": "b7e8935189ea46c67eedafe6a97aefbdc2bf71dd9097fb7ee8a2a8ebc7556e7e",
   "golang-sys-b0526f3d87448f0401ea3f7f3a81aa9e6ab4804d.tar.gz": "23703a84893a1cb53d3efbb46143451431b95b78d29ef1e02132cd580bb3a445",
   "logrus-v1.8.1.tar.gz": "e9492c08ac8f202b438ccfb992bf81b7860739cf8f2266958e0c574c7abfdd74",
-  "runc-v1.1.2.tar.gz": "1a14bb492b562a6f7a27248e65a699790a6964923de64612e9bafc06124a30a2",
+  "runc-v1.1.5.tar.gz": "4bbc7703f4a5273e4b3d2c0ef233c784d116e92722e05fa11aa93ccf51aed4b9",
   "runtime-spec-v1.0.2.tar.gz": "0933a1ba6e418fe020993e80426107da8de3572f3f20b4cd1ef296de6e62bb61",
   "urfave-cli-v2.3.0.tar.gz": "b17376246f1477157daab86d4a1562d6b004f5be0d15dfc61ebd8bb129384e6b"
  }
-}
+}

SPECS/moby-runc/moby-runc.signatures.json

@@ -1,15 +1,15 @@
 Summary:        CLI tool for spawning and running containers per OCI spec.
 Name:           moby-runc
-Version:        1.1.2+azure
-Release:        4%{?dist}
+Version:        1.1.5+azure
+Release:        1%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Virtualization/Libraries
 URL:            https://runc.io/
 # See generate-sources.sh for creating runc source tarball
-#Source0:       https://github.com/opencontainers/runc/archive/refs/tags/v1.1.2.tar.gz
-Source0:        runc-v1.1.2.tar.gz
+#Source0:       https://github.com/opencontainers/runc/archive/refs/tags/v1.1.5.tar.gz
+Source0:        runc-v1.1.5.tar.gz
 #Source1:       https://github.com/sirupsen/logrus/archive/v1.8.1.tar.gz
 Source1:        logrus-v1.8.1.tar.gz
 #Source2:       https://github.com/opencontainers/runtime-spec/archive/v1.0.2.tar.gz
@@ -108,6 +108,9 @@ cp %{SOURCE7} %{buildroot}%{_docdir}/%{name}-%{version}/LICENSE
 %{_mandir}/*/*
 
 %changelog
+* Thu Apr 13 2023 Rohit Rawat <[email protected]> - 1.1.5+azure-1
+- Bump release to fix CVE-2023-28642, CVE-2023-27561, CVE-2023-25809
+
 * Tue Dec 13 2022 Suresh Babu Chalamalasetty <[email protected]> - 1.1.2+azure-4
 - Bump release to rebuild with go 1.18.8-2