diff --git a/SPECS-EXTENDED/buildah/buildah.spec b/SPECS-EXTENDED/buildah/buildah.spec index ae8713ec4b7..f76e937881a 100644 --- a/SPECS-EXTENDED/buildah/buildah.spec +++ b/SPECS-EXTENDED/buildah/buildah.spec @@ -21,7 +21,7 @@ Summary: A command line tool used for creating OCI Images Name: buildah Version: 1.18.0 -Release: 26%{?dist} +Release: 27%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -32,7 +32,7 @@ BuildRequires: btrfs-progs-devel BuildRequires: device-mapper-devel BuildRequires: git BuildRequires: glib2-devel -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} BuildRequires: go-md2man BuildRequires: go-rpm-macros BuildRequires: golang @@ -123,6 +123,9 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype %{_datadir}/%{name}/test %changelog +* Wed Aug 21 2024 Chris Co - 1.18.0-27 +- Bump to rebuild with updated glibc + * Wed May 22 2024 Suresh Babu Chalamalasetty - 1.18.0-26 - update to build dep latest glibc-static version diff --git a/SPECS-EXTENDED/catatonit/catatonit.spec b/SPECS-EXTENDED/catatonit/catatonit.spec index 3a766166714..2a9e5d12d35 100644 --- a/SPECS-EXTENDED/catatonit/catatonit.spec +++ b/SPECS-EXTENDED/catatonit/catatonit.spec @@ -3,7 +3,7 @@ Distribution: Azure Linux Name: catatonit Version: 0.1.7 -Release: 14%{?dist} +Release: 15%{?dist} Summary: A signal-forwarding process manager for containers License: GPLv3+ URL: https://github.com/openSUSE/catatonit @@ -13,7 +13,7 @@ BuildRequires: automake BuildRequires: file BuildRequires: gcc BuildRequires: git -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} BuildRequires: libtool BuildRequires: make 
@@ -61,6 +61,9 @@ ln -s %{_libexecdir}/%{name}/%{name} %{buildroot}%{_libexecdir}/podman/%{name} %{_libexecdir}/podman/%{name} %changelog +* Wed Aug 21 2024 Chris Co - 0.1.7-15 +- Bump to rebuild with updated glibc + * Wed May 22 2024 Suresh Babu Chalamalasetty - 0.1.7-14 - update to build dep latest glibc-static version diff --git a/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.signatures.json b/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.signatures.json index fdf607ab93c..d10a6ba75d0 100644 --- a/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.signatures.json +++ b/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "distribution-gpg-keys-1.60.tar.gz": "6136be288a89d858054b0ac376553a898e596a70875b61dfc99e46e768d88e31" + "distribution-gpg-keys-1.104.tar.gz": "60ec27522ba960719f6b7d578106a65dc2dca235e9ebf2399a6a98571afffd5a" } -} +} \ No newline at end of file diff --git a/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.spec b/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.spec index 208960fc413..00587568041 100644 --- a/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.spec +++ b/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.spec 
@@ -1,14 +1,14 @@ Summary: GPG keys of various Linux distributions Name: distribution-gpg-keys -Version: 1.60 -Release: 2%{?dist} +Version: 1.104 +Release: 1%{?dist} License: CC0 -URL: https://github.com/xsuchy/distribution-gpg-keys +URL: https://github.com/rpm-software-management/distribution-gpg-keys # Sources can be obtained by -# git clone git://github.com/xsuchy/distribution-gpg-keys.git +# git clone git://github.com/rpm-software-management/distribution-gpg-keys.git # cd distribution-gpg-keys # tito build --tgz -Source0: https://github.com/xsuchy/distribution-gpg-keys/archive/refs/tags/%{name}-%{version}-1.tar.gz#/%{name}-%{version}.tar.gz +Source0: https://github.com/rpm-software-management/distribution-gpg-keys/archive/refs/tags/%{name}-%{version}-1.tar.gz#/%{name}-%{version}.tar.gz BuildArch: noarch %description @@ -45,6 +45,10 @@ cp -a keys/* %{buildroot}%{_datadir}/%{name}/ %{_datadir}/%{name}/copr %changelog +* Fri Aug 02 2024 Devin Anderson - 1.104-1 +- Update to 1.104, a more recent version that includes the Azure Linux keys. +- Use the official repository URI to download sources. + * Tue Feb 08 2022 Cameron Baird - 1.60-2 - Initial CBL-Mariner import from Fedora 33 (license: MIT) - License verified diff --git a/SPECS-EXTENDED/dyninst/dyninst.spec b/SPECS-EXTENDED/dyninst/dyninst.spec index 2448eecd356..b020da7ea54 100644 --- a/SPECS-EXTENDED/dyninst/dyninst.spec +++ b/SPECS-EXTENDED/dyninst/dyninst.spec @@ -1,7 +1,7 @@ Summary: An API for Run-time Code Generation License: LGPLv2+ Name: dyninst -Release: 16%{?dist} +Release: 17%{?dist} Vendor: Microsoft Corporation Distribution: Azure Linux URL: http://www.dyninst.org @@ -31,7 +31,7 @@ BuildRequires: tbb tbb-devel # Extra requires just for the testsuite BuildRequires: gcc-gfortran libstdc++-static libxml2-devel -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} # Testsuite files should not provide/require anything %{?filter_setup: 
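Review bot: The rewritten "Sources can be obtained by" comment in distribution-gpg-keys.spec still documents `git clone git://github.com/rpm-software-management/distribution-gpg-keys.git`. The git:// transport has no authentication or integrity protection and GitHub no longer serves it, which matters for a package whose payload is other distributions' signing keys. I would write `# git clone https://github.com/rpm-software-management/distribution-gpg-keys.git` so the documented path matches the HTTPS Source0. The jump from 1.60 to 1.104 replaces the whole key set under a new sha256 in distribution-gpg-keys.signatures.json, and nothing in the visible part of the spec verifies a signature, so the changelog should say how that tarball hash was checked against the upstream tag.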
@@ -194,6 +194,9 @@ echo "%{_libdir}/dyninst" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %attr(644,root,root) %{_libdir}/dyninst/testsuite/*.a %changelog +* Wed Aug 21 2024 Chris Co - 10.1.0-17 +- Bump to rebuild with updated glibc + * Wed May 22 2024 Suresh Babu Chalamalasetty - 10.1.0-16 - update to build dep latest glibc-static version diff --git a/SPECS-EXTENDED/libldb/0001-PATCH-wafsamba-Fix-few-SyntaxWarnings-caused-by-regu.patch b/SPECS-EXTENDED/libldb/0001-PATCH-wafsamba-Fix-few-SyntaxWarnings-caused-by-regu.patch index 3b818993b12..7742479d22d 100644 --- a/SPECS-EXTENDED/libldb/0001-PATCH-wafsamba-Fix-few-SyntaxWarnings-caused-by-regu.patch +++ b/SPECS-EXTENDED/libldb/0001-PATCH-wafsamba-Fix-few-SyntaxWarnings-caused-by-regu.patch @@ -131,19 +131,6 @@ index ef632ba903369e4211991f17a3b204bcd96c3a2f..63e50567860ff890b00b0ce6c7607c91 if not m: conf.end_msg('not found', color='YELLOW') return -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py -index 8863c2c53e7d7dd9317c9233f0085ffd0eea6b2f..34793902fba884cf2d8358bf4315dc98027266b6 100644 ---- a/buildtools/wafsamba/samba_cross.py -+++ b/buildtools/wafsamba/samba_cross.py -@@ -77,7 +77,7 @@ def cross_answer(ca_file, msg): - f.close() - return (0, ans.strip("'")) - else: -- m = re.match('\(\s*(-?\d+)\s*,\s*\"(.*)\"\s*\)', ans) -+ m = re.match(r'\(\s*(-?\d+)\s*,\s*\"(.*)\"\s*\)', ans) - if m: - f.close() - return (int(m.group(1)), m.group(2)) diff --git a/buildtools/wafsamba/samba_headers.py b/buildtools/wafsamba/samba_headers.py index a268c011c5d8e406e0d763554c55668cfb5388bc..c8bee19010978a04460b0637fcc8fd484a699ea8 100644 --- a/buildtools/wafsamba/samba_headers.py diff --git a/SPECS-EXTENDED/libldb/libldb.signatures.json b/SPECS-EXTENDED/libldb/libldb.signatures.json index 3bf03a83bce..a5fcdb0790f 100644 --- a/SPECS-EXTENDED/libldb/libldb.signatures.json +++ b/SPECS-EXTENDED/libldb/libldb.signatures.json 
@@ -1,8 +1,8 @@ { "Signatures": { - "ldb-2.1.4.tar.asc": "e3e6c5b00295584e11216eeae1546711138772ab819bf26f3ab4ea0c76c76041", - "ldb-2.1.4.tar.gz": "9e0b12ee10cbd31f920f3ce1dcd7617c558411a438faaef44c596d77b4d0bf4e", + "ldb-2.7.2.tar.asc": "b5d4d98f3aef9fd7c22a6962af775269d819643cbf1c9fd3a8c2885a2e61f464", + "ldb-2.7.2.tar.gz": "26ee72d647854e662d99643eb2b2d341655abf31f4990838d6650fb5cf9209c8", "ldb.keyring": "9c5722acdd291bcc20a6b6d314b32d9cef30dcaeef59ef0d39635575e20167f1", "libldb-LICENSE.txt": "e3a994d82e644b03a792a930f574002658412f62407f5fee083f2555c5f23118" } -} +} \ No newline at end of file diff --git a/SPECS-EXTENDED/libldb/libldb.spec b/SPECS-EXTENDED/libldb/libldb.spec index 6831d91a11b..1b19875dc87 100644 --- a/SPECS-EXTENDED/libldb/libldb.spec +++ b/SPECS-EXTENDED/libldb/libldb.spec @@ -3,18 +3,18 @@ %global with_python3 1 -%global talloc_version 2.3.1 -%global tdb_version 1.4.3 -%global tevent_version 0.10.2 +%global talloc_version 2.4.0 +%global tdb_version 1.4.8 +%global tevent_version 0.14.1 Name: libldb -Version: 2.1.4 -Release: 2%{?dist} +Version: 2.7.2 +Release: 1%{?dist} Summary: A schema-less, ldap like, API and database Requires: libtalloc%{?_isa} >= %{talloc_version} Requires: libtdb%{?_isa} >= %{tdb_version} Requires: libtevent%{?_isa} >= %{tevent_version} -License: LGPLv3+ +License: LGPL-3.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux URL: http://ldb.samba.org/ @@ -221,6 +221,10 @@ rm -f $RPM_BUILD_ROOT/%{_mandir}/man3/_* %endif %changelog +* Wed Aug 07 2024 Sindhu Karri - 2.7.2-1 +- Upgrade to 2.7.2 to build with Python 3.12 for 3.0 +- License verified. Using SPDX format + * Tue Mar 02 2021 Henry Li - 2.1.4-2 - Initial CBL-Mariner import from Fedora 32 (license: MIT). - Remove distro condition check diff --git a/SPECS-EXTENDED/podman/podman.spec b/SPECS-EXTENDED/podman/podman.spec index add84212ce4..d30a2e4a53e 100644 --- a/SPECS-EXTENDED/podman/podman.spec +++ b/SPECS-EXTENDED/podman/podman.spec 
@@ -35,7 +35,7 @@ Name: podman Version: 4.1.1 -Release: 24%{?dist} +Release: 25%{?dist} License: ASL 2.0 and BSD and ISC and MIT and MPLv2.0 Summary: Manage Pods, Containers and Container Images Vendor: Microsoft Corporation @@ -50,7 +50,7 @@ BuildRequires: go-md2man BuildRequires: golang BuildRequires: gcc BuildRequires: glib2-devel -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} BuildRequires: git BuildRequires: go-rpm-macros BuildRequires: gpgme-devel @@ -386,6 +386,9 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/ # rhcontainerbot account currently managed by lsm5 %changelog +* Wed Aug 21 2024 Chris Co - 4.1.1-25 +- Bump to rebuild with updated glibc + * Wed May 22 2024 Suresh Babu Chalamalasetty - 4.1.1-24 - update to build dep latest glibc-static version diff --git a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec index abce26d0b52..5b01dfaeee9 100644 --- a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec +++ b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec @@ -12,7 +12,7 @@ Summary: Signed GRand Unified Bootloader for %{buildarch} systems Name: grub2-efi-binary-signed-%{buildarch} Version: 2.06 -Release: 19%{?dist} +Release: 20%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -79,6 +79,9 @@ cp %{SOURCE3} %{buildroot}/boot/efi/EFI/BOOT/%{grubpxeefiname} /boot/efi/EFI/BOOT/%{grubpxeefiname} %changelog +* Tue Aug 13 2024 Daniel McIlvaney - 2.06-20 +- Move grub2-rpm-macros to the azurelinux-rpm-macros package + * Wed Jun 12 2024 George Mileka - 2.06-19 - disable code optimization for ip checksum calculation diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 48c4024c826..09d7400a75d 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec 
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -9,8 +9,8 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 6.6.43.1 -Release: 7%{?dist} +Version: 6.6.47.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -145,6 +145,12 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Thu Aug 22 2024 CBL-Mariner Servicing Account - 6.6.47.1-1 +- Auto-upgrade to 6.6.47.1 + +* Wed Aug 14 2024 CBL-Mariner Servicing Account - 6.6.44.1-1 +- Auto-upgrade to 6.6.44.1 + * Sat Aug 10 2024 Thien Trung Vuong - 6.6.43.1-7 - Bump release to match kernel diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec index 5b37fd246bc..c663891cc74 100644 --- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec +++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec @@ -5,8 +5,8 @@ %define kernelver %{version}-%{release} Summary: Signed Unified Kernel Image for %{buildarch} systems Name: kernel-uki-signed-%{buildarch} -Version: 6.6.43.1 -Release: 7%{?dist} +Version: 6.6.47.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -65,6 +65,12 @@ popd /lib/modules/%{kernelver}/vmlinuz-uki.efi %changelog +* Thu Aug 22 2024 CBL-Mariner Servicing Account - 6.6.47.1-1 +- Auto-upgrade to 6.6.47.1 + +* Wed Aug 14 2024 CBL-Mariner Servicing Account - 6.6.44.1-1 +- Auto-upgrade to 6.6.44.1 + * Sat Aug 10 2024 Thien Trung Vuong - 6.6.43.1-7 - Bump release to match kernel diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec index 1f6a9328f4c..f4b9637659c 100644 --- a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec +++ b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec 
@@ -14,7 +14,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 16%{?dist} +Release: 17%{?dist} License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux @@ -86,6 +86,9 @@ popd /usr/share/man/man7/systemd-boot.7.gz %changelog +* Fri Aug 23 2024 Chris Co - 255-17 +- Bump release to match systemd spec + * Wed Jul 10 2024 Thien Trung Vuong - 255-16 - Bump release to match systemd spec diff --git a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json index d6207a3d5cc..72aede72c77 100644 --- a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json +++ b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "SymCrypt-OpenSSL-1.4.3.tar.gz": "9225dd28ff03ecface28df77617f22344e144817a9556d3df909484f5661004b" + "SymCrypt-OpenSSL-1.5.1.tar.gz": "946ac1bdd4d3e0d0381bca0df1b7281f9f7735430dfb6fce56344c7f2f3a7ecb" } } diff --git a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec index 8459cc4b497..c76637d4be4 100644 --- a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec +++ b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec @@ -1,6 +1,6 @@ Summary: The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations Name: SymCrypt-OpenSSL -Version: 1.4.3 +Version: 1.5.1 Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation 
@@ -67,6 +67,13 @@ install SymCryptProvider/symcrypt_prov.cnf %{buildroot}%{_sysconfdir}/pki/tls/sy %{_sysconfdir}/pki/tls/symcrypt_prov.cnf %changelog +* Wed Aug 21 2024 Maxwell Moyer-McKee - 1.5.1-1 +- Fix minor behavior differences with default provider + +* Thu Aug 15 2024 Maxwell Moyer-McKee - 1.5.0-1 +- Fix AES-CFB to match expected OpenSSL calling patterns +- Support ECC key X and Y coordinate export + * Thu May 16 2024 Maxwell Moyer-McKee - 1.4.3-1 - Additional bugfixes for TLS connections - Add variable length GCM IV support to the SymCrypt engine diff --git a/SPECS/WALinuxAgent/WALinuxAgent.signatures.json b/SPECS/WALinuxAgent/WALinuxAgent.signatures.json index 7a2b16ef86a..d7cecb63948 100644 --- a/SPECS/WALinuxAgent/WALinuxAgent.signatures.json +++ b/SPECS/WALinuxAgent/WALinuxAgent.signatures.json @@ -3,6 +3,7 @@ "WALinuxAgent-2.11.1.4.tar.gz": "956f12e31b0903f304cc070ddcbe4c8130c10e7ccc2597061e6467e911bc085d", "ephemeral-disk-warning": "8b18fc001e5dfa43a1f559a074e334330e6fc4fe5b8c586eafc894800cc1c1ad", "ephemeral-disk-warning.conf": "128e531c029e04afdab591f44d2b0a69d5a4eb9dec8867282d0acb1ebded76d0", - "ephemeral-disk-warning.service": "46b96609266ba56d28b09e4562a1bb03d874b06b929a7930b4df3292d7fcd303" + "ephemeral-disk-warning.service": "46b96609266ba56d28b09e4562a1bb03d874b06b929a7930b4df3292d7fcd303", + "module-setup.sh": "4dffe50e67a4d66adf4d9b4ac749a07586825ec322ed2539511782e6dce52219" } } diff --git a/SPECS/WALinuxAgent/WALinuxAgent.spec b/SPECS/WALinuxAgent/WALinuxAgent.spec index bdcc22d40e8..148b3876e56 100644 --- a/SPECS/WALinuxAgent/WALinuxAgent.spec +++ b/SPECS/WALinuxAgent/WALinuxAgent.spec @@ -1,7 +1,7 @@ Summary: The Windows Azure Linux Agent Name: WALinuxAgent Version: 2.11.1.4 -Release: 1%{?dist} +Release: 3%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -11,6 +11,7 @@ Source0: https://github.com/Azure/WALinuxAgent/archive/refs/tags/v%{versi Source1: ephemeral-disk-warning.service Source2: ephemeral-disk-warning.conf Source3: ephemeral-disk-warning +Source4: module-setup.sh # This patch adds azurelinux support into WALinuxAgent. The patch should be # removed in the next 2.12 update of WALinuxAgent. Patch0: 0001-add-azurelinux-support.patch @@ -22,6 +23,9 @@ Patch1: 0002-fix-bump-version-to-2.11.8.8.patch # This patch fixes a failure to assign IP address for infiband interfaces. # It should be removed in an upcoming release. Patch2: fix-argument-to-goalstate.patch +# This patch adds azurelinux support into the setup.py. This patch should be +# removed in the next 2.12 release/ +Patch3: update-setup.patch BuildRequires: python3-distro BuildRequires: python3-setuptools BuildRequires: python3-xml @@ -73,6 +77,9 @@ install -m 644 %{SOURCE1} %{buildroot}/%{_libdir}/systemd/system/ephemeral-disk- install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/ephemeral-disk-warning.conf install -m 644 %{SOURCE3} %{buildroot}%{_bindir}/ephemeral-disk-warning +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/97walinuxagent/ +install -m 755 %{SOURCE4} %{buildroot}%{_prefix}/lib/dracut/modules.d/97walinuxagent/module-setup.sh + %check python3 setup.py check && python3 setup.py test @@ -89,6 +96,8 @@ python3 setup.py check && python3 setup.py test %files %{_libdir}/systemd/system/* %{_sysconfdir}/udev/rules.d/* +%dir %attr(0700, root, root) %{_prefix}/lib/dracut/modules.d/97walinuxagent +%{_prefix}/lib/dracut/modules.d/97walinuxagent/module-setup.sh %defattr(0644,root,root,0755) %license LICENSE.txt %attr(0755,root,root) %{_bindir}/waagent 
@@ -103,6 +112,12 @@ python3 setup.py check && python3 setup.py test %changelog +* Thu Aug 15 2024 Chris Co - 2.11.1.4-3 +- Add patch to update setup.py with azurelinux support + +* Fri Aug 09 2024 Cameron Baird - 2.11.1.4-2 +- Package dracut setup script with WALinuxAgent + * Sat Aug 03 2024 Chris Co - 2.11.1.4-1 - Upgrade to version 2.11.1.4 - Add patch for azurelinux support diff --git a/SPECS/WALinuxAgent/module-setup.sh b/SPECS/WALinuxAgent/module-setup.sh new file mode 100644 index 00000000000..4509fc775b5 --- /dev/null +++ b/SPECS/WALinuxAgent/module-setup.sh @@ -0,0 +1,16 @@ +#!/usr/bin/bash +# called by dracut +check() { + return 0 +} + +# called by dracut +depends() { + return 0 +} + +# called by dracut +install() { + inst_multiple chmod cut readlink + inst_rules 66-azure-storage.rules 99-azure-product-uuid.rules +} \ No newline at end of file diff --git a/SPECS/WALinuxAgent/update-setup.patch b/SPECS/WALinuxAgent/update-setup.patch new file mode 100644 index 00000000000..fa0894d0c35 --- /dev/null +++ b/SPECS/WALinuxAgent/update-setup.patch @@ -0,0 +1,22 @@ +From 187f0d694626cf11e24aa45b2ff6789c4b739fc1 Mon Sep 17 00:00:00 2001 +From: "narrieta@microsoft" +Date: Wed, 14 Aug 2024 21:19:57 -0700 +Subject: [PATCH] Update setup.py + +--- + setup.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/setup.py b/setup.py +index 2d51fae8c2..0bb053d4c2 100755 +--- a/setup.py ++++ b/setup.py +@@ -147,7 +147,7 @@ def get_data_files(name, version, fullname): # pylint: disable=R0912 + src=["config/clearlinux/waagent.conf"]) + set_systemd_files(data_files, dest=systemd_dir_path, + src=["init/clearlinux/waagent.service"]) +- elif name == 'mariner': ++ elif name in ["mariner", "azurelinux"]: + set_bin_files(data_files, dest=agent_bin_path) + set_conf_files(data_files, dest="/etc", + src=["config/mariner/waagent.conf"]) diff --git a/SPECS/abseil-cpp/abseil-cpp.spec b/SPECS/abseil-cpp/abseil-cpp.spec index 91017411d82..561dbcc3a83 100644 
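Review bot: In the new SPECS/WALinuxAgent/module-setup.sh, `check()` returns 0 unconditionally, so dracut pulls the 97walinuxagent module into every initramfs built on a system with this package installed, including images for non-Azure machines. If that is intended, say so in a comment such as `# always include: the Azure udev rules must be present in the initramfs`; otherwise `return 255` limits inclusion to explicit requests or dependencies. The helper list in `inst_multiple chmod cut readlink` deserves a comment naming which of the two rules files passed to `inst_rules` invokes them, so a later rules update does not silently leave a helper out of the initramfs. The file also ends without a trailing newline.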
--- a/SPECS/abseil-cpp/abseil-cpp.spec +++ b/SPECS/abseil-cpp/abseil-cpp.spec @@ -5,7 +5,7 @@ Summary: C++ Common Libraries Name: abseil-cpp Version: 20240116.0 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -18,6 +18,8 @@ BuildRequires: make BuildRequires: gmock-devel BuildRequires: gtest BuildRequires: gtest-devel +BuildRequires: python3 +BuildRequires: tzdata %if 0%{?with_check} BuildRequires: ninja-build @@ -25,6 +27,8 @@ BuildRequires: gcc-c++ BuildRequires: gmock %endif +Requires: tzdata + %description Abseil is an open-source collection of C++ library code designed to augment the C++ standard library. The Abseil library code is collected from @@ -68,7 +72,7 @@ Development headers for %{name} -DABSL_ENABLE_INSTALL:BOOL=ON \ -DABSL_BUILD_TESTING:BOOL=ON \ -DABSL_BUILD_TEST_HELPERS:BOOL=ON \ - -DCMAKE_BUILD_TYPE:STRING=None \ + -DCMAKE_BUILD_TYPE:STRING=RelWithDebInfo \ -DCMAKE_CXX_STANDARD:STRING=17 %cmake_build @@ -76,7 +80,7 @@ Development headers for %{name} %cmake_install %check -%ctest --output-on-failure +%ctest --output-on-failure --exclude-regex waiter_test %files %license LICENSE 
@@ -90,6 +94,17 @@ Development headers for %{name} %{_libdir}/pkgconfig/*.pc %changelog +* Thu Jul 25 2024 Devin Anderson - 20240116.0-2 +- Change the build type back to 'RelWithDebInfo' so that 'abseil' compiles with + 'NDEBUG' defined so that packages that link to 'abseil' with 'NDEBUG' defined + (e.g. 'grpc', 're2', 'protobuf') don't crash with deadlock messages related + to 'absl::Mutex' due to ABI breakage. +- Take dependency on 'tzdata' so that functionality in absl/time works. See + https://github.com/abseil/abseil-cpp/issues/329 for details. +- Disable flaky waiter tests, which sleep on the monotonic timer and then, + inexplicably, test how much time has passed against the system timer. +- Add explicit dependency on 'python3', which is used at build time. + * Tue Mar 19 2024 Betty Lakes - 20240116.0-1 - Upgrade version to 20240116.0 diff --git a/SPECS/avahi/avahi.spec b/SPECS/avahi/avahi.spec index 5d31fb58c25..8ab176bfdff 100644 --- a/SPECS/avahi/avahi.spec +++ b/SPECS/avahi/avahi.spec @@ -3,7 +3,7 @@ Summary: Local network service discovery Name: avahi Version: 0.8 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -175,6 +175,16 @@ rm -fv docs/INSTALL %build # Use autogen to kill rpaths rm -fv missing + +# AZL: avahi-daemon hangs in libssp's fail() routine when built with libssp support enabled. +# This support is dynamically set when avahi's configure scans the current build environment +# for the presence of the standalone libssp built by gcc. +# This standalone implementation of libssp is generally obsoleted in most modern systems, +# and instead the libc's implementation of SSP is used. +# So we will remove the libssp files from here if we find they are present. Avahi's configure +# will instead use glibc's ssp implementation which does not hang and is proper. +rm -fv /usr/lib64/libssp.* + NOCONFIGURE=1 ./autogen.sh # Note that "--with-distro=none" is necessary to prevent initscripts from being installed @@ -405,6 +415,9 @@ exit 0 %endif %changelog +* Wed Aug 14 2024 Chris Co - 0.8-2 +- Remove libssp from build environment to fix avahi-daemon hang + * Wed Apr 20 2022 Olivia Crain - 0.8-1 - Upgrade to latest upstream version to fix CVE-2017-6519 - Add upstream patch to fix CVE-2021-3502 diff --git a/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.signatures.json b/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.signatures.json index 8dc5fbed370..1d3cacafb5e 100644 --- a/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.signatures.json +++ b/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.signatures.json 
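Review bot: The added `rm -fv /usr/lib64/libssp.*` in %build deletes files owned by another package from the build environment's system directories, so the avahi build now mutates its chroot and anything built afterwards in the same environment sees the change. The path is hard-coded rather than `%{_libdir}`, and with `-f` the step succeeds whether or not anything matched, so a change in where libssp is installed would quietly bring the hang back. I would prefer keeping libssp out of the build environment in the first place, and adding a %check step that runs `ldd` on the built avahi-daemon and fails if libssp appears, so the hardening outcome is asserted rather than assumed. If the removal stays, it should at least read `rm -fv %{_libdir}/libssp.*`.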
@@ -18,6 +18,7 @@ "macros.check": "79367176c3c7d10c0158b6e5d881e0fc3c8fd50c5957dad2f097c2d4a37833e7", "macros.fonts": "f52edc646414c5dd0f5f4cdd570f2f9dbe6fb97d4f0db360908deb56d96492f8", "macros.forge": "52cdffd48217cafe33afe47c625cd6aac6460848cd76de66fe61031c26beeaf4", + "macros.grub2": "b03f6f713601214406971de53538dfc25136bf836f09a663eaffc4332a72c38b", "macros.mono-srpm": "a9201ae36fc482e966134e38f42412378e955faf296b214cb6dd63981af8bc49", "macros.nodejs-srpm": "b2515cc7fad3f14849cff8593b10543a3f73edccff4c3c6d0d2764dae19c38e8", "macros.ocaml-srpm": "c35c6db7ede8ea534212329d010920646f80368e1fbd0b9025e48ed0a85a09ce", @@ -34,4 +35,4 @@ "rpmrc": "c197369d806430f581de9d5f0e89384d231745712f394ce39497ada47d1f4efe", "verify-package-notes.sh": "121715379dcfda33f4e66b3eb5520c80c55c1b0d88348f8895d45d3b89dfe965" } -} \ No newline at end of file +} diff --git a/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.spec b/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.spec index eb29cefc97b..8b4df1dacf6 100644 --- a/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.spec +++ b/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.spec @@ -7,7 +7,7 @@ Summary: Azure Linux specific rpm macro files Name: azurelinux-rpm-macros Version: %{azl}.0 -Release: 5%{?dist} +Release: 6%{?dist} License: GPL+ AND MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -47,6 +47,7 @@ Source28: https://src.fedoraproject.org/rpms/python-rpm-macros/blob/f40/f/ Source29: https://src.fedoraproject.org/rpms/python-rpm-macros/blob/f40/f/brp-fix-pyc-reproducibility Source30: https://src.fedoraproject.org/rpms/python-rpm-macros/blob/f40/f/brp-python-hardlink Source31: https://src.fedoraproject.org/rpms/python-rpm-macros/blob/f40/f/import_all_modules.py +Source32: macros.grub2 ### Provides: redhat-rpm-config Provides: openblas-srpm-macros 
@@ -59,6 +60,9 @@ Provides: rust-srpm-macros Obsoletes: mariner-rpm-macros <= 2.0-25 Provides: mariner-rpm-macros = %{version}-%{release} +Obsoletes: grub2-rpm-macros <= 2.06-19%{?dist} +Provides: grub2-rpm-macros = %{version}-%{release} + BuildArch: noarch %description @@ -124,6 +128,7 @@ install -p -m 644 -t %{buildroot}%{rcluadir}/srpm python.lua %{_rpmconfigdir}/macros.d/macros.rust-srpm %{_rpmconfigdir}/macros.d/macros.fonts %{_rpmconfigdir}/macros.d/macros.forge +%{_rpmconfigdir}/macros.d/macros.grub2 %{_rpmconfigdir}/macros.d/macros.suse %dir %{rcluadir} @@ -138,6 +143,9 @@ install -p -m 644 -t %{buildroot}%{rcluadir}/srpm python.lua %{_rpmconfigdir}/macros.d/macros.check %changelog +* Tue Aug 13 2024 Daniel McIlvaney - 3.0-6 +- Move grub2-rpm-macros to the azurelinux-rpm-macros package + * Tue May 21 2024 Mykhailo Bykhovtsev - 3.0-5 - Moved ocaml-srpm-macros into its own package. diff --git a/SPECS/grub2/macros.grub2 b/SPECS/azurelinux-rpm-macros/macros.grub2 similarity index 100% rename from SPECS/grub2/macros.grub2 rename to SPECS/azurelinux-rpm-macros/macros.grub2 diff --git a/SPECS/bash/bash-tty-tests.patch b/SPECS/bash/bash-tty-tests.patch new file mode 100644 index 00000000000..fda2d3a559c --- /dev/null +++ b/SPECS/bash/bash-tty-tests.patch 
@@ -0,0 +1,58 @@ +diff --git a/tests/exec.right b/tests/exec.right +--- a/tests/exec.right ++++ b/tests/exec.right +@@ -60,7 +60,6 @@ this is ohio-state + 0 + 1 + testb +-expand_aliases on + 1 + 1 + 1 +diff --git a/tests/execscript b/tests/execscript +--- a/tests/execscript ++++ b/tests/execscript +@@ -108,8 +108,6 @@ ${THIS_SH} ./exec6.sub + # checks for properly deciding what constitutes an executable file + ${THIS_SH} ./exec7.sub + +-${THIS_SH} -i ${PWD}/exec8.sub +- + ${THIS_SH} ./exec9.sub + + ${THIS_SH} ./exec10.sub +diff --git a/tests/read.right b/tests/read.right +--- a/tests/read.right ++++ b/tests/read.right +@@ -34,17 +34,6 @@ xyz + a = xyz + a = -xyz 123- + a = abc +-timeout 1: ok +-unset or null 1 +-timeout 2: ok +-unset or null 2 +-timeout 3: ok +-unset or null 3 +-./read2.sub: line 45: read: -3: invalid timeout specification +-1 +- +-abcde +-abcde + ./read3.sub: line 17: read: -1: invalid number + abc + defg +diff --git a/tests/read.tests b/tests/read.tests +--- a/tests/read.tests ++++ b/tests/read.tests +@@ -95,9 +95,6 @@ echo " foo" | { IFS=$':' ; read line; recho "$line"; } + # test read -d delim behavior + ${THIS_SH} ./read1.sub + +-# test read -t timeout behavior +-${THIS_SH} ./read2.sub +- + # test read -n nchars behavior + ${THIS_SH} ./read3.sub + + \ No newline at end of file diff --git a/SPECS/bash/bash.spec b/SPECS/bash/bash.spec index 4b37ec039e0..04880a5062d 100644 --- a/SPECS/bash/bash.spec +++ b/SPECS/bash/bash.spec @@ -1,7 +1,7 @@ Summary: Bourne-Again SHell Name: bash Version: 5.2.15 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv3 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,6 +12,7 @@ Source1: bash_completion Patch0: bash-5.1.patch # Non-interactive shells beginning with argv[0][0] == '-' should run the startup files when not in posix mode. Patch1: bash-2.03-profile.patch +Patch2: bash-tty-tests.patch BuildRequires: readline Requires: readline Requires(post): /bin/cp 
@@ -260,7 +261,10 @@ dircolors -p > %{buildroot}%{_sysconfdir}/dircolors rm -rf %{buildroot}/%{_infodir} %check -make NON_ROOT_USERNAME=nobody %{?_smp_mflags} check +# Remove tests that get stuck waiting on /dev/tty input +rm -v tests/run-read +rm -v tests/run-history +make check %post if [ $1 -eq 1 ] ; then @@ -330,6 +334,9 @@ fi %defattr(-,root,root) %changelog +* Fri Aug 16 2024 Andrew Phelps - 5.2.15-3 +- Fix check tests + * Mon Jun 17 2024 Daniel McIlvaney - 5.2.15-2 - When non-interactive shells are started with '-bash' load startup files. From - Fedora upstream: https://src.fedoraproject.org/rpms/bash/blob/f40/f/bash-2.03-profile.patch diff --git a/SPECS/busybox/CVE-2021-42380.patch b/SPECS/busybox/CVE-2021-42380.patch new file mode 100644 index 00000000000..dfcff1911db --- /dev/null +++ b/SPECS/busybox/CVE-2021-42380.patch 
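Review bot: The new %check in bash.spec deletes `tests/run-read` and `tests/run-history` outright, which drops every read and history test rather than only the cases that need a terminal. bash-tty-tests.patch, added in this same commit, already strips the `read2.sub` timeout case from `tests/read.tests` and `tests/read.right`, so removing `run-read` makes those patch hunks dead and loses the remaining `read1.sub` and `read3.sub` coverage. If the patched read test no longer blocks on /dev/tty, keep it and drop only the `rm -v tests/run-read` line. The replacement `make check` also loses `NON_ROOT_USERNAME=nobody` and `%{?_smp_mflags}` with no explanation in the changelog entry; a one-line comment in %check giving the reason would help.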
@@ -0,0 +1,84 @@ +From 5dcc443dba039b305a510c01883e9f34e42656ae Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Fri, 26 May 2023 19:36:58 +0200 +Subject: [PATCH 01/19] awk: fix use-after-realloc (CVE-2021-42380), closes + 15601 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 728ee8685..2af823808 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -555,7 +555,7 @@ struct globals { + const char *g_progname; + int g_lineno; + int nfields; +- int maxfields; /* used in fsrealloc() only */ ++ unsigned maxfields; + var *Fields; + char *g_pos; + char g_saved_ch; +@@ -1931,9 +1931,9 @@ static void fsrealloc(int size) + { + int i, newsize; + +- if (size >= maxfields) { +- /* Sanity cap, easier than catering for overflows */ +- if (size > 0xffffff) ++ if ((unsigned)size >= maxfields) { ++ /* Sanity cap, easier than catering for over/underflows */ ++ if ((unsigned)size > 0xffffff) + bb_die_memory_exhausted(); + + i = maxfields; +@@ -2891,6 +2891,7 @@ static var *evaluate(node *op, var *res) + uint32_t opinfo; + int opn; + node *op1; ++ var *old_Fields_ptr; + + opinfo = op->info; + opn = (opinfo & OPNMASK); +@@ -2899,10 +2900,16 @@ static var *evaluate(node *op, var *res) + debug_printf_eval("opinfo:%08x opn:%08x\n", opinfo, opn); + + /* execute inevitable things */ ++ old_Fields_ptr = NULL; + if (opinfo & OF_RES1) { + if ((opinfo & OF_REQUIRED) && !op1) + syntax_error(EMSG_TOO_FEW_ARGS); + L.v = evaluate(op1, TMPVAR0); ++ /* Does L.v point to $n variable? 
*/ ++ if ((size_t)(L.v - Fields) < maxfields) { ++ /* yes, remember where Fields[] is */ ++ old_Fields_ptr = Fields; ++ } + if (opinfo & OF_STR1) { + L.s = getvar_s(L.v); + debug_printf_eval("L.s:'%s'\n", L.s); +@@ -2921,8 +2928,15 @@ static var *evaluate(node *op, var *res) + */ + if (opinfo & OF_RES2) { + R.v = evaluate(op->r.n, TMPVAR1); +- //TODO: L.v may be invalid now, set L.v to NULL to catch bugs? +- //L.v = NULL; ++ /* Seen in $5=$$5=$0: ++ * Evaluation of R.v ($$5=$0 expression) ++ * made L.v ($5) invalid. It's detected here. ++ */ ++ if (old_Fields_ptr) { ++ //if (old_Fields_ptr != Fields) ++ // debug_printf_eval("L.v moved\n"); ++ L.v += Fields - old_Fields_ptr; ++ } + if (opinfo & OF_STR2) { + R.s = getvar_s(R.v); + debug_printf_eval("R.s:'%s'\n", R.s); +-- +2.46.0 + diff --git a/SPECS/busybox/CVE-2023-42363.patch b/SPECS/busybox/CVE-2023-42363.patch new file mode 100644 index 00000000000..ad069a40865 --- /dev/null +++ b/SPECS/busybox/CVE-2023-42363.patch 
@@ -0,0 +1,64 @@
+From fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa Mon Sep 17 00:00:00 2001
+From: Natanael Copa
+Date: Mon, 20 May 2024 17:55:28 +0200
+Subject: [PATCH 19/19] awk: fix use after free (CVE-2023-42363)
+
+function old new delta
+evaluate 3377 3385 +8
+
+Fixes https://bugs.busybox.net/show_bug.cgi?id=15865
+
+Signed-off-by: Natanael Copa
+Signed-off-by: Denys Vlasenko
+Signed-off-by: Muhammad Falak R Wani
+---
+ editors/awk.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index 0981c6735..ff6d6350b 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -2981,19 +2981,14 @@ static var *evaluate(node *op, var *res)
+ /* yes, remember where Fields[] is */
+ old_Fields_ptr = Fields;
+ }
+- if (opinfo & OF_STR1) {
+- L.s = getvar_s(L.v);
+- debug_printf_eval("L.s:'%s'\n", L.s);
+- }
+ if (opinfo & OF_NUM1) {
+ L_d = getvar_i(L.v);
+ debug_printf_eval("L_d:%f\n", L_d);
+ }
+ }
+- /* NB: Must get string/numeric values of L (done above)
+- * _before_ evaluate()'ing R.v: if both L and R are $NNNs,
+- * and right one is large, then L.v points to Fields[NNN1],
+- * second evaluate() reallocates and moves (!) Fields[],
++ /* NB: if both L and R are $NNNs, and right one is large,
++ * then at this pint L.v points to Fields[NNN1], second
++ * evaluate() below reallocates and moves (!) Fields[],
+ * R.v points to Fields[NNN2] but L.v now points to freed mem!
+ * (Seen trying to evaluate "$444 $44444")
+ */
+@@ -3013,6 +3008,16 @@ static var *evaluate(node *op, var *res)
+ debug_printf_eval("R.s:'%s'\n", R.s);
+ }
+ }
++ /* Get L.s _after_ R.v is evaluated: it may have realloc'd L.v
++ * so we must get the string after "old_Fields_ptr" correction
++ * above. Testcase: x = (v = "abc", gsub("b", "X", v));
++ */
++ if (opinfo & OF_RES1) {
++ if (opinfo & OF_STR1) {
++ L.s = getvar_s(L.v);
++ debug_printf_eval("L.s:'%s'\n", L.s);
++ }
++ }
+
+ debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK));
+ switch (XC(opinfo & OPCLSMASK)) {
+--
+2.46.0
+
diff --git a/SPECS/busybox/CVE-2023-42365.patch b/SPECS/busybox/CVE-2023-42365.patch
new file mode 100644
index 00000000000..a59c72fee10
--- /dev/null
+++ b/SPECS/busybox/CVE-2023-42365.patch
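Review bot: This patch only applies on top of the other two patch files, and nothing in the file records that ordering. It is `[PATCH 19/19]`, and its first inner hunk uses `old_Fields_ptr = Fields;` as context at line 2981 of editors/awk.c against base blob 0981c6735, a state that exists only after CVE-2021-42380.patch (01/19) and the series in CVE-2023-42365.patch (02/19 onward). The busybox.spec hunk is not in view, so the `Patch` order could not be checked; if the patches are listed by CVE number, this one is applied too early and either fails or applies with fuzz. A spec comment such as `# Apply order: CVE-2021-42380 (01/19), CVE-2023-42365 (02/19 onward), CVE-2023-42363 (19/19)` would keep a later reorder from dropping the use-after-free fix.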
@@ -0,0 +1,1660 @@ +From 84ff1825dd82e8de45020e3def34d1430d8e5a99 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sat, 27 May 2023 16:16:58 +0200 +Subject: [PATCH 02/19] awk: fix splitting with default FS + +function old new delta +awk_split 543 544 +1 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 2af823808..b3748b502 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2049,13 +2049,17 @@ static int awk_split(const char *s, node *spl, char **slist) + } + return n; + } +- /* space split */ ++ /* space split: "In the special case that FS is a single space, ++ * fields are separated by runs of spaces and/or tabs and/or newlines" ++ */ + while (*s) { +- s = skip_whitespace(s); ++ /* s = skip_whitespace(s); -- WRONG (also skips \v \f \r) */ ++ while (*s == ' ' || *s == '\t' || *s == '\n') ++ s++; + if (!*s) + break; + n++; +- while (*s && !isspace(*s)) ++ while (*s && !(*s == ' ' || *s == '\t' || *s == '\n')) + *s1++ = *s++; + *s1++ = '\0'; + } +@@ -2304,7 +2308,6 @@ static int awk_getline(rstream *rsm, var *v) + setvar_i(intvar[ERRNO], errno); + } + b[p] = '\0'; +- + } while (p > pp); + + if (p == 0) { +@@ -3145,7 +3148,7 @@ static var *evaluate(node *op, var *res) + /* make sure that we never return a temp var */ + if (L.v == TMPVAR0) + L.v = res; +- /* if source is a temporary string, jusk relink it to dest */ ++ /* if source is a temporary string, just relink it to dest */ + if (R.v == TMPVAR1 + && !(R.v->type & VF_NUMBER) + /* Why check !NUMBER? 
if R.v is a number but has cached R.v->string, +-- +2.46.0 + +From 528808bcd25f7d237874dc82fad2adcddf354b42 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sat, 27 May 2023 18:05:42 +0200 +Subject: [PATCH 03/19] awk: get rid of one indirection level for iF (input + file structure) + +function old new delta +try_to_assign - 91 +91 +next_input_file 214 216 +2 +awk_main 827 826 -1 +evaluate 3403 3396 -7 +is_assignment 91 - -91 +------------------------------------------------------------------------------ +(add/remove: 1/1 grow/shrink: 1/2 up/down: 93/-99) Total: -6 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 78 +++++++++++++++++++++++++++------------------------ + 1 file changed, 41 insertions(+), 37 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index b3748b502..22f52417d 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -546,7 +546,6 @@ struct globals { + chain beginseq, mainseq, endseq; + chain *seq; + node *break_ptr, *continue_ptr; +- rstream *iF; + xhash *ahash; /* argument names, used only while parsing function bodies */ + xhash *fnhash; /* function names, used only in parsing stage */ + xhash *vhash; /* variables and arrays */ +@@ -579,11 +578,12 @@ struct globals2 { + + var *intvar[NUM_INTERNAL_VARS]; /* often used */ + ++ rstream iF; ++ + /* former statics from various functions */ + char *split_f0__fstrings; + +- rstream next_input_file__rsm; +- smallint next_input_file__files_happen; ++ smallint next_input_file__input_file_seen; + + smalluint exitcode; + +@@ -618,7 +618,6 @@ struct globals2 { + #define seq (G1.seq ) + #define break_ptr (G1.break_ptr ) + #define continue_ptr (G1.continue_ptr) +-#define iF (G1.iF ) + #define ahash (G1.ahash ) + #define fnhash (G1.fnhash ) + #define vhash (G1.vhash ) +@@ -644,6 +643,7 @@ struct globals2 { + #define t_string (G.t_string ) + #define t_lineno (G.t_lineno ) + #define intvar (G.intvar ) ++#define iF (G.iF ) + #define fsplitter 
(G.fsplitter ) + #define rsplitter (G.rsplitter ) + #define g_buf (G.g_buf ) +@@ -2799,7 +2799,7 @@ static NOINLINE var *exec_builtin(node *op, var *res) + + /* if expr looks like "var=value", perform assignment and return 1, + * otherwise return 0 */ +-static int is_assignment(const char *expr) ++static int try_to_assign(const char *expr) + { + char *exprc, *val; + +@@ -2819,39 +2819,44 @@ static int is_assignment(const char *expr) + } + + /* switch to next input file */ +-static rstream *next_input_file(void) ++static int next_input_file(void) + { +-#define rsm (G.next_input_file__rsm) +-#define files_happen (G.next_input_file__files_happen) +- +- const char *fname, *ind; ++#define input_file_seen (G.next_input_file__input_file_seen) ++ const char *fname; + +- if (rsm.F) +- fclose(rsm.F); +- rsm.F = NULL; +- rsm.pos = rsm.adv = 0; ++ if (iF.F) { ++ fclose(iF.F); ++ iF.F = NULL; ++ iF.pos = iF.adv = 0; ++ } + + for (;;) { ++ const char *ind; ++ + if (getvar_i(intvar[ARGIND])+1 >= getvar_i(intvar[ARGC])) { +- if (files_happen) +- return NULL; ++ if (input_file_seen) ++ return FALSE; + fname = "-"; +- rsm.F = stdin; ++ iF.F = stdin; + break; + } + ind = getvar_s(incvar(intvar[ARGIND])); + fname = getvar_s(findvar(iamarray(intvar[ARGV]), ind)); +- if (fname && *fname && !is_assignment(fname)) { +- rsm.F = xfopen_stdin(fname); ++ if (fname && *fname) { ++ /* "If a filename on the command line has the form ++ * var=val it is treated as a variable assignment" ++ */ ++ if (try_to_assign(fname)) ++ continue; ++ iF.F = xfopen_stdin(fname); + break; + } + } + +- files_happen = TRUE; + setvar_s(intvar[FILENAME], fname); +- return &rsm; +-#undef rsm +-#undef files_happen ++ input_file_seen = TRUE; ++ return TRUE; ++#undef input_file_seen + } + + /* +@@ -3231,12 +3236,12 @@ static var *evaluate(node *op, var *res) + } + } + } else { +- if (!iF) +- iF = next_input_file(); +- rsm = iF; ++ if (!iF.F) ++ next_input_file(); ++ rsm = &iF; + } + +- if (!rsm || !rsm->F) { ++ if 
(!rsm->F) { + setvar_i(intvar[ERRNO], errno); + setvar_i(res, -1); + break; +@@ -3659,7 +3664,7 @@ int awk_main(int argc UNUSED_PARAM, char **argv) + setvar_s(intvar[FS], opt_F); + } + while (list_v) { +- if (!is_assignment(llist_pop(&list_v))) ++ if (!try_to_assign(llist_pop(&list_v))) + bb_show_usage(); + } + +@@ -3718,15 +3723,14 @@ int awk_main(int argc UNUSED_PARAM, char **argv) + awk_exit(); + + /* input file could already be opened in BEGIN block */ +- if (!iF) +- iF = next_input_file(); +- +- /* passing through input files */ +- while (iF) { ++ if (!iF.F) ++ goto next_file; /* no, it wasn't, go try opening */ ++ /* Iterate over input files */ ++ for (;;) { + nextfile = FALSE; + setvar_i(intvar[FNR], 0); + +- while ((i = awk_getline(iF, intvar[F0])) > 0) { ++ while ((i = awk_getline(&iF, intvar[F0])) > 0) { + nextrec = FALSE; + incvar(intvar[NR]); + incvar(intvar[FNR]); +@@ -3735,11 +3739,11 @@ int awk_main(int argc UNUSED_PARAM, char **argv) + if (nextfile) + break; + } +- + if (i < 0) + syntax_error(strerror(errno)); +- +- iF = next_input_file(); ++ next_file: ++ if (!next_input_file()) ++ break; + } + + awk_exit(); +-- +2.46.0 + +From 5c8a9dfd976493e4351abadf6686b621763b564c Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sat, 27 May 2023 18:21:38 +0200 +Subject: [PATCH 04/19] awk: remove a local variable "caching" a struct member + +Since we take its address, the variable lives on stack (not a GPR). +Thus, nothing is improved by caching it. 
+ +function old new delta +awk_getline 642 639 -3 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 22f52417d..4a0eb9281 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2236,7 +2236,7 @@ static int awk_getline(rstream *rsm, var *v) + { + char *b; + regmatch_t pmatch[1]; +- int size, a, p, pp = 0; ++ int a, p, pp = 0; + int fd, so, eo, r, rp; + char c, *m, *s; + +@@ -2249,12 +2249,11 @@ static int awk_getline(rstream *rsm, var *v) + m = rsm->buffer; + a = rsm->adv; + p = rsm->pos; +- size = rsm->size; + c = (char) rsplitter.n.info; + rp = 0; + + if (!m) +- m = qrealloc(m, 256, &size); ++ m = qrealloc(m, 256, &rsm->size); + + do { + b = m + a; +@@ -2298,10 +2297,10 @@ static int awk_getline(rstream *rsm, var *v) + a = 0; + } + +- m = qrealloc(m, a+p+128, &size); ++ m = qrealloc(m, a+p+128, &rsm->size); + b = m + a; + pp = p; +- p += safe_read(fd, b+p, size-p-1); ++ p += safe_read(fd, b+p, rsm->size - p - 1); + if (p < pp) { + p = 0; + r = 0; +@@ -2325,7 +2324,6 @@ static int awk_getline(rstream *rsm, var *v) + rsm->buffer = m; + rsm->adv = a + eo; + rsm->pos = p - eo; +- rsm->size = size; + + debug_printf_eval("returning from %s(): %d\n", __func__, r); + +-- +2.46.0 + +From 21dce1c3c3d74a60959b6d8b0c76f38d463b8187 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sat, 27 May 2023 19:11:28 +0200 +Subject: [PATCH 05/19] awk: do not read ARGIND, only set it (gawk compat) + +function old new delta +next_input_file 216 243 +27 +evaluate 3396 3402 +6 +awk_main 826 829 +3 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 3/0 up/down: 36/0) Total: 36 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git 
a/editors/awk.c b/editors/awk.c +index 4a0eb9281..77e0b0aab 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -583,6 +583,7 @@ struct globals2 { + /* former statics from various functions */ + char *split_f0__fstrings; + ++ unsigned next_input_file__argind; + smallint next_input_file__input_file_seen; + + smalluint exitcode; +@@ -2820,6 +2821,7 @@ static int try_to_assign(const char *expr) + static int next_input_file(void) + { + #define input_file_seen (G.next_input_file__input_file_seen) ++#define argind (G.next_input_file__argind) + const char *fname; + + if (iF.F) { +@@ -2829,17 +2831,22 @@ static int next_input_file(void) + } + + for (;;) { +- const char *ind; +- +- if (getvar_i(intvar[ARGIND])+1 >= getvar_i(intvar[ARGC])) { ++ /* GNU Awk 5.1.1 does not _read_ ARGIND (but does read ARGC). ++ * It only sets ARGIND to 1, 2, 3... for every command-line filename ++ * (VAR=VAL params cause a gap in numbering). ++ * If there are none and stdin is used, then ARGIND is not modified: ++ * if it is set by e.g. 'BEGIN { ARGIND="foo" }', that value will ++ * still be there. 
++ */ ++ argind++; ++ if (argind >= getvar_i(intvar[ARGC])) { + if (input_file_seen) + return FALSE; + fname = "-"; + iF.F = stdin; + break; + } +- ind = getvar_s(incvar(intvar[ARGIND])); +- fname = getvar_s(findvar(iamarray(intvar[ARGV]), ind)); ++ fname = getvar_s(findvar(iamarray(intvar[ARGV]), utoa(argind))); + if (fname && *fname) { + /* "If a filename on the command line has the form + * var=val it is treated as a variable assignment" +@@ -2847,6 +2854,7 @@ static int next_input_file(void) + if (try_to_assign(fname)) + continue; + iF.F = xfopen_stdin(fname); ++ setvar_i(intvar[ARGIND], argind); + break; + } + } +@@ -2854,6 +2862,7 @@ static int next_input_file(void) + setvar_s(intvar[FILENAME], fname); + input_file_seen = TRUE; + return TRUE; ++#undef argind + #undef input_file_seen + } + +-- +2.46.0 + +From b76b420b5da1aadad823faf12327b610614f5951 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sun, 28 May 2023 17:25:56 +0200 +Subject: [PATCH 06/19] awk: fix closing of non-opened file + +function old new delta +setvar_ERRNO - 53 +53 +.rodata 105252 105246 -6 +awk_getline 639 620 -19 +evaluate 3402 3377 -25 +------------------------------------------------------------------------------ +(add/remove: 1/0 grow/shrink: 0/3 up/down: 53/-50) Total: 3 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 77e0b0aab..83a08aa95 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -1006,6 +1006,11 @@ static var *setvar_i(var *v, double value) + return v; + } + ++static void setvar_ERRNO(void) ++{ ++ setvar_i(intvar[ERRNO], errno); ++} ++ + static const char *getvar_s(var *v) + { + /* if v is numeric and has no cached string, convert it to string */ +@@ -2305,7 +2310,7 @@ static int awk_getline(rstream *rsm, var *v) + if (p < pp) { + p = 0; + r = 0; +- setvar_i(intvar[ERRNO], errno); ++ 
setvar_ERRNO(); + } + b[p] = '\0'; + } while (p > pp); +@@ -3249,7 +3254,7 @@ static var *evaluate(node *op, var *res) + } + + if (!rsm->F) { +- setvar_i(intvar[ERRNO], errno); ++ setvar_ERRNO(); + setvar_i(res, -1); + break; + } +@@ -3388,16 +3393,18 @@ static var *evaluate(node *op, var *res) + */ + if (rsm->F) + err = rsm->is_pipe ? pclose(rsm->F) : fclose(rsm->F); +-//TODO: fix this case: +-// $ awk 'BEGIN { print close(""); print ERRNO }' +-// -1 +-// close of redirection that was never opened +-// (we print 0, 0) + free(rsm->buffer); + hash_remove(fdhash, L.s); ++ } else { ++ err = -1; ++ /* gawk 'BEGIN { print close(""); print ERRNO }' ++ * -1 ++ * close of redirection that was never opened ++ */ ++ errno = ENOENT; + } + if (err) +- setvar_i(intvar[ERRNO], errno); ++ setvar_ERRNO(); + R_d = (double)err; + break; + } +-- +2.46.0 + +From 05e60007d42b8e4005085a22e122ef70bf888fa5 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sun, 28 May 2023 17:51:59 +0200 +Subject: [PATCH 07/19] awk: code shrink + +function old new delta +awk_getline 620 591 -29 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 47 ++++++++++++++++++++++++----------------------- + 1 file changed, 24 insertions(+), 23 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 83a08aa95..eb419e063 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2242,9 +2242,9 @@ static int awk_getline(rstream *rsm, var *v) + { + char *b; + regmatch_t pmatch[1]; +- int a, p, pp = 0; +- int fd, so, eo, r, rp; +- char c, *m, *s; ++ int p, pp; ++ int fd, so, eo, retval, rp; ++ char *m, *s; + + debug_printf_eval("entered %s()\n", __func__); + +@@ -2253,22 +2253,22 @@ static int awk_getline(rstream *rsm, var *v) + */ + fd = fileno(rsm->F); + m = rsm->buffer; +- a = rsm->adv; +- p = rsm->pos; +- c = (char) rsplitter.n.info; +- rp = 0; +- + if (!m) + m = qrealloc(m, 256, &rsm->size); ++ p = rsm->pos; ++ rp = 0; ++ pp = 0; + + do { +- b = m + a; ++ b = m + 
rsm->adv; + so = eo = p; +- r = 1; ++ retval = 1; + if (p > 0) { ++ char c = (char) rsplitter.n.info; + if (rsplitter.n.info == TI_REGEXP) { + if (regexec(icase ? rsplitter.n.r.ire : rsplitter.n.l.re, +- b, 1, pmatch, 0) == 0) { ++ b, 1, pmatch, 0) == 0 ++ ) { + so = pmatch[0].rm_so; + eo = pmatch[0].rm_eo; + if (b[eo] != '\0') +@@ -2297,43 +2297,44 @@ static int awk_getline(rstream *rsm, var *v) + } + } + +- if (a > 0) { +- memmove(m, m+a, p+1); ++ if (rsm->adv > 0) { ++ memmove(m, m+rsm->adv, p+1); + b = m; +- a = 0; ++ rsm->adv = 0; + } + +- m = qrealloc(m, a+p+128, &rsm->size); +- b = m + a; ++ b = m = qrealloc(m, p+128, &rsm->size); + pp = p; + p += safe_read(fd, b+p, rsm->size - p - 1); + if (p < pp) { + p = 0; +- r = 0; ++ retval = 0; + setvar_ERRNO(); + } + b[p] = '\0'; + } while (p > pp); + + if (p == 0) { +- r--; ++ retval--; + } else { +- c = b[so]; b[so] = '\0'; ++ char c = b[so]; ++ b[so] = '\0'; + setvar_s(v, b+rp); + v->type |= VF_USER; + b[so] = c; +- c = b[eo]; b[eo] = '\0'; ++ c = b[eo]; ++ b[eo] = '\0'; + setvar_s(intvar[RT], b+so); + b[eo] = c; + } + + rsm->buffer = m; +- rsm->adv = a + eo; ++ rsm->adv += eo; + rsm->pos = p - eo; + +- debug_printf_eval("returning from %s(): %d\n", __func__, r); ++ debug_printf_eval("returning from %s(): %d\n", __func__, retval); + +- return r; ++ return retval; + } + + /* formatted output into an allocated buffer, return ptr to buffer */ +-- +2.46.0 + +From 4d7339204f9f823f592562d9903db3ae79a6c640 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sun, 28 May 2023 18:00:51 +0200 +Subject: [PATCH 08/19] awk: shrink - use setvar_sn() to set variables from + non-NUL terminated strings + +function old new delta +setvar_sn - 39 +39 +exec_builtin 1145 1136 -9 +awk_getline 591 559 -32 +------------------------------------------------------------------------------ +(add/remove: 1/0 grow/shrink: 0/2 up/down: 39/-41) Total: -2 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + 
editors/awk.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index eb419e063..b5774a339 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -979,6 +979,11 @@ static var *setvar_s(var *v, const char *value) + return setvar_p(v, (value && *value) ? xstrdup(value) : NULL); + } + ++static var *setvar_sn(var *v, const char *value, int len) ++{ ++ return setvar_p(v, (value && *value && len > 0) ? xstrndup(value, len) : NULL); ++} ++ + /* same as setvar_s but sets USER flag */ + static var *setvar_u(var *v, const char *value) + { +@@ -2317,15 +2322,9 @@ static int awk_getline(rstream *rsm, var *v) + if (p == 0) { + retval--; + } else { +- char c = b[so]; +- b[so] = '\0'; +- setvar_s(v, b+rp); ++ setvar_sn(v, b+rp, so-rp); + v->type |= VF_USER; +- b[so] = c; +- c = b[eo]; +- b[eo] = '\0'; +- setvar_s(intvar[RT], b+so); +- b[eo] = c; ++ setvar_sn(intvar[RT], b+so, eo-so); + } + + rsm->buffer = m; +@@ -2677,8 +2676,6 @@ static NOINLINE var *exec_builtin(node *op, var *res) + } + + case B_ss: { +- char *s; +- + l = strlen(as[0]); + i = getvar_i(av[1]) - 1; + if (i > l) +@@ -2688,8 +2685,7 @@ static NOINLINE var *exec_builtin(node *op, var *res) + n = (nargs > 2) ? getvar_i(av[2]) : l-i; + if (n < 0) + n = 0; +- s = xstrndup(as[0]+i, n); +- setvar_p(res, s); ++ setvar_sn(res, as[0]+i, n); + break; + } + +@@ -2766,8 +2762,7 @@ static NOINLINE var *exec_builtin(node *op, var *res) + i = strftime(g_buf, MAXVARFMT, + ((nargs > 0) ? 
as[0] : "%a %b %d %H:%M:%S %Z %Y"), + localtime(&tt)); +- g_buf[i] = '\0'; +- setvar_s(res, g_buf); ++ setvar_sn(res, g_buf, i); + break; + + case B_mt: +-- +2.46.0 + +From 721bf6eaf4739a2865b071b38d3478f334234d26 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Mon, 29 May 2023 10:55:40 +0200 +Subject: [PATCH 09/19] awk: printf(INVALID_FMT) prints it verbatim + +function old new delta +awk_printf 628 640 +12 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index b5774a339..c49ad6e02 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2389,7 +2389,7 @@ static char *awk_printf(node *n, size_t *len) + while (1) { + if (isalpha(c)) + break; +- if (c == '*') ++ if (c == '*') /* gawk supports %*d and %*.*f, we don't... */ + syntax_error("%*x formats are not supported"); + c = *++f; + if (!c) { /* "....%...." and no letter found after % */ +@@ -2422,12 +2422,18 @@ static char *awk_printf(node *n, size_t *len) + double d = getvar_i(arg); + if (strchr("diouxX", c)) { + //TODO: make it wider here (%x -> %llx etc)? ++//Can even print the value into a temp string with %.0f, ++//then replace diouxX with s and print that string. 
++//This will correctly print even very large numbers, ++//but some replacements are not equivalent: ++//%09d -> %09s: breaks zero-padding; ++//%+d -> %+s: won't prepend +; etc + s = xasprintf(s, (int)d); + } else if (strchr("eEfFgGaA", c)) { + s = xasprintf(s, d); + } else { +-//TODO: GNU Awk 5.0.1: printf "%W" prints "%W", does not error out +- syntax_error(EMSG_INV_FMT); ++ /* gawk 5.1.1 printf("%W") prints "%W", does not error out */ ++ s = xstrndup(s, f - s); + } + } + slen = strlen(s); +-- +2.46.0 + +From 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Tue, 30 May 2023 16:42:18 +0200 +Subject: [PATCH 10/19] awk: fix precedence of = relative to == + +Discovered while adding code to disallow assignments to non-lvalues + +function old new delta +parse_expr 936 991 +55 +.rodata 105243 105247 +4 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 2/0 up/down: 59/0) Total: 59 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 66 +++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 45 insertions(+), 21 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index c49ad6e02..0f062dcdb 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -337,7 +337,9 @@ static void debug_parse_print_tc(uint32_t n) + #undef P + #undef PRIMASK + #undef PRIMASK2 +-#define P(x) (x << 24) ++/* Smaller 'x' means _higher_ operator precedence */ ++#define PRECEDENCE(x) (x << 24) ++#define P(x) PRECEDENCE(x) + #define PRIMASK 0x7F000000 + #define PRIMASK2 0x7E000000 + +@@ -360,7 +362,7 @@ enum { + OC_MOVE = 0x1f00, OC_PGETLINE = 0x2000, OC_REGEXP = 0x2100, + OC_REPLACE = 0x2200, OC_RETURN = 0x2300, OC_SPRINTF = 0x2400, + OC_TERNARY = 0x2500, OC_UNARY = 0x2600, OC_VAR = 0x2700, +- OC_DONE = 0x2800, ++ OC_CONST = 0x2800, OC_DONE = 0x2900, + + ST_IF = 0x3000, ST_DO = 0x3100, ST_FOR = 0x3200, + ST_WHILE = 0x3300 +@@ -440,9 
+442,9 @@ static const uint32_t tokeninfo[] ALIGN4 = { + #define TI_PREINC (OC_UNARY|xV|P(9)|'P') + #define TI_PREDEC (OC_UNARY|xV|P(9)|'M') + TI_PREINC, TI_PREDEC, OC_FIELD|xV|P(5), +- OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(74), OC_REPLACE|NV|P(74)|'+', OC_REPLACE|NV|P(74)|'-', +- OC_REPLACE|NV|P(74)|'*', OC_REPLACE|NV|P(74)|'/', OC_REPLACE|NV|P(74)|'%', OC_REPLACE|NV|P(74)|'&', +- OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(74)|'&', OC_BINARY|NV|P(15)|'&', ++ OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(38), OC_REPLACE|NV|P(38)|'+', OC_REPLACE|NV|P(38)|'-', ++ OC_REPLACE|NV|P(38)|'*', OC_REPLACE|NV|P(38)|'/', OC_REPLACE|NV|P(38)|'%', OC_REPLACE|NV|P(38)|'&', ++ OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(38)|'&', OC_BINARY|NV|P(15)|'&', + OC_BINARY|NV|P(25)|'/', OC_BINARY|NV|P(25)|'%', OC_BINARY|NV|P(15)|'&', OC_BINARY|NV|P(25)|'*', + OC_COMPARE|VV|P(39)|4, OC_COMPARE|VV|P(39)|3, OC_COMPARE|VV|P(39)|0, OC_COMPARE|VV|P(39)|1, + #define TI_LESS (OC_COMPARE|VV|P(39)|2) +@@ -1301,7 +1303,7 @@ static uint32_t next_token(uint32_t expected) + save_tclass = tc; + save_info = t_info; + tc = TC_BINOPX; +- t_info = OC_CONCAT | SS | P(35); ++ t_info = OC_CONCAT | SS | PRECEDENCE(35); + } + + t_tclass = tc; +@@ -1361,9 +1363,8 @@ static node *parse_expr(uint32_t term_tc) + { + node sn; + node *cn = &sn; +- node *vn, *glptr; ++ node *glptr; + uint32_t tc, expected_tc; +- var *v; + + debug_printf_parse("%s() term_tc(%x):", __func__, term_tc); + debug_parse_print_tc(term_tc); +@@ -1374,11 +1375,12 @@ static node *parse_expr(uint32_t term_tc) + expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP | term_tc; + + while (!((tc = next_token(expected_tc)) & term_tc)) { ++ node *vn; + + if (glptr && (t_info == TI_LESS)) { + /* input redirection (<) attached to glptr node */ + debug_printf_parse("%s: input redir\n", __func__); +- cn = glptr->l.n = new_node(OC_CONCAT | SS | P(37)); ++ cn = glptr->l.n = new_node(OC_CONCAT | SS | PRECEDENCE(37)); + cn->a.n = glptr; 
+ expected_tc = TS_OPERAND | TS_UOPPRE; + glptr = NULL; +@@ -1390,24 +1392,42 @@ static node *parse_expr(uint32_t term_tc) + * previous operators with higher priority */ + vn = cn; + while (((t_info & PRIMASK) > (vn->a.n->info & PRIMASK2)) +- || ((t_info == vn->info) && t_info == TI_COLON) ++ || (t_info == vn->info && t_info == TI_COLON) + ) { + vn = vn->a.n; + if (!vn->a.n) syntax_error(EMSG_UNEXP_TOKEN); + } + if (t_info == TI_TERNARY) + //TODO: why? +- t_info += P(6); ++ t_info += PRECEDENCE(6); + cn = vn->a.n->r.n = new_node(t_info); + cn->a.n = vn->a.n; + if (tc & TS_BINOP) { + cn->l.n = vn; +-//FIXME: this is the place to detect and reject assignments to non-lvalues. +-//Currently we allow "assignments" to consts and temporaries, nonsense like this: +-// awk 'BEGIN { "qwe" = 1 }' +-// awk 'BEGIN { 7 *= 7 }' +-// awk 'BEGIN { length("qwe") = 1 }' +-// awk 'BEGIN { (1+1) += 3 }' ++ ++ /* Prevent: ++ * awk 'BEGIN { "qwe" = 1 }' ++ * awk 'BEGIN { 7 *= 7 }' ++ * awk 'BEGIN { length("qwe") = 1 }' ++ * awk 'BEGIN { (1+1) += 3 }' ++ */ ++ /* Assignment? (including *= and friends) */ ++ if (((t_info & OPCLSMASK) == OC_MOVE) ++ || ((t_info & OPCLSMASK) == OC_REPLACE) ++ ) { ++ debug_printf_parse("%s: MOVE/REPLACE vn->info:%08x\n", __func__, vn->info); ++ /* Left side is a (variable or array element) ++ * or function argument ++ * or $FIELD ? ++ */ ++ if ((vn->info & OPCLSMASK) != OC_VAR ++ && (vn->info & OPCLSMASK) != OC_FNARG ++ && (vn->info & OPCLSMASK) != OC_FIELD ++ ) { ++ syntax_error(EMSG_UNEXP_TOKEN); /* no. 
bad */ ++ } ++ } ++ + expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP; + if (t_info == TI_PGETLINE) { + /* it's a pipe */ +@@ -1443,6 +1463,8 @@ static node *parse_expr(uint32_t term_tc) + /* one should be very careful with switch on tclass - + * only simple tclasses should be used (TC_xyz, not TS_xyz) */ + switch (tc) { ++ var *v; ++ + case TC_VARIABLE: + case TC_ARRAY: + debug_printf_parse("%s: TC_VARIABLE | TC_ARRAY\n", __func__); +@@ -1463,14 +1485,14 @@ static node *parse_expr(uint32_t term_tc) + case TC_NUMBER: + case TC_STRING: + debug_printf_parse("%s: TC_NUMBER | TC_STRING\n", __func__); +- cn->info = OC_VAR; ++ cn->info = OC_CONST; + v = cn->l.v = xzalloc(sizeof(var)); +- if (tc & TC_NUMBER) ++ if (tc & TC_NUMBER) { + setvar_i(v, t_double); +- else { ++ } else { + setvar_s(v, t_string); +- expected_tc &= ~TC_UOPPOST; /* "str"++ is not allowed */ + } ++ expected_tc &= ~TC_UOPPOST; /* NUM++, "str"++ not allowed */ + break; + + case TC_REGEXP: +@@ -3124,6 +3146,8 @@ static var *evaluate(node *op, var *res) + + /* -- recursive node type -- */ + ++ case XC( OC_CONST ): ++ debug_printf_eval("CONST "); + case XC( OC_VAR ): + debug_printf_eval("VAR\n"); + L.v = op->l.v; +-- +2.46.0 + +From 5f84c5633663f6ee8c9cc3a4608b86d4b56b39d6 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sat, 3 Jun 2023 00:39:33 +0200 +Subject: [PATCH 11/19] awk: fix backslash handling in sub() builtins + +function old new delta +awk_sub 559 544 -15 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 41 +++++++++++++++++++---------------------- + 1 file changed, 19 insertions(+), 22 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 0f062dcdb..f77573806 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2492,7 +2492,7 @@ static char *awk_printf(node *n, size_t *len) + * store result into (dest), return number of substitutions. + * If nm = 0, replace all matches. + * If src or dst is NULL, use $0. 
+- * If subexp != 0, enable subexpression matching (\1-\9). ++ * If subexp != 0, enable subexpression matching (\0-\9). + */ + static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int subexp) + { +@@ -2520,35 +2520,32 @@ static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int + residx += eo; + if (++match_no >= nm) { + const char *s; +- int nbs; ++ int bslash; + + /* replace */ + residx -= (eo - so); +- nbs = 0; ++ bslash = 0; + for (s = repl; *s; s++) { +- char c = resbuf[residx++] = *s; +- if (c == '\\') { +- nbs++; +- continue; ++ char c = *s; ++ if (c == '\\' && s[1]) { ++ bslash ^= 1; ++ if (bslash) ++ continue; + } +- if (c == '&' || (subexp && c >= '0' && c <= '9')) { +- int j; +- residx -= ((nbs + 3) >> 1); +- j = 0; ++ if ((!bslash && c == '&') ++ || (subexp && bslash && c >= '0' && c <= '9') ++ ) { ++ int n, j = 0; + if (c != '&') { + j = c - '0'; +- nbs++; + } +- if (nbs % 2) { +- resbuf[residx++] = c; +- } else { +- int n = pmatch[j].rm_eo - pmatch[j].rm_so; +- resbuf = qrealloc(resbuf, residx + replen + n, &resbufsize); +- memcpy(resbuf + residx, sp + pmatch[j].rm_so, n); +- residx += n; +- } +- } +- nbs = 0; ++ n = pmatch[j].rm_eo - pmatch[j].rm_so; ++ resbuf = qrealloc(resbuf, residx + replen + n, &resbufsize); ++ memcpy(resbuf + residx, sp + pmatch[j].rm_so, n); ++ residx += n; ++ } else ++ resbuf[residx++] = c; ++ bslash = 0; + } + } + +-- +2.46.0 + +From f4789164e0716a8b1f98cf4149a3eb2dad485b8b Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Tue, 6 Jun 2023 12:48:11 +0200 +Subject: [PATCH 12/19] awk: code shrink + +function old new delta +awk_sub 544 548 +4 +exec_builtin 1136 1130 -6 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 1/1 up/down: 4/-6) Total: -2 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + 
+diff --git a/editors/awk.c b/editors/awk.c +index f77573806..b3871ffc5 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2494,7 +2494,7 @@ static char *awk_printf(node *n, size_t *len) + * If src or dst is NULL, use $0. + * If subexp != 0, enable subexpression matching (\0-\9). + */ +-static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int subexp) ++static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest /*,int subexp*/) + { + char *resbuf; + const char *sp; +@@ -2502,6 +2502,8 @@ static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int + int regexec_flags; + regmatch_t pmatch[10]; + regex_t sreg, *regex; ++ /* True only if called to implement gensub(): */ ++ int subexp = (src != dest); + + resbuf = NULL; + residx = 0; +@@ -2549,7 +2551,6 @@ static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int + } + } + +- regexec_flags = REG_NOTBOL; + sp += eo; + if (match_no == nm) + break; +@@ -2570,6 +2571,7 @@ static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest, int + sp++; + residx++; + } ++ regexec_flags = REG_NOTBOL; + } + + resbuf = qrealloc(resbuf, residx + strlen(sp), &resbufsize); +@@ -2798,16 +2800,16 @@ static NOINLINE var *exec_builtin(node *op, var *res) + res = do_match(an[1], as[0]); + break; + +- case B_ge: +- awk_sub(an[0], as[1], getvar_i(av[2]), av[3], res, TRUE); ++ case B_ge: /* gensub(regex, repl, matchnum, string) */ ++ awk_sub(an[0], as[1], /*matchnum:*/getvar_i(av[2]), /*src:*/av[3], /*dst:*/res/*, TRUE*/); + break; + +- case B_gs: +- setvar_i(res, awk_sub(an[0], as[1], 0, av[2], av[2], FALSE)); ++ case B_gs: /* gsub(regex, repl, string) */ ++ setvar_i(res, awk_sub(an[0], as[1], /*matchnum:all*/0, /*src:*/av[2], /*dst:*/av[2]/*, FALSE*/)); + break; + +- case B_su: +- setvar_i(res, awk_sub(an[0], as[1], 1, av[2], av[2], FALSE)); ++ case B_su: /* sub(regex, repl, string) */ ++ setvar_i(res, awk_sub(an[0], as[1], /*matchnum:first*/1, 
/*src:*/av[2], /*dst:*/av[2]/*, FALSE*/)); + break; + } + +-- +2.46.0 + +From 113685fbcd4c3432ec9b640583d50ba8da2102e8 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Wed, 7 Jun 2023 10:54:34 +0200 +Subject: [PATCH 13/19] awk: fix SEGV on read error in -f PROGFILE + +function old new delta +awk_main 829 843 +14 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index b3871ffc5..df9b7fdc9 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -3609,8 +3609,6 @@ static var *evaluate(node *op, var *res) + #undef sreg + } + +-/* -------- main & co. -------- */ +- + static int awk_exit(void) + { + unsigned i; +@@ -3717,6 +3715,8 @@ int awk_main(int argc UNUSED_PARAM, char **argv) + g_progname = llist_pop(&list_f); + fd = xopen_stdin(g_progname); + s = xmalloc_read(fd, NULL); /* it's NUL-terminated */ ++ if (!s) ++ bb_perror_msg_and_die("read error from '%s'", g_progname); + close(fd); + parse_program(s); + free(s); +-- +2.46.0 + +From 2ca39ffd447ca874fcea933194829717d5573247 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Thu, 8 Jun 2023 10:42:39 +0200 +Subject: [PATCH 14/19] awk: fix subst code to handle "start of word" pattern + correctly (needs REG_STARTEND) + +function old new delta +awk_sub 637 714 +77 + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 49 ++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 36 insertions(+), 13 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index df9b7fdc9..171f0a7ea 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2504,17 +2504,46 @@ static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest /*,in + regex_t sreg, *regex; + /* True only if called to implement gensub(): */ + int subexp = (src != dest); +- ++#if defined(REG_STARTEND) ++ const char *src_string; ++ size_t src_strlen; ++ 
regexec_flags = REG_STARTEND; ++#else ++ regexec_flags = 0; ++#endif + resbuf = NULL; + residx = 0; + match_no = 0; +- regexec_flags = 0; + regex = as_regex(rn, &sreg); + sp = getvar_s(src ? src : intvar[F0]); ++#if defined(REG_STARTEND) ++ src_string = sp; ++ src_strlen = strlen(src_string); ++#endif + replen = strlen(repl); +- while (regexec(regex, sp, 10, pmatch, regexec_flags) == 0) { +- int so = pmatch[0].rm_so; +- int eo = pmatch[0].rm_eo; ++ for (;;) { ++ int so, eo; ++ ++#if defined(REG_STARTEND) ++// REG_STARTEND: "This flag is a BSD extension, not present in POSIX" ++ size_t start_ofs = sp - src_string; ++ pmatch[0].rm_so = start_ofs; ++ pmatch[0].rm_eo = src_strlen; ++ if (regexec(regex, src_string, 10, pmatch, regexec_flags) != 0) ++ break; ++ eo = pmatch[0].rm_eo - start_ofs; ++ so = pmatch[0].rm_so - start_ofs; ++#else ++// BUG: ++// gsub(/\ +Date: Mon, 10 Jul 2023 17:25:21 +0200 +Subject: [PATCH 15/19] Update applet size estimates + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 171f0a7ea..efdff2778 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -7,7 +7,7 @@ + * Licensed under GPLv2 or later, see file LICENSE in this source tree. + */ + //config:config AWK +-//config: bool "awk (23 kb)" ++//config: bool "awk (24 kb)" + //config: default y + //config: help + //config: Awk is used as a pattern scanning and processing language. 
+-- +2.46.0 + +From 92ab29fcf04bc3ff3d3ad897f1c2463d8b8d1410 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Mon, 2 Oct 2023 15:24:06 +0200 +Subject: [PATCH 16/19] awk: implement -E; do not reorder -f and -e + +function old new delta +awk_main 843 891 +48 +next_input_file 243 261 +18 +packed_usage 34631 34638 +7 +.rodata 105391 105390 -1 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 3/1 up/down: 73/-1) Total: 72 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 113 +++++++++++++++++++++++++++++--------------------- + 1 file changed, 65 insertions(+), 48 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index efdff2778..bc95c4155 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -40,7 +40,7 @@ + //usage:#define awk_full_usage "\n\n" + //usage: " -v VAR=VAL Set variable" + //usage: "\n -F SEP Use SEP as field separator" +-//usage: "\n -f FILE Read program from FILE" ++//usage: "\n -f/-E FILE Read program from FILE" + //usage: IF_FEATURE_AWK_GNU_EXTENSIONS( + //usage: "\n -e AWK_PROGRAM" + //usage: ) +@@ -76,8 +76,8 @@ + * 1: -argz + */ + #define OPTSTR_AWK "+" \ +- "F:v:*f:*" \ +- IF_FEATURE_AWK_GNU_EXTENSIONS("e:*") \ ++ "F:v:f:" \ ++ IF_FEATURE_AWK_GNU_EXTENSIONS("e:E:") \ + "W:" + enum { + OPTBIT_F, /* define field separator */ +@@ -560,6 +560,7 @@ struct globals { + var *Fields; + char *g_pos; + char g_saved_ch; ++ smallint got_program; + smallint icase; + smallint exiting; + smallint nextrec; +@@ -635,6 +636,7 @@ struct globals2 { + #define Fields (G1.Fields ) + #define g_pos (G1.g_pos ) + #define g_saved_ch (G1.g_saved_ch ) ++#define got_program (G1.got_program ) + #define icase (G1.icase ) + #define exiting (G1.exiting ) + #define nextrec (G1.nextrec ) +@@ -2899,11 +2901,13 @@ static int next_input_file(void) + } + fname = getvar_s(findvar(iamarray(intvar[ARGV]), utoa(argind))); + if (fname && *fname) { +- /* "If a filename on 
the command line has the form +- * var=val it is treated as a variable assignment" +- */ +- if (try_to_assign(fname)) +- continue; ++ if (got_program != 2) { /* there was no -E option */ ++ /* "If a filename on the command line has the form ++ * var=val it is treated as a variable assignment" ++ */ ++ if (try_to_assign(fname)) ++ continue; ++ } + iF.F = xfopen_stdin(fname); + setvar_i(intvar[ARGIND], argind); + break; +@@ -3659,13 +3663,7 @@ static int awk_exit(void) + int awk_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; + int awk_main(int argc UNUSED_PARAM, char **argv) + { +- unsigned opt; +- char *opt_F; +- llist_t *list_v = NULL; +- llist_t *list_f = NULL; +-#if ENABLE_FEATURE_AWK_GNU_EXTENSIONS +- llist_t *list_e = NULL; +-#endif ++ int ch; + int i; + + INIT_G(); +@@ -3714,49 +3712,68 @@ int awk_main(int argc UNUSED_PARAM, char **argv) + } + } + } +- opt = getopt32(argv, OPTSTR_AWK, &opt_F, &list_v, &list_f, IF_FEATURE_AWK_GNU_EXTENSIONS(&list_e,) NULL); +- argv += optind; +- //argc -= optind; +- if (opt & OPT_W) +- bb_simple_error_msg("warning: option -W is ignored"); +- if (opt & OPT_F) { +- unescape_string_in_place(opt_F); +- setvar_s(intvar[FS], opt_F); +- } +- while (list_v) { +- if (!try_to_assign(llist_pop(&list_v))) +- bb_show_usage(); +- } + +- /* Parse all supplied programs */ + fnhash = hash_init(); + ahash = hash_init(); +- while (list_f) { +- int fd; +- char *s; + +- g_progname = llist_pop(&list_f); +- fd = xopen_stdin(g_progname); +- s = xmalloc_read(fd, NULL); /* it's NUL-terminated */ +- if (!s) +- bb_perror_msg_and_die("read error from '%s'", g_progname); +- close(fd); +- parse_program(s); +- free(s); +- } +- g_progname = "cmd. 
line"; ++ /* Cannot use getopt32: need to preserve order of -e / -f / -E / -i */ ++ while ((ch = getopt(argc, argv, OPTSTR_AWK)) >= 0) { ++ switch (ch) { ++ case 'F': ++ unescape_string_in_place(optarg); ++ setvar_s(intvar[FS], optarg); ++ break; ++ case 'v': ++ if (!try_to_assign(optarg)) ++ bb_show_usage(); ++ break; ++//TODO: implement -i LIBRARY, it is easy-ish ++ case 'E': ++ case 'f': { ++ int fd; ++ char *s; ++ g_progname = optarg; ++ fd = xopen_stdin(g_progname); ++ s = xmalloc_read(fd, NULL); /* it's NUL-terminated */ ++ if (!s) ++ bb_perror_msg_and_die("read error from '%s'", g_progname); ++ close(fd); ++ parse_program(s); ++ free(s); ++ got_program = 1; ++ if (ch == 'E') { ++ got_program = 2; ++ goto stop_option_parsing; ++ } ++ break; ++ } + #if ENABLE_FEATURE_AWK_GNU_EXTENSIONS +- while (list_e) { +- parse_program(llist_pop(&list_e)); +- } ++ case 'e': ++ g_progname = "cmd. line"; ++ parse_program(optarg); ++ got_program = 1; ++ break; + #endif +-//FIXME: preserve order of -e and -f +-//TODO: implement -i LIBRARY and -E FILE too, they are easy-ish +- if (!(opt & (OPT_f | OPT_e))) { ++ case 'W': ++ bb_simple_error_msg("warning: option -W is ignored"); ++ break; ++ default: ++//bb_error_msg("ch:%d", ch); ++ bb_show_usage(); ++ } ++ } ++ stop_option_parsing: ++ ++ argv += optind; ++ //argc -= optind; ++ ++ if (!got_program) { + if (!*argv) + bb_show_usage(); ++ g_progname = "cmd. 
line"; + parse_program(*argv++); + } ++ + /* Free unused parse structures */ + //hash_free(fnhash); // ~250 bytes when empty, used only for function names + //^^^^^^^^^^^^^^^^^ does not work, hash_clear() inside SEGVs +-- +2.46.0 + +From 789ccac7d9d1a9e433570ac9628992a01f946643 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Sun, 31 Dec 2023 15:49:54 +0100 +Subject: [PATCH 17/19] awk: fix handling of empty fields + +Patch by M Rubon : +Busybox awk handles references to empty (not provided in the input) +fields differently during the first line of input, as compared to +subsequent lines. + +$ (echo a ; echo b) | awk '$2 != 0' #wrong +b + +No field $2 value is provided in the input. When awk references field +$2 for the "a" line, it is seen to have a different behaviour than +when it is referenced for the "b" line. + +Problem in BusyBox v1.36.1 embedded in OpenWrt 23.05.0 +Same problem also in 21.02 versions of OpenWrt +Same problem in BusyBox v1.37.0.git + +I get the correct expected output from Ubuntu gawk and Debian mawk, +and from my fix. +will@dev:~$ (echo a ; echo b) | awk '$2 != 0' #correct +a +b +will@dev:~/busybox$ (echo a ; echo b ) | ./busybox awk '$2 != 0' #fixed +a +b + +I built and poked into the source code at editors/awk.c The function +fsrealloc(int size) is core to allocating, initializing, reallocating, +and reinitializing fields, both real input line fields and imaginary +fields that the script references but do not exist in the input. + +When fsrealloc() needs more field space than it has previously +allocated, it initializes those new fields differently than how they +are later reinitialized for the next input line. This works fine for +fields defined in the input, like $1, but does not work the first time +when there is no input for that field (e.g. field $99) + +My one-line fix simply makes the initialization and clrvar() +reinitialization use the same value for .type. 
I am not sure if there +are regression tests to run, but I have not done those. + +I'm not sure if I understand why clrvar() is not setting .type to a +default constant value, but in any case I have left that untouched. + +function old new delta +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 0/0 up/down: 0/0) Total: 0 bytes + +Signed-off-by: Denys Vlasenko +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 33 +++++++++++++++++---------------- + 1 file changed, 17 insertions(+), 16 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index bc95c4155..aa485c782 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -555,8 +555,9 @@ struct globals { + //we are reusing ahash as fdhash, via define (see later) + const char *g_progname; + int g_lineno; +- int nfields; +- unsigned maxfields; ++ int num_fields; /* number of existing $N's */ ++ unsigned num_alloc_fields; /* current size of Fields[] */ ++ /* NB: Fields[0] corresponds to $1, not to $0 */ + var *Fields; + char *g_pos; + char g_saved_ch; +@@ -631,8 +632,8 @@ struct globals2 { + // for fdhash in execution stage. 
+ #define g_progname (G1.g_progname ) + #define g_lineno (G1.g_lineno ) +-#define nfields (G1.nfields ) +-#define maxfields (G1.maxfields ) ++#define num_fields (G1.num_fields ) ++#define num_alloc_fields (G1.num_alloc_fields) + #define Fields (G1.Fields ) + #define g_pos (G1.g_pos ) + #define g_saved_ch (G1.g_saved_ch ) +@@ -1966,30 +1967,30 @@ static void fsrealloc(int size) + { + int i, newsize; + +- if ((unsigned)size >= maxfields) { ++ if ((unsigned)size >= num_alloc_fields) { + /* Sanity cap, easier than catering for over/underflows */ + if ((unsigned)size > 0xffffff) + bb_die_memory_exhausted(); + +- i = maxfields; +- maxfields = size + 16; ++ i = num_alloc_fields; ++ num_alloc_fields = size + 16; + +- newsize = maxfields * sizeof(Fields[0]); ++ newsize = num_alloc_fields * sizeof(Fields[0]); + debug_printf_eval("fsrealloc: xrealloc(%p, %u)\n", Fields, newsize); + Fields = xrealloc(Fields, newsize); + debug_printf_eval("fsrealloc: Fields=%p..%p\n", Fields, (char*)Fields + newsize - 1); + /* ^^^ did Fields[] move? 
debug aid for L.v getting "upstaged" by R.v in evaluate() */ + +- for (; i < maxfields; i++) { +- Fields[i].type = VF_SPECIAL; ++ for (; i < num_alloc_fields; i++) { ++ Fields[i].type = VF_SPECIAL | VF_DIRTY; + Fields[i].string = NULL; + } + } +- /* if size < nfields, clear extra field variables */ +- for (i = size; i < nfields; i++) { ++ /* if size < num_fields, clear extra field variables */ ++ for (i = size; i < num_fields; i++) { + clrvar(Fields + i); + } +- nfields = size; ++ num_fields = size; + } + + static int regexec1_nonempty(const regex_t *preg, const char *s, regmatch_t pmatch[]) +@@ -2126,7 +2127,7 @@ static void split_f0(void) + /* set NF manually to avoid side effects */ + clrvar(intvar[NF]); + intvar[NF]->type = VF_NUMBER | VF_SPECIAL; +- intvar[NF]->number = nfields; ++ intvar[NF]->number = num_fields; + #undef fstrings + } + +@@ -2976,7 +2977,7 @@ static var *evaluate(node *op, var *res) + syntax_error(EMSG_TOO_FEW_ARGS); + L.v = evaluate(op1, TMPVAR0); + /* Does L.v point to $n variable? */ +- if ((size_t)(L.v - Fields) < maxfields) { ++ if ((size_t)(L.v - Fields) < num_alloc_fields) { + /* yes, remember where Fields[] is */ + old_Fields_ptr = Fields; + } +@@ -3517,7 +3518,7 @@ static var *evaluate(node *op, var *res) + res = intvar[F0]; + } else { + split_f0(); +- if (i > nfields) ++ if (i > num_fields) + fsrealloc(i); + res = &Fields[i - 1]; + } +-- +2.46.0 + +From e1a68741067167dc4837e0a26d3d5c318a631fc7 Mon Sep 17 00:00:00 2001 +From: Ron Yorston +Date: Fri, 19 Jan 2024 15:41:17 +0000 +Subject: [PATCH 18/19] awk: fix segfault when compiled by clang + +A 32-bit build of BusyBox using clang segfaulted in the test +"awk assign while assign". Specifically, on line 7 of the test +input where the adjustment of the L.v pointer when the Fields +array was reallocated + + L.v += Fields - old_Fields_ptr; + +was out by 4 bytes. + +Rearrange to code so both gcc and clang generate code that works. 
+ +Signed-off-by: Ron Yorston +Signed-off-by: Bernhard Reutner-Fischer +Signed-off-by: Muhammad Falak R Wani +--- + editors/awk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/editors/awk.c b/editors/awk.c +index aa485c782..0981c6735 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -3006,7 +3006,7 @@ static var *evaluate(node *op, var *res) + if (old_Fields_ptr) { + //if (old_Fields_ptr != Fields) + // debug_printf_eval("L.v moved\n"); +- L.v += Fields - old_Fields_ptr; ++ L.v = Fields + (L.v - old_Fields_ptr); + } + if (opinfo & OF_STR2) { + R.s = getvar_s(R.v); +-- +2.46.0 diff --git a/SPECS/busybox/busybox.spec b/SPECS/busybox/busybox.spec index dc320f6e41b..aaa350b5906 100644 --- a/SPECS/busybox/busybox.spec +++ b/SPECS/busybox/busybox.spec @@ -1,7 +1,7 @@ Summary: Statically linked binary providing simplified versions of system commands Name: busybox Version: 1.36.1 -Release: 5%{?dist} +Release: 7%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -11,8 +11,12 @@ Source1: busybox-static.config Source2: busybox-petitboot.config Patch0: busybox-1.31.1-stime-fix.patch Patch1: CVE-2022-28391.patch +Patch2: CVE-2021-42380.patch +# Also Fixes CVE-2023-42364 +Patch3: CVE-2023-42363.patch +Patch4: CVE-2023-42365.patch BuildRequires: gcc -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} BuildRequires: libselinux-devel >= 1.27.7-2 BuildRequires: libsepol-devel %if 0%{?with_check} @@ -99,6 +103,12 @@ SKIP_KNOWN_BUGS=1 ./runtest %{_mandir}/man1/busybox.petitboot.1.gz %changelog +* Wed Aug 21 2024 Chris Co - 1.36.1-7 +- Bump to rebuild with updated glibc + +* Wed Aug 12 2024 Muhammad Falak - 1.36.1-6 +- Address CVE-2021-42380, CVE-2023-42363, CVE-2023-42364 & CVE-2023-42365 + * Wed May 22 2024 Suresh Babu Chalamalasetty - 1.36.1-5 - update to build dep latest glibc-static version 
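Review bot: Whether `Patch2`–`Patch4` are actually applied cannot be confirmed from these hunks, because the `%prep` section lies outside them; if `%prep` lists `%patch` lines individually rather than using `%autosetup`, each new patch needs its own line or the CVE fixes are declared but never built in. CVE-2023-42364 is recorded only in the comment above `Patch3`, so any tracking that derives fixed CVEs from patch file names would presumably still report it as open. The awk patch file added earlier in this commit (its visible part runs through `[PATCH 18/19]`) is a multi-commit upstream backport that also carries non-security changes such as `[PATCH 16/19] awk: implement -E; do not reorder -f and -e`, which is worth stating next to the patch entry, e.g. `# Upstream awk backport series; includes behaviour changes beyond the CVE fixes`. In the changelog hunk, `* Wed Aug 12 2024` has the wrong weekday (12 August 2024 was a Monday), which rpmbuild reports as a bogus %changelog date; it should read `* Mon Aug 12 2024`.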
diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json index c16ab1fba7a..8348c78a905 100644 --- a/SPECS/ca-certificates/ca-certificates.signatures.json +++ b/SPECS/ca-certificates/ca-certificates.signatures.json @@ -11,7 +11,7 @@ "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8", "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a", "certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57", - "certdata.microsoft.txt": "89655788a99b61c94aa18ad060b7e032d3e63b9db1417b1496e767662126c75a", + "certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd", "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33", "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426", "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec index 473ec541c49..8b16547d594 100644 --- a/SPECS/ca-certificates/ca-certificates.spec +++ b/SPECS/ca-certificates/ca-certificates.spec @@ -45,7 +45,7 @@ Name: ca-certificates # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well. Epoch: 1 Version: %{azl}.0.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -324,6 +324,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem} %{_bindir}/bundle2pem.sh %changelog +* Tue Aug 13 2024 CBL-Mariner Servicing Account - 3.0.0-7 +- Updating Microsoft trusted root CAs. + * Mon Apr 22 2024 CBL-Mariner Servicing Account - 3.0.0-6 - Updating Microsoft trusted root CAs. diff --git a/SPECS/ca-certificates/certdata.microsoft.txt b/SPECS/ca-certificates/certdata.microsoft.txt index 764941deb8c..b216a7d614e 100644 
--- a/SPECS/ca-certificates/certdata.microsoft.txt
+++ b/SPECS/ca-certificates/certdata.microsoft.txt
@@ -37618,3 +37618,1537 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "D-TRUST EV Root CA 2 2023" +# +# Issuer: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:69:26:09:7e:80:4b:4c:a0:a7:8c:78:62:53:5f:5a:6f +# Subject: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 09:10:33 2023 +# Not Valid After : Sun May 09 09:10:32 2038 +# Fingerprint (SHA-256): 8E:82:21:B2:E7:D4:00:78:36:A1:67:2F:0D:CC:29:9C:33:BC:07:D3:16:F1:32:FA:1A:20:6D:58:71:50:F1:CE +# Fingerprint (SHA1): A5:5B:D8:47:6C:8F:19:F7:4C:F4:6D:6B:B6:C2:79:82:22:DF:54:8B +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST EV Root CA 2 2023" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\151\046\011\176\200\113\114\240\247\214\170\142\123\137 +\132\157 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\251\060\202\003\221\240\003\002\001\002\002\020\151 +\046\011\176\200\113\114\240\247\214\170\142\123\137\132\157\060 +\015\006\011\052\206\110\206\367\015\001\001\015\005\000\060\110 
+\061\013\060\011\006\003\125\004\006\023\002\104\105\061\025\060 +\023\006\003\125\004\012\023\014\104\055\124\162\165\163\164\040 +\107\155\142\110\061\042\060\040\006\003\125\004\003\023\031\104 +\055\124\122\125\123\124\040\105\126\040\122\157\157\164\040\103 +\101\040\062\040\062\060\062\063\060\036\027\015\062\063\060\065 +\060\071\060\071\061\060\063\063\132\027\015\063\070\060\065\060 +\071\060\071\061\060\063\062\132\060\110\061\013\060\011\006\003 +\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012 +\023\014\104\055\124\162\165\163\164\040\107\155\142\110\061\042 +\060\040\006\003\125\004\003\023\031\104\055\124\122\125\123\124 +\040\105\126\040\122\157\157\164\040\103\101\040\062\040\062\060 +\062\063\060\202\002\042\060\015\006\011\052\206\110\206\367\015 +\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202 +\002\001\000\330\216\243\211\200\013\262\127\122\334\251\123\114 +\067\271\177\143\027\023\357\247\133\043\133\151\165\260\231\012 +\027\301\213\304\333\250\340\314\061\272\302\362\315\135\351\267 +\370\035\257\152\304\225\207\327\107\311\225\330\202\004\120\075 +\201\010\377\344\075\263\261\326\305\262\375\210\011\333\234\204 +\354\045\027\024\207\177\060\170\233\152\130\311\266\163\050\074 +\064\367\231\367\177\323\246\370\034\105\174\255\054\214\224\077 +\330\147\020\123\176\042\315\116\045\121\360\045\044\065\021\136 +\020\306\354\207\146\211\201\150\272\314\053\235\107\163\037\275 +\315\221\244\162\152\234\242\033\030\240\157\354\120\364\175\100 +\302\250\060\317\275\163\310\023\053\020\023\036\213\232\250\072 +\224\163\323\030\151\012\112\377\301\001\003\377\171\177\265\110 +\177\173\356\350\051\157\066\114\225\141\206\330\371\242\163\212 +\356\256\057\226\356\150\315\075\115\050\102\371\105\053\062\033 +\106\125\026\152\246\113\051\371\273\225\126\277\106\035\354\035 +\223\035\300\145\262\037\241\103\256\126\236\240\261\217\153\022 +\267\140\155\170\013\312\212\134\355\036\226\016\203\246\110\225 
+\215\073\243\041\304\256\130\306\000\262\204\264\043\244\226\206 +\065\270\330\236\330\254\064\111\230\143\225\305\313\155\110\107 +\342\362\056\030\036\320\061\253\335\164\354\371\334\214\270\034 +\216\150\043\272\320\363\120\334\317\145\217\163\072\062\307\174 +\376\312\202\042\117\276\216\142\107\146\345\315\207\342\350\325 +\017\030\237\345\004\162\113\106\074\020\362\104\302\144\126\161 +\116\165\350\234\311\046\164\305\175\131\321\012\133\017\155\376 +\236\165\034\030\306\032\072\174\330\015\004\314\315\267\105\145 +\172\261\217\270\256\204\110\076\263\172\115\250\003\342\342\176 +\001\026\131\150\030\103\063\260\322\334\260\032\103\065\356\245 +\332\251\106\134\256\206\201\101\001\112\164\046\354\237\006\277 +\302\005\067\144\165\170\051\150\375\305\365\353\376\107\371\344 +\205\260\341\173\061\235\246\177\162\243\271\304\054\056\314\231 +\127\016\041\014\105\001\224\145\353\145\011\306\143\042\013\063 +\111\222\110\074\374\315\316\260\076\216\236\213\370\376\111\305 +\065\162\107\002\003\001\000\001\243\201\216\060\201\213\060\017 +\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 +\035\006\003\125\035\016\004\026\004\024\252\374\221\020\033\207 +\221\137\026\271\277\117\113\221\136\000\034\261\062\200\060\016 +\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\111 +\006\003\125\035\037\004\102\060\100\060\076\240\074\240\072\206 +\070\150\164\164\160\072\057\057\143\162\154\056\144\055\164\162 +\165\163\164\056\156\145\164\057\143\162\154\057\144\055\164\162 +\165\163\164\137\145\166\137\162\157\157\164\137\143\141\137\062 +\137\062\060\062\063\056\143\162\154\060\015\006\011\052\206\110 +\206\367\015\001\001\015\005\000\003\202\002\001\000\223\313\245 +\037\231\021\354\232\015\137\054\025\223\306\077\276\020\215\170 +\102\360\156\220\107\107\216\243\222\062\215\160\217\366\133\215 +\276\211\316\107\001\152\033\040\040\211\133\310\202\020\154\340 +\347\231\252\153\306\052\240\143\065\221\152\205\045\255\027\070 
+\245\233\176\120\362\166\352\205\005\052\047\101\053\261\201\321 +\242\366\100\165\251\016\313\361\125\110\330\354\321\354\263\350 +\316\024\241\065\354\302\136\065\032\253\246\026\001\006\216\352 +\334\057\243\212\312\054\221\353\122\216\137\014\233\027\317\313 +\163\007\031\304\152\302\163\124\357\174\103\122\143\301\021\312 +\302\105\261\364\073\123\365\151\256\074\343\245\336\254\350\124 +\267\262\221\375\254\251\037\362\207\344\027\306\111\250\174\330 +\012\101\364\362\076\347\167\064\004\122\335\350\201\362\115\057 +\124\105\235\025\341\117\314\345\336\064\127\020\311\043\162\027 +\160\215\120\160\037\126\154\314\271\377\072\132\117\143\172\303 +\156\145\007\035\204\241\377\251\014\143\211\155\262\100\210\071 +\327\037\167\150\265\374\234\325\326\147\151\133\250\164\333\374 +\211\366\033\062\367\244\044\246\166\267\107\123\357\215\111\217 +\251\266\203\132\245\226\220\105\141\365\336\003\117\046\017\250 +\213\360\003\226\260\254\025\320\161\132\152\173\224\346\160\223 +\332\361\151\340\262\142\115\236\217\377\211\235\233\135\315\105 +\351\224\002\042\215\340\065\177\350\361\004\171\161\154\124\203 +\370\063\271\005\062\033\130\125\021\117\320\345\047\107\161\354 +\355\332\147\326\142\246\113\115\017\151\242\311\274\354\042\113 +\224\307\150\224\027\176\342\216\050\076\266\306\352\365\064\154 +\237\067\210\007\070\333\206\161\372\315\225\110\103\156\243\117 +\202\207\327\064\230\156\113\223\171\140\165\151\017\360\032\325 +\123\372\041\014\302\077\351\077\037\030\214\222\135\170\247\166 +\147\031\273\262\352\177\351\160\011\126\126\243\260\014\013\055 +\066\136\305\351\304\325\203\313\206\027\227\054\154\023\157\207 +\132\257\111\246\035\333\315\070\004\056\137\342\112\065\016\055 +\113\370\242\044\004\215\330\341\143\136\002\222\064\332\230\141 +\134\034\157\130\166\144\263\374\002\270\365\235\012 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for 
"D-TRUST EV Root CA 2 2023" +# Issuer: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:69:26:09:7e:80:4b:4c:a0:a7:8c:78:62:53:5f:5a:6f +# Subject: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 09:10:33 2023 +# Not Valid After : Sun May 09 09:10:32 2038 +# Fingerprint (SHA-256): 8E:82:21:B2:E7:D4:00:78:36:A1:67:2F:0D:CC:29:9C:33:BC:07:D3:16:F1:32:FA:1A:20:6D:58:71:50:F1:CE +# Fingerprint (SHA1): A5:5B:D8:47:6C:8F:19:F7:4C:F4:6D:6B:B6:C2:79:82:22:DF:54:8B +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST EV Root CA 2 2023" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\245\133\330\107\154\217\031\367\114\364\155\153\266\302\171\202 +\042\337\124\213 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\226\264\170\011\360\011\313\167\353\273\033\115\157\066\274\266 +END +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\151\046\011\176\200\113\114\240\247\214\170\142\123\137 +\132\157 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "D-TRUST BR Root CA 2 2023" +# +# Issuer: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:73:3b:30:04:48:5b:d9:4d:78:2e:73:4b:c9:a1:dc:66 +# Subject: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 08:56:31 2023 +# Not Valid After : Sun May 09 08:56:30 2038 +# Fingerprint (SHA-256): 
05:52:E6:F8:3F:DF:65:E8:FA:96:70:E6:66:DF:28:A4:E2:13:40:B5:10:CB:E5:25:66:F9:7C:4F:B9:4B:2B:D1 +# Fingerprint (SHA1): 2D:B0:70:EE:71:94:AF:69:68:17:DB:79:CE:58:9F:A0:6B:96:F7:87 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST BR Root CA 2 2023" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\163\073\060\004\110\133\331\115\170\056\163\113\311\241 +\334\146 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\251\060\202\003\221\240\003\002\001\002\002\020\163 +\073\060\004\110\133\331\115\170\056\163\113\311\241\334\146\060 +\015\006\011\052\206\110\206\367\015\001\001\015\005\000\060\110 +\061\013\060\011\006\003\125\004\006\023\002\104\105\061\025\060 +\023\006\003\125\004\012\023\014\104\055\124\162\165\163\164\040 +\107\155\142\110\061\042\060\040\006\003\125\004\003\023\031\104 +\055\124\122\125\123\124\040\102\122\040\122\157\157\164\040\103 +\101\040\062\040\062\060\062\063\060\036\027\015\062\063\060\065 +\060\071\060\070\065\066\063\061\132\027\015\063\070\060\065\060 +\071\060\070\065\066\063\060\132\060\110\061\013\060\011\006\003 +\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012 
+\023\014\104\055\124\162\165\163\164\040\107\155\142\110\061\042 +\060\040\006\003\125\004\003\023\031\104\055\124\122\125\123\124 +\040\102\122\040\122\157\157\164\040\103\101\040\062\040\062\060 +\062\063\060\202\002\042\060\015\006\011\052\206\110\206\367\015 +\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202 +\002\001\000\256\377\011\131\221\200\012\112\150\346\044\077\270 +\247\344\310\072\012\072\026\315\311\043\141\240\223\161\362\253 +\213\163\217\240\147\145\140\322\124\153\143\121\157\111\063\340 +\162\007\023\175\070\315\006\222\007\051\122\153\116\167\154\004 +\323\225\372\335\114\214\331\135\301\141\175\113\347\050\263\104 +\201\173\121\257\335\063\261\150\174\326\116\114\376\053\150\271 +\312\146\151\304\354\136\127\177\367\015\307\234\066\066\345\007 +\140\254\300\114\352\010\154\357\006\174\117\133\050\172\010\374 +\223\135\233\366\234\264\213\206\272\041\271\364\360\350\131\132 +\050\241\064\204\032\045\221\266\265\217\357\262\371\200\372\371 +\075\074\021\162\330\343\057\206\166\305\171\054\301\251\220\223 +\106\230\147\313\203\152\240\120\043\247\073\366\201\071\340\355 +\360\271\277\145\361\330\313\172\373\357\163\003\316\000\364\175 +\327\340\135\073\146\270\334\216\272\203\313\207\166\003\374\045 +\331\347\043\157\006\375\147\363\340\377\204\274\107\277\265\026 +\030\106\151\024\314\005\367\333\323\111\254\153\314\253\344\265 +\013\103\044\136\113\153\115\147\337\326\265\076\117\170\037\224 +\161\044\352\336\160\374\361\223\376\236\223\132\344\224\132\227 +\124\014\065\173\137\154\356\000\037\044\354\003\272\002\365\166 +\364\237\324\232\355\205\054\070\042\057\307\330\057\166\021\117 +\375\154\134\350\365\216\047\207\177\031\112\041\107\220\035\171 +\215\034\133\370\317\112\205\344\355\263\133\215\276\304\144\050 +\135\101\304\156\254\070\132\117\043\164\164\251\022\303\366\322 +\271\021\025\063\007\221\330\073\067\072\143\060\006\321\305\042 +\066\050\142\043\020\340\106\314\227\254\326\053\135\144\044\325 
+\356\034\016\336\373\010\132\165\052\366\143\155\316\013\102\276 +\321\272\160\034\234\041\345\017\061\151\027\327\374\012\264\336 +\355\200\234\313\222\264\213\365\336\131\242\130\011\245\143\107 +\013\341\101\062\064\101\331\232\261\331\250\260\033\132\336\015 +\015\364\342\262\135\065\200\271\201\324\204\151\221\002\313\165 +\320\215\305\265\075\011\221\011\217\024\241\024\164\171\076\326 +\311\025\035\244\131\131\042\334\366\212\105\075\074\022\326\076 +\135\062\057\002\003\001\000\001\243\201\216\060\201\213\060\017 +\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 +\035\006\003\125\035\016\004\026\004\024\147\220\360\326\336\265 +\030\325\106\051\176\134\253\370\236\010\274\144\225\020\060\016 +\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\111 +\006\003\125\035\037\004\102\060\100\060\076\240\074\240\072\206 +\070\150\164\164\160\072\057\057\143\162\154\056\144\055\164\162 +\165\163\164\056\156\145\164\057\143\162\154\057\144\055\164\162 +\165\163\164\137\142\162\137\162\157\157\164\137\143\141\137\062 +\137\062\060\062\063\056\143\162\154\060\015\006\011\052\206\110 +\206\367\015\001\001\015\005\000\003\202\002\001\000\064\367\263 +\167\123\333\060\026\271\055\245\041\361\100\041\165\353\353\110 +\026\201\075\163\340\236\047\052\353\167\251\023\244\152\012\132 +\132\024\063\075\150\037\201\256\151\375\214\237\145\154\064\102 +\331\055\320\177\170\026\261\072\254\043\061\255\136\177\256\347 +\256\053\372\272\374\074\227\225\100\223\137\303\055\003\243\355 +\244\157\123\327\372\100\016\060\365\000\040\054\000\114\214\073 +\264\243\037\266\277\221\062\253\257\222\230\323\026\346\324\321 +\124\134\103\133\056\256\357\127\052\250\264\157\244\357\015\126 +\024\332\041\253\040\166\236\003\374\046\270\236\077\076\003\046 +\346\114\333\235\137\102\204\075\105\003\003\034\131\210\312\334 +\056\141\044\132\244\352\047\013\163\022\276\122\263\012\317\062 +\027\342\036\207\032\026\225\110\155\132\340\320\317\011\222\046 
+\146\221\330\243\141\016\252\201\201\177\350\122\202\321\102\347 +\340\035\030\372\244\205\066\347\206\340\015\353\274\324\311\326 +\074\103\361\135\111\156\176\201\233\151\265\211\142\217\210\122 +\330\327\376\047\301\043\305\313\053\002\273\261\137\376\373\103 +\205\003\106\276\135\306\312\041\046\377\327\002\236\164\112\334 +\370\023\025\261\201\127\066\313\145\134\321\035\061\167\351\045 +\303\303\262\062\067\325\361\230\011\344\155\143\200\010\253\006 +\222\201\324\351\160\217\247\077\262\355\206\214\202\152\065\310 +\102\132\202\321\122\032\105\017\025\245\000\360\224\173\145\047 +\127\071\103\317\174\177\346\275\065\263\173\361\031\114\336\072 +\226\317\351\166\356\003\347\302\103\122\074\152\201\350\301\132 +\200\275\021\135\223\153\373\307\346\144\077\273\151\034\351\335 +\045\213\257\164\311\124\100\312\313\223\023\012\355\373\146\222 +\021\312\365\300\372\330\203\125\003\174\323\305\042\106\165\160 +\153\171\110\006\052\202\232\277\346\353\026\016\042\105\001\274 +\335\066\224\064\251\065\046\212\327\227\271\356\010\162\277\064 +\222\160\203\200\253\070\252\131\150\335\100\244\030\220\262\363 +\325\003\312\046\312\357\325\307\340\217\123\216\360\000\343\250 +\355\237\371\255\167\340\053\143\117\236\303\356\067\273\170\011 +\204\236\271\156\373\051\231\220\350\200\323\237\044 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "D-TRUST BR Root CA 2 2023" +# Issuer: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:73:3b:30:04:48:5b:d9:4d:78:2e:73:4b:c9:a1:dc:66 +# Subject: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 08:56:31 2023 +# Not Valid After : Sun May 09 08:56:30 2038 +# Fingerprint (SHA-256): 05:52:E6:F8:3F:DF:65:E8:FA:96:70:E6:66:DF:28:A4:E2:13:40:B5:10:CB:E5:25:66:F9:7C:4F:B9:4B:2B:D1 +# Fingerprint (SHA1): 2D:B0:70:EE:71:94:AF:69:68:17:DB:79:CE:58:9F:A0:6B:96:F7:87 +CKA_CLASS 
CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST BR Root CA 2 2023" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\055\260\160\356\161\224\257\151\150\027\333\171\316\130\237\240 +\153\226\367\207 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\341\011\355\323\140\324\126\033\107\037\267\014\137\033\137\205 +END +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\163\073\060\004\110\133\331\115\170\056\163\113\311\241 +\334\146 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "D-TRUST EV Root CA 1 2020" +# +# Issuer: CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE +# Serial Number:5f:02:41:d7:7a:87:7c:4c:03:a3:ac:96:8d:fb:ff:d0 +# Subject: CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue Feb 11 10:00:00 2020 +# Not Valid After : Sun Feb 11 09:59:59 2035 +# Fingerprint (SHA-256): 08:17:0D:1A:A3:64:53:90:1A:2F:95:92:45:E3:47:DB:0C:8D:37:AB:AA:BC:56:B8:1A:A1:00:DC:95:89:70:DB +# Fingerprint (SHA1): 61:DB:8C:21:59:69:03:90:D8:7C:9C:12:86:54:CF:9D:3D:F4:DD:07 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST EV Root CA 1 2020" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 
+\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\137\002\101\327\172\207\174\114\003\243\254\226\215\373 +\377\320 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\333\060\202\002\140\240\003\002\001\002\002\020\137 +\002\101\327\172\207\174\114\003\243\254\226\215\373\377\320\060 +\012\006\010\052\206\110\316\075\004\003\003\060\110\061\013\060 +\011\006\003\125\004\006\023\002\104\105\061\025\060\023\006\003 +\125\004\012\023\014\104\055\124\162\165\163\164\040\107\155\142 +\110\061\042\060\040\006\003\125\004\003\023\031\104\055\124\122 +\125\123\124\040\105\126\040\122\157\157\164\040\103\101\040\061 +\040\062\060\062\060\060\036\027\015\062\060\060\062\061\061\061 +\060\060\060\060\060\132\027\015\063\065\060\062\061\061\060\071 +\065\071\065\071\132\060\110\061\013\060\011\006\003\125\004\006 +\023\002\104\105\061\025\060\023\006\003\125\004\012\023\014\104 +\055\124\162\165\163\164\040\107\155\142\110\061\042\060\040\006 +\003\125\004\003\023\031\104\055\124\122\125\123\124\040\105\126 +\040\122\157\157\164\040\103\101\040\061\040\062\060\062\060\060 +\166\060\020\006\007\052\206\110\316\075\002\001\006\005\053\201 +\004\000\042\003\142\000\004\361\013\335\206\103\040\031\337\227 +\205\350\042\112\233\317\235\230\277\264\005\046\311\313\343\246 +\322\217\305\236\170\173\061\211\251\211\255\047\074\145\020\202 +\374\337\303\235\116\360\063\043\304\322\062\365\034\260\337\063 
+\027\135\305\360\261\212\371\357\271\267\024\312\051\112\302\017 +\251\177\165\145\111\052\060\147\364\144\367\326\032\167\332\303 +\302\227\141\102\173\111\255\243\202\001\015\060\202\001\011\060 +\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377 +\060\035\006\003\125\035\016\004\026\004\024\177\020\001\026\067 +\072\244\050\344\120\370\244\367\354\153\062\266\376\351\213\060 +\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060 +\201\306\006\003\125\035\037\004\201\276\060\201\273\060\076\240 +\074\240\072\206\070\150\164\164\160\072\057\057\143\162\154\056 +\144\055\164\162\165\163\164\056\156\145\164\057\143\162\154\057 +\144\055\164\162\165\163\164\137\145\166\137\162\157\157\164\137 +\143\141\137\061\137\062\060\062\060\056\143\162\154\060\171\240 +\167\240\165\206\163\154\144\141\160\072\057\057\144\151\162\145 +\143\164\157\162\171\056\144\055\164\162\165\163\164\056\156\145 +\164\057\103\116\075\104\055\124\122\125\123\124\045\062\060\105 +\126\045\062\060\122\157\157\164\045\062\060\103\101\045\062\060 +\061\045\062\060\062\060\062\060\054\117\075\104\055\124\162\165 +\163\164\045\062\060\107\155\142\110\054\103\075\104\105\077\143 +\145\162\164\151\146\151\143\141\164\145\162\145\166\157\143\141 +\164\151\157\156\154\151\163\164\060\012\006\010\052\206\110\316 +\075\004\003\003\003\151\000\060\146\002\061\000\312\074\306\052 +\165\302\136\165\142\071\066\000\140\132\213\301\223\231\314\331 +\333\101\073\073\207\231\027\073\325\314\117\312\042\367\240\200 +\313\371\264\261\033\126\365\162\322\374\031\321\002\061\000\221 +\367\060\223\077\020\106\053\161\244\320\073\104\233\300\051\002 +\005\262\101\167\121\363\171\132\236\216\024\240\116\102\322\133 +\201\363\064\152\003\347\042\070\120\133\355\031\117\103\026 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "D-TRUST EV Root CA 1 2020" +# Issuer: CN=D-TRUST EV Root CA 
1 2020,O=D-Trust GmbH,C=DE +# Serial Number:5f:02:41:d7:7a:87:7c:4c:03:a3:ac:96:8d:fb:ff:d0 +# Subject: CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue Feb 11 10:00:00 2020 +# Not Valid After : Sun Feb 11 09:59:59 2035 +# Fingerprint (SHA-256): 08:17:0D:1A:A3:64:53:90:1A:2F:95:92:45:E3:47:DB:0C:8D:37:AB:AA:BC:56:B8:1A:A1:00:DC:95:89:70:DB +# Fingerprint (SHA1): 61:DB:8C:21:59:69:03:90:D8:7C:9C:12:86:54:CF:9D:3D:F4:DD:07 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST EV Root CA 1 2020" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\141\333\214\041\131\151\003\220\330\174\234\022\206\124\317\235 +\075\364\335\007 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\214\055\235\160\237\110\231\021\006\021\373\351\313\060\300\156 +END +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\137\002\101\327\172\207\174\114\003\243\254\226\215\373 +\377\320 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "GTS Root R2" +# +# Issuer: CN=GTS Root R2,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:ae:c5:8d:04:25:1a:ab:11:25:aa +# Subject: CN=GTS Root R2,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 8D:25:CD:97:22:9D:BF:70:35:6B:DA:4E:B3:CC:73:40:31:E2:4C:F0:0F:AF:CF:D3:2D:C7:6E:B5:84:1C:7E:A8 +# Fingerprint (SHA1): 
9A:44:49:76:32:DB:DE:FA:D0:BC:FB:5A:7B:17:BD:9E:56:09:24:94 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R2" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\062 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\256\305\215\004\045\032\253\021\045\252 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\127\060\202\003\077\240\003\002\001\002\002\015\002 +\003\345\256\305\215\004\045\032\253\021\045\252\060\015\006\011 +\052\206\110\206\367\015\001\001\014\005\000\060\107\061\013\060 +\011\006\003\125\004\006\023\002\125\123\061\042\060\040\006\003 +\125\004\012\023\031\107\157\157\147\154\145\040\124\162\165\163 +\164\040\123\145\162\166\151\143\145\163\040\114\114\103\061\024 +\060\022\006\003\125\004\003\023\013\107\124\123\040\122\157\157 +\164\040\122\062\060\036\027\015\061\066\060\066\062\062\060\060 +\060\060\060\060\132\027\015\063\066\060\066\062\062\060\060\060 +\060\060\060\132\060\107\061\013\060\011\006\003\125\004\006\023 +\002\125\123\061\042\060\040\006\003\125\004\012\023\031\107\157 +\157\147\154\145\040\124\162\165\163\164\040\123\145\162\166\151 +\143\145\163\040\114\114\103\061\024\060\022\006\003\125\004\003 
+\023\013\107\124\123\040\122\157\157\164\040\122\062\060\202\002 +\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000 +\003\202\002\017\000\060\202\002\012\002\202\002\001\000\316\336 +\375\246\373\354\354\024\064\074\007\006\132\154\131\367\031\065 +\335\367\301\235\125\252\323\315\073\244\223\162\357\012\372\155 +\235\366\360\205\200\133\241\110\122\237\071\305\267\356\050\254 +\357\313\166\150\024\271\337\255\001\154\231\037\304\042\035\237 +\376\162\167\340\054\133\257\344\004\277\117\162\240\032\064\230 +\350\071\150\354\225\045\173\166\241\346\151\271\205\031\275\211 +\214\376\255\355\066\352\163\274\377\203\342\313\175\301\322\316 +\112\263\215\005\236\213\111\223\337\301\133\320\156\136\360\056 +\060\056\202\374\372\274\264\027\012\110\345\210\233\305\233\153 +\336\260\312\264\003\360\332\364\220\270\145\144\367\134\114\255 +\350\176\146\136\231\327\270\302\076\310\320\023\235\255\356\344 +\105\173\211\125\367\212\037\142\122\204\022\263\302\100\227\343 +\212\037\107\221\246\164\132\322\370\261\143\050\020\270\263\011 +\270\126\167\100\242\046\230\171\306\376\337\045\356\076\345\240 +\177\324\141\017\121\113\074\077\214\332\341\160\164\330\302\150 +\241\371\301\014\351\241\342\177\273\125\074\166\006\356\152\116 +\314\222\210\060\115\232\275\117\013\110\232\204\265\230\243\325 +\373\163\301\127\141\335\050\126\165\023\256\207\216\347\014\121 +\011\020\165\210\114\274\215\371\173\074\324\042\110\037\052\334 +\353\153\273\104\261\313\063\161\062\106\257\255\112\361\214\350 +\164\072\254\347\032\042\163\200\322\060\367\045\102\307\042\073 +\073\022\255\226\056\306\303\166\007\252\040\267\065\111\127\351 +\222\111\350\166\026\162\061\147\053\226\176\212\243\307\224\126 +\042\277\152\113\176\001\041\262\043\062\337\344\232\104\155\131 +\133\135\365\000\240\034\233\306\170\227\215\220\377\233\310\252 +\264\257\021\121\071\136\331\373\147\255\325\133\021\235\062\232 +\033\275\325\272\133\245\311\313\045\151\123\125\047\134\340\312 
+\066\313\210\141\373\036\267\320\313\356\026\373\323\246\114\336 +\222\245\324\342\337\365\006\124\336\056\235\113\264\223\060\252 +\201\316\335\032\334\121\163\015\117\160\351\345\266\026\041\031 +\171\262\346\211\013\165\144\312\325\253\274\011\301\030\241\377 +\324\124\241\205\074\375\024\044\003\262\207\323\244\267\002\003 +\001\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001 +\377\004\004\003\002\001\206\060\017\006\003\125\035\023\001\001 +\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004 +\026\004\024\273\377\312\216\043\237\117\231\312\333\342\150\246 +\245\025\047\027\036\331\016\060\015\006\011\052\206\110\206\367 +\015\001\001\014\005\000\003\202\002\001\000\037\312\316\335\307 +\276\241\237\331\047\114\013\334\027\230\021\152\210\336\075\346 +\161\126\162\262\236\032\116\234\325\053\230\044\135\233\153\173 +\260\063\202\011\275\337\045\106\352\230\236\266\033\376\203\074 +\322\142\141\301\004\355\316\340\305\311\310\023\023\125\347\250 +\143\255\214\173\001\376\167\060\341\316\150\233\005\370\022\356 +\171\061\240\101\105\065\050\012\161\244\044\117\214\334\074\202 +\007\137\146\334\175\020\376\014\141\263\005\225\356\341\256\201 +\017\250\370\307\217\115\250\043\002\046\153\035\203\122\125\316 +\265\057\000\312\200\100\340\341\164\254\140\365\207\200\235\256 +\066\144\221\135\260\150\030\352\212\141\311\167\250\227\304\311 +\307\245\374\125\113\363\360\177\271\145\075\047\150\320\314\153 +\372\123\235\341\221\032\311\135\032\226\155\062\207\355\003\040 +\310\002\316\132\276\331\352\375\262\115\304\057\033\337\137\172 +\365\370\213\306\356\061\072\045\121\125\147\215\144\062\173\351 +\236\303\202\272\052\055\351\036\264\340\110\006\242\374\147\257 +\037\042\002\163\373\040\012\257\235\124\113\241\315\377\140\107 +\260\077\135\357\033\126\275\227\041\226\055\012\321\136\235\070 +\002\107\154\271\364\366\043\045\270\240\152\232\053\167\010\372 +\304\261\050\220\046\130\010\074\342\176\252\327\075\157\272\061 
+\210\012\005\353\047\265\241\111\356\240\105\124\173\346\047\145 +\231\040\041\250\243\274\373\030\226\273\122\157\014\355\203\121 +\114\351\131\342\040\140\305\302\145\222\202\214\363\020\037\016 +\212\227\276\167\202\155\077\217\035\135\274\111\047\275\314\117 +\017\341\316\166\206\004\043\305\300\214\022\133\375\333\204\240 +\044\361\110\377\144\174\320\276\134\026\321\357\231\255\300\037 +\373\313\256\274\070\042\006\046\144\332\332\227\016\077\050\025 +\104\250\117\000\312\360\232\314\317\164\152\264\076\074\353\225 +\354\265\323\132\330\201\231\351\103\030\067\353\263\273\321\130 +\142\101\363\146\322\217\252\170\225\124\040\303\132\056\164\053 +\325\321\276\030\151\300\254\325\244\317\071\272\121\204\003\145 +\351\142\300\142\376\330\115\125\226\342\320\021\372\110\064\021 +\354\236\355\005\035\344\310\326\035\206\313 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "GTS Root R2" +# Issuer: CN=GTS Root R2,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:ae:c5:8d:04:25:1a:ab:11:25:aa +# Subject: CN=GTS Root R2,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 8D:25:CD:97:22:9D:BF:70:35:6B:DA:4E:B3:CC:73:40:31:E2:4C:F0:0F:AF:CF:D3:2D:C7:6E:B5:84:1C:7E:A8 +# Fingerprint (SHA1): 9A:44:49:76:32:DB:DE:FA:D0:BC:FB:5A:7B:17:BD:9E:56:09:24:94 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R2" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\232\104\111\166\062\333\336\372\320\274\373\132\173\027\275\236 +\126\011\044\224 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\036\071\300\123\346\036\051\202\013\312\122\125\066\135\127\334 +END +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\256\305\215\004\045\032\253\021\045\252 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "GTS Root R3" +# +# Issuer: CN=GTS Root R3,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:b8:82:eb:20:f8:25:27:6d:3d:66 +# Subject: CN=GTS Root R3,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 34:D8:A7:3E:E2:08:D9:BC:DB:0D:95:65:20:93:4B:4E:40:E6:94:82:59:6E:8B:6F:73:C8:42:6B:01:0A:6F:48 +# Fingerprint (SHA1): ED:E5:71:80:2B:C8:92:B9:5B:83:3C:D2:32:68:3F:09:CD:A0:1E:46 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R3" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\063 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\063 +END 
+CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\270\202\353\040\370\045\047\155\075\146 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\011\060\202\001\216\240\003\002\001\002\002\015\002 +\003\345\270\202\353\040\370\045\047\155\075\146\060\012\006\010 +\052\206\110\316\075\004\003\003\060\107\061\013\060\011\006\003 +\125\004\006\023\002\125\123\061\042\060\040\006\003\125\004\012 +\023\031\107\157\157\147\154\145\040\124\162\165\163\164\040\123 +\145\162\166\151\143\145\163\040\114\114\103\061\024\060\022\006 +\003\125\004\003\023\013\107\124\123\040\122\157\157\164\040\122 +\063\060\036\027\015\061\066\060\066\062\062\060\060\060\060\060 +\060\132\027\015\063\066\060\066\062\062\060\060\060\060\060\060 +\132\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154 +\145\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163 +\040\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107 +\124\123\040\122\157\157\164\040\122\063\060\166\060\020\006\007 +\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003\142 +\000\004\037\117\063\207\063\051\212\241\204\336\313\307\041\130 +\101\211\352\126\235\053\113\205\306\035\114\047\274\177\046\121 +\162\157\342\237\326\243\312\314\105\024\106\213\255\357\176\206 +\214\354\261\176\057\377\251\161\235\030\204\105\004\101\125\156 +\053\352\046\177\273\220\001\343\113\031\272\344\124\226\105\011 +\261\325\154\221\104\255\204\023\216\232\214\015\200\014\062\366 +\340\047\243\102\060\100\060\016\006\003\125\035\017\001\001\377 +\004\004\003\002\001\206\060\017\006\003\125\035\023\001\001\377 +\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026 +\004\024\301\361\046\272\240\055\256\205\201\317\323\361\052\022 +\275\270\012\147\375\274\060\012\006\010\052\206\110\316\075\004 +\003\003\003\151\000\060\146\002\061\000\366\341\040\225\024\173 +\124\243\220\026\021\277\204\310\352\157\153\027\236\036\106\230 
+\040\233\237\323\015\331\254\323\057\315\174\370\133\056\125\273 +\277\335\222\367\244\014\334\061\341\242\002\061\000\374\227\146 +\146\345\103\026\023\203\335\307\337\057\276\024\070\355\001\316 +\261\027\032\021\165\351\275\003\217\046\176\204\345\311\140\246 +\225\327\124\131\267\347\021\054\211\324\271\356\027 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "GTS Root R3" +# Issuer: CN=GTS Root R3,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:b8:82:eb:20:f8:25:27:6d:3d:66 +# Subject: CN=GTS Root R3,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 34:D8:A7:3E:E2:08:D9:BC:DB:0D:95:65:20:93:4B:4E:40:E6:94:82:59:6E:8B:6F:73:C8:42:6B:01:0A:6F:48 +# Fingerprint (SHA1): ED:E5:71:80:2B:C8:92:B9:5B:83:3C:D2:32:68:3F:09:CD:A0:1E:46 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R3" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\355\345\161\200\053\310\222\271\133\203\074\322\062\150\077\011 +\315\240\036\106 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\076\347\235\130\002\224\106\121\224\345\340\042\112\213\347\163 +END +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\270\202\353\040\370\045\047\155\075\146 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST 
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "GTS Root R4" +# +# Issuer: CN=GTS Root R4,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:c0:68:ef:63:1a:9c:72:90:50:52 +# Subject: CN=GTS Root R4,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 34:9D:FA:40:58:C5:E2:63:12:3B:39:8A:E7:95:57:3C:4E:13:13:C8:3F:E6:8F:93:55:6C:D5:E8:03:1B:3C:7D +# Fingerprint (SHA1): 77:D3:03:67:B5:E0:0C:15:F6:0C:38:61:DF:7C:E1:3B:92:46:4D:47 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R4" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\064 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\064 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\300\150\357\143\032\234\162\220\120\122 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\011\060\202\001\216\240\003\002\001\002\002\015\002 +\003\345\300\150\357\143\032\234\162\220\120\122\060\012\006\010 +\052\206\110\316\075\004\003\003\060\107\061\013\060\011\006\003 +\125\004\006\023\002\125\123\061\042\060\040\006\003\125\004\012 +\023\031\107\157\157\147\154\145\040\124\162\165\163\164\040\123 +\145\162\166\151\143\145\163\040\114\114\103\061\024\060\022\006 
+\003\125\004\003\023\013\107\124\123\040\122\157\157\164\040\122 +\064\060\036\027\015\061\066\060\066\062\062\060\060\060\060\060 +\060\132\027\015\063\066\060\066\062\062\060\060\060\060\060\060 +\132\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154 +\145\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163 +\040\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107 +\124\123\040\122\157\157\164\040\122\064\060\166\060\020\006\007 +\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003\142 +\000\004\363\164\163\247\150\213\140\256\103\270\065\305\201\060 +\173\113\111\235\373\301\141\316\346\336\106\275\153\325\141\030 +\065\256\100\335\163\367\211\221\060\132\353\074\356\205\174\242 +\100\166\073\251\306\270\107\330\052\347\222\221\152\163\351\261 +\162\071\237\051\237\242\230\323\137\136\130\206\145\017\241\204 +\145\006\321\334\213\311\307\163\310\214\152\057\345\304\253\321 +\035\212\243\102\060\100\060\016\006\003\125\035\017\001\001\377 +\004\004\003\002\001\206\060\017\006\003\125\035\023\001\001\377 +\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026 +\004\024\200\114\326\353\164\377\111\066\243\325\330\374\265\076 +\305\152\360\224\035\214\060\012\006\010\052\206\110\316\075\004 +\003\003\003\151\000\060\146\002\061\000\350\100\377\203\336\003 +\364\237\256\035\172\247\056\271\257\117\366\203\035\016\055\205 +\001\035\321\331\152\354\017\302\257\307\136\126\136\134\325\034 +\130\042\050\013\367\060\266\057\261\174\002\061\000\360\141\074 +\247\364\240\202\343\041\325\204\035\163\206\234\055\257\312\064 +\233\361\237\271\043\066\342\274\140\003\235\200\263\232\126\310 +\341\342\273\024\171\312\315\041\324\224\265\111\103 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "GTS Root R4" +# Issuer: CN=GTS Root R4,O=Google Trust Services 
LLC,C=US +# Serial Number:02:03:e5:c0:68:ef:63:1a:9c:72:90:50:52 +# Subject: CN=GTS Root R4,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): 34:9D:FA:40:58:C5:E2:63:12:3B:39:8A:E7:95:57:3C:4E:13:13:C8:3F:E6:8F:93:55:6C:D5:E8:03:1B:3C:7D +# Fingerprint (SHA1): 77:D3:03:67:B5:E0:0C:15:F6:0C:38:61:DF:7C:E1:3B:92:46:4D:47 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R4" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\167\323\003\147\265\340\014\025\366\014\070\141\337\174\341\073 +\222\106\115\107 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\103\226\203\167\031\115\166\263\235\145\122\344\035\042\245\350 +END +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\064 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\300\150\357\143\032\234\162\220\120\122 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "GTS Root R1" +# +# Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:93:6f:31:b0:13:49:88:6b:a2:17 +# Subject: CN=GTS Root R1,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): D9:47:43:2A:BD:E7:B7:FA:90:FC:2E:6B:59:10:1B:12:80:E0:E1:C7:E4:E4:0F:A3:C6:88:7F:FF:57:A7:F4:CF +# Fingerprint (SHA1): E5:8C:1C:C4:91:3B:38:63:4B:E9:10:6E:E3:AD:8E:6B:9D:D9:81:4A 
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\223\157\061\260\023\111\210\153\242\027 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\127\060\202\003\077\240\003\002\001\002\002\015\002 +\003\345\223\157\061\260\023\111\210\153\242\027\060\015\006\011 +\052\206\110\206\367\015\001\001\014\005\000\060\107\061\013\060 +\011\006\003\125\004\006\023\002\125\123\061\042\060\040\006\003 +\125\004\012\023\031\107\157\157\147\154\145\040\124\162\165\163 +\164\040\123\145\162\166\151\143\145\163\040\114\114\103\061\024 +\060\022\006\003\125\004\003\023\013\107\124\123\040\122\157\157 +\164\040\122\061\060\036\027\015\061\066\060\066\062\062\060\060 +\060\060\060\060\132\027\015\063\066\060\066\062\062\060\060\060 +\060\060\060\132\060\107\061\013\060\011\006\003\125\004\006\023 +\002\125\123\061\042\060\040\006\003\125\004\012\023\031\107\157 +\157\147\154\145\040\124\162\165\163\164\040\123\145\162\166\151 +\143\145\163\040\114\114\103\061\024\060\022\006\003\125\004\003 +\023\013\107\124\123\040\122\157\157\164\040\122\061\060\202\002 
+\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000 +\003\202\002\017\000\060\202\002\012\002\202\002\001\000\266\021 +\002\213\036\343\241\167\233\073\334\277\224\076\267\225\247\100 +\074\241\375\202\371\175\062\006\202\161\366\366\214\177\373\350 +\333\274\152\056\227\227\243\214\113\371\053\366\261\371\316\204 +\035\261\371\305\227\336\357\271\362\243\351\274\022\211\136\247 +\252\122\253\370\043\047\313\244\261\234\143\333\327\231\176\360 +\012\136\353\150\246\364\306\132\107\015\115\020\063\343\116\261 +\023\243\310\030\154\113\354\374\011\220\337\235\144\051\045\043 +\007\241\264\322\075\056\140\340\317\322\011\207\273\315\110\360 +\115\302\302\172\210\212\273\272\317\131\031\326\257\217\260\007 +\260\236\061\361\202\301\300\337\056\246\155\154\031\016\265\330 +\176\046\032\105\003\075\260\171\244\224\050\255\017\177\046\345 +\250\010\376\226\350\074\150\224\123\356\203\072\210\053\025\226 +\011\262\340\172\214\056\165\326\234\353\247\126\144\217\226\117 +\150\256\075\227\302\204\217\300\274\100\300\013\134\275\366\207 +\263\065\154\254\030\120\177\204\340\114\315\222\323\040\351\063 +\274\122\231\257\062\265\051\263\045\052\264\110\371\162\341\312 +\144\367\346\202\020\215\350\235\302\212\210\372\070\146\212\374 +\143\371\001\371\170\375\173\134\167\372\166\207\372\354\337\261 +\016\171\225\127\264\275\046\357\326\001\321\353\026\012\273\216 +\013\265\305\305\212\125\253\323\254\352\221\113\051\314\031\244 +\062\045\116\052\361\145\104\320\002\316\252\316\111\264\352\237 +\174\203\260\100\173\347\103\253\247\154\243\217\175\211\201\372 +\114\245\377\325\216\303\316\113\340\265\330\263\216\105\317\166 +\300\355\100\053\375\123\017\260\247\325\073\015\261\212\242\003 +\336\061\255\314\167\352\157\173\076\326\337\221\042\022\346\276 +\372\330\062\374\020\143\024\121\162\336\135\326\026\223\275\051 +\150\063\357\072\146\354\007\212\046\337\023\327\127\145\170\047 +\336\136\111\024\000\242\000\177\232\250\041\266\251\261\225\260 
+\245\271\015\026\021\332\307\154\110\074\100\340\176\015\132\315 +\126\074\321\227\005\271\313\113\355\071\113\234\304\077\322\125 +\023\156\044\260\326\161\372\364\301\272\314\355\033\365\376\201 +\101\330\000\230\075\072\310\256\172\230\067\030\005\225\002\003 +\001\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001 +\377\004\004\003\002\001\206\060\017\006\003\125\035\023\001\001 +\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004 +\026\004\024\344\257\053\046\161\032\053\110\047\205\057\122\146 +\054\357\360\211\023\161\076\060\015\006\011\052\206\110\206\367 +\015\001\001\014\005\000\003\202\002\001\000\237\252\102\046\333 +\013\233\276\377\036\226\222\056\076\242\145\112\152\230\272\042 +\313\175\301\072\330\202\012\006\306\366\245\336\300\116\207\146 +\171\241\371\246\130\234\252\371\265\346\140\347\340\350\261\036 +\102\101\063\013\067\075\316\211\160\025\312\265\044\250\317\153 +\265\322\100\041\230\317\042\064\317\073\305\042\204\340\305\016 +\212\174\135\210\344\065\044\316\233\076\032\124\036\156\333\262 +\207\247\374\363\372\201\125\024\142\012\131\251\042\005\061\076 +\202\326\356\333\127\064\274\063\225\323\027\033\350\047\242\213 +\173\116\046\032\172\132\144\266\321\254\067\361\375\240\363\070 +\354\162\360\021\165\235\313\064\122\215\346\166\153\027\306\337 +\206\253\047\216\111\053\165\146\201\020\041\246\352\076\364\256 +\045\377\174\025\336\316\214\045\077\312\142\160\012\367\057\011 +\146\007\310\077\034\374\360\333\105\060\337\142\210\301\265\017 +\235\303\237\112\336\131\131\107\305\207\042\066\346\202\247\355 +\012\271\342\007\240\215\173\172\112\074\161\322\342\003\241\037 +\062\007\335\033\344\102\316\014\000\105\141\200\265\013\040\131 +\051\170\275\371\125\313\143\305\074\114\364\266\377\333\152\137 +\061\153\231\236\054\301\153\120\244\327\346\030\024\275\205\077 +\147\253\106\237\240\377\102\247\072\177\134\313\135\260\160\035 +\053\064\365\324\166\011\014\353\170\114\131\005\363\063\102\303 
+\141\025\020\033\167\115\316\042\214\324\205\362\105\175\267\123 +\352\357\100\132\224\012\134\040\137\116\100\135\142\042\166\337 +\377\316\141\275\214\043\170\322\067\002\340\216\336\321\021\067 +\211\366\277\355\111\007\142\256\222\354\100\032\257\024\011\331 +\320\116\262\242\367\276\356\356\330\377\334\032\055\336\270\066 +\161\342\374\171\267\224\045\321\110\163\133\241\065\347\263\231 +\147\165\301\031\072\053\107\116\323\102\216\375\061\310\026\146 +\332\322\014\074\333\263\216\311\241\015\200\017\173\026\167\024 +\277\377\333\011\224\262\223\274\040\130\025\351\333\161\103\363 +\336\020\303\000\334\250\052\225\266\302\326\077\220\153\166\333 +\154\376\214\274\362\160\065\014\334\231\031\065\334\327\310\106 +\143\325\066\161\256\127\373\267\202\155\334 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "GTS Root R1" +# Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US +# Serial Number:02:03:e5:93:6f:31:b0:13:49:88:6b:a2:17 +# Subject: CN=GTS Root R1,O=Google Trust Services LLC,C=US +# Not Valid Before: Wed Jun 22 00:00:00 2016 +# Not Valid After : Sun Jun 22 00:00:00 2036 +# Fingerprint (SHA-256): D9:47:43:2A:BD:E7:B7:FA:90:FC:2E:6B:59:10:1B:12:80:E0:E1:C7:E4:E4:0F:A3:C6:88:7F:FF:57:A7:F4:CF +# Fingerprint (SHA1): E5:8C:1C:C4:91:3B:38:63:4B:E9:10:6E:E3:AD:8E:6B:9D:D9:81:4A +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GTS Root R1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\345\214\034\304\221\073\070\143\113\351\020\156\343\255\216\153 +\235\331\201\112 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\005\376\320\277\161\250\243\166\143\332\001\340\330\122\334\100 +END +CKA_ISSUER MULTILINE_OCTAL +\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145 
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124 +\123\040\122\157\157\164\040\122\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\223\157\061\260\023\111\210\153\242\027 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "GlobalSign" +# +# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 +# Serial Number:02:03:e5:7e:f5:3f:93:fd:a5:09:21:b2:a6 +# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 +# Not Valid Before: Tue Nov 13 00:00:00 2012 +# Not Valid After : Tue Jan 19 03:14:07 2038 +# Fingerprint (SHA-256): B0:85:D7:0B:96:4F:19:1A:73:E4:AF:0D:54:AE:7A:0E:07:AA:FD:AF:9B:71:DD:08:62:13:8A:B7:32:5A:24:A2 +# Fingerprint (SHA1): 6B:A0:B0:98:E1:71:EF:5A:AD:FE:48:15:80:77:10:F4:BD:6F:0B:28 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GlobalSign" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157 +\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164 +\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004 +\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060 +\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151 +\147\156 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157 +\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164 +\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004 +\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060 +\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151 
+\147\156 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\176\365\077\223\375\245\011\041\262\246 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\001\334\060\202\001\203\240\003\002\001\002\002\015\002 +\003\345\176\365\077\223\375\245\011\041\262\246\060\012\006\010 +\052\206\110\316\075\004\003\002\060\120\061\044\060\042\006\003 +\125\004\013\023\033\107\154\157\142\141\154\123\151\147\156\040 +\105\103\103\040\122\157\157\164\040\103\101\040\055\040\122\064 +\061\023\060\021\006\003\125\004\012\023\012\107\154\157\142\141 +\154\123\151\147\156\061\023\060\021\006\003\125\004\003\023\012 +\107\154\157\142\141\154\123\151\147\156\060\036\027\015\061\062 +\061\061\061\063\060\060\060\060\060\060\132\027\015\063\070\060 +\061\061\071\060\063\061\064\060\067\132\060\120\061\044\060\042 +\006\003\125\004\013\023\033\107\154\157\142\141\154\123\151\147 +\156\040\105\103\103\040\122\157\157\164\040\103\101\040\055\040 +\122\064\061\023\060\021\006\003\125\004\012\023\012\107\154\157 +\142\141\154\123\151\147\156\061\023\060\021\006\003\125\004\003 +\023\012\107\154\157\142\141\154\123\151\147\156\060\131\060\023 +\006\007\052\206\110\316\075\002\001\006\010\052\206\110\316\075 +\003\001\007\003\102\000\004\270\306\171\323\217\154\045\016\237 +\056\071\031\034\003\244\256\232\345\071\007\011\026\312\143\261 +\271\206\370\212\127\301\127\316\102\372\163\241\367\145\102\377 +\036\301\000\262\156\163\016\377\307\041\345\030\244\252\331\161 +\077\250\324\271\316\214\035\243\102\060\100\060\016\006\003\125 +\035\017\001\001\377\004\004\003\002\001\206\060\017\006\003\125 +\035\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003 +\125\035\016\004\026\004\024\124\260\173\255\105\270\342\100\177 +\373\012\156\373\276\063\311\074\243\204\325\060\012\006\010\052 +\206\110\316\075\004\003\002\003\107\000\060\104\002\040\042\117 +\164\162\271\140\257\361\346\234\240\026\005\120\137\303\136\073 +\156\141\164\357\276\001\304\276\030\110\131\141\202\062\002\040 
+\046\235\124\143\100\336\067\140\120\317\310\330\355\235\202\256 +\067\230\274\243\217\114\114\251\064\053\154\357\373\225\233\046 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "GlobalSign" +# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 +# Serial Number:02:03:e5:7e:f5:3f:93:fd:a5:09:21:b2:a6 +# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 +# Not Valid Before: Tue Nov 13 00:00:00 2012 +# Not Valid After : Tue Jan 19 03:14:07 2038 +# Fingerprint (SHA-256): B0:85:D7:0B:96:4F:19:1A:73:E4:AF:0D:54:AE:7A:0E:07:AA:FD:AF:9B:71:DD:08:62:13:8A:B7:32:5A:24:A2 +# Fingerprint (SHA1): 6B:A0:B0:98:E1:71:EF:5A:AD:FE:48:15:80:77:10:F4:BD:6F:0B:28 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GlobalSign" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\153\240\260\230\341\161\357\132\255\376\110\025\200\167\020\364 +\275\157\013\050 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\046\051\370\155\341\210\277\242\145\177\252\304\315\017\177\374 +END +CKA_ISSUER MULTILINE_OCTAL +\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157 +\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164 +\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004 +\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060 +\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151 +\147\156 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\015\002\003\345\176\365\077\223\375\245\011\041\262\246 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "NAVER Cloud Trust Services ECC Root G1" +# +# Issuer: CN=NAVER Cloud Trust Services 
ECC Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Serial Number:01:7f:20:23:7e:e5:82:11:34:66:c8:37:e4:78:15:e5:be:12:ba:15 +# Subject: CN=NAVER Cloud Trust Services ECC Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Not Valid Before: Wed Jun 07 13:20:29 2023 +# Not Valid After : Sat Jun 06 23:59:59 2043 +# Fingerprint (SHA-256): A7:C8:68:10:42:F3:67:5A:A8:50:5D:3B:A3:13:D8:0F:8A:C3:25:0F:DF:87:4A:D2:9B:83:46:89:C0:87:FB:11 +# Fingerprint (SHA1): 87:E7:3E:14:92:46:AA:63:43:08:E3:A3:14:2B:14:17:F0:0F:E2:5D +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "NAVER Cloud Trust Services ECC Root G1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 +\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 +\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\105\103\103\040\122\157\157\164\040\107\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 +\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 +\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\105\103\103\040\122\157\157\164\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\001\177\040\043\176\345\202\021\064\146\310\067\344\170 +\025\345\276\022\272\025 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\123\060\202\001\331\240\003\002\001\002\002\024\001 
+\177\040\043\176\345\202\021\064\146\310\067\344\170\025\345\276 +\022\272\025\060\012\006\010\052\206\110\316\075\004\003\003\060 +\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061\051 +\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040\103 +\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166\151 +\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003\125 +\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144\040 +\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040\105 +\103\103\040\122\157\157\164\040\107\061\060\036\027\015\062\063 +\060\066\060\067\061\063\062\060\062\071\132\027\015\064\063\060 +\066\060\066\062\063\065\071\065\071\132\060\151\061\013\060\011 +\006\003\125\004\006\023\002\113\122\061\051\060\047\006\003\125 +\004\012\014\040\116\101\126\105\122\040\103\154\157\165\144\040 +\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040\103 +\157\162\160\056\061\057\060\055\006\003\125\004\003\014\046\116 +\101\126\105\122\040\103\154\157\165\144\040\124\162\165\163\164 +\040\123\145\162\166\151\143\145\163\040\105\103\103\040\122\157 +\157\164\040\107\061\060\166\060\020\006\007\052\206\110\316\075 +\002\001\006\005\053\201\004\000\042\003\142\000\004\205\015\213 +\257\263\117\217\363\007\022\306\003\352\022\126\240\000\115\051 +\345\041\335\120\247\034\143\202\260\231\371\356\140\006\071\161 +\251\264\033\311\015\241\335\316\361\170\011\052\041\007\345\232 +\267\211\122\104\333\004\215\334\102\320\312\134\177\353\260\374 +\064\370\332\350\202\323\046\352\111\010\365\072\330\226\266\141 +\373\005\003\070\320\254\300\002\203\137\101\376\124\243\102\060 +\100\060\035\006\003\125\035\016\004\026\004\024\072\012\077\255 +\175\216\062\275\362\154\373\211\122\343\320\366\052\301\217\171 +\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006 +\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001 +\377\060\012\006\010\052\206\110\316\075\004\003\003\003\150\000 
+\060\145\002\061\000\273\234\216\341\332\353\366\122\321\355\304 +\223\173\222\221\317\327\135\245\303\046\376\172\054\272\313\175 +\176\372\252\320\115\246\377\221\272\375\332\172\001\122\334\232 +\171\161\312\137\323\002\060\016\043\312\204\310\050\200\034\345 +\372\056\232\344\202\035\371\031\055\036\217\126\324\206\252\206 +\173\154\226\044\134\151\173\231\013\155\173\124\171\010\044\077 +\315\351\215\272\127\252\313 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "NAVER Cloud Trust Services ECC Root G1" +# Issuer: CN=NAVER Cloud Trust Services ECC Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Serial Number:01:7f:20:23:7e:e5:82:11:34:66:c8:37:e4:78:15:e5:be:12:ba:15 +# Subject: CN=NAVER Cloud Trust Services ECC Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Not Valid Before: Wed Jun 07 13:20:29 2023 +# Not Valid After : Sat Jun 06 23:59:59 2043 +# Fingerprint (SHA-256): A7:C8:68:10:42:F3:67:5A:A8:50:5D:3B:A3:13:D8:0F:8A:C3:25:0F:DF:87:4A:D2:9B:83:46:89:C0:87:FB:11 +# Fingerprint (SHA1): 87:E7:3E:14:92:46:AA:63:43:08:E3:A3:14:2B:14:17:F0:0F:E2:5D +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "NAVER Cloud Trust Services ECC Root G1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\207\347\076\024\222\106\252\143\103\010\343\243\024\053\024\027 +\360\017\342\135 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\022\202\014\366\155\236\342\365\227\353\273\232\257\247\154\000 +END +CKA_ISSUER MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 +\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 +\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\105\103\103\040\122\157\157\164\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\001\177\040\043\176\345\202\021\064\146\310\067\344\170 +\025\345\276\022\272\025 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "NAVER Cloud Trust Services RSA Root G1" +# +# Issuer: CN=NAVER Cloud Trust Services RSA Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Serial Number:01:93:20:5e:a3:37:c2:a7:bb:27:56:b1:6e:35:c2:71:19:20:3e:f1 +# Subject: CN=NAVER Cloud Trust Services RSA Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Not Valid Before: Wed Jun 07 06:30:54 2023 +# Not Valid After : Sat Jun 06 23:59:59 2043 +# Fingerprint (SHA-256): 49:A2:76:29:87:78:8D:48:34:B3:23:05:D7:67:76:0F:24:4D:50:77:42:E8:C2:53:9F:D4:CA:3A:D5:2C:16:EE +# Fingerprint (SHA1): C4:DA:90:EE:32:4D:7E:4D:04:1C:B1:F2:86:FB:B4:53:88:20:7C:A1 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "NAVER Cloud Trust Services RSA Root G1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 +\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 +\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\122\123\101\040\122\157\157\164\040\107\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 
+\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 +\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\122\123\101\040\122\157\157\164\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\001\223\040\136\243\067\302\247\273\047\126\261\156\065 +\302\161\031\040\076\361 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\242\060\202\003\212\240\003\002\001\002\002\024\001 +\223\040\136\243\067\302\247\273\047\126\261\156\065\302\161\031 +\040\076\361\060\015\006\011\052\206\110\206\367\015\001\001\014 +\005\000\060\151\061\013\060\011\006\003\125\004\006\023\002\113 +\122\061\051\060\047\006\003\125\004\012\014\040\116\101\126\105 +\122\040\103\154\157\165\144\040\124\162\165\163\164\040\123\145 +\162\166\151\143\145\163\040\103\157\162\160\056\061\057\060\055 +\006\003\125\004\003\014\046\116\101\126\105\122\040\103\154\157 +\165\144\040\124\162\165\163\164\040\123\145\162\166\151\143\145 +\163\040\122\123\101\040\122\157\157\164\040\107\061\060\036\027 +\015\062\063\060\066\060\067\060\066\063\060\065\064\132\027\015 +\064\063\060\066\060\066\062\063\065\071\065\071\132\060\151\061 +\013\060\011\006\003\125\004\006\023\002\113\122\061\051\060\047 +\006\003\125\004\012\014\040\116\101\126\105\122\040\103\154\157 +\165\144\040\124\162\165\163\164\040\123\145\162\166\151\143\145 +\163\040\103\157\162\160\056\061\057\060\055\006\003\125\004\003 +\014\046\116\101\126\105\122\040\103\154\157\165\144\040\124\162 +\165\163\164\040\123\145\162\166\151\143\145\163\040\122\123\101 +\040\122\157\157\164\040\107\061\060\202\002\042\060\015\006\011 +\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000 +\060\202\002\012\002\202\002\001\000\305\122\320\304\171\311\305 +\003\145\070\147\100\242\322\045\144\057\227\023\062\206\041\157 +\036\342\241\165\142\262\041\070\147\071\274\274\337\346\127\133 
+\161\337\312\205\276\237\261\314\350\131\004\334\334\066\031\032 +\276\352\217\374\030\347\126\014\330\161\166\163\150\272\370\042 +\313\320\250\115\354\000\311\311\064\352\354\004\107\242\202\370 +\247\234\166\272\167\045\271\371\060\206\326\165\047\210\211\113 +\334\271\240\043\342\205\360\172\137\176\121\217\160\026\201\124 +\212\152\226\162\174\106\015\344\056\102\374\255\241\300\146\002 +\223\213\351\022\316\124\241\031\201\170\267\175\011\005\051\347 +\266\326\371\376\174\311\050\147\361\043\310\161\010\205\206\151 +\006\222\164\351\042\327\063\132\273\145\123\131\375\235\356\235 +\245\333\160\215\254\376\254\110\046\242\331\013\331\370\124\231 +\200\222\331\001\211\336\171\164\365\356\254\052\060\171\202\312 +\142\147\256\346\041\020\307\252\362\126\122\234\107\167\212\230 +\270\123\251\050\374\044\220\166\210\276\113\047\247\367\043\226 +\256\037\120\070\212\351\175\154\355\257\170\373\231\021\161\256 +\273\265\225\331\207\342\214\060\132\072\147\160\230\167\303\061 +\344\265\066\212\001\204\336\332\273\022\330\142\107\332\045\174 +\136\133\353\077\111\162\200\125\343\020\333\344\036\172\037\373 +\215\271\335\222\126\266\145\046\217\115\017\126\252\112\341\340 +\120\162\367\366\264\115\044\015\033\236\176\177\125\026\074\234 +\174\217\354\203\017\021\357\306\316\364\041\341\114\145\103\100 +\072\104\222\312\224\330\100\203\261\021\133\074\334\144\365\141 +\323\126\112\326\177\267\043\160\163\105\165\337\202\271\255\321 +\327\143\230\331\174\211\212\361\351\052\056\207\075\370\147\267 +\035\323\242\162\026\024\257\157\055\336\136\061\117\265\106\057 +\226\055\103\006\166\003\120\306\063\261\103\055\025\307\072\223 +\205\220\054\342\127\355\037\226\205\072\345\141\334\352\377\226 +\265\176\366\015\210\306\261\071\223\216\314\235\214\125\157\165 +\175\250\300\336\170\013\021\334\126\061\270\125\144\325\003\341 +\301\360\217\053\171\353\103\001\306\032\016\272\000\112\100\202 +\210\201\370\336\362\252\226\016\255\002\003\001\000\001\243\102 
+\060\100\060\035\006\003\125\035\016\004\026\004\024\357\010\015 +\155\202\150\056\032\332\132\355\363\376\342\242\006\363\233\347 +\370\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001 +\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001 +\001\377\060\015\006\011\052\206\110\206\367\015\001\001\014\005 +\000\003\202\002\001\000\050\025\222\133\176\305\117\375\227\064 +\230\227\373\130\301\254\026\166\221\145\337\000\026\113\027\314 +\011\164\253\341\173\152\056\074\321\107\267\142\145\312\336\000 +\330\166\211\061\134\247\106\363\004\122\133\272\070\342\227\065 +\016\000\213\243\341\224\315\064\324\005\174\033\172\057\171\363 +\320\301\322\270\160\245\203\201\041\234\307\242\346\234\253\047 +\101\157\103\041\317\150\106\247\143\046\323\152\367\154\002\040 +\006\340\070\252\133\264\133\275\351\360\323\157\031\357\272\000 +\000\121\160\047\311\032\142\331\020\077\330\164\177\230\121\126 +\346\306\270\045\321\114\133\212\274\132\160\004\340\116\126\166 +\360\337\010\357\021\232\061\005\163\007\200\012\374\076\373\267 +\117\344\045\125\275\005\036\164\004\006\077\036\332\220\127\116 +\160\032\363\065\146\006\305\314\053\033\037\104\140\375\054\066 +\210\265\355\273\036\120\067\320\375\310\103\133\133\235\314\272 +\261\346\017\107\327\157\202\155\275\220\253\023\217\136\253\133 +\357\340\365\276\113\314\370\077\257\260\254\226\106\215\011\207 +\370\177\062\115\066\374\126\122\306\213\266\124\331\304\041\336 +\022\153\020\131\126\075\274\100\273\146\234\253\132\065\163\241 +\353\023\062\207\110\152\210\041\073\162\127\375\057\003\170\040 +\071\001\304\242\275\061\232\137\303\064\117\371\341\213\042\023 +\021\127\021\012\137\010\316\376\206\010\275\033\335\367\246\064 +\252\266\124\217\112\373\327\147\337\333\360\156\206\317\321\012 +\037\351\022\244\045\327\221\157\002\273\031\006\124\020\054\231 +\335\304\252\266\037\353\273\016\177\155\371\145\307\311\217\044 +\226\276\150\026\232\032\364\116\007\344\354\076\052\352\176\145 
+\056\053\162\364\275\213\324\040\217\066\227\215\052\036\065\115 +\304\207\365\142\132\351\046\334\332\165\334\076\110\176\277\016 +\307\006\251\014\357\047\336\231\304\014\173\337\373\343\134\337 +\210\201\235\243\242\303\000\202\013\303\057\361\266\202\115\000 +\336\141\104\163\062\210\021\003\065\050\232\056\334\116\370\231 +\216\340\330\065\277\127\067\161\300\103\364\271\012\160\270\013 +\130\033\030\034\104\215\377\341\327\336\150\162\302\054\155\334 +\077\160\312\330\025\315 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "NAVER Cloud Trust Services RSA Root G1" +# Issuer: CN=NAVER Cloud Trust Services RSA Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Serial Number:01:93:20:5e:a3:37:c2:a7:bb:27:56:b1:6e:35:c2:71:19:20:3e:f1 +# Subject: CN=NAVER Cloud Trust Services RSA Root G1,O=NAVER Cloud Trust Services Corp.,C=KR +# Not Valid Before: Wed Jun 07 06:30:54 2023 +# Not Valid After : Sat Jun 06 23:59:59 2043 +# Fingerprint (SHA-256): 49:A2:76:29:87:78:8D:48:34:B3:23:05:D7:67:76:0F:24:4D:50:77:42:E8:C2:53:9F:D4:CA:3A:D5:2C:16:EE +# Fingerprint (SHA1): C4:DA:90:EE:32:4D:7E:4D:04:1C:B1:F2:86:FB:B4:53:88:20:7C:A1 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "NAVER Cloud Trust Services RSA Root G1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\304\332\220\356\062\115\176\115\004\034\261\362\206\373\264\123 +\210\040\174\241 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\205\234\104\072\176\047\237\011\225\233\117\121\312\351\312\141 +END +CKA_ISSUER MULTILINE_OCTAL +\060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\051\060\047\006\003\125\004\012\014\040\116\101\126\105\122\040 +\103\154\157\165\144\040\124\162\165\163\164\040\123\145\162\166 +\151\143\145\163\040\103\157\162\160\056\061\057\060\055\006\003 
+\125\004\003\014\046\116\101\126\105\122\040\103\154\157\165\144 +\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040 +\122\123\101\040\122\157\157\164\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\001\223\040\136\243\067\302\247\273\047\126\261\156\065 +\302\161\031\040\076\361 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "D-TRUST BR Root CA 1 2020" +# +# Issuer: CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE +# Serial Number:7c:c9:8f:2b:84:d7:df:ea:0f:c9:65:9a:d3:4b:4d:96 +# Subject: CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue Feb 11 09:45:00 2020 +# Not Valid After : Sun Feb 11 09:44:59 2035 +# Fingerprint (SHA-256): E5:9A:AA:81:60:09:C2:2B:FF:5B:25:BA:D3:7D:F3:06:F0:49:79:7C:1F:81:D8:5A:B0:89:E6:57:BD:8F:00:44 +# Fingerprint (SHA1): 1F:5B:98:F0:E3:B5:F7:74:3C:ED:E6:B0:36:7D:32:CD:F4:09:41:67 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST BR Root CA 1 2020" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 
+END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\174\311\217\053\204\327\337\352\017\311\145\232\323\113 +\115\226 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\333\060\202\002\140\240\003\002\001\002\002\020\174 +\311\217\053\204\327\337\352\017\311\145\232\323\113\115\226\060 +\012\006\010\052\206\110\316\075\004\003\003\060\110\061\013\060 +\011\006\003\125\004\006\023\002\104\105\061\025\060\023\006\003 +\125\004\012\023\014\104\055\124\162\165\163\164\040\107\155\142 +\110\061\042\060\040\006\003\125\004\003\023\031\104\055\124\122 +\125\123\124\040\102\122\040\122\157\157\164\040\103\101\040\061 +\040\062\060\062\060\060\036\027\015\062\060\060\062\061\061\060 +\071\064\065\060\060\132\027\015\063\065\060\062\061\061\060\071 +\064\064\065\071\132\060\110\061\013\060\011\006\003\125\004\006 +\023\002\104\105\061\025\060\023\006\003\125\004\012\023\014\104 +\055\124\162\165\163\164\040\107\155\142\110\061\042\060\040\006 +\003\125\004\003\023\031\104\055\124\122\125\123\124\040\102\122 +\040\122\157\157\164\040\103\101\040\061\040\062\060\062\060\060 +\166\060\020\006\007\052\206\110\316\075\002\001\006\005\053\201 +\004\000\042\003\142\000\004\306\313\307\050\321\373\204\365\232 +\357\102\024\040\341\103\153\156\165\255\374\053\003\204\324\166 +\223\045\327\131\073\101\145\153\036\346\064\052\273\164\366\022 +\316\350\155\347\253\344\074\116\077\104\010\213\315\026\161\313 +\277\222\231\364\244\327\074\120\124\122\220\205\203\170\224\147 +\147\243\034\011\031\075\165\064\205\336\355\140\175\307\014\264 +\101\122\271\156\345\356\102\243\202\001\015\060\202\001\011\060 +\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377 +\060\035\006\003\125\035\016\004\026\004\024\163\221\020\253\377 +\125\263\132\174\011\045\325\262\272\010\240\153\253\037\155\060 +\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060 +\201\306\006\003\125\035\037\004\201\276\060\201\273\060\076\240 +\074\240\072\206\070\150\164\164\160\072\057\057\143\162\154\056 
+\144\055\164\162\165\163\164\056\156\145\164\057\143\162\154\057 +\144\055\164\162\165\163\164\137\142\162\137\162\157\157\164\137 +\143\141\137\061\137\062\060\062\060\056\143\162\154\060\171\240 +\167\240\165\206\163\154\144\141\160\072\057\057\144\151\162\145 +\143\164\157\162\171\056\144\055\164\162\165\163\164\056\156\145 +\164\057\103\116\075\104\055\124\122\125\123\124\045\062\060\102 +\122\045\062\060\122\157\157\164\045\062\060\103\101\045\062\060 +\061\045\062\060\062\060\062\060\054\117\075\104\055\124\162\165 +\163\164\045\062\060\107\155\142\110\054\103\075\104\105\077\143 +\145\162\164\151\146\151\143\141\164\145\162\145\166\157\143\141 +\164\151\157\156\154\151\163\164\060\012\006\010\052\206\110\316 +\075\004\003\003\003\151\000\060\146\002\061\000\224\220\055\023 +\372\341\143\370\141\143\350\255\205\170\124\221\234\270\223\070 +\076\032\101\332\100\026\123\102\010\312\057\216\361\076\201\126 +\300\252\330\355\030\304\260\256\364\076\372\046\002\061\000\363 +\050\342\306\333\053\231\373\267\121\270\044\243\244\224\172\032 +\077\346\066\342\003\127\063\212\060\313\202\307\326\024\021\325 +\165\143\133\024\225\234\037\001\317\330\325\162\247\017\073 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "D-TRUST BR Root CA 1 2020" +# Issuer: CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE +# Serial Number:7c:c9:8f:2b:84:d7:df:ea:0f:c9:65:9a:d3:4b:4d:96 +# Subject: CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue Feb 11 09:45:00 2020 +# Not Valid After : Sun Feb 11 09:44:59 2035 +# Fingerprint (SHA-256): E5:9A:AA:81:60:09:C2:2B:FF:5B:25:BA:D3:7D:F3:06:F0:49:79:7C:1F:81:D8:5A:B0:89:E6:57:BD:8F:00:44 +# Fingerprint (SHA1): 1F:5B:98:F0:E3:B5:F7:74:3C:ED:E6:B0:36:7D:32:CD:F4:09:41:67 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE 
+CKA_LABEL UTF8 "D-TRUST BR Root CA 1 2020" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\037\133\230\360\343\265\367\164\074\355\346\260\066\175\062\315 +\364\011\101\147 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\265\252\113\325\355\367\343\125\056\217\162\012\363\165\270\355 +END +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\061\040\062\060\062\060 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\174\311\217\053\204\327\337\352\017\311\145\232\323\113 +\115\226 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + diff --git a/SPECS/cert-manager/CVE-2024-25620.patch b/SPECS/cert-manager/CVE-2024-25620.patch new file mode 100644 index 00000000000..cf31fc0371c --- /dev/null +++ b/SPECS/cert-manager/CVE-2024-25620.patch 
@@ -0,0 +1,110 @@
+From e90f3034faa9a6a23131df5665570d221e3092f3 Mon Sep 17 00:00:00 2001
+From: Bhagyashri Pathak
+Date: Thu, 8 Aug 2024 10:27:21 +0530
+Subject: [PATCH] CVE-2024-25620 patch
+
+---
+ cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go | 4 ++++
+ .../helm.sh/helm/v3/pkg/chartutil/errors.go | 8 ++++++++
+ cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go | 20 +++++++++++++++++++
+ .../helm/v3/pkg/lint/rules/chartfile.go | 4 ++++
+ 4 files changed, 36 insertions(+)
+
+diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
+index ae572ab..3834b4c 100644
+--- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
++++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
+@@ -16,6 +16,7 @@ limitations under the License.
+ package chart
+
+ import (
++ "path/filepath"
+ "strings"
+ "unicode"
+
+@@ -110,6 +111,9 @@ func (md *Metadata) Validate() error {
+ if md.Name == "" {
+ return ValidationError("chart.metadata.name is required")
+ }
++ if md.Name != filepath.Base(md.Name) {
++ return ValidationErrorf("chart.metadata.name %q is invalid", md.Name)
++ }
+ if md.Version == "" {
+ return ValidationError("chart.metadata.version is required")
+ }
+diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
+index fcdcc27..0a4046d 100644
+--- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
++++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
+@@ -33,3 +33,11 @@ type ErrNoValue struct {
+ }
+
+ func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) }
++
++type ErrInvalidChartName struct {
++ Name string
++}
++
++func (e ErrInvalidChartName) Error() string {
++ return fmt.Sprintf("%q is not a valid chart name", e.Name)
++}
+diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
+index 2ce4edd..4ee9070 100644
+--- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
++++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
+@@ -39,6 +39,10 @@ var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=")
+ // directory, writing the chart's contents to that subdirectory.
+ func SaveDir(c *chart.Chart, dest string) error {
+ // Create the chart directory
++ err := validateName(c.Name())
++ if err != nil {
++ return err
++ }
+ outdir := filepath.Join(dest, c.Name())
+ if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() {
+ return errors.Errorf("file %s already exists and is not a directory", outdir)
+@@ -149,6 +153,10 @@ func Save(c *chart.Chart, outDir string) (string, error) {
+ }
+
+ func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error {
++ err := validateName(c.Name())
++ if err != nil {
++ return err
++ }
+ base := filepath.Join(prefix, c.Name())
+
+ // Pull out the dependencies of a v1 Chart, since there's no way
+@@ -242,3 +250,15 @@ func writeToTar(out *tar.Writer, name string, body []byte) error {
+ _, err := out.Write(body)
+ return err
+ }
++
++// If the name has directory name has characters which would change the location
++// they need to be removed.
++func validateName(name string) error {
++ nname := filepath.Base(name)
++
++ if nname != name {
++ return ErrInvalidChartName{name}
++ }
++
++ return nil
++}
+diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
+index b49f2ce..f8f033c 100644
+--- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
++++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
+@@ -107,6 +107,10 @@ func validateChartName(cf *chart.Metadata) error {
+ if cf.Name == "" {
+ return errors.New("name is required")
+ }
++ name := filepath.Base(cf.Name)
++ if name != cf.Name {
++ return fmt.Errorf("chart name %q is invalid", cf.Name)
++ }
+ return nil
+ }
+
+--
+2.34.1
+
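Review bot: The `filepath.Base` comparison added in `Validate`, `validateName` and `validateChartName` still accepts the names `.` and `..`, because each of them is its own base name, so `filepath.Join(dest, c.Name())` in `SaveDir` and `filepath.Join(prefix, c.Name())` in `writeTarContents` can still resolve to `dest` itself or to its parent. Rejecting them explicitly closes that gap, for example `if name == "." || name == ".." || filepath.Base(name) != name { return ErrInvalidChartName{name} }` in `validateName`, with the same condition in the other two checks. The comment above `validateName` also says the offending characters "need to be removed" while the function rejects the name; `// validateName returns ErrInvalidChartName unless name is a single path element.` would describe what it does. The touched functions start or end outside their hunks, and this would diverge from the upstream backport, so it is worth checking against the upstream tree before carrying it.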
diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index 2176f68fc98..0037de77af6 100644 --- a/SPECS/cert-manager/cert-manager.spec +++ b/SPECS/cert-manager/cert-manager.spec @@ -1,7 +1,7 @@ Summary: Automatically provision and manage TLS certificates in Kubernetes Name: cert-manager Version: 1.12.12 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,6 +13,7 @@ Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version # 1. wget https://github.com/jetstack/%%{name}/archive/refs/tags/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz # 2. /SPECS/cert-manager/generate_source_tarball.sh --srcTarball %%{name}-%%{version}.tar.gz --pkgVersion %%{version} Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2024-25620.patch BuildRequires: golang Requires: %{name}-acmesolver Requires: %{name}-cainjector @@ -57,8 +58,9 @@ Summary: cert-manager's webhook binary Webhook component providing API validation, mutation and conversion functionality for cert-manager. %prep -%autosetup -p1 -%setup -q -T -D -a 1 +%setup -q -a 1 +%autopatch -p1 + %build @@ -76,7 +78,6 @@ install -D -m0755 bin/cainjector %{buildroot}%{_bindir}/ install -D -m0755 bin/controller %{buildroot}%{_bindir}/ install -D -m0755 bin/cmctl %{buildroot}%{_bindir}/ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ - %files %files acmesolver @@ -105,6 +106,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ %{_bindir}/webhook %changelog +* Wed Aug 07 2024 Bhagyashri Pathak - 1.12.12-2 +- Patch for CVE-2024-25620 + * Wed Jul 10 2024 Tobias Brick - 1.12.12-1 - Upgrade to 1.12.12 to fix CVE-2024-26147 and CVE-2023-45142 diff --git a/SPECS/coreutils/coreutils.spec b/SPECS/coreutils/coreutils.spec index 14e0df6bc20..c2f2f7e168a 100644 --- a/SPECS/coreutils/coreutils.spec +++ b/SPECS/coreutils/coreutils.spec 
@@ -1,7 +1,7 @@ Summary: Basic system utilities Name: coreutils Version: 9.4 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv3 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,6 +13,8 @@ Source1: serial-console.sh Patch0: coreutils-9.4-i18n-1.patch Patch1: coreutils-9.4-uname-1.patch Patch2: CVE-2024-0684.patch +BuildRequires: libacl-devel +BuildRequires: libattr-devel BuildRequires: libselinux-devel BuildRequires: libselinux-utils Requires: gmp @@ -71,8 +73,6 @@ sed -i 's/PET/-05/g' tests/misc/date-debug.sh sed -i 's/2>err\/merge-/2>\&1 > err\/merge-/g' tests/misc/sort-merge-fdlimit.sh sed -i 's/)\" = \"10x0/| head -n 1)\" = \"10x0/g' tests/split/r-chunk.sh sed -i '/mb.sh/d' Makefile -# remove capability test which incorrectly determines xattr support and then fails -sed -i '/tests\/cp\/capability.sh/d' Makefile LANGUAGE=en_US.UTF-8 LC_ALL=en_US.UTF-8 make -k check %post -p /sbin/ldconfig @@ -92,6 +92,9 @@ LANGUAGE=en_US.UTF-8 LC_ALL=en_US.UTF-8 make -k check %defattr(-,root,root) %changelog +* Thu Aug 8 2024 Chris Gunn - 9.4-6 +- Enable xattr and acl support. + * Thu Aug 1 2024 Riken Maharjan - 9.4-5 - Remove unecessary Requires on libselinux imported from Fedora 40 (License: MIT) - libselinux causes dependency cycle. diff --git a/SPECS/dracut/0002-disable-xattr.patch b/SPECS/dracut/0002-disable-xattr.patch deleted file mode 100644 index e5545b71c28..00000000000 --- a/SPECS/dracut/0002-disable-xattr.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -diff --git a/dracut-init.sh b/dracut-init.sh -index 40b66f5..f72de3d 100755 ---- a/dracut-init.sh -+++ b/dracut-init.sh -@@ -19,11 +19,7 @@ - # - export LC_MESSAGES=C - --if [[ $EUID == "0" ]] && ! [[ $DRACUT_NO_XATTR ]]; then -- export DRACUT_CP="cp --reflink=auto --sparse=auto --preserve=mode,timestamps,xattr,links -dfr" --else -- export DRACUT_CP="cp --reflink=auto --sparse=auto --preserve=mode,timestamps,links -dfr" --fi -+export DRACUT_CP="cp --reflink=auto --sparse=auto --preserve=mode,timestamps,links -dfr" - - # is_func - # Check whether $1 is a function. -diff --git a/src/install/dracut-install.c b/src/install/dracut-install.c -index 96b20e9..433ebf7 100644 ---- a/src/install/dracut-install.c -+++ b/src/install/dracut-install.c -@@ -329,8 +329,7 @@ static int cp(const char *src, const char *dst) - - normal_copy: - pid = fork(); -- const char *preservation = (geteuid() == 0 -- && no_xattr == false) ? "--preserve=mode,xattr,timestamps,ownership" : "--preserve=mode,timestamps,ownership"; -+ const char *preservation = "--preserve=mode,timestamps"; - if (pid == 0) { - execlp("cp", "cp", "--reflink=auto", "--sparse=auto", preservation, "-fL", src, dst, NULL); - _exit(errno == ENOENT ? 127 : 126); diff --git a/SPECS/dracut/0007-feat-dracut.sh-support-multiple-config-dirs.patch b/SPECS/dracut/0007-feat-dracut.sh-support-multiple-config-dirs.patch deleted file mode 100644 index d2e767361a6..00000000000 --- a/SPECS/dracut/0007-feat-dracut.sh-support-multiple-config-dirs.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 1f59a485f2371eee0a691aa195e2a955a9b726d3 Mon Sep 17 00:00:00 2001 -From: Shreenidhi Shedi -Date: Sat, 18 Feb 2023 18:11:51 +0530 -Subject: [PATCH] feat(dracut.sh): support multiple config dirs - -Configuration can come from many places, users should not be restricted -to keep all configuration files in one directory. - -Signed-off-by: Shreenidhi Shedi ---- - dracut.sh | 29 ++++++++++++++++++----------- - man/dracut.8.asc | 4 ++-- - 2 files changed, 20 insertions(+), 13 deletions(-) - -diff --git a/dracut.sh b/dracut.sh -index ff541e79..887b134d 100755 ---- a/dracut.sh -+++ b/dracut.sh -@@ -154,8 +154,9 @@ Creates initial ramdisk images for preloading modules - -q, --quiet Decrease verbosity level. - -c, --conf [FILE] Specify configuration file to use. - Default: /etc/dracut.conf -- --confdir [DIR] Specify configuration directory to use *.conf files -- from. Default: /etc/dracut.conf.d -+ --confdir [LIST] Specify a space separated list of configuration -+ directories to use *.conf files from. -+ Default: /etc/dracut.conf.d - --tmpdir [DIR] Temporary directory to be used instead of default - ${TMPDIR:-/var/tmp}. - -r, --sysroot [DIR] Specify sysroot directory to collect files from. -@@ -674,7 +675,7 @@ while :; do - shift - ;; - --confdir) -- confdir="$2" -+ confdirs_l=("$2") - PARMS_TO_STORE+=" '$2'" - shift - ;; -@@ -920,15 +921,20 @@ elif [[ ! -e $conffile ]]; then - exit 1 - fi - --if [[ -z $confdir ]]; then -+if [ ${#confdirs_l[@]} -eq 0 ]; then - if [[ $allowlocal ]]; then -- confdir="$dracutbasedir/dracut.conf.d" -+ confdirs_l=("$dracutbasedir/dracut.conf.d") - else -- confdir="$dracutsysrootdir/etc/dracut.conf.d" -+ confdirs_l=("$dracutsysrootdir/etc/dracut.conf.d") - fi --elif [[ ! -d $confdir ]]; then -- printf "%s\n" "dracut[F]: Configuration directory '$confdir' not found." >&2 -- exit 1 -+else -+ # shellcheck disable=SC2068 -+ for d in ${confdirs_l[@]}; do -+ if [[ ! 
-d $d ]]; then -+ printf "%s\n" "dracut: Configuration directory '$d' not found." >&2 -+ exit 1 -+ fi -+ done - fi - - # source our config file -@@ -938,8 +944,9 @@ if [[ -f $conffile ]]; then - . "$conffile" - fi - --# source our config dir --for f in $(dropindirs_sort ".conf" "$confdir" "$dracutbasedir/dracut.conf.d"); do -+# source config files from all config dirs -+# shellcheck disable=SC2086 -+for f in $(dropindirs_sort ".conf" ${confdirs_l[@]} "$dracutbasedir/dracut.conf.d"); do - check_conf_file "$f" - # shellcheck disable=SC1090 - [[ -e $f ]] && . "$f" -diff --git a/man/dracut.8.asc b/man/dracut.8.asc -index 25f601bd..9cd5d08a 100644 ---- a/man/dracut.8.asc -+++ b/man/dracut.8.asc -@@ -300,8 +300,8 @@ example: - Default: - _/etc/dracut.conf_ - --**--confdir** __:: -- Specify configuration directory to use. -+**--confdir** __:: -+ Specify a space-separated list of dracut configuration directories to use. - + - Default: - _/etc/dracut.conf.d_ --- -2.34.1 - diff --git a/SPECS/dracut/50-noxattr.conf b/SPECS/dracut/50-noxattr.conf new file mode 100644 index 00000000000..7cafbef14f5 --- /dev/null +++ b/SPECS/dracut/50-noxattr.conf @@ -0,0 +1,2 @@ +# disable xattr +DRACUT_NO_XATTR=1 diff --git a/SPECS/dracut/dracut.signatures.json b/SPECS/dracut/dracut.signatures.json index 5947ada7b70..9ea435fb927 100644 --- a/SPECS/dracut/dracut.signatures.json +++ b/SPECS/dracut/dracut.signatures.json 
@@ -5,6 +5,7 @@ "00-virtio.conf": "173e93feea30f328d4cda7d07f756446fe45830ad9a5ee99b007bed0579b9a64", "00-vrf.conf": "e2885a4b090d8ca3771e60ce6dcd8b849e28ce5002a5c7b71ff796a92deb2810", "00-xen.conf": "8b7a89b7716cb40a9c0d681caed6994d81ff4dfad4fe50cea15cd47b885dc5a6", + "50-noxattr.conf": "61d95f05890ac6ee3355d0a386dd5645d82b7a4202d90305d997fd18c6d139dd", "dracut-102.tar.gz": "601b175cbf4d2ee902bb7bda3af8826ae2ca060c1af880f6da5a833413f4ec70", "lgpl-2.1.txt": "dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551", "megaraid.conf": "914824cdbe0c525b71efa05a75e453335b0068beb8bc28bef2a5866d74bf7dd4", diff --git a/SPECS/dracut/dracut.spec b/SPECS/dracut/dracut.spec index 8b82b7a32eb..227c47be3d8 100644 --- a/SPECS/dracut/dracut.spec +++ b/SPECS/dracut/dracut.spec @@ -4,7 +4,7 @@ Summary: dracut to create initramfs Name: dracut Version: 102 -Release: 2%{?dist} +Release: 4%{?dist} # The entire source code is GPLv2+ # except install/* which is LGPLv2+ License: GPLv2+ AND LGPLv2+ @@ -23,15 +23,14 @@ Source7: 00-hyperv.conf Source8: 00-virtio.conf Source9: 00-vrf.conf Source10: 00-xen.conf +Source11: 50-noxattr.conf # allow-liveos-overlay-no-user-confirmation-prompt.patch has been introduced by # the Mariner team to allow skipping the user confirmation prompt during boot # when the overlay of the liveos is backed by ram. This allows the machine to # boot without being blocked on user input in such a scenario. Patch: allow-liveos-overlay-no-user-confirmation-prompt.patch -Patch: 0002-disable-xattr.patch Patch: 0006-dracut.sh-validate-instmods-calls.patch -Patch: 0007-feat-dracut.sh-support-multiple-config-dirs.patch Patch: 0011-Remove-reference-to-kernel-module-zlib-in-fips-module.patch Patch: 0012-fix-dracut-functions-avoid-awk-in-get_maj_min.patch Patch: 0013-revert-fix-crypt-unlock-encrypted-devices-by-default.patch 
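Review bot: Dropping `Patch: 0002-disable-xattr.patch` in this hunk and shipping `Source11: 50-noxattr.conf` as an opt-in is not a like-for-like replacement. The removed patch hard-coded `--preserve=mode,timestamps` in `dracut-install.c`, which dropped `ownership` as well as `xattr`, whereas `DRACUT_NO_XATTR=1` only selects the `--preserve=mode,timestamps,ownership` branch shown in the removed lines. Systems without `dracut-noxattr` installed will also start copying extended attributes into the initramfs when dracut runs as root, which may include security labels and file capabilities. I would record this above `Source11`, e.g. `# opt-in: disables xattr preservation only; dracut-install still preserves ownership`, and confirm that a plain assignment in the conf file reaches the environment of dracut-install, which this diff does not show.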
@@ -97,6 +96,13 @@ Requires: %{name} = %{version}-%{release} %description megaraid This package contains dracut configuration needed to build an initramfs with MegaRAID driver support. +%package noxattr +Summary: dracut configuration needed to disable preserving of xattr file metadata +Requires: %{name} = %{version}-%{release} + +%description noxattr +This package contains dracut configuration needed to disable preserving of xattr file metadata. + %package tools Summary: dracut tools to build the local initramfs Requires: %{name} = %{version}-%{release} @@ -175,6 +181,7 @@ install -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/dracut.conf.d/00-hyperv.co install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/dracut.conf.d/00-virtio.conf install -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/dracut.conf.d/00-vrf.conf install -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/dracut.conf.d/00-xen.conf +install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/dracut.conf.d/50-noxattr.conf mkdir -p %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/ install -p -m 0755 %{SOURCE4} %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/ @@ -252,6 +259,10 @@ ln -srv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_sbindir}/%{name} %defattr(-,root,root,0755) %{_sysconfdir}/dracut.conf.d/50-megaraid.conf +%files noxattr +%defattr(-,root,root,0755) +%{_sysconfdir}/dracut.conf.d/50-noxattr.conf + %files tools %defattr(-,root,root,0755) @@ -277,6 +288,13 @@ ln -srv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_sbindir}/%{name} %dir %{_sharedstatedir}/%{name}/overlay %changelog +* Mon Aug 19 2024 Cameron Baird - 102-4 +- Drop 0002-disable-xattr.patch +- Introduce dracut-noxattr subpackage to expose this behavior as an option + +* Thu Aug 08 2024 Cameron Baird - 102-3 +- Drop 0007-feat-dracut.sh-support-multiple-config-dirs.patch + * Tue Aug 06 2024 Thien Trung Vuong - 102-2 - Add fix for initrd not showing prompt when root device is locked 
diff --git a/SPECS/e2fsprogs/e2fsprogs.spec b/SPECS/e2fsprogs/e2fsprogs.spec index 547e4e2cf45..ff962e0fb86 100644 --- a/SPECS/e2fsprogs/e2fsprogs.spec +++ b/SPECS/e2fsprogs/e2fsprogs.spec @@ -1,7 +1,7 @@ Summary: Contains the utilities for the ext2 file system Name: e2fsprogs Version: 1.47.0 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 AND LGPLv2 AND BSD AND MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -62,6 +62,11 @@ rm -rf %{buildroot}%{_infodir} %find_lang %{name} %check +# This test is known to fail; remove it +# See upstream issue: https://github.com/tytso/e2fsprogs/issues/134 +# See also LFS: https://www.linuxfromscratch.org/lfs/downloads/stable/LFS-BOOK-12.1-NOCHUNKS.html#ch-system-e2fsprogs +rm -rvf tests/m_assume_storage_prezeroed + # Multi-threaded runs are flaky. make -j1 check test_status=$? @@ -143,6 +148,9 @@ done %defattr(-,root,root) %changelog +* Mon Aug 19 2024 Andrew Phelps - 1.47.0-2 +- Remove known bad package test + * Tue Nov 28 2023 Andrew Phelps - 1.47.0-1 - Upgrade to 1.47.0 diff --git a/SPECS/flannel/flannel.spec b/SPECS/flannel/flannel.spec index 46c1119df8d..99cf843b2be 100644 --- a/SPECS/flannel/flannel.spec +++ b/SPECS/flannel/flannel.spec @@ -3,7 +3,7 @@ Summary: Simple and easy way to configure a layer 3 network fabric designed for Kubernetes Name: flannel Version: 0.24.2 -Release: 5%{?dist} +Release: 6%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,7 +13,7 @@ Source0: https://github.com/flannel-io/%{name}/archive/refs/tags/v%{versi Source1: %{name}-%{version}-vendor.tar.gz BuildRequires: gcc BuildRequires: glibc-devel -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} BuildRequires: golang >= 1.20 BuildRequires: kernel-headers 
@@ -50,6 +50,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld %{_bindir}/flanneld %changelog +* Wed Aug 21 2024 Chris Co - 0.24.2-6 +- Bump to rebuild with updated glibc + * Wed May 22 2024 Suresh Babu Chalamalasetty - 0.24.2-5 - update to build dep latest glibc-static version diff --git a/SPECS/frr/CVE-2024-44070.patch b/SPECS/frr/CVE-2024-44070.patch new file mode 100644 index 00000000000..89ebf9e7ef5 --- /dev/null +++ b/SPECS/frr/CVE-2024-44070.patch 
@@ -0,0 +1,48 @@ +From 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Wed, 31 Jul 2024 08:35:14 +0300 +Subject: [PATCH] bgpd: Check the actual remaining stream length before taking + TLV value + +``` + 0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) + 1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) + 2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) + 3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11) + 4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17 + 5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13 + 6 0xe0d12c83712c in abort stdlib/abort.c:79:7 + 7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2 + 8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3 + 9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3 + 10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10 + 11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20 + 12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11 + 13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3 +``` + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +--- + bgpd/bgp_attr.c | 8 
++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 2ed49935e52b..ac5d08b6fe6e 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -2749,6 +2749,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args) + args->total); + } + ++ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) { ++ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu", ++ sublength, STREAM_READABLE(BGP_INPUT(peer))); ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); ++ } ++ + /* alloc and copy sub-tlv */ + /* TBD make sure these are freed when attributes are released */ + tlv = XCALLOC(MTYPE_ENCAP_TLV, diff --git a/SPECS/frr/frr.spec b/SPECS/frr/frr.spec index 8899ef4526a..5a7dc0e1cbf 100644 --- a/SPECS/frr/frr.spec +++ b/SPECS/frr/frr.spec @@ -3,7 +3,7 @@ Summary: Routing daemon Name: frr Version: 9.1.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux @@ -16,6 +16,7 @@ Patch1: 0001-enable-openssl.patch Patch2: 0002-disable-eigrp-crypto.patch Patch3: 0003-fips-mode.patch Patch4: 0004-remove-grpc-test.patch +Patch5: CVE-2024-44070.patch BuildRequires: autoconf BuildRequires: automake @@ -198,6 +199,9 @@ rm tests/lib/*grpc* %{_sysusersdir}/%{name}.conf %changelog +* Wed Aug 21 2024 Brian Fjeldstad - 9.1.1-2 +- Fix CVE-2024-44070 + * Tue Aug 06 2024 Sumedh Sharma - 9.1.1-1 - Bump version to 9.1.1 to fix CVE-2024-31950 & CVE-2024-31951 diff --git a/SPECS/gdb/gdb.spec b/SPECS/gdb/gdb.spec index cc53179a28c..b79a5c8bbd2 100644 --- a/SPECS/gdb/gdb.spec +++ b/SPECS/gdb/gdb.spec @@ -1,7 +1,7 @@ Summary: C debugger Name: gdb Version: 13.2 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux 
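Review bot: The added `STREAM_READABLE(BGP_INPUT(peer)) < sublength` check in `bgp_attr_encap` has no comment saying why a second length check is needed next to the one that closes just above it, and the commit message is only a fuzzer stack trace. I would add above the `if`: `/* sublength comes from the packet; make sure that many bytes are really left in the input stream before the value is copied */`. The function starts and ends outside the hunk, so whether the reads of the sub-TLV type and length fields before this point are bounded the same way cannot be confirmed from here and is worth checking in the full file. The patch also brings no regression test for the malformed attribute.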
@@ -43,7 +43,8 @@ another program was doing at the moment it crashed. --with-system-readline \ --with-system-zlib \ --disable-sim \ - --with-python=%{python3} + --with-python=%{python3} \ + --enable-unit-tests %make_build %install @@ -71,8 +72,18 @@ rm -vf %{buildroot}%{_libdir}/libaarch64-unknown-linux-gnu-sim.a %check # disable security hardening for tests -rm -f $(dirname $(gcc -print-libgcc-file-name))/../specs -%make_build check TESTS="gdb.base/default.exp" +rm -vf $(dirname $(gcc -print-libgcc-file-name))/../specs + +# Run unit tests +pushd gdb +make run GDBFLAGS='-batch -ex "maintenance selftest"' +popd + +# Remove libctf test suite, which causes compilation errors with the base tests +rm -rvf libctf/testsuite + +# Run base tests +make check TESTS='gdb.base/default.exp' %files -f %{name}.lang %defattr(-,root,root) @@ -89,6 +100,10 @@ rm -f $(dirname $(gcc -print-libgcc-file-name))/../specs %{_mandir}/*/* %changelog +* Fri Aug 16 2024 Andrew Phelps - 13.2-2 +- Fix package tests +- Enable and run unit tests + * Tue Nov 14 2023 Andrew Phelps - 13.2-1 - Upgrade to version 13.2 diff --git a/SPECS/glibc/CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch b/SPECS/glibc/CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch deleted file mode 100644 index 41eed5cf391..00000000000 --- a/SPECS/glibc/CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -Backport of the below commit -CVE-2023-6246 -> https://sourceware.org/git?p=glibc.git;a=commit;h=6bd0e4efcc78f3c0115e5ea9739a1642807450da -CVE-2023-6779 -> https://sourceware.org/git?p=glibc.git;a=commit;h=7e5a0c286da33159d47d0122007aac016f3e02cd -CVE-2023-6780 -> https://sourceware.org/git?p=glibc.git;a=commit;h=ddf542da94caf97ff43cc2875c88749880b7259b - - -diff -ru glibc-2.38-orig/misc/Makefile glibc-2.38/misc/Makefile ---- glibc-2.38-orig/misc/Makefile 2024-06-17 21:53:24.532411335 +0000 -+++ glibc-2.38/misc/Makefile 2024-06-17 21:57:25.721213362 +0000 -@@ -351,6 +351,9 @@ - $(common-objpfx)malloc/mtrace $(objpfx)tst-allocate_once.mtrace > $@; \ - $(evaluate-test) - -+tst-syslog-long-progname-ENV = GLIBC_TUNABLES=glibc.malloc.check=3 \ -+ LD_PRELOAD=libc_malloc_debug.so.0 -+ - $(objpfx)tst-select: $(librt) - $(objpfx)tst-select-time64: $(librt) - $(objpfx)tst-pselect: $(librt) -diff -ru glibc-2.38-orig/misc/syslog.c glibc-2.38/misc/syslog.c ---- glibc-2.38-orig/misc/syslog.c 2024-06-17 21:53:24.552411404 +0000 -+++ glibc-2.38/misc/syslog.c 2024-06-17 22:39:50.400414890 +0000 -@@ -41,6 +41,7 @@ - #include - #include - #include -+#include - - static int LogType = SOCK_DGRAM; /* type of socket connection */ - static int LogFile = -1; /* fd for log */ -@@ -124,8 +125,9 @@ - { - /* Try to use a static buffer as an optimization. 
*/ - char bufs[1024]; -- char *buf = NULL; -- size_t bufsize = 0; -+ char *buf = bufs; -+ size_t bufsize; -+ - int msgoff; - int saved_errno = errno; - -@@ -177,29 +179,54 @@ - #define SYSLOG_HEADER_WITHOUT_TS(__pri, __msgoff) \ - "<%d>: %n", __pri, __msgoff - -- int l; -+ int l, vl; - if (has_ts) - l = __snprintf (bufs, sizeof bufs, - SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); - else - l = __snprintf (bufs, sizeof bufs, - SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); -- if (0 <= l && l < sizeof bufs) -+ if (l < 0) -+ goto out; -+ -+ char *pos; -+ size_t len; -+ -+ if (l < sizeof bufs) -+ { -+ /* At this point, there is still a chance that we can print the -+ remaining part of the log into bufs and use that. */ -+ pos = bufs + l; -+ len = sizeof (bufs) - l; -+ } -+ else - { -- va_list apc; -- va_copy (apc, ap); -+ buf = NULL; -+ /* We already know that bufs is too small to use for this log message. -+ The next vsnprintf into bufs is used only to calculate the total -+ required buffer length. We will discard bufs contents and allocate -+ an appropriately sized buffer later instead. */ -+ pos = bufs; -+ len = sizeof (bufs); -+ } - -- /* Restore errno for %m format. */ -- __set_errno (saved_errno); -+ { -+ va_list apc; -+ va_copy (apc, ap); - -- int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc, -- mode_flags); -- if (0 <= vl && vl < sizeof bufs - l) -- buf = bufs; -- bufsize = l + vl; -+ /* Restore errno for %m format. */ -+ __set_errno (saved_errno); - -- va_end (apc); -- } -+ va_end (apc); -+ -+ if (vl < 0 || vl >= INT_MAX - l) -+ goto out; -+ -+ if (vl >= len) -+ buf = NULL; -+ -+ bufsize = l + vl; -+ } - - if (buf == NULL) - { -@@ -209,25 +236,37 @@ - /* Tell the cancellation handler to free this buffer. 
*/ - clarg.buf = buf; - -+ int cl; - if (has_ts) -- __snprintf (buf, l + 1, -- SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); -+ cl = __snprintf (buf, l + 1, -+ SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); - else -- __snprintf (buf, l + 1, -- SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); -+ cl = __snprintf (buf, l + 1, -+ SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); -+ if (cl != l) -+ goto out; - - va_list apc; - va_copy (apc, ap); -- __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, -- mode_flags); -- va_end (apc); -+ cl = __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, -+ mode_flags); -+ va_end (apc); -+ -+ if (cl != vl) -+ goto out; - } - else - { -+ int bl; - /* Nothing much to do but emit an error message. */ -- bufsize = __snprintf (bufs, sizeof bufs, -- "out of memory[%d]", __getpid ()); -+ bl = __snprintf (bufs, sizeof bufs, -+ "out of memory[%d]", __getpid ()); -+ if (bl < 0 || bl >= sizeof bufs) -+ goto out; -+ -+ bufsize = bl; - buf = bufs; -+ msgoff = 0; - } - } - -Only in glibc-2.38/misc: tst-syslog-long-progname.c diff --git a/SPECS/glibc/CVE-2023-6246.patch b/SPECS/glibc/CVE-2023-6246.patch new file mode 100644 index 00000000000..45c76b29a1b --- /dev/null +++ b/SPECS/glibc/CVE-2023-6246.patch 
@@ -0,0 +1,181 @@ +From 23514c72b780f3da097ecf33a793b7ba9c2070d2 Mon Sep 17 00:00:00 2001 +From: Arjun Shankar +Date: Mon, 15 Jan 2024 17:44:43 +0100 +Subject: [PATCH] syslog: Fix heap buffer overflow in __vsyslog_internal + (CVE-2023-6246) + +__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER +containing a long program name failed to update the required buffer +size, leading to the allocation and overflow of a too-small buffer on +the heap. This commit fixes that. It also adds a new regression test +that uses glibc.malloc.check. + +Reviewed-by: Adhemerval Zanella +Reviewed-by: Carlos O'Donell +Tested-by: Carlos O'Donell +(cherry picked from commit 6bd0e4efcc78f3c0115e5ea9739a1642807450da) +--- + misc/Makefile | 8 ++- + misc/syslog.c | 50 +++++++++++++------ + misc/tst-syslog-long-progname.c | 39 +++++++++++++++ + .../postclean.req | 0 + 4 files changed, 82 insertions(+), 15 deletions(-) + create mode 100644 misc/tst-syslog-long-progname.c + create mode 100644 misc/tst-syslog-long-progname.root/postclean.req + +diff --git a/misc/Makefile b/misc/Makefile +index fe0d49c1de..90b31952c5 100644 +--- a/misc/Makefile ++++ b/misc/Makefile +@@ -289,7 +289,10 @@ tests-special += $(objpfx)tst-error1-mem.out \ + $(objpfx)tst-allocate_once-mem.out + endif + +-tests-container := tst-syslog ++tests-container := \ ++ tst-syslog \ ++ tst-syslog-long-progname \ ++ # tests-container + + CFLAGS-select.c += -fexceptions -fasynchronous-unwind-tables + CFLAGS-tsearch.c += $(uses-callbacks) +@@ -351,6 +354,9 @@ $(objpfx)tst-allocate_once-mem.out: $(objpfx)tst-allocate_once.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-allocate_once.mtrace > $@; \ + $(evaluate-test) + ++tst-syslog-long-progname-ENV = GLIBC_TUNABLES=glibc.malloc.check=3 \ ++ LD_PRELOAD=libc_malloc_debug.so.0 ++ + $(objpfx)tst-select: $(librt) + $(objpfx)tst-select-time64: $(librt) + $(objpfx)tst-pselect: $(librt) +diff --git a/misc/syslog.c b/misc/syslog.c +index 1b8cb722c5..814d224a1e 100644 +--- 
a/misc/syslog.c ++++ b/misc/syslog.c +@@ -124,8 +124,9 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, + { + /* Try to use a static buffer as an optimization. */ + char bufs[1024]; +- char *buf = NULL; +- size_t bufsize = 0; ++ char *buf = bufs; ++ size_t bufsize; ++ + int msgoff; + int saved_errno = errno; + +@@ -177,29 +178,50 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, + #define SYSLOG_HEADER_WITHOUT_TS(__pri, __msgoff) \ + "<%d>: %n", __pri, __msgoff + +- int l; ++ int l, vl; + if (has_ts) + l = __snprintf (bufs, sizeof bufs, + SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); + else + l = __snprintf (bufs, sizeof bufs, + SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); ++ ++ char *pos; ++ size_t len; ++ + if (0 <= l && l < sizeof bufs) + { +- va_list apc; +- va_copy (apc, ap); ++ /* At this point, there is still a chance that we can print the ++ remaining part of the log into bufs and use that. */ ++ pos = bufs + l; ++ len = sizeof (bufs) - l; ++ } ++ else ++ { ++ buf = NULL; ++ /* We already know that bufs is too small to use for this log message. ++ The next vsnprintf into bufs is used only to calculate the total ++ required buffer length. We will discard bufs contents and allocate ++ an appropriately sized buffer later instead. */ ++ pos = bufs; ++ len = sizeof (bufs); ++ } + +- /* Restore errno for %m format. */ +- __set_errno (saved_errno); ++ { ++ va_list apc; ++ va_copy (apc, ap); + +- int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc, +- mode_flags); +- if (0 <= vl && vl < sizeof bufs - l) +- buf = bufs; +- bufsize = l + vl; ++ /* Restore errno for %m format. 
*/ ++ __set_errno (saved_errno); + +- va_end (apc); +- } ++ vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags); ++ ++ if (!(0 <= vl && vl < len)) ++ buf = NULL; ++ ++ bufsize = l + vl; ++ va_end (apc); ++ } + + if (buf == NULL) + { +diff --git a/misc/tst-syslog-long-progname.c b/misc/tst-syslog-long-progname.c +new file mode 100644 +index 0000000000..88f37a8a00 +--- /dev/null ++++ b/misc/tst-syslog-long-progname.c +@@ -0,0 +1,39 @@ ++/* Test heap buffer overflow in syslog with long __progname (CVE-2023-6246) ++ Copyright (C) 2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++ ++extern char * __progname; ++ ++static int ++do_test (void) ++{ ++ char long_progname[2048]; ++ ++ memset (long_progname, 'X', sizeof (long_progname) - 1); ++ long_progname[sizeof (long_progname) - 1] = '\0'; ++ ++ __progname = long_progname; ++ ++ syslog (LOG_INFO, "Hello, World!"); ++ ++ return 0; ++} ++ ++#include +diff --git a/misc/tst-syslog-long-progname.root/postclean.req b/misc/tst-syslog-long-progname.root/postclean.req +new file mode 100644 +index 0000000000..e69de29bb2 +-- +2.43.5 + diff --git a/SPECS/glibc/CVE-2023-6779.patch b/SPECS/glibc/CVE-2023-6779.patch new file mode 100644 index 00000000000..3690e606f2b --- /dev/null +++ b/SPECS/glibc/CVE-2023-6779.patch 
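Review bot: `CVE-2023-6246.patch` on its own still computes `bufsize = l + vl` when `l` or `vl` is negative; the `if (l < 0) goto out;` and `if (vl < 0) goto out;` guards only arrive with `CVE-2023-6779.patch`, whose `misc/syslog.c` pre-image `814d224a1e` is this patch's post-image. The split files are therefore an ordered series rather than independent fixes, and the spec, which is not in this part of the diff, has to apply 6246 before 6779 (and presumably 6780 after both) with none dropped. A comment next to the `Patch` entries such as `# CVE-2023-6246/6779/6780: upstream syslog series, keep together and in this order` would stop a later cleanup from reordering or removing one.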
@@ -0,0 +1,106 @@ +From d0338312aace5bbfef85e03055e1212dd0e49578 Mon Sep 17 00:00:00 2001 +From: Arjun Shankar +Date: Mon, 15 Jan 2024 17:44:44 +0100 +Subject: [PATCH] syslog: Fix heap buffer overflow in __vsyslog_internal + (CVE-2023-6779) + +__vsyslog_internal used the return value of snprintf/vsnprintf to +calculate buffer sizes for memory allocation. If these functions (for +any reason) failed and returned -1, the resulting buffer would be too +small to hold output. This commit fixes that. + +All snprintf/vsnprintf calls are checked for negative return values and +the function silently returns upon encountering them. + +Reviewed-by: Carlos O'Donell +(cherry picked from commit 7e5a0c286da33159d47d0122007aac016f3e02cd) +--- + misc/syslog.c | 39 ++++++++++++++++++++++++++++----------- + 1 file changed, 28 insertions(+), 11 deletions(-) + +diff --git a/misc/syslog.c b/misc/syslog.c +index 814d224a1e..53440e47ad 100644 +--- a/misc/syslog.c ++++ b/misc/syslog.c +@@ -185,11 +185,13 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, + else + l = __snprintf (bufs, sizeof bufs, + SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); ++ if (l < 0) ++ goto out; + + char *pos; + size_t len; + +- if (0 <= l && l < sizeof bufs) ++ if (l < sizeof bufs) + { + /* At this point, there is still a chance that we can print the + remaining part of the log into bufs and use that. */ +@@ -215,12 +217,15 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, + __set_errno (saved_errno); + + vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags); ++ va_end (apc); ++ ++ if (vl < 0) ++ goto out; + +- if (!(0 <= vl && vl < len)) ++ if (vl >= len) + buf = NULL; + + bufsize = l + vl; +- va_end (apc); + } + + if (buf == NULL) +@@ -231,25 +236,37 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, + /* Tell the cancellation handler to free this buffer. 
*/ + clarg.buf = buf; + ++ int cl; + if (has_ts) +- __snprintf (buf, l + 1, +- SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); ++ cl = __snprintf (buf, l + 1, ++ SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); + else +- __snprintf (buf, l + 1, +- SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); ++ cl = __snprintf (buf, l + 1, ++ SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); ++ if (cl != l) ++ goto out; + + va_list apc; + va_copy (apc, ap); +- __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, +- mode_flags); ++ cl = __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, ++ mode_flags); + va_end (apc); ++ ++ if (cl != vl) ++ goto out; + } + else + { ++ int bl; + /* Nothing much to do but emit an error message. */ +- bufsize = __snprintf (bufs, sizeof bufs, +- "out of memory[%d]", __getpid ()); ++ bl = __snprintf (bufs, sizeof bufs, ++ "out of memory[%d]", __getpid ()); ++ if (bl < 0 || bl >= sizeof bufs) ++ goto out; ++ ++ bufsize = bl; + buf = bufs; ++ msgoff = 0; + } + } + +-- +2.43.5 + diff --git a/SPECS/glibc/CVE-2023-6780.patch b/SPECS/glibc/CVE-2023-6780.patch new file mode 100644 index 00000000000..209368253a5 --- /dev/null +++ b/SPECS/glibc/CVE-2023-6780.patch 
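Review bot: The heap path formats the message a second time without restoring errno, so a `%m` message can come out with a different length than on the first pass and be dropped by the new `if (cl != vl) goto out;`. The only `__set_errno (saved_errno)` in these hunks sits before the first `__vsnprintf_internal`; the allocation and the header `__snprintf` run in between and may leave errno changed (the allocation is on lines the hunks do not show, so this is inferred). The failure is safe, because the second write is bounded by `bufsize - l + 1`, but the log line is lost without any trace. Adding `__set_errno (saved_errno);` just before the second `va_copy (apc, ap);` would keep the two passes consistent. `__vsyslog_internal` starts and ends outside the hunks, so the `out` label and how it releases `clarg.buf` on the new early exits should be checked there too.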
@@ -0,0 +1,41 @@ +From d37c2b20a4787463d192b32041c3406c2bd91de0 Mon Sep 17 00:00:00 2001 +From: Arjun Shankar +Date: Mon, 15 Jan 2024 17:44:45 +0100 +Subject: [PATCH] syslog: Fix integer overflow in __vsyslog_internal + (CVE-2023-6780) + +__vsyslog_internal calculated a buffer size by adding two integers, but +did not first check if the addition would overflow. This commit fixes +that. + +Reviewed-by: Carlos O'Donell +Tested-by: Carlos O'Donell +(cherry picked from commit ddf542da94caf97ff43cc2875c88749880b7259b) +--- + misc/syslog.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/misc/syslog.c b/misc/syslog.c +index 53440e47ad..4af87f54fd 100644 +--- a/misc/syslog.c ++++ b/misc/syslog.c +@@ -41,6 +41,7 @@ static char sccsid[] = "@(#)syslog.c 8.4 (Berkeley) 3/18/94"; + #include + #include + #include ++#include + + static int LogType = SOCK_DGRAM; /* type of socket connection */ + static int LogFile = -1; /* fd for log */ +@@ -219,7 +220,7 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, + vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags); + va_end (apc); + +- if (vl < 0) ++ if (vl < 0 || vl >= INT_MAX - l) + goto out; + + if (vl >= len) +-- +2.43.5 + diff --git a/SPECS/glibc/glibc.spec b/SPECS/glibc/glibc.spec index e015978e701..75baaaa1d75 100644 --- a/SPECS/glibc/glibc.spec +++ b/SPECS/glibc/glibc.spec @@ -10,7 +10,7 @@ Summary: Main C library Name: glibc Version: 2.38 -Release: 6%{?dist} +Release: 7%{?dist} License: BSD AND GPLv2+ AND Inner-Net AND ISC AND LGPLv2+ AND MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -32,7 +32,9 @@ Patch4: CVE-2018-20796.nopatch Patch5: https://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.38-memalign_fix-1.patch Patch6: CVE-2023-4911.patch Patch7: CVE-2023-5156.patch -Patch8: CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch +Patch8: CVE-2023-6246.patch +Patch9: CVE-2023-6779.patch +Patch10: CVE-2023-6780.patch BuildRequires: bison BuildRequires: gawk 
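Review bot: Patch8 to Patch10 are an ordered series, and nothing beside them says so. CVE-2023-6780.patch already carries the `if (vl < 0)` check from CVE-2023-6779.patch in its context, and its `INT_MAX - l` bound is only safe because that earlier patch rejects a negative `l` first. A comment above Patch8 such as `# syslog CVE fixes; these apply on top of each other, keep in this order` would stop a later edit from reordering or dropping one of them. The changelog entry added further down could also name the replaced `CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch`, so the status of the three CVEs can still be followed from the changelog.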
@@ -352,6 +354,9 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: %exclude %{_libdir}/locale/C.utf8 %changelog +* Wed Aug 21 2024 Chris Co - 2.38-7 +- Fix syslog failing to print issue + * Mon Jun 17 2024 Nicolas Guibourge - 2.38-6 - Address CVE-2023-4911, CVE-2023-5156, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780 diff --git a/SPECS/grpc/grpc.signatures.json b/SPECS/grpc/grpc.signatures.json index 1a8c056a985..b65a1de704d 100644 --- a/SPECS/grpc/grpc.signatures.json +++ b/SPECS/grpc/grpc.signatures.json @@ -1,6 +1,6 @@ { - "Signatures": { - "grpc-1.62.0-submodules.tar.gz": "dba5605f82b99f65f7109644cbd0b92936f29f5308d2565c9cc6cfde27e215d0", - "grpc-1.62.0.tar.gz": "f40bde4ce2f31760f65dc49a2f50876f59077026494e67dccf23992548b1b04f" - } + "Signatures": { + "grpc-1.62.0-submodules.tar.gz": "dba5605f82b99f65f7109644cbd0b92936f29f5308d2565c9cc6cfde27e215d0", + "grpc-1.62.0.tar.gz": "f40bde4ce2f31760f65dc49a2f50876f59077026494e67dccf23992548b1b04f" + } } diff --git a/SPECS/grpc/grpc.spec b/SPECS/grpc/grpc.spec index f4237688c64..1474bbf659f 100644 --- a/SPECS/grpc/grpc.spec +++ b/SPECS/grpc/grpc.spec @@ -1,7 +1,7 @@ Summary: Open source remote procedure call (RPC) framework Name: grpc Version: 1.62.0 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -10,7 +10,7 @@ URL: https://www.grpc.io Source0: https://github.com/grpc/grpc/archive/v%{version}/%{name}-%{version}.tar.gz Source1: %{name}-%{version}-submodules.tar.gz Patch0: grpcio-cython3.patch -BuildRequires: abseil-cpp-devel +BuildRequires: abseil-cpp-devel >= 20240116.0-2 BuildRequires: build-essential BuildRequires: c-ares-devel BuildRequires: cmake @@ -22,7 +22,7 @@ BuildRequires: protobuf-static BuildRequires: re2-devel BuildRequires: systemd-devel BuildRequires: zlib-devel -Requires: abseil-cpp +Requires: abseil-cpp >= 20240116.0-2 Requires: c-ares Requires: openssl Requires: protobuf 
@@ -153,6 +153,9 @@ export GRPC_PYTHON_CFLAGS="%{optflags} -std=c++$CXX_VERSION" %{python3_sitearch}/grpcio-%{version}-py%{python3_version}.egg-info %changelog +* Thu Jul 25 2024 Devin Anderson - 1.62.0-3 +- Bump release to rebuild with latest 'abseil-cpp'. + * Wed Mar 20 2024 Betty Lakes - 1.62.0-2 - Bump release to rebuild with latest 'abseil-cpp'. diff --git a/SPECS/grub2/grub2.signatures.json b/SPECS/grub2/grub2.signatures.json index 3e381bb7bfa..4add5867c59 100644 --- a/SPECS/grub2/grub2.signatures.json +++ b/SPECS/grub2/grub2.signatures.json @@ -2,7 +2,6 @@ "Signatures": { "gnulib-d271f868a8df9bbec29049d01e056481b7a1a263.tar.gz": "4e23415ae2977ffca15e07419ceff3e9334d0369eafc9e7ae2578f8dd9a4839c", "grub-2.06.tar.gz": "660eaa2355a4045d8d0cdb5765169d1cad9912ec07873b86c9c6d55dbaa9dfca", - "macros.grub2": "b03f6f713601214406971de53538dfc25136bf836f09a663eaffc4332a72c38b", "sbat.csv.in": "040bcd900845b53ef9124f70f8b40fbd169740681fdd519a688663a59a958cf1" } } diff --git a/SPECS/grub2/grub2.spec b/SPECS/grub2/grub2.spec index 909d2ef104c..614c97ccb3f 100644 --- a/SPECS/grub2/grub2.spec +++ b/SPECS/grub2/grub2.spec @@ -6,7 +6,7 @@ Summary: GRand Unified Bootloader Name: grub2 Version: 2.06 -Release: 19%{?dist} +Release: 20%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -15,7 +15,6 @@ URL: https://www.gnu.org/software/grub Source0: https://git.savannah.gnu.org/cgit/grub.git/snapshot/grub-%{version}.tar.gz Source1: https://git.savannah.gnu.org/cgit/gnulib.git/snapshot/gnulib-%{gnulibversion}.tar.gz Source2: sbat.csv.in -Source3: macros.grub2 # Incorporate relevant patches from Fedora 34 # EFI Secure Boot / Handover Protocol patches Patch0001: 0001-Add-support-for-Linux-EFI-stub-loading.patch 
@@ -48,7 +47,7 @@ Patch0157: 0157-linuxefi-fail-kernel-validation-without-shim-protoco.patch # Fix to prevent user from overwriting signed grub binary using grub2-install Patch0166: 0166-grub-install-disable-support-for-EFI-platforms.patch # CVE-2021-3981 -Patch0167: 0167-restore-umask-for-grub-config.patch +Patch0167: 0167-restore-umask-for-grub-config.patch # Fix to reset the global errno to success upon success. Patch0170: 0170-fix-memory-alloc-errno-reset.patch Patch0171: CVE-2022-2601.patch @@ -193,14 +192,6 @@ Requires: %{name}-tools-minimal = %{version}-%{release} %description efi-binary-noprefix GRUB UEFI bootloader binaries with no prefix directory set -%package rpm-macros -Summary: GRUB RPM Macros -Group: System Environment/Base - -%description rpm-macros -GRUB RPM Macros for enabling package updates supporting -the grub2-mkconfig flow on AzureLinux - %package configuration Summary: Location for local grub configurations Group: System Environment/Base @@ -335,10 +326,6 @@ GRUB_MODULE_SOURCE= install -d $EFI_BOOT_DIR -# Install grub2 macros -mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d -install -m 644 %{SOURCE3} %{buildroot}/%{_rpmconfigdir}/macros.d - %ifarch x86_64 GRUB_MODULE_NAME=grubx64.efi GRUB_PXE_MODULE_NAME=grubx64-noprefix.efi @@ -426,9 +413,6 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME %{_libdir}/grub/* %endif -%files rpm-macros -%{_rpmconfigdir}/macros.d/macros.grub2 - %files configuration %dir %{_sysconfdir}/grub.d %dir %{_sysconfdir}/default/grub.d @@ -444,6 +428,9 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME %config(noreplace) %{_sysconfdir}/grub.d/41_custom %changelog +* Tue Aug 13 2024 Daniel McIlvaney - 2.06-20 +- Move grub2-rpm-macros to the azurelinux-rpm-macros package + * Wed Jun 12 2024 George Mileka - 2.06-19 - disable code optimization for ip checksum calculation 
@@ -473,7 +460,7 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME - Enable support for grub2-mkconfig grub.cfg generation - Introduce rpm-macros, configuration subpackage - The Mariner /etc/default/grub now sources files from /etc/default/grub.d - before the remainder of grub2-mkconfig runs. This allows RPM to + before the remainder of grub2-mkconfig runs. This allows RPM to install package-specific configurations that the users can safely override. diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index 36926b357de..99df6f631b2 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -7,6 +7,6 @@ "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-6.6.43.1.tar.gz": "978e302c77d8ffbb7f6e6fafd1bc77c9fc84a7839d1ec3251f1c48d61eaf5c39" + "kernel-6.6.47.1.tar.gz": "05f517228da02a9d1d4fd86c66b7565aa7bd28bae1380e29d79f181842efe50f" } } diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index 30691c07ed3..effb9b6aa51 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -10,7 +10,7 @@ Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 6.6.43.1 +Version: 6.6.47.1 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation @@ -221,6 +221,12 @@ fi %{_sbindir}/lsvmbus %changelog +* Thu Aug 22 2024 CBL-Mariner Servicing Account - 6.6.47.1-1 +- Auto-upgrade to 6.6.47.1 + +* Wed Aug 14 2024 CBL-Mariner Servicing Account - 6.6.44.1-1 +- Auto-upgrade to 6.6.44.1 + * Tue Jul 30 2024 CBL-Mariner Servicing Account - 6.6.43.1-1 - Auto-upgrade to 6.6.43.1 
diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 102bb20c12f..859c64cc1ef 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "kernel-6.6.43.1.tar.gz": "978e302c77d8ffbb7f6e6fafd1bc77c9fc84a7839d1ec3251f1c48d61eaf5c39" + "kernel-6.6.47.1.tar.gz": "05f517228da02a9d1d4fd86c66b7565aa7bd28bae1380e29d79f181842efe50f" } } diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 68a6610564e..1305e26df06 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -13,8 +13,8 @@ Summary: Linux API header files Name: kernel-headers -Version: 6.6.43.1 -Release: 7%{?dist} +Version: 6.6.47.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -75,6 +75,12 @@ done %endif %changelog +* Thu Aug 22 2024 CBL-Mariner Servicing Account - 6.6.47.1-1 +- Auto-upgrade to 6.6.47.1 + +* Wed Aug 14 2024 CBL-Mariner Servicing Account - 6.6.44.1-1 +- Auto-upgrade to 6.6.44.1 + * Sat Aug 10 2024 Thien Trung Vuong - 6.6.43.1-7 - Bump release to match kernel diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 9b06308cb89..1ad3dc7e3b8 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 6.6.43.1 Kernel Configuration +# Linux/x86_64 6.6.47.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y @@ -1073,6 +1073,7 @@ CONFIG_DEVICE_MIGRATION=y CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y CONFIG_ARCH_ENABLE_THP_MIGRATION=y CONFIG_CONTIG_ALLOC=y +CONFIG_PCP_BATCH_SCALE_MAX=5 CONFIG_PHYS_ADDR_T_64BIT=y CONFIG_MMU_NOTIFIER=y CONFIG_KSM=y 
@@ -2497,16 +2498,6 @@ CONFIG_DM_VERITY_FEC=y # CONFIG_DM_INTEGRITY is not set # CONFIG_DM_ZONED is not set # CONFIG_DM_AUDIT is not set -CONFIG_DM_IMA_MEASURE_CACHE=y -CONFIG_DM_IMA_MEASURE_CRYPT=y -CONFIG_DM_IMA_MEASURE_INTEGRITY=y -CONFIG_DM_IMA_MEASURE_LINEAR=y -CONFIG_DM_IMA_MEASURE_MIRROR=y -CONFIG_DM_IMA_MEASURE_MULTIPATH=y -CONFIG_DM_IMA_MEASURE_RAID=y -CONFIG_DM_IMA_MEASURE_SNAPSHOT=y -CONFIG_DM_IMA_MEASURE_STRIPED=y -CONFIG_DM_IMA_MEASURE_VERITY=y CONFIG_TARGET_CORE=m CONFIG_TCM_IBLOCK=m CONFIG_TCM_FILEIO=m @@ -4739,6 +4730,7 @@ CONFIG_DVB_SP2=m # Graphics support # CONFIG_APERTURE_HELPERS=y +CONFIG_SCREEN_INFO=y CONFIG_VIDEO_CMDLINE=y CONFIG_VIDEO_NOMODESET=y # CONFIG_AUXDISPLAY is not set @@ -7353,6 +7345,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y CONFIG_SECURITY_LANDLOCK=y CONFIG_SECURITY_IPE=y CONFIG_IPE_BOOT_POLICY="" diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index 978c965239c..e9f921e7339 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 6.6.43.1 Kernel Configuration +# Linux/arm64 6.6.47.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y @@ -398,6 +398,7 @@ CONFIG_ARM64_ERRATUM_2645198=y CONFIG_ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD=y CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y +CONFIG_ARM64_ERRATUM_3194386=y CONFIG_CAVIUM_ERRATUM_22375=y CONFIG_CAVIUM_ERRATUM_23144=y CONFIG_CAVIUM_ERRATUM_23154=y @@ -1097,6 +1098,7 @@ CONFIG_DEVICE_MIGRATION=y CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y CONFIG_ARCH_ENABLE_THP_MIGRATION=y CONFIG_CONTIG_ALLOC=y +CONFIG_PCP_BATCH_SCALE_MAX=5 CONFIG_PHYS_ADDR_T_64BIT=y CONFIG_MMU_NOTIFIER=y CONFIG_KSM=y 
@@ -3027,16 +3029,6 @@ CONFIG_DM_VERITY_FEC=y # CONFIG_DM_INTEGRITY is not set # CONFIG_DM_ZONED is not set # CONFIG_DM_AUDIT is not set -CONFIG_DM_IMA_MEASURE_CACHE=y -CONFIG_DM_IMA_MEASURE_CRYPT=y -CONFIG_DM_IMA_MEASURE_INTEGRITY=y -CONFIG_DM_IMA_MEASURE_LINEAR=y -CONFIG_DM_IMA_MEASURE_MIRROR=y -CONFIG_DM_IMA_MEASURE_MULTIPATH=y -CONFIG_DM_IMA_MEASURE_RAID=y -CONFIG_DM_IMA_MEASURE_SNAPSHOT=y -CONFIG_DM_IMA_MEASURE_STRIPED=y -CONFIG_DM_IMA_MEASURE_VERITY=y CONFIG_TARGET_CORE=m CONFIG_TCM_IBLOCK=m CONFIG_TCM_FILEIO=m @@ -3401,6 +3393,7 @@ CONFIG_NET_VENDOR_MICROSEMI=y CONFIG_MSCC_OCELOT_SWITCH_LIB=m CONFIG_MSCC_OCELOT_SWITCH=m CONFIG_NET_VENDOR_MICROSOFT=y +CONFIG_MICROSOFT_MANA=m CONFIG_NET_VENDOR_MYRI=y CONFIG_MYRI10GE=m CONFIG_FEALNX=m @@ -6509,6 +6502,7 @@ CONFIG_DVB_SP2=m # Graphics support # CONFIG_APERTURE_HELPERS=y +CONFIG_SCREEN_INFO=y CONFIG_VIDEO_CMDLINE=y CONFIG_VIDEO_NOMODESET=y # CONFIG_AUXDISPLAY is not set @@ -8158,6 +8152,7 @@ CONFIG_INFINIBAND_BNXT_RE=m CONFIG_INFINIBAND_CXGB4=m CONFIG_INFINIBAND_EFA=m # CONFIG_INFINIBAND_ERDMA is not set +# CONFIG_MANA_INFINIBAND is not set CONFIG_MLX4_INFINIBAND=m CONFIG_MLX5_INFINIBAND=m CONFIG_INFINIBAND_MTHCA=m @@ -10415,6 +10410,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y CONFIG_SECURITY_LANDLOCK=y CONFIG_SECURITY_IPE=y CONFIG_IPE_BOOT_POLICY="" diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index 29ddae735ea..b0d8478290a 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -17,8 +17,8 @@ Summary: Unified Kernel Image Name: kernel-uki -Version: 6.6.43.1 -Release: 7%{?dist} +Version: 6.6.47.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -70,6 +70,12 @@ ln -s /boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/lib/modules/%{kernelver}/v /lib/modules/%{kernelver}/vmlinuz-uki.efi %changelog +* Thu Aug 22 2024 CBL-Mariner Servicing Account - 6.6.47.1-1 +- Auto-upgrade to 6.6.47.1 + +* Wed Aug 14 2024 CBL-Mariner Servicing Account - 6.6.44.1-1 +- Auto-upgrade to 6.6.44.1 + * Sat Aug 10 2024 Thien Trung Vuong - 6.6.43.1-7 - Include systemd-cryptsetup in UKI diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 3cbabb85b09..fb9ff8c6bbf 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,11 +1,11 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "e9fed088f50bc1f41239e2e93bd6dd882f64f8ffa45f6bb8d7c03b9da19a3a25", - "config_aarch64": "8f143b5dc7a374c10fc6174616af3d39594b55688b9e10c62b463db4bf1b5427", + "config": "e64e049e175bd2d2d68794689b26e3080f5ce0f9141264be4e68c5be9af750c7", + "config_aarch64": "a97fae26989a351d21d27bd99d3a1456e8e661a2754ca0f690e98cc0b3f33c7b", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-6.6.43.1.tar.gz": "978e302c77d8ffbb7f6e6fafd1bc77c9fc84a7839d1ec3251f1c48d61eaf5c39" + "kernel-6.6.47.1.tar.gz": "05f517228da02a9d1d4fd86c66b7565aa7bd28bae1380e29d79f181842efe50f" } } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 7412aad9c05..198bd0f9ec9 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -29,8 +29,8 @@ Summary: Linux Kernel Name: kernel -Version: 6.6.43.1 -Release: 7%{?dist} +Version: 6.6.47.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -407,6 +407,12 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Thu Aug 22 2024 CBL-Mariner Servicing Account - 6.6.47.1-1 +- Auto-upgrade to 6.6.47.1 + +* Wed Aug 14 2024 CBL-Mariner Servicing Account - 6.6.44.1-1 +- Auto-upgrade to 6.6.44.1 + * Sat Aug 10 2024 Thien Trung Vuong - 6.6.43.1-7 - Include systemd-cryptsetup in UKI diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec index 9c629bae60a..2019b2431ce 100644 --- a/SPECS/kubernetes/kubernetes.spec +++ b/SPECS/kubernetes/kubernetes.spec @@ -10,7 +10,7 @@ Summary: Microsoft Kubernetes Name: kubernetes Version: 1.30.1 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -19,7 +19,7 @@ URL: https://kubernetes.io/ Source0: https://dl.k8s.io/v%{version}/kubernetes-src.tar.gz#/%{name}-v%{version}.tar.gz Source1: kubelet.service BuildRequires: flex-devel -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} BuildRequires: golang BuildRequires: rsync BuildRequires: systemd-devel @@ -269,6 +269,9 @@ fi %{_exec_prefix}/local/bin/pause %changelog +* Wed Aug 21 2024 Chris Co - 1.30.1-2 +- Bump to rebuild with updated glibc + * Fri May 24 2024 CBL-Mariner Servicing Account - 1.30.1-1 - Auto-upgrade to 1.30.1 diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec index e2eaef339b2..7b260bd4bb6 100644 --- a/SPECS/kubevirt/kubevirt.spec +++ b/SPECS/kubevirt/kubevirt.spec @@ -20,7 +20,7 @@ Summary: Container native virtualization Name: kubevirt Version: 1.2.0 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -33,7 +33,7 @@ Source0: https://github.com/kubevirt/kubevirt/archive/refs/tags/v%{versio Patch0: Cleanup-housekeeping-cgroup-on-vm-del.patch %global debug_package %{nil} BuildRequires: glibc-devel -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} BuildRequires: golang >= 1.21 BuildRequires: golang-packaging BuildRequires: pkgconfig @@ -269,6 +269,9 @@ install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt %{_bindir}/virt-tests %changelog +* Wed Aug 21 2024 Chris Co - 1.2.0-5 +- Bump to rebuild with updated glibc + * Thu Jun 26 2024 Sharath Srikanth Chellappa - 1.2.0-4 - Deleting Hotplug_Grace_Period.patch since it is no longer required. diff --git a/SPECS/libarrow/libarrow.spec b/SPECS/libarrow/libarrow.spec index 5831c075cdb..82ddf659733 100644 --- a/SPECS/libarrow/libarrow.spec +++ b/SPECS/libarrow/libarrow.spec @@ -13,7 +13,7 @@ Name: libarrow Version: 15.0.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: A toolbox for accelerated data interchange and in-memory processing License: Apache-2.0 URL: https://arrow.apache.org/ @@ -51,7 +51,7 @@ BuildRequires: pkgconfig BuildRequires: python3-devel BuildRequires: python3-numpy BuildRequires: python3-Cython -BuildRequires: abseil-cpp-devel +BuildRequires: abseil-cpp-devel >= 20240116.0-2 BuildRequires: c-ares-devel BuildRequires: thrift-devel %if %{with have_rapidjson} @@ -232,7 +232,7 @@ popd %{_libdir}/pkgconfig/arrow-json.pc %{_libdir}/pkgconfig/arrow.pc %{_datadir}/arrow/gdb/gdb_arrow.py -#%{_datadir}/gdb/auto-load/usr/lib64/libarrow.so.*-gdb.py +#%%{_datadir}/gdb/auto-load/usr/lib64/libarrow.so.*-gdb.py %files -n parquet-libs 
@@ -246,6 +246,10 @@ popd %{_libdir}/pkgconfig/parquet*.pc %changelog +* Thu Jul 25 2024 Devin Anderson - 15.0.0-6 +- Bump release to rebuild with latest 'abseil-cpp'. +- Fix 'rpm' warning about macro expansion inside a comment. + * Mon May 20 2024 Henry Beberman - 15.0.0-5 - Move to using source tarball from GitHub releases. @@ -375,4 +379,4 @@ popd - Arrow 8.0.0 GA * Thu Jan 13 2022 Kaleb S. KEITHLEY - 7.0.0-1 -- New upstream release. \ No newline at end of file +- New upstream release. diff --git a/SPECS/libguestfs/libguestfs.spec b/SPECS/libguestfs/libguestfs.spec index 9fef0cf838d..30d1aee3346 100644 --- a/SPECS/libguestfs/libguestfs.spec +++ b/SPECS/libguestfs/libguestfs.spec @@ -25,7 +25,7 @@ Summary: Access and modify virtual machine disk images Name: libguestfs Version: 1.52.0 -Release: 7%{?dist} +Release: 8%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -82,7 +82,7 @@ BuildRequires: gcc-c++ BuildRequires: gdisk BuildRequires: genisoimage BuildRequires: gfs2-utils -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} BuildRequires: gobject-introspection-devel BuildRequires: gperf BuildRequires: grep @@ -1147,6 +1147,9 @@ rm ocaml/html/.gitignore %endif %changelog +* Wed Aug 21 2024 Chris Co - 1.52.0-8 +- Bump to rebuild with updated glibc + * Thu Jul 18 2024 BettyLakes - 1.52.0-7 - Return the tests diff --git a/SPECS/libsndfile/CVE-2022-33065.patch b/SPECS/libsndfile/CVE-2022-33065.patch new file mode 100644 index 00000000000..593fde8cd19 --- /dev/null +++ b/SPECS/libsndfile/CVE-2022-33065.patch 
@@ -0,0 +1,1005 @@ +From db88d0d6878ca9147874443b791254b29d2a9543 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 10:48:49 -0400 +Subject: [PATCH 02/17] ossfuzz: remove extraneous read_buffer pointer + +Clang complains about the +sndfile_fuzz_header.h:sf_init_file():read_buffer pointer being unused +within its scope. This seems to be true, and a survey of the commit +which added it didn't indicate that this is intentional. + +Remove the unused read_buffer pointer. + +Signed-off-by: Alex Stewart +--- + ossfuzz/sndfile_fuzz_header.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/ossfuzz/sndfile_fuzz_header.h b/ossfuzz/sndfile_fuzz_header.h +index 898aec441..e82e9f8c0 100644 +--- a/ossfuzz/sndfile_fuzz_header.h ++++ b/ossfuzz/sndfile_fuzz_header.h +@@ -88,8 +88,7 @@ int sf_init_file(const uint8_t *data, + SNDFILE **sndfile, + VIO_DATA *vio_data, + SF_VIRTUAL_IO *vio, SF_INFO *sndfile_info) +-{ float* read_buffer = NULL ; +- ++{ + // Initialize the virtual IO structure. + vio->get_filelen = vfget_filelen ; + vio->seek = vfseek ; + +From 98fc031b1d65a1a5bfc9ab53fd3dff88ad0b4e11 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 11:10:59 -0400 +Subject: [PATCH 03/17] ossfuzz: fix sometimes undefined default case + +When vfseek() is called with a whence that is not SEEK_SET, SEEK_CUR, or +SEEK_END, it enters a default switch-case that does not set the +new_offset variable. The function then continues on and uses that unset +variable. + +Linux 3.1+ stdio allows for SEEK_DATA and SEEK_HOLE whence values, +though they aren't conceptually supported by the vfseek() function. + +Handle this case more sanely (and consistently with the lseek() +function) by setting errno to EINVAL when whence is an unsupported +value, and immediately returning -1 to flag the error. 
+ +Signed-off-by: Alex Stewart +--- + ossfuzz/sndfile_fuzz_header.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ossfuzz/sndfile_fuzz_header.h b/ossfuzz/sndfile_fuzz_header.h +index e82e9f8c0..a95b097b6 100644 +--- a/ossfuzz/sndfile_fuzz_header.h ++++ b/ossfuzz/sndfile_fuzz_header.h +@@ -1,6 +1,8 @@ + #ifndef SNDFILE_FUZZ_HEADER_H + #define SNDFILE_FUZZ_HEADER_H + ++#include ++ + typedef struct + { + sf_count_t offset ; +@@ -32,6 +34,9 @@ static sf_count_t vfseek (sf_count_t offset, int whence, void *user_data) + break ; + + default : ++ // SEEK_DATA and SEEK_HOLE are not supported by this function. ++ errno = EINVAL ; ++ return -1 ; + break ; + } + + +From 58469844b5fb675e5bbe919fceda2db77ec868a7 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 13:22:06 -0400 +Subject: [PATCH 04/17] Makefile.am: fixup ossfuzz LDADD + +Automake cannot properly associate the libstandaloneengine.la target as +a dependency of the other ossfuzz targets, because it is specified with +the wrong path - leading to a make error when trying to build with +`--enable-ossfuzzers`. + +Specify the correct path. + +Signed-off-by: Alex Stewart +--- + Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 324d76329..55e8cf632 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -456,7 +456,7 @@ if USE_OSSFUZZ_STATIC + FUZZ_LDADD = $(LIB_FUZZING_ENGINE) + FUZZ_FLAG = + else +-FUZZ_LDADD = libstandaloneengine.la ++FUZZ_LDADD = ossfuzz/libstandaloneengine.la + FUZZ_FLAG = + endif + endif + +From 57ad7b69431073d52312a69addd46221029ccb08 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Tue, 10 Oct 2023 16:10:34 -0400 +Subject: [PATCH 05/17] mat4/mat5: fix int overflow in dataend calculation + +The clang sanitizer warns of a possible signed integer overflow when +calculating the `dataend` value in `mat4_read_header()`. 
+ +``` +src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in +src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in +``` + +Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of +`dataend` before performing the calculation, to avoid the issue. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/789 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/mat4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mat4.c b/src/mat4.c +index 0b1b414b4..575683ba1 100644 +--- a/src/mat4.c ++++ b/src/mat4.c +@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf) + psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ; + } + else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth) +- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ; ++ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ; + + psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ; + + +From 56e6c5408f1ee6d476b234c105fb28b4998e811b Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 16:36:02 -0400 +Subject: [PATCH 06/17] au: avoid int overflow while calculating data_end + +At several points in au_read_header(), we calculate the functional end +of the data segment by adding the (int)au_fmt.dataoffset and the +(int)au_fmt.datasize. This can overflow the implicit int_32 return value +and cause undefined behavior. + +Instead, precalculate the value and assign it to a 64-bit +(sf_count_t)data_end variable. 
+ +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/au.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/au.c b/src/au.c +index 62bd691d6..f68f25871 100644 +--- a/src/au.c ++++ b/src/au.c +@@ -291,6 +291,7 @@ static int + au_read_header (SF_PRIVATE *psf) + { AU_FMT au_fmt ; + int marker, dword ; ++ sf_count_t data_end ; + + memset (&au_fmt, 0, sizeof (au_fmt)) ; + psf_binheader_readf (psf, "pm", 0, &marker) ; +@@ -317,14 +318,15 @@ au_read_header (SF_PRIVATE *psf) + return SFE_AU_EMBED_BAD_LEN ; + } ; + ++ data_end = (sf_count_t) au_fmt.dataoffset + (sf_count_t) au_fmt.datasize ; + if (psf->fileoffset > 0) +- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ; ++ { psf->filelength = data_end ; + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; + } +- else if (au_fmt.datasize == -1 || au_fmt.dataoffset + au_fmt.datasize == psf->filelength) ++ else if (au_fmt.datasize == -1 || data_end == psf->filelength) + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; +- else if (au_fmt.dataoffset + au_fmt.datasize < psf->filelength) +- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ; ++ else if (data_end < psf->filelength) ++ { psf->filelength = data_end ; + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; + } + else + +From 839fa9131820d689b2038c81531b618b2932fbe3 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 16:46:29 -0400 +Subject: [PATCH 07/17] avr: fix int overflow in avr_read_header() + +Pre-cast hdr.frames to sf_count_t, to provide the calculation with +enough numeric space to avoid an int-overflow. 
+ +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/avr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/avr.c b/src/avr.c +index 6c78ff69b..1bc1ffc90 100644 +--- a/src/avr.c ++++ b/src/avr.c +@@ -162,7 +162,7 @@ avr_read_header (SF_PRIVATE *psf) + psf->endian = SF_ENDIAN_BIG ; + + psf->dataoffset = AVR_HDR_SIZE ; +- psf->datalength = hdr.frames * (hdr.rez / 8) ; ++ psf->datalength = (sf_count_t) hdr.frames * (hdr.rez / 8) ; + + if (psf->fileoffset > 0) + psf->filelength = AVR_HDR_SIZE + psf->datalength ; + +From 1116fa173ea8785c9d881936b2174be6a58c0055 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 16:54:21 -0400 +Subject: [PATCH 08/17] sds: fix int overflow warning in sample calculations + +The sds_*byte_read() functions compose their uint_32 sample buffers by +shifting 7bit samples into a 32bit wide buffer, and adding them +together. Because the 7bit samples are stored in 32bit ints, code +fuzzers become concerned that the addition operation can overflow and +cause undefined behavior. + +Instead, bitwise-OR the bytes together - which should accomplish the +same arithmetic operation, without risking an int-overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Do the same for the 3byte and 4byte read functions. 
+--- + src/sds.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/sds.c b/src/sds.c +index 6bc761716..2a0f164c3 100644 +--- a/src/sds.c ++++ b/src/sds.c +@@ -454,7 +454,7 @@ sds_2byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 2) +- { sample = arith_shift_left (ucptr [k], 25) + arith_shift_left (ucptr [k + 1], 18) ; ++ { sample = arith_shift_left (ucptr [k], 25) | arith_shift_left (ucptr [k + 1], 18) ; + psds->read_samples [k / 2] = (int) (sample - 0x80000000) ; + } ; + +@@ -498,7 +498,7 @@ sds_3byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 3) +- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) ; ++ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) ; + psds->read_samples [k / 3] = (int) (sample - 0x80000000) ; + } ; + +@@ -542,7 +542,7 @@ sds_4byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 4) +- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) + (ucptr [k + 3] << 4) ; ++ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) | (ucptr [k + 3] << 4) ; + psds->read_samples [k / 4] = (int) (sample - 0x80000000) ; + } ; + + +From 23188c9b1c34f06ca7f17243425d59403e9eb0db Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 17:26:51 -0400 +Subject: [PATCH 09/17] aiff: fix int overflow when counting header elements + +aiff_read_basc_chunk() tries to count the AIFF header size by keeping +track of the bytes returned by psf_binheader_readf(). Though improbable, +it is technically possible for these added bytes to exceed the int-sized +`count` accumulator. + +Use a 64-bit sf_count_t type for `count`, to ensure that it always has +enough numeric space. 
+ +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/aiff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/aiff.c b/src/aiff.c +index ac3655e9d..6d8f1bc83 100644 +--- a/src/aiff.c ++++ b/src/aiff.c +@@ -1702,7 +1702,7 @@ static int + aiff_read_basc_chunk (SF_PRIVATE * psf, int datasize) + { const char * type_str ; + basc_CHUNK bc ; +- int count ; ++ sf_count_t count ; + + count = psf_binheader_readf (psf, "E442", &bc.version, &bc.numBeats, &bc.rootNote) ; + count += psf_binheader_readf (psf, "E222", &bc.scaleType, &bc.sigNumerator, &bc.sigDenominator) ; + +From 00bd0320d895ef5f3027c75a9df26546bc18f8b7 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 17:43:02 -0400 +Subject: [PATCH 10/17] ircam: fix int overflow in ircam_read_header() + +When reading the IRCAM header, it is possible for the calculated +blockwidth to exceed the bounds of a signed int32. + +Use a 64bit sf_count_t to store the blockwidth. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/common.h | 2 +- + src/ircam.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/common.h b/src/common.h +index cd9ac8b07..01f6ae095 100644 +--- a/src/common.h ++++ b/src/common.h +@@ -439,7 +439,7 @@ typedef struct sf_private_tag + sf_count_t datalength ; /* Length in bytes of the audio data. */ + sf_count_t dataend ; /* Offset to file tailer. */ + +- int blockwidth ; /* Size in bytes of one set of interleaved samples. */ ++ sf_count_t blockwidth ; /* Size in bytes of one set of interleaved samples. */ + int bytewidth ; /* Size in bytes of one sample (one channel). 
*/ + + void *dither ; +diff --git a/src/ircam.c b/src/ircam.c +index 8e7cdba81..3d73ba442 100644 +--- a/src/ircam.c ++++ b/src/ircam.c +@@ -171,35 +171,35 @@ ircam_read_header (SF_PRIVATE *psf) + switch (encoding) + { case IRCAM_PCM_16 : + psf->bytewidth = 2 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_16 ; + break ; + + case IRCAM_PCM_32 : + psf->bytewidth = 4 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_32 ; + break ; + + case IRCAM_FLOAT : + psf->bytewidth = 4 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_FLOAT ; + break ; + + case IRCAM_ALAW : + psf->bytewidth = 1 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ALAW ; + break ; + + case IRCAM_ULAW : + psf->bytewidth = 1 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ULAW ; + break ; + +From 590608bbbded2ca0966dc89c5d9b6bf659f4cb71 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 16:12:22 -0400 +Subject: [PATCH 11/17] mat4/mat5: fix int overflow when calculating blockwidth + +Pre-cast the components of the blockwidth calculation to sf_count_t to +avoid overflowing integers during calculation. 
+ +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/mat4.c | 2 +- + src/mat5.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/mat4.c b/src/mat4.c +index 575683ba1..9f046f0c6 100644 +--- a/src/mat4.c ++++ b/src/mat4.c +@@ -104,7 +104,7 @@ mat4_open (SF_PRIVATE *psf) + + psf->container_close = mat4_close ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + switch (subformat) + { case SF_FORMAT_PCM_16 : +diff --git a/src/mat5.c b/src/mat5.c +index da5a6eca0..20f0ea64b 100644 +--- a/src/mat5.c ++++ b/src/mat5.c +@@ -114,7 +114,7 @@ mat5_open (SF_PRIVATE *psf) + + psf->container_close = mat5_close ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + switch (subformat) + { case SF_FORMAT_PCM_U8 : + +From 4ec860910a4ee91ed4fdf1c0a49f2dad96d595c9 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Mon, 16 Oct 2023 12:37:47 -0400 +Subject: [PATCH 12/17] common: fix int overflow in psf_binheader_readf() + +The psf_binheader_readf() function attempts to count and return the +number of bytes traversed in the header. During this accumulation, it is +possible to overflow the int-sized byte_count variable. + +Avoid this overflow by checking that the accumulated bytes do not exceed +INT_MAX and throwing an error if they do. This implies that files with +multi-gigabyte headers threaten to produce this error, but I imagine +those files don't really exist - and this error is better than the +undefined behavior which would have resulted previously. 
+ +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/common.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +diff --git a/src/common.c b/src/common.c +index b877aa864..8982379a4 100644 +--- a/src/common.c ++++ b/src/common.c +@@ -18,6 +18,7 @@ + + #include + ++#include + #include + #include + #if HAVE_UNISTD_H +@@ -990,6 +991,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + double *doubleptr ; + char c ; + int byte_count = 0, count = 0 ; ++ int read_bytes = 0 ; + + if (! format) + return psf_ftell (psf) ; +@@ -998,6 +1000,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + + while ((c = *format++)) + { ++ read_bytes = 0 ; + if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16)) + break ; + +@@ -1014,7 +1017,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, ucptr, sizeof (int)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (int)) ; + *intptr = GET_MARKER (ucptr) ; + break ; + +@@ -1022,7 +1025,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ; ++ read_bytes = header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ; + { int k ; + intdata = 0 ; + for (k = 0 ; k < 16 ; k++) +@@ -1034,14 +1037,14 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) 
+ case '1' : + charptr = va_arg (argptr, char*) ; + *charptr = 0 ; +- byte_count += header_read (psf, charptr, sizeof (char)) ; ++ read_bytes = header_read (psf, charptr, sizeof (char)) ; + break ; + + case '2' : /* 2 byte value with the current endian-ness */ + shortptr = va_arg (argptr, unsigned short*) ; + *shortptr = 0 ; + ucptr = (unsigned char*) shortptr ; +- byte_count += header_read (psf, ucptr, sizeof (short)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (short)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *shortptr = GET_BE_SHORT (ucptr) ; + else +@@ -1051,7 +1054,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case '3' : /* 3 byte value with the current endian-ness */ + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; +- byte_count += header_read (psf, sixteen_bytes, 3) ; ++ read_bytes = header_read (psf, sixteen_bytes, 3) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *intptr = GET_BE_3BYTE (sixteen_bytes) ; + else +@@ -1062,7 +1065,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, ucptr, sizeof (int)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (int)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *intptr = psf_get_be32 (ucptr, 0) ; + else +@@ -1072,7 +1075,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case '8' : /* 8 byte value with the current endian-ness */ + countptr = va_arg (argptr, sf_count_t *) ; + *countptr = 0 ; +- byte_count += header_read (psf, sixteen_bytes, 8) ; ++ read_bytes = header_read (psf, sixteen_bytes, 8) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + countdata = psf_get_be64 (sixteen_bytes, 0) ; + else +@@ -1083,7 +1086,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) 
+ case 'f' : /* Float conversion */ + floatptr = va_arg (argptr, float *) ; + *floatptr = 0.0 ; +- byte_count += header_read (psf, floatptr, sizeof (float)) ; ++ read_bytes = header_read (psf, floatptr, sizeof (float)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *floatptr = float32_be_read ((unsigned char*) floatptr) ; + else +@@ -1093,7 +1096,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case 'd' : /* double conversion */ + doubleptr = va_arg (argptr, double *) ; + *doubleptr = 0.0 ; +- byte_count += header_read (psf, doubleptr, sizeof (double)) ; ++ read_bytes = header_read (psf, doubleptr, sizeof (double)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *doubleptr = double64_be_read ((unsigned char*) doubleptr) ; + else +@@ -1117,7 +1120,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + charptr = va_arg (argptr, char*) ; + count = va_arg (argptr, size_t) ; + memset (charptr, 0, count) ; +- byte_count += header_read (psf, charptr, count) ; ++ read_bytes = header_read (psf, charptr, count) ; + break ; + + case 'G' : +@@ -1128,7 +1131,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + if (psf->header.indx + count >= psf->header.len && psf_bump_header_allocation (psf, count)) + break ; + +- byte_count += header_gets (psf, charptr, count) ; ++ read_bytes = header_gets (psf, charptr, count) ; + break ; + + case 'z' : +@@ -1152,7 +1155,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case 'j' : /* Seek to position from current position. */ + count = va_arg (argptr, size_t) ; + header_seek (psf, count, SEEK_CUR) ; +- byte_count += count ; ++ read_bytes = count ; + break ; + + case '!' : /* Clear buffer, forcing re-read. */ +@@ -1164,8 +1167,17 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + psf->error = SFE_INTERNAL ; + break ; + } ; ++ ++ if (read_bytes > 0 && byte_count > (INT_MAX - read_bytes)) ++ { psf_log_printf (psf, "Header size exceeds INT_MAX. 
Aborting.", c) ; ++ psf->error = SFE_INTERNAL ; ++ break ; ++ } else ++ { byte_count += read_bytes ; + } ; + ++ } ; /*end while*/ ++ + va_end (argptr) ; + + return byte_count ; + +From 6e162cb767e81cd15f4dc2a2fa253d2e36adfd70 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Thu, 19 Oct 2023 14:07:19 -0400 +Subject: [PATCH 13/17] nms_adpcm: fix int overflow in signal estimate + +It is possible (though functionally incorrect) for the signal estimate +calculation in nms_adpcm_update() to overflow the int value of s_e, +resulting in undefined behavior. + +Since adpcm state signal values are never practically larger than +16 bits, use smaller numeric sizes throughout the file to avoid the +overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Authored-by: Arthur Taylor +Signed-off-by: Alex Stewart +--- + src/nms_adpcm.c | 83 ++++++++++++++++++++++++------------------------- + 1 file changed, 41 insertions(+), 42 deletions(-) + +diff --git a/src/nms_adpcm.c b/src/nms_adpcm.c +index 1aac375..c164a64 100644 +--- a/src/nms_adpcm.c ++++ b/src/nms_adpcm.c +@@ -48,36 +48,36 @@ + /* Variable names from ITU G.726 spec */ + struct nms_adpcm_state + { /* Log of the step size multiplier. Operated on by codewords. */ +- int yl ; ++ short yl ; + + /* Quantizer step size multiplier. Generated from yl. */ +- int y ; ++ short y ; + + /* Coefficents of the pole predictor */ +- int a [2] ; ++ short a [2] ; + + /* Coefficents of the zero predictor */ +- int b [6] ; ++ short b [6] ; + + /* Previous quantized deltas (multiplied by 2^14) */ +- int d_q [7] ; ++ short d_q [7] ; + + /* d_q [x] + s_ez [x], used by the pole-predictor for signs only. */ +- int p [3] ; ++ short p [3] ; + + /* Previous reconstructed signal values. */ +- int s_r [2] ; ++ short s_r [2] ; + + /* Zero predictor components of the signal estimate. */ +- int s_ez ; ++ short s_ez ; + + /* Signal estimate, (including s_ez). 
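Review bot: In the overflow guard added at the end of the `psf_binheader_readf()` loop, the log call passes `c` to a format string that has no conversion for it, and the message lacks the trailing `\n` that the other `psf_log_printf` calls in this patch series carry. I would write it as `psf_log_printf (psf, "Header size exceeds INT_MAX. Aborting.\n") ;`. The guard also tests only `read_bytes > 0`, so on the `'j'` seek path a negative `count` is still added to `byte_count` unchecked; whether any caller passes one is not visible here. The function body starts and ends outside this hunk.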
*/ +- int s_e ; ++ short s_e ; + + /* The most recent codeword (enc:generated, dec:inputted) */ +- int Ik ; ++ char Ik ; + +- int parity ; ++ char parity ; + + /* + ** Offset into code tables for the bitrate. +@@ -109,7 +109,7 @@ typedef struct + } NMS_ADPCM_PRIVATE ; + + /* Pre-computed exponential interval used in the antilog approximation. */ +-static unsigned int table_expn [] = ++static unsigned short table_expn [] = + { 0x4000, 0x4167, 0x42d5, 0x444c, 0x45cb, 0x4752, 0x48e2, 0x4a7a, + 0x4c1b, 0x4dc7, 0x4f7a, 0x5138, 0x52ff, 0x54d1, 0x56ac, 0x5892, + 0x5a82, 0x5c7e, 0x5e84, 0x6096, 0x62b4, 0x64dd, 0x6712, 0x6954, +@@ -117,21 +117,21 @@ static unsigned int table_expn [] = + } ; + + /* Table mapping codewords to scale factor deltas. */ +-static int table_scale_factor_step [] = ++static short table_scale_factor_step [] = + { 0x0, 0x0, 0x0, 0x0, 0x4b0, 0x0, 0x0, 0x0, /* 2-bit */ + -0x3c, 0x0, 0x90, 0x0, 0x2ee, 0x0, 0x898, 0x0, /* 3-bit */ + -0x30, 0x12, 0x6b, 0xc8, 0x188, 0x2e0, 0x551, 0x1150, /* 4-bit */ + } ; + + /* Table mapping codewords to quantized delta interval steps. */ +-static unsigned int table_step [] = ++static unsigned short table_step [] = + { 0x73F, 0, 0, 0, 0x1829, 0, 0, 0, /* 2-bit */ + 0x3EB, 0, 0xC18, 0, 0x1581, 0, 0x226E, 0, /* 3-bit */ + 0x20C, 0x635, 0xA83, 0xF12, 0x1418, 0x19E3, 0x211A, 0x2BBA, /* 4-bit */ + } ; + + /* Binary search lookup table for quantizing using table_step. */ +-static int table_step_search [] = ++static short table_step_search [] = + { 0, 0x1F6D, 0, -0x1F6D, 0, 0, 0, 0, /* 2-bit */ + 0x1008, 0x1192, 0, -0x219A, 0x1656, -0x1656, 0, 0, /* 3-bit */ + 0x872, 0x1277, -0x8E6, -0x232B, 0xD06, -0x17D7, -0x11D3, 0, /* 4-bit */ +@@ -179,23 +179,23 @@ static sf_count_t nms_adpcm_seek (SF_PRIVATE *psf, int mode, sf_count_t offset) + ** Maps [1,20480] to [1,1024] in an exponential relationship. 
This is + ** approximately ret = b^exp where b = e^(ln(1024)/ln(20480)) ~= 1.0003385 + */ +-static inline int +-nms_adpcm_antilog (int exp) +-{ int ret ; ++static inline short ++nms_adpcm_antilog (short exp) ++{ int_fast32_t r ; + +- ret = 0x1000 ; +- ret += (((exp & 0x3f) * 0x166b) >> 12) ; +- ret *= table_expn [(exp & 0x7c0) >> 6] ; +- ret >>= (26 - (exp >> 11)) ; ++ r = 0x1000 ; ++ r += (((int_fast32_t) (exp & 0x3f) * 0x166b) >> 12) ; ++ r *= table_expn [(exp & 0x7c0) >> 6] ; ++ r >>= (26 - (exp >> 11)) ; + +- return ret ; ++ return (short) r ; + } /* nms_adpcm_antilog */ + + static void + nms_adpcm_update (struct nms_adpcm_state *s) + { /* Variable names from ITU G.726 spec */ +- int a1ul ; +- int fa1 ; ++ short a1ul, fa1 ; ++ int_fast32_t se ; + int i ; + + /* Decay and Modify the scale factor in the log domain based on the codeword. */ +@@ -222,7 +222,7 @@ nms_adpcm_update (struct nms_adpcm_state *s) + else if (fa1 > 256) + fa1 = 256 ; + +- s->a [0] = (0xff * s->a [0]) >> 8 ; ++ s->a [0] = (s->a [0] * 0xff) >> 8 ; + if (s->p [0] != 0 && s->p [1] != 0 && ((s->p [0] ^ s->p [1]) < 0)) + s->a [0] -= 192 ; + else +@@ -230,7 +230,7 @@ nms_adpcm_update (struct nms_adpcm_state *s) + fa1 = -fa1 ; + } + +- s->a [1] = fa1 + ((0xfe * s->a [1]) >> 8) ; ++ s->a [1] = fa1 + ((s->a [1] * 0xfe) >> 8) ; + if (s->p [0] != 0 && s->p [2] != 0 && ((s->p [0] ^ s->p [2]) < 0)) + s->a [1] -= 128 ; + else +@@ -250,19 +250,18 @@ nms_adpcm_update (struct nms_adpcm_state *s) + s->a [0] = a1ul ; + } ; + +- /* Compute the zero predictor estimate. Rotate past deltas too. */ +- s->s_ez = 0 ; ++ /* Compute the zero predictor estimate and rotate past deltas. */ ++ se = 0 ; + for (i = 5 ; i >= 0 ; i--) +- { s->s_ez += s->d_q [i] * s->b [i] ; ++ { se += (int_fast32_t) s->d_q [i] * s->b [i] ; + s->d_q [i + 1] = s->d_q [i] ; + } ; +- +- /* Compute the signal estimate. 
*/ +- s->s_e = s->a [0] * s->s_r [0] + s->a [1] * s->s_r [1] + s->s_ez ; +- +- /* Return to scale */ +- s->s_ez >>= 14 ; +- s->s_e >>= 14 ; ++ s->s_ez = se >> 14 ; ++ ++ /* Complete the signal estimate. */ ++ se += (int_fast32_t) s->a [0] * s->s_r [0] ; ++ se += (int_fast32_t) s->a [1] * s->s_r [1] ; ++ s->s_e = se >> 14 ; + + /* Rotate members to prepare for next iteration. */ + s->s_r [1] = s->s_r [0] ; +@@ -274,7 +273,7 @@ nms_adpcm_update (struct nms_adpcm_state *s) + static int16_t + nms_adpcm_reconstruct_sample (struct nms_adpcm_state *s, uint8_t I) + { /* Variable names from ITU G.726 spec */ +- int dqx ; ++ int_fast32_t dqx ; + + /* + ** The ordering of the 12-bit right-shift is a precision loss. It agrees +@@ -308,17 +307,17 @@ nms_adpcm_codec_init (struct nms_adpcm_state *s, enum nms_enc_type type) + /* + ** nms_adpcm_encode_sample() + ** +-** Encode a linear 16-bit pcm sample into a 2,3, or 4 bit NMS-ADPCM codeword ++** Encode a linear 16-bit pcm sample into a 2, 3, or 4 bit NMS-ADPCM codeword + ** using and updating the predictor state. + */ + static uint8_t + nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl) + { /* Variable names from ITU G.726 spec */ +- int d ; ++ int_fast32_t d ; + uint8_t I ; + + /* Down scale the sample from 16 => ~14 bits. 
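Review bot: The rewritten estimate in `nms_adpcm_update()` stores `se >> 14` into the now-`short` fields `s->s_ez` and `s->s_e` without a range check, so the signed-overflow UB is replaced by a silent implementation-defined narrowing whenever the accumulated value does not fit in 16 bits. The commit message argues this never happens in practice, but on the decode side the state appears to be driven by codewords taken from the file, so the assumption deserves either a clamp before the store or a comment beside it. A suitable comment would be `/* se >> 14 is assumed to fit in 16 bits for valid streams; out-of-range values are truncated, not trapped. */`. The function body starts and ends outside this hunk.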
*/ +- sl = (sl * 0x1fdf) / 0x7fff ; ++ sl = ((int_fast32_t) sl * 0x1fdf) / 0x7fff ; + + /* Compute estimate, and delta from actual value */ + nms_adpcm_update (s) ; +@@ -407,7 +406,7 @@ nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl) + */ + static int16_t + nms_adpcm_decode_sample (struct nms_adpcm_state *s, uint8_t I) +-{ int sl ; ++{ int_fast32_t sl ; + + nms_adpcm_update (s) ; + sl = nms_adpcm_reconstruct_sample (s, I) ; + +From cd44bfaf3708e778c8670cb7f707a597c3334376 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Tue, 17 Oct 2023 11:50:53 -0400 +Subject: [PATCH 14/17] nms_adpcm: fix int overflow in sf.frames calc + +When calculating sf.frames from the blocks_total PNMS variable, it is +theoretically possible to overflow the blocks_total int boundaries, +leading to undefined behavior. + +Cast blocks_total to a long-sized sf_count_t before the calculation, to +provide it with enough numeric space and because that is the final +typing regardless. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/nms_adpcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/nms_adpcm.c b/src/nms_adpcm.c +index dca85f0b0..61d171c73 100644 +--- a/src/nms_adpcm.c ++++ b/src/nms_adpcm.c +@@ -1090,7 +1090,7 @@ nms_adpcm_init (SF_PRIVATE *psf) + else + pnms->blocks_total = psf->datalength / (pnms->shortsperblock * sizeof (short)) ; + +- psf->sf.frames = pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ; ++ psf->sf.frames = (sf_count_t) pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ; + psf->codec_close = nms_adpcm_close ; + psf->seek = nms_adpcm_seek ; + + +From 915e154e2deb327612ca413c838365b7c9bfbf16 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Tue, 17 Oct 2023 11:57:23 -0400 +Subject: [PATCH 15/17] pcm: fix int overflow in pcm_init() + +Cast the int-sized bytewidth variable to a long-sized sf_count_t type +prior to calculating the blockwidth, to provide the 
calculation with +enough numeric space and sf_count_t is the final typing regardless. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/pcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pcm.c b/src/pcm.c +index bdf461839..a42e48681 100644 +--- a/src/pcm.c ++++ b/src/pcm.c +@@ -127,7 +127,7 @@ pcm_init (SF_PRIVATE *psf) + return SFE_INTERNAL ; + } ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + if ((SF_CODEC (psf->sf.format)) == SF_FORMAT_PCM_S8) + chars = SF_CHARS_SIGNED ; + +From ec149a79d457916479489d71b55e4d63015a08ea Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Tue, 17 Oct 2023 12:01:00 -0400 +Subject: [PATCH 16/17] rf64: fix int overflow in rf64_read_header() + +When checking for mismatches between the filelength and riff_size, it is +possible to overflow the temporary riff_size value used in the +comparison by adding a static offset; which is probably fine, but it is +offensive to overflow fuzzers. + +Since filelength is always a positive value, simply move the offset to +the other side of the comparison operator as a negative value, avoid the +possibility of an overflow. 
+ +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/rf64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/rf64.c b/src/rf64.c +index 123db445a..c60399fb3 100644 +--- a/src/rf64.c ++++ b/src/rf64.c +@@ -242,7 +242,7 @@ rf64_read_header (SF_PRIVATE *psf, int *blockalign, int *framesperblock) + } ; + } ; + +- if (psf->filelength != riff_size + 8) ++ if (psf->filelength - 8 != riff_size) + psf_log_printf (psf, " Riff size : %D (should be %D)\n", riff_size, psf->filelength - 8) ; + else + psf_log_printf (psf, " Riff size : %D\n", riff_size) ; + +From 9f097e492a07c96e3b250d6ac0044499f64f6cea Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Tue, 17 Oct 2023 12:19:12 -0400 +Subject: [PATCH 17/17] ima_adpcm: fix int overflow in ima_reader_init() + +When calculating sf.frames, pre-cast samplesperblock to sf_count_t, to +provide the calculation with enough numeric space to avoid overflows. + +Other changes in this commit are syntactic, and only to satisfy the git +pre-commit syntax checker. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/ima_adpcm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/ima_adpcm.c b/src/ima_adpcm.c +index bc61f4e5a..7464d1b33 100644 +--- a/src/ima_adpcm.c ++++ b/src/ima_adpcm.c +@@ -187,7 +187,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int samplesperblock) + ** to avoid having to branch when pulling apart the nibbles. + */ + count = ((samplesperblock - 2) | 7) + 2 ; +- pimasize = sizeof (IMA_ADPCM_PRIVATE) + psf->sf.channels * (blockalign + samplesperblock + sizeof(short) * count) ; ++ pimasize = sizeof (IMA_ADPCM_PRIVATE) + psf->sf.channels * (blockalign + samplesperblock + sizeof (short) * count) ; + + if (! 
(pima = calloc (1, pimasize))) + return SFE_MALLOC_FAILED ; +@@ -238,7 +238,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int samplesperblock) + case SF_FORMAT_AIFF : + psf_log_printf (psf, "still need to check block count\n") ; + pima->decode_block = aiff_ima_decode_block ; +- psf->sf.frames = pima->samplesperblock * pima->blocks / pima->channels ; ++ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks / pima->channels ; + break ; + + default : +@@ -391,7 +391,7 @@ aiff_ima_encode_block (SF_PRIVATE *psf, IMA_ADPCM_PRIVATE *pima) + static int + wavlike_ima_decode_block (SF_PRIVATE *psf, IMA_ADPCM_PRIVATE *pima) + { int chan, k, predictor, blockindx, indx, indxstart, diff ; +- short step, bytecode, stepindx [2] = { 0 }; ++ short step, bytecode, stepindx [2] = { 0 } ; + + pima->blockcount ++ ; + pima->samplecount = 0 ; diff --git a/SPECS/libsndfile/libsndfile.spec b/SPECS/libsndfile/libsndfile.spec index 2f40182458e..3f51c431217 100644 --- a/SPECS/libsndfile/libsndfile.spec +++ b/SPECS/libsndfile/libsndfile.spec @@ -1,7 +1,7 @@ Summary: Library for reading and writing sound files Name: libsndfile Version: 1.2.2 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD AND GPLv2+ AND LGPLv2+ AND MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -14,6 +14,7 @@ Patch1: revert.patch # CVE disputed by project's owner, no repro. # See here for more details: https://github.com/libsndfile/libsndfile/issues/398. Patch100: CVE-2018-13419.nopatch +Patch101: CVE-2022-33065.patch BuildRequires: alsa-lib-devel BuildRequires: autogen @@ -138,6 +139,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %{_libdir}/pkgconfig/sndfile.pc %changelog +* Fri Aug 23 2024 Sumedh Sharma - 1.2.2-2 +- Add patch to resolve CVE-2022-33065 + * Thu Feb 22 2024 CBL-Mariner Servicing Account - 1.2.2-1 - Auto-upgrade to 1.2.2 diff --git a/SPECS/libtiff/CVE-2024-7006.patch b/SPECS/libtiff/CVE-2024-7006.patch new file mode 100644 index 00000000000..d4f5c2601b9 --- /dev/null 
+++ b/SPECS/libtiff/CVE-2024-7006.patch @@ -0,0 +1,60 @@ +From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 1 Dec 2023 20:12:25 +0100 +Subject: [PATCH] Check return value of _TIFFCreateAnonField(). + +Fixes #624 +--- + libtiff/tif_dirinfo.c | 2 +- + libtiff/tif_dirread.c | 16 ++++++---------- + 2 files changed, 7 insertions(+), 11 deletions(-) + +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index 0e705e8..4cfdaad 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, + if (fld == NULL) + { + fld = _TIFFCreateAnonField(tif, tag, dt); +- if (!_TIFFMergeFields(tif, fld, 1)) ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + return NULL; + } + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 58a4276..738df9f 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4275,11 +4275,9 @@ int TIFFReadDirectory(TIFF *tif) + dp->tdir_tag, dp->tdir_tag); + /* the following knowingly leaks the + anonymous field structure */ +- if (!_TIFFMergeFields( +- tif, +- _TIFFCreateAnonField(tif, dp->tdir_tag, +- (TIFFDataType)dp->tdir_type), +- 1)) ++ const TIFFField *fld = _TIFFCreateAnonField( ++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + { + TIFFWarningExtR( + tif, module, +@@ -5153,11 +5151,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff, + "Unknown field with tag %" PRIu16 " (0x%" PRIx16 + ") encountered", + dp->tdir_tag, dp->tdir_tag); +- if (!_TIFFMergeFields( +- tif, +- _TIFFCreateAnonField(tif, dp->tdir_tag, +- (TIFFDataType)dp->tdir_type), +- 1)) ++ const TIFFField *fld = _TIFFCreateAnonField( ++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + { + TIFFWarningExtR(tif, module, + "Registering anonymous field with tag %" PRIu16 +-- +2.34.1 
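Review bot: At all three call sites the new `fld == NULL ||` guard stops the NULL from reaching `_TIFFMergeFields`, but a field that was created and then fails to merge is still dropped without being released: `_TIFFFindOrRegisterField()` just returns NULL and the two `tif_dirread.c` sites only warn. Whether `_TIFFMergeFields` keeps any reference on failure is not visible in these hunks, so this may be an accepted leak limited to the error path. The retained comment `/* the following knowingly leaks the anonymous field structure */` in `TIFFReadDirectory()` should at least be updated to say so, for example `/* fld is NULL on allocation failure; on merge failure the anonymous field is knowingly leaked */`. The enclosing functions start and end outside the hunks.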
diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec index e001438b4fd..875dcb048ee 100644 --- a/SPECS/libtiff/libtiff.spec +++ b/SPECS/libtiff/libtiff.spec @@ -1,7 +1,7 @@ Summary: TIFF libraries and associated utilities. Name: libtiff Version: 4.6.0 -Release: 3%{?dist} +Release: 4%{?dist} License: libtiff Vendor: Microsoft Corporation Distribution: Azure Linux @@ -10,6 +10,7 @@ URL: https://gitlab.com/libtiff/libtiff Source0: https://gitlab.com/libtiff/libtiff/-/archive/v%{version}/libtiff-v%{version}.tar.gz Patch0: CVE-2023-52356.patch Patch1: CVE-2023-6277.patch +Patch2: CVE-2024-7006.patch BuildRequires: autoconf BuildRequires: automake @@ -63,6 +64,9 @@ make %{?_smp_mflags} -k check %{_docdir}/* %changelog +* Tue Aug 13 2024 Aadhar Agarwal - 4.6.0-4 +- Add patch for CVE-2024-7006 + * Wed Aug 07 2024 Sumedh Sharma - 4.6.0-3 - Add patch to resolve CVE-2023-6277 diff --git a/SPECS/make/make.spec b/SPECS/make/make.spec index 9cdb6a84ef8..59ab232b731 100644 --- a/SPECS/make/make.spec +++ b/SPECS/make/make.spec @@ -1,7 +1,7 @@ Summary: Program for compiling packages Name: make Version: 4.4.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,6 +12,8 @@ Source0: https://ftp.gnu.org/gnu/make/%{name}-%{version}.tar.gz %if 0%{?with_check} BuildRequires: perl(lib) BuildRequires: perl(FindBin) +BuildRequires: shadow-utils +BuildRequires: sudo %endif %description @@ -33,7 +35,9 @@ rm -rf %{buildroot}%{_infodir} %find_lang %{name} %check -%make_build check +chmod g+w . -R +useradd testuser -G root -m +sudo -u testuser -s /bin/bash -c "PATH=$PATH make check" %files -f %{name}.lang %defattr(-,root,root) @@ -43,6 +47,9 @@ rm -rf %{buildroot}%{_infodir} %{_mandir}/*/* %changelog +* Mon Aug 19 2024 Andrew Phelps - 4.4.1-2 +- Fix package tests by running as non-root user + * Mon Jan 22 2024 Andrew Phelps - 4.4.1-1 - Upgrade to version 4.4.1 
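Review bot: The new `%check` in make.spec gets a non-root test run by putting `testuser` in the `root` group (`useradd testuser -G root -m`) and making the whole build tree group-writable (`chmod g+w . -R`), which grants more than the tests need. Handing the tree to the test account avoids the root-group membership: `useradd -m testuser` followed by `chown -R testuser .`, provided no later step depends on the tree staying root-owned. `useradd` also fails if `%check` runs again in an environment where `testuser` already exists, so a guard such as `id testuser >/dev/null 2>&1 || useradd -m testuser` would make the section re-runnable.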
diff --git a/SPECS/mdadm/mdadm.spec b/SPECS/mdadm/mdadm.spec index f0dbd6077ca..794dadb2509 100644 --- a/SPECS/mdadm/mdadm.spec +++ b/SPECS/mdadm/mdadm.spec @@ -2,7 +2,7 @@ Name: mdadm Version: 4.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: The mdadm program controls Linux md devices (software RAID arrays) URL: http://www.kernel.org/pub/linux/utils/raid/mdadm/ License: GPLv2+ @@ -145,7 +145,7 @@ Patch198: mdadm-2.5.2-static.patch Patch199: disable-Werror.patch BuildRequires: make -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} BuildRequires: systemd-rpm-macros BuildRequires: binutils-devel BuildRequires: gcc @@ -219,6 +219,9 @@ install -m644 %{SOURCE5} %{buildroot}/etc/libreport/events.d %{_datadir}/mdadm/mdcheck %changelog +* Wed Aug 21 2024 Chris Co - 4.2-5 +- Bump to rebuild with updated glibc + * Wed May 22 2024 Suresh Babu Chalamalasetty - 4.2-4 - update to build dep latest glibc-static version diff --git a/SPECS/moby-engine/CVE-2024-41110.patch b/SPECS/moby-engine/CVE-2024-41110.patch new file mode 100644 index 00000000000..f6e6d28cc69 --- /dev/null +++ b/SPECS/moby-engine/CVE-2024-41110.patch @@ -0,0 +1,199 @@ +From 0626c6db97b2cb3fc15bd3c5f2ade377fc8e9471 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Tue, 30 Jul 2024 10:20:38 +0000 +Subject: [PATCH] CVE-2024-41110 Authz plugin security fixes for 0-length + content and path validation 
Signed-off-by: Jameson Hyde + + +--- + pkg/authorization/authz.go | 38 +++++++++++-- + pkg/authorization/authz_unix_test.go | 84 +++++++++++++++++++++++++++- + 2 files changed, 115 insertions(+), 7 deletions(-) + +diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go +index 1eb4431..d568a2b 100644 +--- a/pkg/authorization/authz.go ++++ b/pkg/authorization/authz.go +@@ -8,6 +8,8 @@ import ( + "io" + "mime" + "net/http" ++ "net/url" ++ "regexp" + "strings" + + "github.com/containerd/log" +@@ -53,10 +55,23 @@ type Ctx struct { + authReq *Request + } + ++func isChunked(r *http.Request) bool { ++ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked ++ if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") { ++ return true ++ } ++ for _, v := range r.TransferEncoding { ++ if strings.EqualFold(v, "chunked") { ++ return true ++ } ++ } ++ return false ++} ++ + // AuthZRequest authorized the request to the docker daemon using authZ plugins + func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error { + var body []byte +- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize { ++ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize { + var err error + body, r.Body, err = drainBody(r.Body) + if err != nil { +@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error { + if sendBody(ctx.requestURI, rm.Header()) { + ctx.authReq.ResponseBody = rm.RawBody() + } +- + for _, plugin := range ctx.plugins { + log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name()) + +@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) { + return nil, newBody, err + } + ++func isAuthEndpoint(urlPath string) (bool, error) { ++ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional) ++ matched, 
err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath) ++ if err != nil { ++ return false, err ++ } ++ return matched, nil ++} ++ + // sendBody returns true when request/response body should be sent to AuthZPlugin +-func sendBody(url string, header http.Header) bool { ++func sendBody(inURL string, header http.Header) bool { ++ u, err := url.Parse(inURL) ++ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected ++ if err != nil { ++ return false ++ } ++ + // Skip body for auth endpoint +- if strings.HasSuffix(url, "/auth") { ++ isAuth, err := isAuthEndpoint(u.Path) ++ if isAuth || err != nil { + return false + } + +diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go +index c9b18d9..66b4d20 100644 +--- a/pkg/authorization/authz_unix_test.go ++++ b/pkg/authorization/authz_unix_test.go +@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) { + + func TestSendBody(t *testing.T) { + var ( +- url = "nothing.com" + testcases = []struct { ++ url string + contentType string + expected bool + }{ +@@ -219,15 +219,93 @@ func TestSendBody(t *testing.T) { + contentType: "", + expected: false, + }, ++ { ++ url: "nothing.com/auth", ++ contentType: "", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/auth?p1=test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/test?p1=/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "nothing.com/something/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "nothing.com/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/v1.24/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: 
"nothing.com/v1/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "www.nothing.com/v1.24/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "https://www.nothing.com/v1.24/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "http://nothing.com/v1.24/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "www.nothing.com/test?p1=/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "http://www.nothing.com/test?p1=/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "www.nothing.com/something/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "https://www.nothing.com/something/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, + } + ) + + for _, testcase := range testcases { + header := http.Header{} + header.Set("Content-Type", testcase.contentType) ++ if testcase.url == "" { ++ testcase.url = "nothing.com" ++ } + +- if b := sendBody(url, header); b != testcase.expected { +- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b) ++ if b := sendBody(testcase.url, header); b != testcase.expected { ++ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b) + } + } + } +-- +2.33.8 diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index 951a2cc4278..e350178d777 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine Name: moby-engine Version: 25.0.3 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://mobyproject.org 
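Review bot: `isAuthEndpoint` ends its pattern with `auth.*`, which is only a prefix test, so `sendBody` withholds the body from the AuthZ plugin for any path whose first segment after the optional version merely starts with `auth`. That is wider than `/auth` and `/auth/...`; whether the daemon serves such a path is not visible here. Ending the pattern on a segment boundary keeps every case in `TestSendBody` passing as written. Compiling it once at package scope also avoids recompiling on each request: `var authEndpointRe = regexp.MustCompile("^[^/]*/(v\\d[\\d.]*/)?auth(/|$)")`, with `isAuthEndpoint` reduced to `return authEndpointRe.MatchString(urlPath), nil`. The rest of `sendBody` lies outside the inner hunk.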
@@ -16,6 +16,7 @@ Source2: docker.socket Patch0: CVE-2022-2879.patch Patch1: enable-docker-proxy-libexec-search.patch +Patch2: CVE-2024-41110.patch %{?systemd_requires} @@ -111,6 +112,9 @@ fi %{_unitdir}/* %changelog +* Tue Aug 13 2024 Rohit Rawat - 25.0.3-5 +- Address CVE-2024-41110 + * Fri Aug 09 2024 Henry Beberman - 25.0.3-4 - Backport upstream change to search /usr/libexec for docker-proxy without daemon.json diff --git a/SPECS/openssh/openssh-8.2p1-visibility.patch b/SPECS/openssh/openssh-8.2p1-visibility.patch new file mode 100644 index 00000000000..89c35ef64de --- /dev/null +++ b/SPECS/openssh/openssh-8.2p1-visibility.patch 
@@ -0,0 +1,40 @@ +diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c +index dca158de..afdcb1d2 100644 +--- a/regress/misc/sk-dummy/sk-dummy.c ++++ b/regress/misc/sk-dummy/sk-dummy.c +@@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...) + #endif + } + +-uint32_t ++uint32_t __attribute__((visibility("default"))) + sk_api_version(void) + { + return SSH_SK_VERSION_MAJOR; +@@ -220,7 +220,7 @@ check_options(struct sk_option **options) + return 0; + } + +-int ++int __attribute__((visibility("default"))) + sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len, + const char *application, uint8_t flags, const char *pin, + struct sk_option **options, struct sk_enroll_response **enroll_response) +@@ -467,7 +467,7 @@ sig_ed25519(const uint8_t *message, size_t message_len, + return ret; + } + +-int ++int __attribute__((visibility("default"))) + sk_sign(uint32_t alg, const uint8_t *data, size_t datalen, + const char *application, const uint8_t *key_handle, size_t key_handle_len, + uint8_t flags, const char *pin, struct sk_option **options, +@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, + return ret; + } + +-int ++int __attribute__((visibility("default"))) + sk_load_resident_keys(const char *pin, struct sk_option **options, + struct sk_resident_key ***rks, size_t *nrks) + { diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec index 1bb6d805a0a..d4417c27812 100644 --- a/SPECS/openssh/openssh.spec +++ b/SPECS/openssh/openssh.spec @@ -3,7 +3,7 @@ Summary: Free version of the SSH connectivity tools Name: openssh Version: %{openssh_ver} -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -32,6 +32,10 @@ Patch306: pam_ssh_agent_auth-0.10.2-compat.patch # Fix NULL dereference from getpwuid() return value # https://sourceforge.net/p/pamsshagentauth/bugs/22/ Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch +# sk-dummy.so built with -fvisibility=hidden does not work +# The tests fail with the following error: +# dlsym(sk_api_version) failed: (...)/sk-dummy.so: undefined symbol: sk_api_version +Patch965: openssh-8.2p1-visibility.patch BuildRequires: audit-devel BuildRequires: autoconf BuildRequires: e2fsprogs-devel @@ -105,6 +109,8 @@ rm -f $(cat %{SOURCE4}) autoreconf popd +%patch -P 965 -p1 -b .visibility + %build # The -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth. export CFLAGS="$CFLAGS -fvisibility=hidden -fpic" @@ -262,6 +268,9 @@ fi %{_mandir}/man8/ssh-sk-helper.8.gz %changelog +* Fri Aug 16 2024 Pawel Winogrodzki - 9.8p1-2 +- Fixed 'openssh' ptests. + * Mon Jul 01 2024 Jon Slobodzian - 9.8p1-1 - Upgrade to version 9.8p1. This fixes CVE-2024-6387 (a regression to CVE-2006-5051) in OpenSSH's server. diff --git a/SPECS/opentelemetry-cpp/opentelemetry-cpp.spec b/SPECS/opentelemetry-cpp/opentelemetry-cpp.spec index 32276a84105..b72fd6785db 100644 --- a/SPECS/opentelemetry-cpp/opentelemetry-cpp.spec +++ b/SPECS/opentelemetry-cpp/opentelemetry-cpp.spec 
@@ -1,14 +1,17 @@ +%global proto_name opentelemetry-proto +%global proto_version 1.1.0 + Summary: The OpenTelemetry C++ Client Name: opentelemetry-cpp Version: 1.14.2 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://github.com/open-telemetry/opentelemetry-cpp Source0: https://github.com/open-telemetry/opentelemetry-cpp/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -# Standard proto files source: https://github.com/open-telemetry/opentelemetry-proto -Source1: opentelemetry-proto-1.1.0.tar.gz +Source1: https://github.com/open-telemetry/%{proto_name}/archive/refs/tags/v%{proto_version}.tar.gz#/%{proto_name}-%{proto_version}.tar.gz + BuildRequires: c-ares-devel BuildRequires: cmake BuildRequires: curl-devel @@ -16,14 +19,14 @@ BuildRequires: gmock-devel BuildRequires: grpc-devel BuildRequires: grpc-plugins BuildRequires: gtest-devel -BuildRequires: abseil-cpp-devel +BuildRequires: abseil-cpp-devel >= 20240116.0-2 BuildRequires: nlohmann-json-devel BuildRequires: protobuf-devel BuildRequires: protobuf-static BuildRequires: protobuf-c-devel BuildRequires: re2-devel BuildRequires: systemd-devel -Requires: abseil-cpp +Requires: abseil-cpp >= 20240116.0-2 %description The official OpenTelemetry CPP client @@ -38,8 +41,8 @@ Development Libraries for OpenTelemetry CPP client %prep %autosetup -p1 -mkdir -p third_party/opentelemetry-proto -tar xf %{SOURCE1} -C third_party/opentelemetry-proto --strip-components=1 +mkdir -p third_party/%{proto_name} +tar xf %{SOURCE1} -C third_party/%{proto_name} --strip-components=1 %build mkdir build && cd build @@ -53,7 +56,7 @@ mkdir build && cd build -DWITH_ABSEIL=ON \ -DWITH_STL=ON \ -DWITH_ZPAGES=ON \ - -DOTELCPP_PROTO_PATH=../third_party/opentelemetry-proto \ + -DOTELCPP_PROTO_PATH=../third_party/%{proto_name} \ .. %make_build 
@@ -74,6 +77,10 @@ mkdir build && cd build %{_libdir}/cmake/opentelemetry-cpp/* %changelog +* Thu Jul 25 2024 Devin Anderson - 1.14.2-2 +- Bump release to rebuild with latest 'abseil-cpp'. +- Provide explicit fetch for protobuf archive. + * Mon Mar 18 2024 Betty Lakes - 1.14.2-1 - Upgrade to 1.14.2 - Upgrade opentelemetry-proto to 1.1.0 diff --git a/SPECS/perl-HTTP-Message/perl-HTTP-Message.spec b/SPECS/perl-HTTP-Message/perl-HTTP-Message.spec index fcad168b42f..db3d69320ad 100644 --- a/SPECS/perl-HTTP-Message/perl-HTTP-Message.spec +++ b/SPECS/perl-HTTP-Message/perl-HTTP-Message.spec @@ -1,6 +1,6 @@ Name: perl-HTTP-Message Version: 6.45 -Release: 1%{?dist} +Release: 2%{?dist} Summary: HTTP style message # CONTRIBUTING.md: CC0 # other files: GPL+ or Artistic @@ -42,6 +42,8 @@ BuildRequires: perl(Config) BuildRequires: perl(File::Spec) BuildRequires: perl(PerlIO::encoding) BuildRequires: perl(Test::More) +BuildRequires: perl(Test::Needs) +BuildRequires: perl(Clone) # Testing requires Time::Local on MacOS only BuildRequires: perl(Try::Tiny) Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) @@ -94,6 +96,9 @@ make test %{_mandir}/man3/* %changelog +* Fri Aug 16 2024 Daniel McIlvaney - 6.45-2 +- Add missing test requirements + * Mon Dec 18 2023 CBL-Mariner Servicing Account - 6.45-1 - Auto-upgrade to 6.45 - Azure Linux 3.0 - package upgrades diff --git a/SPECS/postgresql/postgresql.service b/SPECS/postgresql/postgresql.service deleted file mode 100644 index 2a8dfc7e08c..00000000000 --- a/SPECS/postgresql/postgresql.service +++ /dev/null @@ -1,17 +0,0 @@ -[Unit] -Description=PostgreSQL database server -Documentation=man:postgres(1) -After=network-online.target multi-user.target -Wants=network-online.target - -[Service] -Type=notify -User=postgres -ExecStart=/usr/bin/postgres -D /usr/local/pgsql/data -ExecReload=/bin/kill -HUP $MAINPID -KillMode=mixed -KillSignal=SIGTERM -TimeoutSec=infinity - -[Install] -WantedBy=multi-user.target 
diff --git a/SPECS/postgresql/postgresql.signatures.json b/SPECS/postgresql/postgresql.signatures.json index aafb8f8a8e3..3c4c4d30b9a 100644 --- a/SPECS/postgresql/postgresql.signatures.json +++ b/SPECS/postgresql/postgresql.signatures.json @@ -1,6 +1,5 @@ { "Signatures": { - "postgresql.service": "2d209e10523c43e7011b4a85e9e32f5f5911a74a25012cdeaf5fdeb0a5664461", "postgresql-16.4.tar.bz2": "971766d645aa73e93b9ef4e3be44201b4f45b5477095b049125403f9f3386d6f" } } diff --git a/SPECS/postgresql/postgresql.spec b/SPECS/postgresql/postgresql.spec index f6c60edd2b7..ab75f7e1063 100644 --- a/SPECS/postgresql/postgresql.spec +++ b/SPECS/postgresql/postgresql.spec @@ -8,7 +8,7 @@ Distribution: Azure Linux Group: Applications/Databases URL: https://www.postgresql.org Source0: https://ftp.postgresql.org/pub/source/v%{version}/%{name}-%{version}.tar.bz2 -Source1: %{name}.service + # Common libraries needed BuildRequires: krb5-devel BuildRequires: libxml2-devel @@ -20,8 +20,6 @@ BuildRequires: pkgconfig(icu-uc) BuildRequires: readline-devel BuildRequires: tzdata BuildRequires: zlib-devel -BuildRequires: systemd-devel -BuildRequires: systemd-rpm-macros %if 0%{?with_check} BuildRequires: sudo @@ -35,10 +33,7 @@ Requires: openssl Requires: readline Requires: tzdata Requires: zlib -Requires: openssl-libs -Requires(pre): shadow-utils -Requires(post): shadow-utils -Requires(postun): shadow-utils + %description PostgreSQL is an object-relational database management system. @@ -76,7 +71,6 @@ developing applications that use postgresql. %build sed -i '/DEFAULT_PGSOCKET_DIR/s@/tmp@/run/postgresql@' src/include/pg_config_manual.h && ./configure \ - --with-systemd \ --enable-thread-safety \ --prefix=%{_prefix} \ --with-ldap \ 
@@ -93,7 +87,6 @@ cd contrib && make %{?_smp_mflags} %install make install DESTDIR=%{buildroot} cd contrib && make install DESTDIR=%{buildroot} -install -D -m 644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service # For postgresql 10+, commands are renamed # Ref: https://wiki.postgresql.org/wiki/New_in_postgres_10 @@ -108,60 +101,10 @@ chown -Rv nobody . sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check" %ldconfig_scriptlets -%pre - -if ! getent group postgres >/dev/null; then - /sbin/groupadd -r postgres -fi - -if ! getent passwd postgres >/dev/null; then - /sbin/useradd -g postgres postgres -fi - -%post - -PGDATA="/usr/local/pgsql/data" -PGRUN="/run/postgresql" - -if [ ! -d "$PGDATA" ]; then - mkdir -p "$PGDATA" - chown postgres:postgres "$PGDATA" - su -c /usr/bin/initdb -D "$PGDATA" postgres - chown -R postgres:postgres "$PGDATA" -fi - -#chown -R postgres:postgres "$PGDATA" - -if [ ! -d "$PGRUN" ]; then - mkdir -p "$PGRUN" - chown postgres:postgres "$PGRUN" - chmod 700 "$PGRUN" -fi - -%systemd_post %{name}.service - -%preun -#%systemd_preun %{name}.service - -%postun -if [ $1 -eq 0 ] ; then - if getent passwd postgres >/dev/null; then - /sbin/userdel postgres - fi - if getent group %{name} >/dev/null; then - /sbin/groupdel postgres - fi - rm -rf /var/log/%{name} - rm -rf /var/run/%{name} -fi - -%systemd_postun_with_restart %{name}.service %files %defattr(-,root,root) %license COPYRIGHT -%{_unitdir}/%{name}.service - %{_bindir}/initdb %{_bindir}/oid2name %{_bindir}/pg_amcheck @@ -232,12 +175,6 @@ fi %changelog * Mon Aug 12 2024 CBL-Mariner Servicing Account - 16.4-1 - Auto-upgrade to 16.4 - CVE-2024-7348 - -* Wed Aug 07 Andrew Phelps - 16.3-3 -- Add requires for shadow-utils - -* Wed Jul 24 Kavya Sree Kaitepalli - 16.3-2 -- Added systemd service, installation path, %pre %post and %postun required for the service * Mon May 20 2024 Neha Agarwal - 16.3-1 - Upgrade to version 16.3 to fix CVE-2024-4317 
diff --git a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec index bbe2069a604..4b0f03161d2 100644 --- a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec +++ b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec @@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates-base # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well. Epoch: 1 Version: %{azl}.0.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -46,6 +46,9 @@ find %{buildroot} -name README -delete %{_sysconfdir}/pki/java/cacerts %changelog +* Tue Aug 13 2024 CBL-Mariner Servicing Account - 3.0.0-7 +- Making 'Release' match with 'ca-certificates' + * Mon Apr 22 2024 CBL-Mariner Servicing Account - 3.0.0-6 - Updating Microsoft trusted root CAs. diff --git a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec index 1e059522c99..0c9326f5c12 100644 --- a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec +++ b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec @@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well. Epoch: 1 Version: %{azl}.0.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -49,6 +49,9 @@ find %{buildroot} -name README -delete %{_sysconfdir}/pki/java/cacerts %changelog +* Tue Aug 13 2024 CBL-Mariner Servicing Account - 3.0.0-7 +- Making 'Release' match with 'ca-certificates' + * Mon Apr 22 2024 CBL-Mariner Servicing Account - 3.0.0-6 - Updating Microsoft trusted root CAs. diff --git a/SPECS/protobuf/protobuf.spec b/SPECS/protobuf/protobuf.spec index 1d05eb2678d..75b1e31b5e8 100644 
--- a/SPECS/protobuf/protobuf.spec +++ b/SPECS/protobuf/protobuf.spec @@ -1,7 +1,7 @@ Summary: Google's data interchange format Name: protobuf Version: 25.3 -Release: 3%{?dist} +Release: 4%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,7 +12,7 @@ BuildRequires: curl BuildRequires: libstdc++ BuildRequires: cmake BuildRequires: unzip -BuildRequires: abseil-cpp-devel +BuildRequires: abseil-cpp-devel >= 20240116.0-2 %if 0%{?with_check} BuildRequires: gtest-devel BuildRequires: gmock-devel @@ -20,7 +20,7 @@ BuildRequires: gmock-devel Provides: %{name}-compiler = %{version}-%{release} Provides: %{name}-lite = %{version}-%{release} -Requires: abseil-cpp +Requires: abseil-cpp >= 20240116.0-2 %description Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data. You can find protobuf's documentation on the Google Developers site. @@ -30,7 +30,7 @@ Summary: Development files for protobuf Group: Development/Libraries Requires: %{name} = %{version}-%{release} Provides: %{name}-lite-devel = %{version}-%{release} -Requires: abseil-cpp-devel +Requires: abseil-cpp-devel >= 20240116.0-2 %description devel The protobuf-devel package contains libraries and header files for @@ -122,6 +122,9 @@ popd %{python3_sitelib}/* %changelog +* Thu Jul 25 2024 Devin Anderson - 25.3-4 +- Bump release to rebuild with latest 'abseil-cpp'. + * Mon Jun 03 2024 Sindhu Karri - 25.3-3 - Enable ptest using system gtest package diff --git a/SPECS/pyOpenSSL/pyOpenSSL.signatures.json b/SPECS/pyOpenSSL/pyOpenSSL.signatures.json index a83edb2f393..69a524499b2 100644 --- a/SPECS/pyOpenSSL/pyOpenSSL.signatures.json +++ b/SPECS/pyOpenSSL/pyOpenSSL.signatures.json 
@@ -1,5 +1,5 @@ { - "Signatures": { - "pyOpenSSL-23.2.0.tar.gz": "276f931f55a452e7dea69c7173e984eb2a4407ce413c918aa34b55f82f9b8bac" - } + "Signatures": { + "pyopenssl-24.2.1.tar.gz": "4247f0dbe3748d560dcbb2ff3ea01af0f9a1a001ef5f7c4c647956ed8cbf0e95" + } } diff --git a/SPECS/pyOpenSSL/pyOpenSSL.spec b/SPECS/pyOpenSSL/pyOpenSSL.spec index 4480a020109..16c85ec64c9 100644 --- a/SPECS/pyOpenSSL/pyOpenSSL.spec +++ b/SPECS/pyOpenSSL/pyOpenSSL.spec @@ -1,13 +1,15 @@ +%global srcname pyopenssl + Summary: Python wrapper module around the OpenSSL library Name: pyOpenSSL -Version: 23.2.0 +Version: 24.2.1 Release: 1%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Languages/Python URL: https://github.com/pyca/pyopenssl -Source0: https://files.pythonhosted.org/packages/be/df/75a6525d8988a89aed2393347e9db27a56cb38a3e864314fac223e905aef/%{name}-%{version}.tar.gz +Source0: %{pypi_source %{srcname} %{version}} BuildArch: noarch %description @@ -39,7 +41,7 @@ BuildRequires: python3-six High-level wrapper around a subset of the OpenSSL library. %prep -%autosetup +%autosetup -p1 -n %{srcname}-%{version} %build %py3_build @@ -48,7 +50,7 @@ High-level wrapper around a subset of the OpenSSL library. %py3_install %check -pip3 install pretend flaky pytest +pip3 install pretend pytest-rerunfailures pytest PATH=%{buildroot}%{_bindir}:${PATH} \ LANG=en_US.UTF-8 PYTHONPATH=%{buildroot}%{python3_sitelib} \ pytest @@ -59,6 +61,10 @@ LANG=en_US.UTF-8 PYTHONPATH=%{buildroot}%{python3_sitelib} \ %{python3_sitelib}/* %changelog +* Fri Aug 16 2023 Daniel McIlvaney - 24.2.1-1 +- Selectively take upstream changes from F41 to update to 24.2.1 to support our + version of python-cryptography. + * Fri Oct 27 2023 CBL-Mariner Servicing Account - 23.2.0-1 - Auto-upgrade to 23.2.0 - Azure Linux 3.0 - package upgrades 
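Review bot: The pyOpenSSL `%check` still installs its test tooling from the network with no versions, `pip3 install pretend pytest-rerunfailures pytest`. The code that runs inside the build root is therefore whatever the index serves at build time, and nothing in the signatures file records it. Pin each requirement exactly, for example `pip3 install 'pretend==<VERSION>' 'pytest-rerunfailures==<VERSION>' 'pytest==<VERSION>'`, or move them to packaged `BuildRequires` under `%if 0%{?with_check}`. The `%check` hunk in python-pytest-mock.spec further down has the same pattern, with only `pytest==7.1.2` pinned. Separately, the new changelog entry is dated `Fri Aug 16 2023`; that date is earlier than the `Oct 27 2023` entry beneath it and was not a Friday, so the year presumably should be 2024.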
diff --git a/SPECS/python-poetry-core/python-poetry-core.spec b/SPECS/python-poetry-core/python-poetry-core.spec index 45992df79fd..a06e9236b3e 100644 --- a/SPECS/python-poetry-core/python-poetry-core.spec +++ b/SPECS/python-poetry-core/python-poetry-core.spec @@ -7,7 +7,7 @@ projects.} Summary: Poetry PEP 517 Build Backend Name: python-poetry-core Version: 1.9.0 -Release: 3%{?dist} +Release: 4%{?dist} # SPDX License: MIT Vendor: Microsoft Corporation @@ -32,6 +32,10 @@ Summary: %{summary} # Previous versions of poetry included poetry-core in it Conflicts: python%{python3_version}dist(poetry) < 1.1 +Requires: python3-fastjsonschema +Requires: python3-lark +Requires: python3-packaging + %description -n python3-poetry-core %{_description} %prep @@ -56,6 +60,9 @@ rm -r src/poetry/core/_vendor %license LICENSE %changelog +* Tue Aug 06 2024 Devin Anderson - 1.9.0-4 +- Declare missing runtime dependencies. + * Fri Mar 29 2024 Riken Maharjan - 1.9.0-1 - Initial Azure Linux import from Fedora 40 (license: MIT). - License Verified diff --git a/SPECS/python-pytest-mock/fix__test_failure_message.patch b/SPECS/python-pytest-mock/fix__test_failure_message.patch new file mode 100644 index 00000000000..1bc46a92eb9 --- /dev/null +++ b/SPECS/python-pytest-mock/fix__test_failure_message.patch 
@@ -0,0 +1,68 @@ +From 8480bb6d0500f933be039cfec65e04157e6ecffe Mon Sep 17 00:00:00 2001 +From: Bruno Oliveira +Date: Tue, 19 Dec 2023 08:24:23 -0300 +Subject: [PATCH] Fix tests for Python 3.11 and 3.12 + +Fixes #401. + +Modified by: damcilva@microsoft.com + Include cleanup from: + c596504e062be06475b03122c9c0cc732ae87840 + b8522e73a85441cf4c02c39038a88ac0bab57504 +--- + tests/test_pytest_mock.py | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tests/test_pytest_mock.py b/tests/test_pytest_mock.py +index 3ee00da..7acb361 100644 +--- a/tests/test_pytest_mock.py ++++ b/tests/test_pytest_mock.py +@@ -246,9 +246,8 @@ def __test_failure_message(self, mocker: MockerFixture, **kwargs: Any) -> None: + msg = "Expected call: {0}()\nNot called" + expected_message = msg.format(expected_name) + stub = mocker.stub(**kwargs) +- with pytest.raises(AssertionError) as exc_info: ++ with pytest.raises(AssertionError, match=re.escape(expected_message)): + stub.assert_called_with() +- assert str(exc_info.value) == expected_message + + def test_failure_message_with_no_name(self, mocker: MagicMock) -> None: + self.__test_failure_message(mocker) + +From 6da5b0506d6378a8dbe5ae314d5134e6868aeabd Mon Sep 17 00:00:00 2001 +From: danigm +Date: Wed, 20 Dec 2023 16:02:13 +0100 +Subject: [PATCH] Update expected message to match python 3.11.7 (#404) + +https://github.com/python/cpython/issues/111019 + +Fixes #401. +Closes #403. 
+--- + tests/test_pytest_mock.py | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tests/test_pytest_mock.py b/tests/test_pytest_mock.py +index c185f2a..01534a4 100644 +--- a/tests/test_pytest_mock.py ++++ b/tests/test_pytest_mock.py +@@ -25,6 +25,8 @@ + + # Python 3.8 changed the output formatting (bpo-35500), which has been ported to mock 3.0 + NEW_FORMATTING = sys.version_info >= (3, 8) ++# Python 3.11.7 changed the output formatting, https://github.com/python/cpython/issues/111019 ++NEWEST_FORMATTING = sys.version_info >= (3, 11, 7) + + if sys.version_info[:2] >= (3, 8): + from unittest.mock import AsyncMock +@@ -240,7 +242,9 @@ def test_repr_with_name(self, mocker: MockerFixture) -> None: + + def __test_failure_message(self, mocker: MockerFixture, **kwargs: Any) -> None: + expected_name = kwargs.get("name") or "mock" +- if NEW_FORMATTING: ++ if NEWEST_FORMATTING: ++ msg = "expected call not found.\nExpected: {0}()\n Actual: not called." ++ elif NEW_FORMATTING: + msg = "expected call not found.\nExpected: {0}()\nActual: not called." + else: + msg = "Expected call: {0}()\nNot called" diff --git a/SPECS/python-pytest-mock/python-pytest-mock.spec b/SPECS/python-pytest-mock/python-pytest-mock.spec index 2b7f2bbb050..8b4e5f476c5 100644 --- a/SPECS/python-pytest-mock/python-pytest-mock.spec +++ b/SPECS/python-pytest-mock/python-pytest-mock.spec @@ -3,7 +3,7 @@ Summary: Thin-wrapper around the mock package for easier use with py.test Name: python-%{pypi_name} Version: 3.12.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -11,6 +11,7 @@ URL: https://github.com/pytest-dev/pytest-mock/ Source0: https://pypi.io/packages/source/p/pytest-mock/%{pypi_name}-%{version}.tar.gz # Can be removed once this bug is resolved: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006736 Patch0: skip_broken_tests_since_3.6.1.patch +Patch1: fix__test_failure_message.patch BuildArch: noarch 
@@ -48,12 +49,12 @@ sed -i 's/\r$//' README.rst %py3_install %check -pip3 install atomicwrites>=1.3.0 \ - attrs>=19.1.0 \ - more-itertools>=7.0.0 \ - pluggy>=0.11.0 \ - pytest==7.1.2 \ - pytest-cov>=2.7.1 +pip3 install 'atomicwrites>=1.3.0' \ + 'attrs>=19.1.0' \ + 'more-itertools>=7.0.0' \ + 'pluggy>=0.11.0' \ + 'pytest==7.1.2' \ + 'pytest-cov>=2.7.1' PATH=%{buildroot}%{_bindir}:${PATH} \ PYTHONPATH=%{buildroot}%{python3_sitelib} \ python%{python3_version} -m pytest -v tests \ @@ -67,6 +68,10 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} \ %{python3_sitelib}/%{file_name}-%{version}-py%{python3_version}.egg-info/ %changelog +* Fri Aug 16 2024 Daniel McIlvaney - 3.12.0-2 +- Fix test requirement install command +- Backport fixes for failing unit test + * Tue Jan 23 2024 CBL-Mariner Servicing Account - 3.12.0-1 - Auto-upgrade to 3.12.0 - Azure Linux 3.0 - package upgrades diff --git a/SPECS/python-webob/python-webob.signatures.json b/SPECS/python-webob/python-webob.signatures.json index 6ea2972724b..4594d4f541a 100644 --- a/SPECS/python-webob/python-webob.signatures.json +++ b/SPECS/python-webob/python-webob.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "webob-1.8.7.tar.gz": "2bc9a81fddc02170d7e8de600d843e0d9247110594590056d5a2336740364248" - } + "Signatures": { + "webob-1.8.8.tar.gz": "4864af526db23ddd9a396b0ee1785ffab55185e4d428febd391d4644fe68f23a" + } } diff --git a/SPECS/python-webob/python-webob.spec b/SPECS/python-webob/python-webob.spec index 3a8fb4b0546..859583dbe52 100644 --- a/SPECS/python-webob/python-webob.spec +++ b/SPECS/python-webob/python-webob.spec @@ -1,6 +1,6 @@ Summary: WebOb provides objects for HTTP requests and responses. Name: python-webob -Version: 1.8.7 +Version: 1.8.8 Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation 
@@ -46,6 +46,9 @@ rm -f tests/performance_test.py %{python3_sitelib}/* %changelog +* Tue Aug 20 2024 CBL-Mariner Servicing Account - 1.8.8-1 +- Auto-upgrade to 1.8.8 - Fix CVE-2024-42353 + * Mon Feb 07 2022 Thomas Crain - 1.8.7-1 - Upgrade to latest upstream version - Use github source tarball diff --git a/SPECS/python3/CVE-2024-7592.patch b/SPECS/python3/CVE-2024-7592.patch new file mode 100644 index 00000000000..35f5e1fb6e3 --- /dev/null +++ b/SPECS/python3/CVE-2024-7592.patch 
@@ -0,0 +1,226 @@ +From 04ac47b343b10f2182c4b3730d4be241b2397a4d Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Fri, 16 Aug 2024 19:13:37 +0300 +Subject: [PATCH 1/4] gh-123067: Fix quadratic complexity in parsing cookies + with backslashes + +This fixes CVE-2024-7592. +--- + Lib/http/cookies.py | 34 ++++------------- + Lib/test/test_http_cookies.py | 38 +++++++++++++++++++ + ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 1 + + 3 files changed, 47 insertions(+), 26 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index 351faf428a20cd..11a67e8a2e008b 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -184,8 +184,12 @@ def _quote(str): + return '"' + str.translate(_Translator) + '"' + + +-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]") +-_QuotePatt = re.compile(r"[\\].") ++_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))') ++def _unquote_replace(m): ++ if m[1]: ++ return chr(int(m[1], 8)) ++ else: ++ return m[2] + + def _unquote(str): + # If there aren't any doublequotes, +@@ -205,30 +209,8 @@ def _unquote(str): + # \012 --> \n + # \" --> " + # +- i = 0 +- n = len(str) +- res = [] +- while 0 <= i < n: +- o_match = _OctalPatt.search(str, i) +- q_match = _QuotePatt.search(str, i) +- if not o_match and not q_match: # Neither matched +- res.append(str[i:]) +- break +- # else: +- j = k = -1 +- if o_match: +- j = o_match.start(0) +- if q_match: +- k = q_match.start(0) +- if q_match and (not o_match or k < j): # QuotePatt matched +- res.append(str[i:k]) +- res.append(str[k+1]) +- i = k + 2 +- else: # OctalPatt matched +- res.append(str[i:j]) +- res.append(chr(int(str[j+1:j+4], 8))) +- i = j + 4 +- return _nulljoin(res) ++ ++ return _unquote_re.sub(_unquote_replace, str) + + # The _getdate() routine is used to set the expiration time in the cookie's HTTP + # header. 
By default, _getdate() returns the current time in the appropriate +diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py +index 925c8697f60de6..13b526d49b0856 100644 +--- a/Lib/test/test_http_cookies.py ++++ b/Lib/test/test_http_cookies.py +@@ -5,6 +5,7 @@ + import doctest + from http import cookies + import pickle ++from test import support + + + class CookieTests(unittest.TestCase): +@@ -58,6 +59,43 @@ def test_basic(self): + for k, v in sorted(case['dict'].items()): + self.assertEqual(C[k].value, v) + ++ def test_unquote(self): ++ cases = [ ++ (r'a="b=\""', 'b="'), ++ (r'a="b=\\"', 'b=\\'), ++ (r'a="b=\="', 'b=\\='), ++ (r'a="b=\n"', 'b=\\n'), ++ (r'a="b=\042"', 'b="'), ++ (r'a="b=\134"', 'b=\\'), ++ (r'a="b=\377"', 'b=\xff'), ++ (r'a="b=\400"', 'b=\\400'), ++ (r'a="b=\42"', 'b=\\42'), ++ (r'a="b=\\042"', 'b=\\042'), ++ (r'a="b=\\134"', 'b=\\134'), ++ (r'a="b=\\\""', 'b=\\"'), ++ (r'a="b=\\\042"', 'b=\\"'), ++ (r'a="b=\134\""', 'b=\\"'), ++ (r'a="b=\134\042"', 'b=\\"'), ++ ] ++ for encoded, decoded in cases: ++ with self.subTest(encoded): ++ C = cookies.SimpleCookie() ++ C.load(encoded) ++ self.assertEqual(C['a'].value, decoded) ++ ++ @support.requires_resource('cpu') ++ def test_unquote_large(self): ++ n = 10**6 ++ for encoded in r'\\', r'\134': ++ with self.subTest(encoded): ++ data = 'a="b=' + encoded*n + ';"' ++ C = cookies.SimpleCookie() ++ C.load(data) ++ value = C['a'].value ++ self.assertEqual(value[:3], 'b=\\') ++ self.assertEqual(value[-2:], '\\;') ++ self.assertEqual(len(value), n + 3) ++ + def test_load(self): + C = cookies.SimpleCookie() + C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme') +diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst +new file mode 100644 +index 00000000000000..158b938a65a2d4 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst +@@ -0,0 +1 @@ ++Fix 
quadratic complexity in parsing cookies with backslashes. + +From ab87c992c2d4cd28560178048915bc9636d6566e Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Fri, 16 Aug 2024 19:38:20 +0300 +Subject: [PATCH 2/4] Restore the current behavior for backslash-escaping. + +--- + Lib/http/cookies.py | 2 +- + Lib/test/test_http_cookies.py | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index 11a67e8a2e008b..464abeb0fb253a 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -184,7 +184,7 @@ def _quote(str): + return '"' + str.translate(_Translator) + '"' + + +-_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))') ++_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))') + def _unquote_replace(m): + if m[1]: + return chr(int(m[1], 8)) +diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py +index 13b526d49b0856..8879902a6e2f41 100644 +--- a/Lib/test/test_http_cookies.py ++++ b/Lib/test/test_http_cookies.py +@@ -63,13 +63,13 @@ def test_unquote(self): + cases = [ + (r'a="b=\""', 'b="'), + (r'a="b=\\"', 'b=\\'), +- (r'a="b=\="', 'b=\\='), +- (r'a="b=\n"', 'b=\\n'), ++ (r'a="b=\="', 'b=='), ++ (r'a="b=\n"', 'b=n'), + (r'a="b=\042"', 'b="'), + (r'a="b=\134"', 'b=\\'), + (r'a="b=\377"', 'b=\xff'), +- (r'a="b=\400"', 'b=\\400'), +- (r'a="b=\42"', 'b=\\42'), ++ (r'a="b=\400"', 'b=400'), ++ (r'a="b=\42"', 'b=42'), + (r'a="b=\\042"', 'b=\\042'), + (r'a="b=\\134"', 'b=\\134'), + (r'a="b=\\\""', 'b=\\"'), + +From 1fe24921da4c6c547da82e11c9703f3588dc5fab Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Sat, 17 Aug 2024 12:40:11 +0300 +Subject: [PATCH 3/4] Cache the sub() method, not the compiled pattern object. 
+ +--- + Lib/http/cookies.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index 464abeb0fb253a..6b9ed24ad8ec78 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -184,7 +184,8 @@ def _quote(str): + return '"' + str.translate(_Translator) + '"' + + +-_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))') ++_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub ++ + def _unquote_replace(m): + if m[1]: + return chr(int(m[1], 8)) +@@ -209,8 +210,7 @@ def _unquote(str): + # \012 --> \n + # \" --> " + # +- +- return _unquote_re.sub(_unquote_replace, str) ++ return _unquote_sub(_unquote_replace, str) + + # The _getdate() routine is used to set the expiration time in the cookie's HTTP + # header. By default, _getdate() returns the current time in the appropriate + +From 8256ed2228137c87d4b20747db84a9cdf0fa1d34 Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Sat, 17 Aug 2024 13:08:20 +0300 +Subject: [PATCH 4/4] Add a reference to the module in NEWS. + +--- + .../next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst +index 158b938a65a2d4..6a234561fe31a3 100644 +--- a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst ++++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst +@@ -1 +1 @@ +-Fix quadratic complexity in parsing cookies with backslashes. ++Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`. diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index cfe7a2bc02f..818e7f8b413 100644 --- a/SPECS/python3/python3.spec +++ b/SPECS/python3/python3.spec 
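Review bot: `test_unquote_large`, the only added test that exercises the quadratic case this patch exists for, sits behind `@support.requires_resource('cpu')`, so it runs only when the test run enables that resource. If the package's `%check` does not, the denial-of-service regression is unguarded there, while the functional cases in `test_unquote` still run. The file also carries the four PR commits unsquashed: 1/4 narrows the escape group to `(["\\])` and 2/4 widens it back to `(.)`, so the net behaviour for inputs like `\=` is unchanged from before the fix. A short header line in the patch naming its upstream source (the page shows gh-123067) would make the series easier to audit.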
@@ -6,7 +6,7 @@ Summary: A high-level scripting language Name: python3 Version: 3.12.3 -Release: 1%{?dist} +Release: 2%{?dist} License: PSF Vendor: Microsoft Corporation Distribution: Azure Linux @@ -17,6 +17,7 @@ Source0: https://www.python.org/ftp/python/%{version}/Python-%{version}.t # It has been removed in Python-3.12.0.tar.xz, but as our packages still require it, we will still provide for now. Source1: https://github.com/python/cpython/blob/3.9/Tools/scripts/pathfix.py Patch0: cgi3.patch +Patch1: CVE-2024-7592.patch BuildRequires: bzip2-devel BuildRequires: expat-devel >= 2.1.0 @@ -238,6 +239,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__ %{_libdir}/python%{majmin}/test/* %changelog +* Wed Aug 21 2024 Brian Fjeldstad - 3.12.3-2 +- Patch CVE-2024-7592 + * Mon Jul 15 2024 Suresh Thelkar - 3.12.3-1 - Upgrade to 3.12.3 to patch CVE-2024-0397, CVE-2023-6597 - Clean up the earlier patches not needed anymore diff --git a/SPECS/qemu/qemu.spec b/SPECS/qemu/qemu.spec index 0dfae4e6cc8..845d8afad6f 100644 --- a/SPECS/qemu/qemu.spec +++ b/SPECS/qemu/qemu.spec @@ -428,7 +428,7 @@ Obsoletes: sgabios-bin <= 1:0.20180715git-10.fc38 Summary: QEMU is a FAST! processor emulator Name: qemu Version: 8.2.0 -Release: 9%{?dist} +Release: 10%{?dist} License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND FSFAP AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-2.0-or-later WITH GCC-exception-2.0 AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-Fedora-Public-Domain AND CC-BY-3.0 URL: http://www.qemu.org/ @@ -640,7 +640,7 @@ BuildRequires: rutabaga-gfx-ffi-devel %endif %if %{user_static} -BuildRequires: glibc-static >= 2.38-6 +BuildRequires: glibc-static >= 2.38-7 BuildRequires: glib2-static zlib-static BuildRequires: pcre2-static %endif 
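Review bot: `Patch1: CVE-2024-7592.patch` is declared here, but the `%prep` section that would apply it is outside the hunk, so nothing visible confirms the fix reaches the build. If `%prep` uses `%autosetup` the new patch is picked up automatically; if it applies patches one by one, a matching `%patch` line for Patch1 is needed. It is worth confirming in the build log that the patch is applied to `Lib/http/cookies.py`.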
@@ -3421,6 +3421,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog +* Wed Aug 21 2024 Chris Co - 8.2.0-10 +- Bump to rebuild with updated glibc + * Wed Jun 19 2024 Sharath Srikanth Chellappa - 8.2.0-9 - Enable vnc related packages/dependencies required for Kubevirt - Removing the have_ui flag to install virtio required components. diff --git a/SPECS/re2/re2.spec b/SPECS/re2/re2.spec index cd04c714bbc..2a55404cebc 100644 --- a/SPECS/re2/re2.spec +++ b/SPECS/re2/re2.spec @@ -4,7 +4,7 @@ Summary: C++ fast alternative to backtracking RE engines Name: re2 Version: %{shortver} -Release: 2%{?dist} +Release: 3%{?dist} License: BSD-3-Clause Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,7 +13,7 @@ Source0: https://github.com/google/%{name}/archive/refs/tags/%{longver}.t BuildRequires: gcc BuildRequires: make BuildRequires: cmake -BuildRequires: abseil-cpp-devel +BuildRequires: abseil-cpp-devel >= 20240116.0-2 %if 0%{?with_check} BuildRequires: gtest-devel BuildRequires: gmock-devel @@ -83,6 +83,9 @@ rm -fv %{buildroot}%{_libdir}/libre2.a %{_libdir}/cmake/re2/*.cmake %changelog +* Thu Jul 25 2024 Devin Anderson - 20240201-3 +- Bump release to rebuild with latest 'abseil-cpp'. + * Wed Mar 20 2024 Betty Lakes - 20240201-2 - Bumping release to rebuild with latest 'abseil-cpp'. diff --git a/SPECS/ruby/ruby.signatures.json b/SPECS/ruby/ruby.signatures.json index 17beb5d1039..9eb2f74004c 100644 --- a/SPECS/ruby/ruby.signatures.json +++ b/SPECS/ruby/ruby.signatures.json @@ -7,6 +7,6 @@ "rubygems.con": "eb804c6b50eeafdb2172285265bc487a80acaa9846233cd5f1d20a25f1dac2ea", "rubygems.prov": "b79c1f5873dd20d251e100b276a5e584c1fb677f3e1b92534fc09130fabe8ee5", "rubygems.req": "e85681d8fa45d214055f3b26a8c1829b3a4bd67b26a5ef3c1f6426e7eff83ad0", - "ruby-3.3.0.tar.gz": "96518814d9832bece92a85415a819d4893b307db5921ae1f0f751a9a89a56b7d" + "ruby-3.3.3.tar.gz": "83c05b2177ee9c335b631b29b8c077b4770166d02fa527f3a9f6a40d13f3cce2" } } 
diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec index 995aca5fe35..e7231cd0fac 100644 --- a/SPECS/ruby/ruby.spec +++ b/SPECS/ruby/ruby.spec @@ -4,7 +4,7 @@ %global gem_dir %{_datadir}/ruby/gems # Default package version defined separately, because the %%version macro gets overwritten by 'Version' tags of the subpackages. -%global ruby_version 3.3.0 +%global ruby_version 3.3.3 %define ruby_version_majmin %(echo %{ruby_version} | cut -d. -f1-2) %global rubygems_version 3.5.3 @@ -88,7 +88,7 @@ Name: ruby # provides should be versioned according to the ruby version. # More info: https://stdgems.org/ Version: %{ruby_version} -Release: 4%{?dist} +Release: 1%{?dist} License: (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD Vendor: Microsoft Corporation Distribution: Azure Linux @@ -407,6 +407,9 @@ sudo -u test make test TESTS="-v" %{_rpmconfigdir}/rubygems.con %changelog +* Wed Aug 07 2024 Alejandro Martinez Torres - 3.3.3-1 +- Upgrade ruby to 3.3.3 to resolve CVE-2024-41946 + * Wed May 22 2024 Neha Agarwal - 3.3.0-4 - Bump release to build with new rubygem-rexml to fix CVE-2024-35176 diff --git a/SPECS/rust/rust.spec b/SPECS/rust/rust.spec index 8c6f11ce0c0..4f301a1ea9d 100644 --- a/SPECS/rust/rust.spec +++ b/SPECS/rust/rust.spec @@ -9,7 +9,7 @@ Summary: Rust Programming Language Name: rust Version: 1.75.0 -Release: 9%{?dist} +Release: 10%{?dist} License: (ASL 2.0 OR MIT) AND BSD AND CC-BY-3.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -60,7 +60,7 @@ BuildRequires: ninja-build BuildRequires: openssl-devel BuildRequires: python3 %if 0%{?with_check} -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} %endif # rustc uses a C compiler to invoke the linker, and links to glibc in most cases Requires: binutils 
@@ -172,6 +172,9 @@ rm %{buildroot}%{_bindir}/*.old %{_mandir}/man1/* %changelog +* Wed Aug 21 2024 Chris Co - 1.75.0-10 +- Bump to rebuild with updated glibc + * Fri Aug 09 2024 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 1.75.0-9 - Patch CVE-2024-32884 and CVE-2024-31852 diff --git a/SPECS/selinux-policy/modules_targeted.conf b/SPECS/selinux-policy/modules_targeted.conf index 1479998879a..14684afc762 100644 --- a/SPECS/selinux-policy/modules_targeted.conf +++ b/SPECS/selinux-policy/modules_targeted.conf @@ -11,45 +11,3 @@ selinux = base storage = base terminal = base ubac = base - -bootloader = base -kdump = base -logrotate = base -netutils = base -rpm = base -su = base -sudo = base -usermanage = base - -staff = base -sysadm = base -unprivuser = base - -cron = base -chronyd = base -dbus = base -irqbalance = base -ldap = base - -application = base -authlogin = base -clock = base -fstools = base -init = base -iptables = base -libraries = base -locallogin = base -logging = base -lvm = base -miscfiles = base -modutils = base -mount = base -raid = base -selinuxutil = base -sysnetwork = base -systemd = base -udev = base -unconfined = module -userdomain = base -# required by systemd: -xdg = base \ No newline at end of file diff --git a/SPECS/selinux-policy/selinux-policy.signatures.json b/SPECS/selinux-policy/selinux-policy.signatures.json index dfd4add4bc6..4994b09166b 100644 --- a/SPECS/selinux-policy/selinux-policy.signatures.json +++ b/SPECS/selinux-policy/selinux-policy.signatures.json 
@@ -3,7 +3,7 @@ "Makefile.devel": "cd065e896d7eb11e238a05b9102359ea370ec75b27785a81935c985899ed2df6", "booleans_targeted.conf": "009f880c7179a007569dfdbf40ef64ae41671ad33cc2717eebbdaeb8ab431d12", "macros.selinux-policy": "027f5d27441a7262365c26076dc3b7ab1f1ac62026ae94514020e0607e53a73a", - "modules_targeted.conf": "b8fdff7cf2280bf71fa5841e9d3e5a8add4b30cdcbd21bc4fb2340d53b3bc23f", + "modules_targeted.conf": "161f7075f935afb15402084e5dc6b67da9a6b578631f0f77459b0461176da9e2", "refpolicy-2.20240226.tar.bz2": "7ed41f4f45189b9ee9706da8ac357eccc103651b56daabaddb54c436e8117cf9" } } diff --git a/SPECS/selinux-policy/selinux-policy.spec b/SPECS/selinux-policy/selinux-policy.spec index 7f7ab1a0f41..1334eaa9fc5 100644 --- a/SPECS/selinux-policy/selinux-policy.spec +++ b/SPECS/selinux-policy/selinux-policy.spec @@ -9,7 +9,7 @@ Summary: SELinux policy Name: selinux-policy Version: %{refpolicy_major}.%{refpolicy_minor} -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -130,7 +130,7 @@ enforced by the kernel when running with SELinux enabled. %{_sharedstatedir}/selinux/%{policy_name}/active/modules_checksum %exclude %{_sharedstatedir}/selinux/%{policy_name}/active/policy.kern %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{policy_name}/active/file_contexts.homedirs -%{_sharedstatedir}/selinux/%{policy_name}/active/modules/100/base +%{_sharedstatedir}/selinux/%{policy_name}/active/modules/100/* %package modules Summary: SELinux policy modules 
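Review bot: Changing the main package's entry to `%{_sharedstatedir}/selinux/%{policy_name}/active/modules/100/*` makes `selinux-policy` own every module the build loads, and elsewhere this commit drops the `semodule ... -d` step that used to disable the non-base ones. A system that had only `selinux-policy` installed therefore appears to gain the full module set, enabled, on upgrade; that would include `unconfined`, which was `unconfined = module` in the old modules_targeted.conf. The changelog describes the new ability to disable modules but not this change in what is loaded by default. I would record it in a comment above this entry, e.g. `# All policy modules ship enabled in this package; use semodule -d to disable individual ones.`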
@@ -138,18 +138,17 @@ Requires: selinux-policy = %{version}-%{release} Requires(pre): selinux-policy = %{version}-%{release} %description modules -Additional SELinux policy modules +Additional SELinux policy modules -- deprecated: all policy modules are now +in selinux-policy. This package will be removed in Azure Linux 4.0. %files modules -%{_sharedstatedir}/selinux/%{policy_name}/active/modules/100/* -%exclude %{_sharedstatedir}/selinux/%{policy_name}/active/modules/100/base -%exclude %{_sharedstatedir}/selinux/%{policy_name}/active/modules/disabled %package devel Summary: SELinux policy devel Requires: %{_bindir}/make Requires: checkpolicy >= %{CHECKPOLICYVER} Requires: m4 +Requires: selinux-policy = %{version}-%{release} Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER} %description devel 
@@ -190,18 +189,12 @@ install -m0644 %{_sourcedir}/modules_%{1}.conf policy/modules.conf \ %make_build UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} %{common_makeopts} conf \ install -m0644 %{_sourcedir}/booleans_%{1}.conf policy/booleans.conf -# After all the modules are inserted into the module store, the non-base -# modules are disabled so the selinux-policy package only has the base module. -# The selinux-policy-modules RPM then drops the disable flags using %exclude -# in the %files section so the entire policy is enabled when the -# selinux-policy-modules RPM is installed. %define installCmds() \ %make_build UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} %{common_makeopts} base.pp \ %make_build validate UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} %{common_makeopts} modules \ make UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} %{common_makeopts} install \ make UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} %{common_makeopts} install-appconfig \ make UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} SEMODULE="semodule -p %{buildroot} -X 100 " load \ -semodule -p %{buildroot} -l | grep -v base | xargs semodule -p %{buildroot} -d \ mkdir -p %{buildroot}/%{_sysconfdir}/selinux/%{1}/logins \ touch %{buildroot}%{_sysconfdir}/selinux/%{1}/contexts/files/file_contexts.subs \ install -m0644 config/appconfig-%{2}/securetty_types %{buildroot}%{_sysconfdir}/selinux/%{1}/contexts/securetty_types \ @@ -314,11 +307,6 @@ fi %postInstall $1 %{policy_name} exit 0 -%post modules -%{_sbindir}/semodule -B -n -s %{policy_name} -[ "${SELINUXTYPE}" == "%{policy_name}" ] && selinuxenabled && load_policy -exit 0 - %postun if [ $1 = 0 ]; then setenforce 0 2> /dev/null 
@@ -337,6 +325,11 @@ exit 0 selinuxenabled && semodule -nB exit 0 %changelog +* Mon Aug 13 2024 Chris PeBenito - 2.20240226-7 +- Change policy composition so the base module only consits of policy modules + that must be in the base. This will allow dowstream users to disable or + override the individual policy modules. + * Thu Jul 18 2024 Chris PeBenito - 2.20240226-6 - Drop rules that are specific to AzureLinux testing systems. - Add fix for systemd-machine-id-setup CAP_DAC_OVERRIDE use. diff --git a/SPECS/supermin/supermin.spec b/SPECS/supermin/supermin.spec index f7de7ce73b6..7f17e9f8235 100644 --- a/SPECS/supermin/supermin.spec +++ b/SPECS/supermin/supermin.spec @@ -21,7 +21,7 @@ Summary: Tool for creating supermin appliances Name: supermin Version: 5.3.4 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -54,7 +54,7 @@ BuildRequires: systemd-udev %if %{with dietlibc} BuildRequires: dietlibc-devel %else -BuildRequires: glibc-static >= 2.38-6%{?dist} +BuildRequires: glibc-static >= 2.38-7%{?dist} %endif %if 0%{?with_check} @@ -129,6 +129,9 @@ make check || { %{_rpmconfigdir}/supermin-find-requires %changelog +* Wed Aug 21 2024 Chris Co - 5.3.4-2 +- Bump to rebuild with updated glibc + * Tue May 28 2024 Mykhailo Bykhovtsev - 5.3.4-1 - Upgrade to version 5.3.4 to support building using ocaml 5.1.1 - Fixed patch for the test suite diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec index c86e2714733..1078dad2bce 100644 --- a/SPECS/systemd/systemd.spec +++ b/SPECS/systemd/systemd.spec @@ -50,7 +50,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 16%{?dist} +Release: 17%{?dist} # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore %global stable 1 
@@ -122,10 +122,17 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # Drop when dracut-060 is available. Patch0001: https://github.com/systemd/systemd/pull/26494.patch - # Those are downstream-only patches, but we don't want them in packit builds: # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 -Patch0490: use-bfq-scheduler.patch +%if 0%{?azl} +# On Azure, it is recommended to use an i/o scheduler that passes the scheduling +# decisions to the underlying Hyper-V hypervisor. In our case, we should use +# the "none" scheduler, which is also ideal for fast random I/O devices like +# NVMe. So we update Fedora's bfq patch to change the udev rule to select "none" +# instead of Fedora's default Budget Fair Queuing (bfq) and rename the patch +# from referencing "bfq" to "none". +Patch0490: use-none-scheduler.patch +%endif # Adjust upstream config to use our shared stack # NOTE: the patch was based on the fedora patch, but renamed to @@ -1202,6 +1209,9 @@ rm -f %{name}.lang # %autochangelog. So we need to continue manually maintaining the # changelog here. %changelog +* Fri Aug 23 2024 Chris Co - 255-17 +- Change bfq scheduler patch to select "none" i/o scheduler + * Wed Jul 10 2024 Thien Trung Vuong - 255-16 - Update tag to build systemd-boot exclusively on x86_64 diff --git a/SPECS/systemd/use-bfq-scheduler.patch b/SPECS/systemd/use-none-scheduler.patch similarity index 83% rename from SPECS/systemd/use-bfq-scheduler.patch rename to SPECS/systemd/use-none-scheduler.patch index 6ad5e5d32d8..f8bb44894d9 100644 --- a/SPECS/systemd/use-bfq-scheduler.patch +++ b/SPECS/systemd/use-none-scheduler.patch @@ -3,6 +3,14 @@ 
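Review bot: The new comment gives NVMe as part of the reason for selecting `none`, but the udev rule in the renamed patch matches only the `mmcblk*`, `msblk*`, `mspblk*`, `sd*` and `sr*` kernel names, so as far as the visible rule shows NVMe devices are not touched by it. The patch's own `Subject:` line also still reads `udev: use bfq as the default scheduler`. I would trim the comment to what the rule does, e.g. `# Select the "none" i/o scheduler for sd/mmc/sr disks so scheduling is left to the Hyper-V host.`, and state that when `%{?azl}` is unset no scheduler patch is applied at all.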
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 14 Aug 2019 15:57:42 +0200 Subject: [PATCH] udev: use bfq as the default scheduler +NOTE change for azurelinux: + +This patch from Fedora has been renamed from "bfq" to "none" and adjusted +to set the udev rule's i/o scheduler from "bfq" to "none" which is the +preferred default i/o scheduler in Azure VMs and for NVMe drives. + +Original Fedora commit message below: + As requested in https://bugzilla.redhat.com/show_bug.cgi?id=1738828. Test results are that bfq seems to behave better and more consistently on typical hardware. The kernel does not have a configuration option to set @@ -25,7 +33,7 @@ index 0000000000..850b64540e + +ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", \ + KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \ -+ ATTR{queue/scheduler}="bfq" ++ ATTR{queue/scheduler}="none" diff --git a/rules.d/meson.build b/rules.d/meson.build index 20fca222da..94fee9d7c0 100644 --- a/rules.d/meson.build diff --git a/SPECS/tdnf/tdnf.spec b/SPECS/tdnf/tdnf.spec index bc562af1d37..b16ba2a02a7 100644 --- a/SPECS/tdnf/tdnf.spec +++ b/SPECS/tdnf/tdnf.spec @@ -5,7 +5,7 @@ Summary: dnf equivalent using C libs Name: tdnf Version: 3.5.6 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2.1 AND GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -25,6 +25,10 @@ Patch3: tdnf-printf-fix.patch # Patch to be removed once we upgrade to a version of tdnf which contains the upstream fix # https://github.com/vmware/tdnf/commit/5311b5ed0867a40ceb71b89358d70290bc2d0c51 Patch4: tdnf-sqlite-library.patch + +# Patch in vitual snapshot +Patch5: virtual-repo-snapshot.patch + #Cmake requires binutils BuildRequires: binutils BuildRequires: cmake 
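Review bot: The comment on `Patch5`, `# Patch in vitual snapshot`, has a typo and, unlike the comment on `Patch4` just above it, gives no upstream reference or removal condition. The patch's diffstat shows 878 insertions across repo loading and metadata parsing, so its origin and lifetime are worth recording. Suggest `# Adds the snapshottime option (virtual repo snapshots); <upstream PR or "downstream-only">; drop when <condition>.`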
@@ -215,6 +219,9 @@ fi /%{_lib}/systemd/system/tdnf* %changelog +* Fri Jul 26 2024 Sam Meluch - 3.5.6-2 +- Add tdnf virtual repo snapshots + * Mon Feb 26 2024 Sam Meluch - 3.5.6-1 - Upgrade tdnf to version 3.5.6 for Azure Linux 3.0 - Remove patches which are no longer needed diff --git a/SPECS/tdnf/virtual-repo-snapshot.patch b/SPECS/tdnf/virtual-repo-snapshot.patch new file mode 100644 index 00000000000..368e62f65f1 --- /dev/null +++ b/SPECS/tdnf/virtual-repo-snapshot.patch 
@@ -0,0 +1,1135 @@ +From bed541b7ceafaf75f67911ef64e231569b8eec84 Mon Sep 17 00:00:00 2001 +From: Sam Meluch +Date: Tue, 30 Apr 2024 13:56:44 -0700 +Subject: [PATCH] Add virtual repo snapshot feature to tdnf + +--- + client/config.c | 5 + + client/prototypes.h | 3 +- + client/repo.c | 50 +- + common/config.h | 1 + + etc/bash_completion.d/tdnf-completion.bash | 2 +- + include/tdnferror.h | 9 + + include/tdnftypes.h | 2 + + solv/defines.h | 29 + + solv/includes.h | 6 +- + solv/prototypes.h | 3 +- + solv/tdnfrepo.c | 783 ++++++++++++++++++++- + tools/cli/lib/help.c | 1 + + tools/cli/lib/parseargs.c | 1 + + 13 files changed, 878 insertions(+), 17 deletions(-) + +diff --git a/client/config.c b/client/config.c +index 8ddcc7a..805fff1 100644 +--- a/client/config.c ++++ b/client/config.c +@@ -85,6 +85,7 @@ TDNFReadConfig( + pConf->nInstallOnlyLimit = 1; + pConf->nCleanRequirementsOnRemove = 0; + pConf->nKeepCache = 0; ++ pConf->pszSnapshotTime = NULL; + pConf->nOpenMax = TDNF_DEFAULT_OPENMAX; + + register_ini(NULL); +@@ -122,6 +123,10 @@ TDNFReadConfig( + { + pConf->nInstallOnlyLimit = atoi(cn->value); + } ++ else if (strcmp(cn->name, TDNF_CONF_KEY_SNAPSHOT_TIME) == 0) ++ { ++ pConf->pszSnapshotTime = cn->value; //assumes your system's time_t is typedef long ++ } + else if (strcmp(cn->name, TDNF_CONF_KEY_CLEAN_REQ_ON_REMOVE) == 0) + { + pConf->nCleanRequirementsOnRemove = isTrue(cn->value); +diff --git a/client/prototypes.h b/client/prototypes.h +index bb7fba1..cb8a8d3 100644 +--- a/client/prototypes.h ++++ b/client/prototypes.h +@@ -586,7 +586,8 @@ uint32_t + TDNFInitRepoFromMetadata( + Repo *pRepo, + const char* pszRepoName, +- PTDNF_REPO_METADATA pRepoMD ++ PTDNF_REPO_METADATA pRepoMD, ++ char * pszSnapshotTime + ); + + uint32_t +diff --git a/client/repo.c b/client/repo.c +index b6073e2..0331796 100644 +--- a/client/repo.c ++++ b/client/repo.c +@@ -36,6 +36,8 @@ TDNFInitRepo( + Pool* pPool = NULL; + int nUseMetaDataCache = 0; + PSOLV_REPO_INFO_INTERNAL pSolvRepoInfo = 
NULL; ++ PTDNF_CMD_OPT pSetOpt = NULL; ++ char * pszSnapshotTime = NULL; + + if (!pTdnf || !pRepoData || !pSack || !pSack->pPool) + { +@@ -43,6 +45,21 @@ TDNFInitRepo( + BAIL_ON_TDNF_ERROR(dwError); + } + ++ // set local POSIX limit if conf or cmd line opt is present ++ if (pTdnf->pConf != NULL && pTdnf->pConf->pszSnapshotTime!= NULL) ++ { ++ pszSnapshotTime = pTdnf->pConf->pszSnapshotTime; ++ } ++ ++ // take command line over config if both are present ++ for (pSetOpt = pTdnf->pArgs->pSetOpt; pSetOpt; pSetOpt = pSetOpt->pNext) ++ { ++ if(strncmp(pSetOpt->pszOptName, TDNF_CONF_KEY_SNAPSHOT_TIME, strlen(TDNF_CONF_KEY_SNAPSHOT_TIME)) == 0) ++ { ++ pszSnapshotTime = pSetOpt->pszOptValue; ++ } ++ } ++ + pPool = pSack->pPool; + + dwError = TDNFGetCachePath(pTdnf, pRepoData, +@@ -82,20 +99,27 @@ TDNFInitRepo( + pRepo->appdata = pSolvRepoInfo; + + if (pRepoData->nHasMetaData) { +- dwError = SolvCalculateCookieForFile(pRepoMD->pszRepoMD, pSolvRepoInfo->cookie); +- BAIL_ON_TDNF_ERROR(dwError); +- pSolvRepoInfo->nCookieSet = 1; +- +- dwError = SolvUseMetaDataCache(pSack, pSolvRepoInfo, &nUseMetaDataCache); +- BAIL_ON_TDNF_ERROR(dwError); +- +- if (nUseMetaDataCache == 0) { +- dwError = TDNFInitRepoFromMetadata(pRepo, pRepoData->pszId, pRepoMD); ++ if (pszSnapshotTime != NULL) { ++ dwError = TDNFInitRepoFromMetadata(pRepo, pRepoData->pszId, pRepoMD, pszSnapshotTime); + BAIL_ON_TDNF_ERROR(dwError); ++ } else { ++ dwError = SolvCalculateCookieForFile(pRepoMD->pszRepoMD, pSolvRepoInfo->cookie); ++ BAIL_ON_TDNF_ERROR(dwError); ++ pSolvRepoInfo->nCookieSet = 1; + +- dwError = SolvCreateMetaDataCache(pSack, pSolvRepoInfo); ++ dwError = SolvUseMetaDataCache(pSack, pSolvRepoInfo, &nUseMetaDataCache); + BAIL_ON_TDNF_ERROR(dwError); ++ ++ //force load from repo if POSIX time limit is present ++ if (nUseMetaDataCache == 0) { ++ dwError = TDNFInitRepoFromMetadata(pRepo, pRepoData->pszId, pRepoMD, NULL); ++ BAIL_ON_TDNF_ERROR(dwError); ++ ++ dwError = SolvCreateMetaDataCache(pSack, 
pSolvRepoInfo); ++ BAIL_ON_TDNF_ERROR(dwError); ++ } + } ++ + } else { + dwError = SolvReadRpmsFromDirectory(pRepo, pRepoData->ppszBaseUrls[0]); + BAIL_ON_TDNF_ERROR(dwError); +@@ -135,7 +159,8 @@ uint32_t + TDNFInitRepoFromMetadata( + Repo *pRepo, + const char* pszRepoName, +- PTDNF_REPO_METADATA pRepoMD ++ PTDNF_REPO_METADATA pRepoMD, ++ char * pszSnapshotTime + ) + { + uint32_t dwError = 0; +@@ -152,7 +177,8 @@ TDNFInitRepoFromMetadata( + pRepoMD->pszPrimary, + pRepoMD->pszFileLists, + pRepoMD->pszUpdateInfo, +- pRepoMD->pszOther); ++ pRepoMD->pszOther, ++ pszSnapshotTime); + cleanup: + return dwError; + +diff --git a/common/config.h b/common/config.h +index 222a448..364f7ec 100644 +--- a/common/config.h ++++ b/common/config.h +@@ -19,6 +19,7 @@ + //Conf file key names + #define TDNF_CONF_KEY_GPGCHECK "gpgcheck" + #define TDNF_CONF_KEY_INSTALLONLY_LIMIT "installonly_limit" ++#define TDNF_CONF_KEY_SNAPSHOT_TIME "snapshottime" + #define TDNF_CONF_KEY_CLEAN_REQ_ON_REMOVE "clean_requirements_on_remove" + #define TDNF_CONF_KEY_REPODIR "repodir" // typo, keep for back compatibility + #define TDNF_CONF_KEY_REPOSDIR "reposdir" +diff --git a/etc/bash_completion.d/tdnf-completion.bash b/etc/bash_completion.d/tdnf-completion.bash +index 4e48040..3f310d4 100644 +--- a/etc/bash_completion.d/tdnf-completion.bash ++++ b/etc/bash_completion.d/tdnf-completion.bash +@@ -92,7 +92,7 @@ _tdnf() + { + local c=0 cur __opts __cmds + COMPREPLY=() +- __opts="--assumeno --assumeyes --cacheonly --debugsolver --disableexcludes --disableplugin --disablerepo --downloaddir --downloadonly --enablerepo --enableplugin --exclude --installroot --noautoremove --nogpgcheck --noplugins --quiet --reboot --refresh --releasever --repo --repofrompath --repoid --rpmverbosity --security --sec --setopt --skip --skipconflicts --skipdigest --skipsignature --skipobsoletes --testonly --version --available --duplicates --extras --file --installed --whatdepends --whatrequires --whatenhances --whatobsoletes 
--whatprovides --whatrecommends --whatrequires --whatsuggests --whatsupplements --depends --enhances --list --obsoletes --provides --recommends --requires --requires --suggests --source --supplements --arch --delete --download --download --gpgcheck --metadata --newest --norepopath --source --urls" ++ __opts="--assumeno --assumeyes --cacheonly --debugsolver --disableexcludes --disableplugin --disablerepo --downloaddir --downloadonly --enablerepo --enableplugin --snapshottime --exclude --installroot --noautoremove --nogpgcheck --noplugins --quiet --reboot --refresh --releasever --repo --repofrompath --repoid --rpmverbosity --security --sec --setopt --skip --skipconflicts --skipdigest --skipsignature --skipobsoletes --testonly --version --available --duplicates --extras --file --installed --whatdepends --whatrequires --whatenhances --whatobsoletes --whatprovides --whatrecommends --whatrequires --whatsuggests --whatsupplements --depends --enhances --list --obsoletes --provides --recommends --requires --requires --suggests --source --supplements --arch --delete --download --download --gpgcheck --metadata --newest --norepopath --source --urls" + __cmds="autoerase autoremove check check-local check-update clean distro-sync downgrade erase help history info install list makecache mark provides whatprovides reinstall remove repolist repoquery reposync search update update-to updateinfo upgrade upgrade-to" + cur="${COMP_WORDS[COMP_CWORD]}" + _tdnf__process_if_prev_is_option && return 0 +diff --git a/include/tdnferror.h b/include/tdnferror.h +index c9349a0..02b8d4c 100644 +--- a/include/tdnferror.h ++++ b/include/tdnferror.h +@@ -187,6 +187,15 @@ extern "C" { + #define ERROR_TDNF_HISTORY_ERROR 1801 + #define ERROR_TDNF_HISTORY_NODB 1802 + ++#define ERROR_TDNF_TIME_FILTER_BASE 1900 ++// filter MEMORY ++#define ERROR_TDNF_TIME_FILTER_MEMORY (ERROR_TDNF_TIME_FILTER_BASE + 1) ++// filter parsing error ++#define ERROR_TDNF_TIME_FILTER_PARSE (ERROR_TDNF_TIME_FILTER_BASE + 2) ++// 
filter IO error ++#define ERROR_TDNF_TIME_FILTER_IO (ERROR_TDNF_TIME_FILTER_BASE + 3) ++// filter general error ++# define ERROR_TDNF_TIME_FILTER_GENERAL (ERROR_TDNF_TIME_FILTER_BASE + 4) + + #define ERROR_TDNF_PLUGIN_BASE 2000 + +diff --git a/include/tdnftypes.h b/include/tdnftypes.h +index a806010..f371430 100644 +--- a/include/tdnftypes.h ++++ b/include/tdnftypes.h +@@ -9,6 +9,7 @@ + #pragma once + + #include ++#include + + #ifdef __cplusplus + extern "C" { +@@ -257,6 +258,7 @@ typedef struct _TDNF_CONF + int nCheckUpdateCompat; + int nDistroSyncReinstallChanged; + char* pszRepoDir; ++ char* pszSnapshotTime; + char* pszCacheDir; + char* pszPersistDir; + char* pszProxy; +diff --git a/solv/defines.h b/solv/defines.h +index 38f5ab1..ddb3355 100644 +--- a/solv/defines.h ++++ b/solv/defines.h +@@ -18,4 +18,33 @@ + } \ + } while(0) + ++typedef struct { ++ // frequently changed values ++ char * pszElementBuffer; ++ int nBufferLen; ++ int nInPackage; ++ int nPrintPackage; ++ int nTimeFound; ++ ++ // managed values ++ int nBufferMaxLen; ++ int nDepth; ++ int nPrevElement; // enum 0 -> start, 1 -> data, 2 -> end ++ ++ //set and forget on creation ++ time_t nSearchTime; ++ FILE * pbOutfile; ++} TDNFFilterData; ++ ++#define TDNF_MAX_FILTER_INPUT_THRESHOLD 500000000 ++#define TDNF_DEFAULT_TIME_FILTER_BUFF_SIZE 16000 ++ ++#define BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError) \ ++ do { \ ++ if (dwError) \ ++ { \ ++ goto error; \ ++ } \ ++ } while(0) ++ + #endif /* __SOLV_DEFINES_H__ */ +diff --git a/solv/includes.h b/solv/includes.h +index 2ab0c5c..1e39ecb 100644 +--- a/solv/includes.h ++++ b/solv/includes.h +@@ -10,7 +10,6 @@ + #include + #include + #include +-#include + #include + + // libsolv +@@ -44,4 +43,9 @@ + #include "../history/history.h" + #include "prototypes.h" + ++#include ++#include ++#include ++#include ++ + #endif /* __SOLV_INCLUDES_H__ */ +diff --git a/solv/prototypes.h b/solv/prototypes.h +index 2633b5e..6ac68fd 100644 +--- a/solv/prototypes.h ++++ 
b/solv/prototypes.h +@@ -517,7 +517,8 @@ SolvReadYumRepo( + const char *pszPrimary, + const char *pszFilelists, + const char *pszUpdateinfo, +- const char *pszOther ++ const char *pszOther, ++ const char *pszSnapshotTime + ); + + uint32_t +diff --git a/solv/tdnfrepo.c b/solv/tdnfrepo.c +index c27b907..fec3ba7 100644 +--- a/solv/tdnfrepo.c ++++ b/solv/tdnfrepo.c +@@ -9,6 +9,766 @@ + + #include "includes.h" + ++// #### XML FILTER CODE #### ++ ++/*** ++* Resize the buffer specified by ppszCharBuffer and update pnBufferMaxLen ++* to the length of the newly resized buffer if the nLengthToAdd would overflow ++* the buffer. ++***/ ++uint32_t ++checkAndResizeBuffer(char ** ppszCharBuffer, int * pnBufferMaxLen, int nLengthToAdd) { ++ uint32_t dwError = 0; ++ char * pszTempCharBuffer = NULL; ++ if (ppszCharBuffer == NULL || *ppszCharBuffer == NULL || pnBufferMaxLen == NULL || *pnBufferMaxLen <= 0 || nLengthToAdd < 0) { ++ dwError = ERROR_TDNF_TIME_FILTER_GENERAL; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ // calculate new max length ++ int nTempMaxLen = *pnBufferMaxLen; ++ int nBufferContentLen = strlen(*ppszCharBuffer); ++ while (nBufferContentLen + nLengthToAdd + 1 >= nTempMaxLen) ++ { ++ nTempMaxLen *= 2; ++ } ++ if (nTempMaxLen >= TDNF_MAX_FILTER_INPUT_THRESHOLD) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_GENERAL; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ // only realloc if the size changed ++ if (nTempMaxLen != *pnBufferMaxLen) ++ { ++ pszTempCharBuffer = realloc(*ppszCharBuffer, nTempMaxLen); ++ if (!pszTempCharBuffer) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_MEMORY; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ //set expanded char buffer ++ *ppszCharBuffer = pszTempCharBuffer; ++ *pnBufferMaxLen = nTempMaxLen; ++ } ++ ++cleanup: ++ return dwError; ++error: ++ pr_err("An error occurred during buffer resizing with the following code: %u\n", dwError); ++ goto cleanup; ++} ++ ++/*** ++* allocate a new string in ppszDestStr location with the 
linted description, ++* all '&', '<', and '>' characters will be replaced with the xml escape ++* character versions of each in line. ++***/ ++uint32_t ++xmlEscapeCharLinter(const char * pszStringToEscape, char ** ppszDestStr) { ++ uint32_t dwError = 0; ++ const char * amp = "&"; ++ const char * gt = ">"; ++ const char * lt = "<"; ++ ++ if (pszStringToEscape == NULL || ppszDestStr == NULL) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_GENERAL; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ // allocate new string for linted string ++ int nStrToLintLen = (strlen(pszStringToEscape) + 1); // add one for null char ++ char * pszLintedStr = malloc(nStrToLintLen * sizeof(char)); ++ if (!pszLintedStr) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_MEMORY; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ bzero(pszLintedStr, nStrToLintLen * sizeof(char)); ++ int nOffset = 0; ++ int nLintedSize = nStrToLintLen; ++ ++ // Loop through string to lint looking for chars in need of escaping ++ for (int i = 0; i < nStrToLintLen; i++) ++ { ++ char * pszCharToAdd = NULL; ++ int nAddStrlen = 1; ++ // check current char for escape character ++ switch (pszStringToEscape[i]) ++ { ++ case '&': ++ pszCharToAdd = amp; ++ break; ++ case '>': ++ pszCharToAdd = gt; ++ break; ++ case '<': ++ pszCharToAdd = lt; ++ break; ++ } ++ ++ //resize buffer if needed ++ if (pszCharToAdd != NULL) ++ { ++ nAddStrlen = strlen(pszCharToAdd); ++ } ++ dwError = checkAndResizeBuffer(&pszLintedStr, &nLintedSize, nAddStrlen); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ // add linted char ++ if (pszCharToAdd == NULL) ++ { ++ pszLintedStr[i + nOffset] = pszStringToEscape[i]; ++ } ++ else ++ { ++ strcat(pszLintedStr, pszCharToAdd); ++ nOffset += nAddStrlen - 1; // minus 1 to account for the original space used by the character ++ } ++ } ++ ++ // set Dest to linted string if all done ++ *ppszDestStr = pszLintedStr; ++ ++cleanup: ++ return dwError; ++error: ++ pr_err("An error occurred 
during escape character linting with the following code: %u\n", dwError); ++ goto cleanup; ++} ++ ++/*** ++* allocate a new buffer to location pszElementBuffer of the size ++* nElementBufferMax or greater (in the case resizing is needed). ++* a formatted start element with the name and attrs specified will be ++* placed in the newly allocated buffer. ++***/ ++uint32_t ++addElementStartToBuffer(char ** pszElementBuffer, int * nElementBufferMax, const char * pszElementName, const char ** ppszAttrs) { ++ uint32_t dwError = 0; ++ ++ if (pszElementBuffer == NULL || nElementBufferMax == NULL || *nElementBufferMax < 0) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_GENERAL; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ // set default buffer max length ++ if (*nElementBufferMax == 0) ++ { ++ *nElementBufferMax = TDNF_DEFAULT_TIME_FILTER_BUFF_SIZE; ++ } ++ *pszElementBuffer = malloc(*nElementBufferMax * sizeof(char)); ++ ++ char * pszLintedAttrVal = NULL; ++ char * pszTempBuffer = NULL; ++ dwError = checkAndResizeBuffer(pszElementBuffer, nElementBufferMax, strlen(pszElementName) + 2); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ sprintf(*pszElementBuffer, "<%s", pszElementName); ++ for (int i = 0; ppszAttrs[i]; i += 2) ++ { ++ dwError = xmlEscapeCharLinter(ppszAttrs[i+1], &pszLintedAttrVal); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ int nTempBufferLen = strlen(pszLintedAttrVal) + strlen(ppszAttrs[i]) + 5; ++ dwError = checkAndResizeBuffer(pszElementBuffer, nElementBufferMax, nTempBufferLen); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ pszTempBuffer = malloc(sizeof(char) * nTempBufferLen); ++ if (!pszTempBuffer) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_MEMORY; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ sprintf(pszTempBuffer, " %s=\"%s\"", ppszAttrs[i], pszLintedAttrVal); ++ strcat(*pszElementBuffer, pszTempBuffer); ++ ++ // free temp variables ++ free(pszTempBuffer); ++ 
pszTempBuffer = NULL; ++ free(pszLintedAttrVal); ++ pszLintedAttrVal = NULL; ++ } ++ strcat(*pszElementBuffer, ">"); ++ ++cleanup: ++ if (pszLintedAttrVal) ++ { ++ free(pszLintedAttrVal); ++ } ++ if (pszTempBuffer) ++ { ++ free(pszTempBuffer); ++ } ++ return dwError; ++error: ++ pr_err("An error occurred during start element generation with the following code: %u\n", dwError); ++ goto cleanup; ++} ++ ++/*** ++ * ++ ***/ ++uint32_t ++addElementEndToBuffer(char ** pszElementBuffer, int * nElementBufferMaxLen, const char * pszElementName) { ++ uint32_t dwError = 0; ++ if (pszElementBuffer == NULL || nElementBufferMaxLen == NULL || *nElementBufferMaxLen < 0) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_GENERAL; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ if (*nElementBufferMaxLen == 0 ) ++ { ++ *nElementBufferMaxLen = TDNF_DEFAULT_TIME_FILTER_BUFF_SIZE; ++ } ++ *pszElementBuffer = malloc(*nElementBufferMaxLen * sizeof(char)); ++ ++ dwError = checkAndResizeBuffer(pszElementBuffer, nElementBufferMaxLen, strlen(pszElementName) + 4); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ sprintf(*pszElementBuffer, "", pszElementName); ++ ++cleanup: ++ return dwError; ++error: ++ pr_err("An error occurred during end element generation with the following code: %u\n", dwError); ++ goto cleanup; ++} ++ ++/*** ++ * ++ ***/ ++uint32_t ++printElementStartToFile(FILE * pbOutfile, const char * pszElementName, const char ** ppszAttrs) { ++ uint32_t dwError = 0; ++ if (pbOutfile == NULL) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_GENERAL; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ int nStartElementBufferLength = TDNF_DEFAULT_TIME_FILTER_BUFF_SIZE; ++ char * pszStartElement = NULL; ++ ++ dwError = addElementStartToBuffer(&pszStartElement, &nStartElementBufferLength, pszElementName, ppszAttrs); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ fprintf(pbOutfile, "%s", pszStartElement); ++ if (ferror(pbOutfile)) ++ { ++ dwError = 
ERROR_TDNF_TIME_FILTER_IO; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++cleanup: ++ if (pszStartElement) ++ { ++ free(pszStartElement); ++ } ++ return dwError; ++error: ++ pr_err("An error occurred during start element printing with the following code: %u\n", dwError); ++ goto cleanup; ++} ++ ++/*** ++ * ++ ***/ ++uint32_t ++printElementEndToFile(FILE * pbOutfile, const char * pszElementName) { ++ uint32_t dwError = 0; ++ if (pbOutfile == NULL) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_GENERAL; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ int nEndElementBufferLength = TDNF_DEFAULT_TIME_FILTER_BUFF_SIZE; ++ char * pszEndElement = NULL; ++ ++ dwError = addElementEndToBuffer(&pszEndElement, &nEndElementBufferLength, pszElementName); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ fprintf(pbOutfile, "%s", pszEndElement); ++ if (ferror(pbOutfile)) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_IO; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++cleanup: ++ if (pszEndElement) ++ { ++ free(pszEndElement); ++ } ++ return dwError; ++error: ++ pr_err("An error occurred during end element printing with the following code: %u\n", dwError); ++ goto cleanup; ++} ++ ++/*** ++ * ++ ***/ ++void ++TDNFFilterStartElement(void *userData, const char * name, const char ** attrs) { ++ uint32_t dwError = 0; ++ char * pszStartElementBuffer = NULL; ++ // load tracking data ++ TDNFFilterData * pTracking = (TDNFFilterData *)userData; ++ int nAddNewLineAfterStart = pTracking->nPrevElement == 0; ++ char szNewLineBuffer[2]; ++ if (nAddNewLineAfterStart) ++ { ++ sprintf(szNewLineBuffer, "\n"); ++ } ++ else ++ { ++ bzero(szNewLineBuffer, sizeof(szNewLineBuffer)); // don't assume memory zero'd ++ } ++ ++ // increment depth ++ pTracking->nDepth += 1; ++ pTracking->nPrevElement = 0; ++ ++ // new package to parse or currently parsing package info ++ if (strcmp(name, "package") == 0 || pTracking->nInPackage) ++ { ++ pTracking->nInPackage = 1; ++ ++ // already 
found/checked time ++ if (pTracking->nTimeFound && pTracking->nPrintPackage) ++ { ++ fprintf(pTracking->pbOutfile, "%s", szNewLineBuffer); ++ if (ferror(pTracking->pbOutfile)) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_IO; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ dwError = printElementStartToFile(pTracking->pbOutfile, name, attrs); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ } ++ else ++ { // still checking for time ++ if (strcmp(name, "time") == 0) ++ { ++ // time found ++ // validate file POSIX time ++ for (int i = 0; attrs[i]; i += 2) ++ { ++ if (strcmp(attrs[i], "file") == 0) ++ { ++ // file time is the time the package is published to the repo ++ // when this is less than our search time, allow the package to be ++ // printed to the temp repo file, otherwise the current package ++ // can be discarded. ++ errno = 0; ++ char * pszSnapshotTimeEnd = NULL; ++ long nCurrentPackageTime = strtoll(attrs[i+1], pszSnapshotTimeEnd, 10); ++ if (errno || pszSnapshotTimeEnd == attrs[i+1]) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_PARSE; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ pTracking->nPrintPackage = (nCurrentPackageTime <= pTracking->nSearchTime); ++ pTracking->nTimeFound = 1; ++ break; ++ } ++ } ++ if (pTracking->nPrintPackage) ++ { ++ // print buffer when time is found ++ fprintf(pTracking->pbOutfile, "%s", pTracking->pszElementBuffer); ++ if (ferror(pTracking->pbOutfile)) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_IO; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ fprintf(pTracking->pbOutfile, "%s", szNewLineBuffer); ++ if (ferror(pTracking->pbOutfile)) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_IO; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ // print time element ++ dwError = printElementStartToFile(pTracking->pbOutfile, name, attrs); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ } ++ } ++ else if (!pTracking->nTimeFound) ++ { ++ // if we haven't found a time yet, the element 
must be stored ++ // add to file buffer ++ int nStartElementBufferSize = TDNF_DEFAULT_TIME_FILTER_BUFF_SIZE; ++ pszStartElementBuffer = NULL; ++ ++ dwError = addElementStartToBuffer(&pszStartElementBuffer, &nStartElementBufferSize, name, attrs); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ int nLenToAdd = strlen(pszStartElementBuffer); ++ nLenToAdd += strlen(szNewLineBuffer); // +1 if newLine character present ++ ++ dwError = checkAndResizeBuffer(&pszStartElementBuffer, &nStartElementBufferSize, strlen(szNewLineBuffer)); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ strcat(pszStartElementBuffer, szNewLineBuffer); ++ ++ dwError = checkAndResizeBuffer(&(pTracking->pszElementBuffer), &(pTracking->nBufferMaxLen), nLenToAdd); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ strcat(pTracking->pszElementBuffer, pszStartElementBuffer); ++ } ++ } ++ } ++ else ++ { // not in a package or parsing a new package ++ fprintf(pTracking->pbOutfile, "%s", szNewLineBuffer); ++ if (ferror(pTracking->pbOutfile)) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_IO; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ // output line ++ dwError = printElementStartToFile(pTracking->pbOutfile, name, attrs); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ } ++cleanup: ++ if (pszStartElementBuffer) ++ { ++ free(pszStartElementBuffer); ++ } ++ return; ++error: ++ pr_err("An error occurred during start element parsing with the following code: %u\n", dwError); ++ goto cleanup; ++} ++ ++/*** ++ * ++ ***/ ++void ++TDNFFilterEndElement(void * userData, const char * name) { ++ uint32_t dwError = 0; ++ char * pszElementBuffer = NULL; ++ // load tracking data ++ TDNFFilterData * pTracking = (TDNFFilterData *)userData; ++ ++ // decrement depth ++ pTracking->nDepth -= 1; ++ pTracking->nPrevElement = 2; ++ ++ if (!pTracking->nInPackage || pTracking->nPrintPackage) ++ { ++ // print end element to file ++ dwError 
= printElementEndToFile(pTracking->pbOutfile, name); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ } ++ else if (pTracking->nInPackage && !pTracking->nTimeFound) ++ { ++ int nEndElementBufferLen = TDNF_DEFAULT_TIME_FILTER_BUFF_SIZE; ++ pszElementBuffer = NULL; ++ ++ // add end element to buffer ++ dwError = addElementEndToBuffer(&pszElementBuffer, &nEndElementBufferLen, name); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ int nEndElementLen = strlen(pszElementBuffer); ++ ++ dwError = checkAndResizeBuffer(&(pTracking->pszElementBuffer), &(pTracking->nBufferMaxLen), nEndElementLen); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ strcat(pTracking->pszElementBuffer, pszElementBuffer); ++ ++ } // else do nothing ++ ++ if (strcmp(name, "package") == 0) ++ { // on end package, reset tracking function ++ // reset userData ++ pTracking->nBufferLen = 0; ++ bzero(pTracking->pszElementBuffer, pTracking->nBufferMaxLen); ++ pTracking->nInPackage = 0; ++ pTracking->nPrintPackage = 0; ++ pTracking->nTimeFound = 0; ++ } ++cleanup: ++ if (pszElementBuffer) ++ { ++ free(pszElementBuffer); ++ } ++ return; ++error: ++ pr_err("An error occurred during end element parsing with the following code: %u\n", dwError); ++ goto cleanup; ++} ++ ++/*** ++ * ++ ***/ ++void ++TDNFFilterCharDataHandler(void * userData, const char * content, int length) { ++ uint32_t dwError = 0; ++ // load tracking data ++ TDNFFilterData * pTracking = (TDNFFilterData *)userData; ++ pTracking->nPrevElement = 1; ++ ++ char * pszCharData = malloc((length + 1) * sizeof(char)); ++ if (!pszCharData) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_MEMORY; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ bzero(pszCharData, (length + 1) * sizeof(char)); ++ strncpy(pszCharData, content, length); ++ char * pszLintedCharData = NULL; ++ dwError = xmlEscapeCharLinter(pszCharData, &pszLintedCharData); ++ if (dwError) ++ { ++ 
BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ // check params ++ if (!pTracking->nInPackage || pTracking->nPrintPackage) ++ { ++ // print to file ++ fprintf(pTracking->pbOutfile, "%s", pszLintedCharData); ++ if (ferror(pTracking->pbOutfile)) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_IO; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ } ++ else if (pTracking->nInPackage && !pTracking->nTimeFound) ++ { ++ // add to buffer ++ dwError = checkAndResizeBuffer(&(pTracking->pszElementBuffer), &(pTracking->nBufferMaxLen), strlen(pszLintedCharData)); ++ if (dwError) ++ { ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ strcat(pTracking->pszElementBuffer, pszLintedCharData); ++ } // else do nothing (skipped package) ++ ++cleanup: ++ if (pszLintedCharData) ++ { ++ free(pszLintedCharData); ++ } ++ if (pszCharData) ++ { ++ free(pszCharData); ++ } ++ return; ++error: ++ pr_err("An error occurred during char data handling with the following code: %u\n", dwError); ++ goto cleanup; ++} ++ ++/*** ++ * ++ ***/ ++char * ++TDNFFilterFile(const char * pszInFilePath, const char * pszSnapshotTime) { ++ // vars ++ uint32_t dwError = 0; ++ TDNFFilterData pData; ++ bzero(&pData, sizeof(TDNFFilterData)); ++ time_t nSnapshotTime; ++ bzero(&nSnapshotTime, sizeof(time_t)); ++ XML_Parser bParser; ++ bzero(&bParser, sizeof(XML_Parser)); ++ FILE * pbInFile = NULL; ++ FILE * pbOutFile = NULL; ++ char pszTimeExtension[100]; ++ char * pszOutFilePath = NULL; ++ ++ // convert snapshot string to time for use by the parser and the temp file name ++ errno = 0; ++ char * pszSnapshotTimeEnd = NULL; ++ nSnapshotTime = strtoll(pszSnapshotTime, &pszSnapshotTimeEnd, 10); ++ if (errno || pszSnapshotTimeEnd == pszSnapshotTime) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_PARSE; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ //create output file ending ++ sprintf(pszTimeExtension, "-%lld.xml", nSnapshotTime); ++ ++ // find total extension length ++ int nInFileExtLen = 4; // len of ".xml" ++ char * 
pszFileExt = strrchr(pszInFilePath, '.'); ++ if (strcmp(pszFileExt, ".xml") != 0) ++ { ++ nInFileExtLen += strlen(pszFileExt); ++ } ++ ++ // calculate outfile length and allocate ++ int nInFileLen = strlen(pszInFilePath); ++ int nOutFileLen = (nInFileLen - nInFileExtLen) + strlen(pszTimeExtension) + 1; ++ pszOutFilePath = malloc(nOutFileLen * sizeof(char)); ++ if (!pszOutFilePath) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_MEMORY; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ bzero(pszOutFilePath, nOutFileLen * sizeof(char)); ++ ++ // use infile path + timestamp as new output file ++ strncpy(pszOutFilePath, pszInFilePath, nInFileLen - nInFileExtLen); // remove extension to be added with the name ++ strcat(pszOutFilePath, pszTimeExtension); ++ ++ // init vars, load files ++ pbInFile = solv_xfopen(pszInFilePath, "r"); ++ if (!pbInFile) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_IO; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ pbOutFile = fopen(pszOutFilePath, "w"); ++ if (!pbOutFile) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_IO; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ pData.nBufferMaxLen = TDNF_DEFAULT_TIME_FILTER_BUFF_SIZE; ++ pData.pszElementBuffer = (char *)malloc(pData.nBufferMaxLen * sizeof(char)); ++ if (!pData.pszElementBuffer) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_MEMORY; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ bzero(pData.pszElementBuffer, pData.nBufferMaxLen); ++ pData.pbOutfile = pbOutFile; ++ pData.nSearchTime = nSnapshotTime; ++ pData.nDepth = 0; ++ pData.nBufferLen = 0; ++ pData.nInPackage = 0; ++ pData.nPrintPackage = 0; ++ pData.nTimeFound = 0; ++ ++ //create parser ++ bParser = XML_ParserCreate(NULL); ++ if (!bParser) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_PARSE; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ XML_SetUserData(bParser, &pData); ++ XML_SetElementHandler(bParser, TDNFFilterStartElement, TDNFFilterEndElement); ++ XML_SetCharacterDataHandler(bParser, TDNFFilterCharDataHandler); ++ ++ //parse 
XML ++ fprintf(pbOutFile, "\n"); ++ if (ferror(pbOutFile)) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_IO; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ int nInputEof; ++ do ++ { ++ void * pszXMLParseBuffer = XML_GetBuffer(bParser, BUFSIZ); ++ if (!pszXMLParseBuffer) ++ { ++ fprintf(stderr, "Couldn't allocate memory for buffer\n"); ++ dwError = ERROR_TDNF_TIME_FILTER_MEMORY; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ const size_t len = fread(pszXMLParseBuffer, 1, BUFSIZ - 1, pbInFile); ++ ((char *)pszXMLParseBuffer)[len] = '\0'; ++ if (ferror(pbInFile)) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_IO; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ ++ nInputEof = feof(pbInFile); ++ ++ if (XML_ParseBuffer(bParser, (int)len, nInputEof) == XML_STATUS_ERROR) ++ { ++ fprintf(stderr, ++ "Parse error at line %lu:\n%s\n", ++ XML_GetCurrentLineNumber(bParser), ++ XML_ErrorString(XML_GetErrorCode(bParser))); ++ dwError = ERROR_TDNF_TIME_FILTER_PARSE; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ } while (!nInputEof); ++ ++cleanup: ++ if (pData.pszElementBuffer) { ++ free(pData.pszElementBuffer); ++ } ++ ++ if (bParser) ++ { ++ XML_ParserFree(bParser); ++ } ++ ++ if (pbOutFile) ++ { ++ fclose(pbOutFile); ++ } ++ ++ if (pbInFile) ++ { ++ fclose(pbInFile); ++ } ++ ++ return pszOutFilePath; ++error: ++ pr_err("An error occurred during snapshot filtering with the following code: %u\n", dwError); ++ goto cleanup; ++} ++// #### END XML SNAPSHOT FILTER CODE #### ++ + uint32_t + SolvLoadRepomd( + Repo* pRepo, +@@ -195,10 +955,14 @@ SolvReadYumRepo( + const char *pszPrimary, + const char *pszFilelists, + const char *pszUpdateinfo, +- const char *pszOther ++ const char *pszOther, ++ const char *pszSnapshotTime + ) + { + uint32_t dwError = 0; ++ // new vars for Filter ++ char * tempPrimaryRepoFile = NULL; ++ // end new vars + if(!pRepo || !pszRepoName || !pszRepomd || !pszPrimary) + { + dwError = ERROR_TDNF_INVALID_PARAMETER; +@@ -209,6 +973,18 @@ SolvReadYumRepo( + 
BAIL_ON_TDNF_LIBSOLV_ERROR(dwError); + + ++ // Run filter if option present ++ if (pszSnapshotTime != NULL){ ++ tempPrimaryRepoFile = TDNFFilterFile(pszPrimary, pszSnapshotTime); ++ if (tempPrimaryRepoFile == NULL) ++ { ++ dwError = ERROR_TDNF_TIME_FILTER_GENERAL; ++ BAIL_ON_TDNF_TIME_FILTER_ERROR(dwError); ++ } ++ pszPrimary = tempPrimaryRepoFile; ++ } ++ // End filter code ++ + dwError = SolvLoadRepomdPrimary(pRepo, pszPrimary); + BAIL_ON_TDNF_LIBSOLV_ERROR(dwError); + +@@ -232,6 +1008,11 @@ SolvReadYumRepo( + + + cleanup: ++ if(tempPrimaryRepoFile != NULL) ++ { ++ remove(tempPrimaryRepoFile); ++ free(tempPrimaryRepoFile); ++ } + + return dwError; + +diff --git a/tools/cli/lib/help.c b/tools/cli/lib/help.c +index bc4cf83..86c34e7 100644 +--- a/tools/cli/lib/help.c ++++ b/tools/cli/lib/help.c +@@ -23,6 +23,7 @@ static const char *help_msg = + " [--downloadonly]\n" + " [--enablerepo=]\n" + " [--enableplugin=]\n" ++ " [--snapshottime=]\n" + " [--exclude [file1,file2,...]]\n" + " [--installroot [path]]\n" + " [--noautoremove]\n" +diff --git a/tools/cli/lib/parseargs.c b/tools/cli/lib/parseargs.c +index 0558611..18c84fc 100644 +--- a/tools/cli/lib/parseargs.c ++++ b/tools/cli/lib/parseargs.c +@@ -70,6 +70,7 @@ static struct option pstOptions[] = + {"skipdigest", no_argument, 0, 0}, //--skipdigest to skip verifying RPM digest + {"skipobsoletes", no_argument, 0, 0}, //--skipobsoletes to skip obsolete problems + {"skipsignature", no_argument, 0, 0}, //--skipsignature to skip verifying RPM signatures ++ {"snapshottime",required_argument, 0, 0}, //--snapshottime + {"source", no_argument, &_opt.nSource, 1}, + {"testonly", no_argument, &_opt.nTestOnly, 1}, + {"verbose", no_argument, &_opt.nVerbose, 1}, //-v --verbose +-- +2.34.1 + diff --git a/SPECS/tini/tini.spec b/SPECS/tini/tini.spec index 376efe87741..14ed7bcdb14 100644 --- a/SPECS/tini/tini.spec +++ b/SPECS/tini/tini.spec 
@@ -1,7 +1,7 @@
 Summary: A tiny but valid init for containers
 Name: tini
 Version: 0.19.0
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -13,7 +13,7 @@ BuildRequires: diffutils
 BuildRequires: file
 BuildRequires: gcc
 BuildRequires: glibc-devel
-BuildRequires: glibc-static >= 2.38-6%{?dist}
+BuildRequires: glibc-static >= 2.38-7%{?dist}
 BuildRequires: kernel-headers
 BuildRequires: make
 BuildRequires: sed
@@ -66,6 +66,9 @@ ln -s %{_bindir}/tini-static %{buildroot}%{_bindir}/docker-init
 %{_bindir}/docker-init
 %changelog
+* Wed Aug 21 2024 Chris Co - 0.19.0-17
+- Bump to rebuild with updated glibc
+
 * Wed May 22 2024 Suresh Babu Chalamalasetty - 0.19.0-16
 - update to build dep latest glibc-static version
diff --git a/SPECS/tpm2-tss/tpm2-tss.signatures.json b/SPECS/tpm2-tss/tpm2-tss.signatures.json
index f6c5598289b..f763e40bf52 100644
--- a/SPECS/tpm2-tss/tpm2-tss.signatures.json
+++ b/SPECS/tpm2-tss/tpm2-tss.signatures.json
@@ -1,6 +1,5 @@
 {
 "Signatures": {
- "tpm2-tss-4.0.1.tar.gz": "532a70133910b6bd842289915b3f9423c0205c0ea009d65294ca18a74087c950",
- "tpm2-tss.sysusers": "14c0854c73c51bbcd6764fdafa29401f8292f5eaa8abac23899209a63fe2ed4c"
+ "tpm2-tss-4.0.2.tar.gz": "e5f9b6055c29cb8d653ec7576853ff3863aa65dbd9cf4b3638ae8e8e7ce968ea"
 }
 }
diff --git a/SPECS/tpm2-tss/tpm2-tss.spec b/SPECS/tpm2-tss/tpm2-tss.spec
index aa33d01be4f..073ec7cc1e6 100644
--- a/SPECS/tpm2-tss/tpm2-tss.spec
+++ b/SPECS/tpm2-tss/tpm2-tss.spec
@@ -1,7 +1,7 @@
 Summary: OSS implementation of the TCG TPM2 Software Stack (TSS2)
 Name: tpm2-tss
-Version: 4.0.1
-Release: 2%{?dist}
+Version: 4.0.2
+Release: 1%{?dist}
 License: BSD
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -90,6 +90,9 @@ fi
 %{_mandir}/man7
 %changelog
+- Fri Aug 09 2024 Sumedh Sharma - 4.0.2-1
+- Bump version to 4.0.2 to resolve CVE-2024-29040
+
 * Mon Jan 22 2024 Brian Fjeldstad - 4.0.1-2
 - Remove circular dependency that systemd-rpm-macros introduced.
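Review bot: The new %changelog entry header in the last tpm2-tss.spec hunk starts with `-` instead of `*` (`- Fri Aug 09 2024 Sumedh Sharma - 4.0.2-1`), so rpm will not recognise it as an entry header. Because it is the first line after `%changelog`, the spec will probably be rejected at parse time rather than merely showing a misattributed entry. It should read `* Fri Aug 09 2024 Sumedh Sharma - 4.0.2-1`, matching the `* Mon Jan 22 2024` entry below it. This release is the one that carries the CVE-2024-29040 fix, so a spec that fails to build would leave that fix unshipped.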
diff --git a/SPECS/unbound/CVE-2024-43168.patch b/SPECS/unbound/CVE-2024-43168.patch
new file mode 100644
index 00000000000..280dbee1d95
--- /dev/null
+++ b/SPECS/unbound/CVE-2024-43168.patch
@@ -0,0 +1,25 @@
+From 193401e7543a1e561dd634a3eaae932fa462a2b9 Mon Sep 17 00:00:00 2001
+From: zhailiangliang
+Date: Wed, 3 Apr 2024 15:40:58 +0800
+Subject: [PATCH] fix heap-buffer-overflow issue in function cfg_mark_ports of
+ file util/config_file.c
+
+---
+ util/config_file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/util/config_file.c b/util/config_file.c
+index 26185da02..e7b2f1959 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -1761,6 +1761,10 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ #endif
+ if(!mid) {
+ int port = atoi(str);
++ if(port < 0) {
++ log_err("Prevent out-of-bounds access to array avail");
++ return 0;
++ }
+ if(port == 0 && strcmp(str, "0") != 0) {
+ log_err("cannot parse port number '%s'", str);
+ return 0;
diff --git a/SPECS/unbound/unbound.spec b/SPECS/unbound/unbound.spec
index 3305650b3db..04a848145e2 100644
--- a/SPECS/unbound/unbound.spec
+++ b/SPECS/unbound/unbound.spec
@@ -1,7 +1,7 @@
 Summary: unbound dns server
 Name: unbound
 Version: 1.19.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -9,6 +9,7 @@ Group: System/Servers
 URL: https://nlnetlabs.nl/projects/unbound/about/
 Source0: https://github.com/NLnetLabs/%{name}/archive/release-%{version}.tar.gz#/%{name}-release-%{version}.tar.gz
 Source1: %{name}.service
+Patch0: CVE-2024-43168.patch
 BuildRequires: expat-devel
 BuildRequires: libevent-devel
 BuildRequires: python3-devel
@@ -96,6 +97,9 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
 %{_mandir}/*
 %changelog
+* Thu Aug 15 2024 Aadhar Agarwal - 1.19.1-2
+- Add patch to fix CVE-2024-43168
+
 * Mon Jul 08 2024 CBL-Mariner Servicing Account - 1.19.1-1
 - Auto-upgrade to 1.19.1 - CVE-2023-50387
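Review bot: The `port < 0` guard added in CVE-2024-43168.patch tests the result of `atoi(str)`, which cannot report overflow or trailing characters and has undefined behaviour when the value does not fit in an `int`, so the check is only as reliable as that conversion. Parsing with `strtol` and checking `errno` and the end pointer before the sign test would make the rejection dependable. The hunk covers only the single-port branch (`!mid`) and only the lower bound; the comparison against `num` and the range branch are outside the hunk, and both should be confirmed to bound the index into `avail` too. The new message does not tell the operator which value was rejected; `log_err("port number '%s' must not be negative", str);` would match the neighbouring parse error. Since this is a carried upstream patch, any change is probably best made upstream first.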
diff --git a/SPECS/vim/CVE-2024-43374.patch b/SPECS/vim/CVE-2024-43374.patch
new file mode 100644
index 00000000000..0687ccf6788
--- /dev/null
+++ b/SPECS/vim/CVE-2024-43374.patch
@@ -0,0 +1,282 @@ +From 0a6e57b09bc8c76691b367a5babfb79b31b770e8 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Thu, 15 Aug 2024 22:15:28 +0200 +Subject: [PATCH] patch 9.1.0678: [security]: use-after-free in alist_add() + +Problem: [security]: use-after-free in alist_add() + (SuyueGuo) +Solution: Lock the current window, so that the reference to + the argument list remains valid. + +This fixes CVE-2024-43374 + +Signed-off-by: Christian Brabandt +--- + src/arglist.c | 6 ++++++ + src/buffer.c | 4 ++-- + src/ex_cmds.c | 4 ++-- + src/proto/window.pro | 1 + + src/structs.h | 2 +- + src/terminal.c | 4 ++-- + src/testdir/test_arglist.vim | 23 +++++++++++++++++++++++ + src/version.c | 2 ++ + src/window.c | 29 +++++++++++++++++++---------- + 9 files changed, 58 insertions(+), 17 deletions(-) + +diff --git a/src/arglist.c b/src/arglist.c +index 187e16e8354b1..8825c8e252ccc 100644 +--- a/src/arglist.c ++++ b/src/arglist.c +@@ -184,6 +184,8 @@ alist_set( + /* + * Add file "fname" to argument list "al". + * "fname" must have been allocated and "al" must have been checked for room. ++ * ++ * May trigger Buf* autocommands + */ + void + alist_add( +@@ -196,6 +198,7 @@ alist_add( + if (check_arglist_locked() == FAIL) + return; + arglist_locked = TRUE; ++ curwin->w_locked = TRUE; + + #ifdef BACKSLASH_IN_FILENAME + slash_adjust(fname); +@@ -207,6 +210,7 @@ alist_add( + ++al->al_ga.ga_len; + + arglist_locked = FALSE; ++ curwin->w_locked = FALSE; + } + + #if defined(BACKSLASH_IN_FILENAME) || defined(PROTO) +@@ -365,6 +369,7 @@ alist_add_list( + mch_memmove(&(ARGLIST[after + count]), &(ARGLIST[after]), + (ARGCOUNT - after) * sizeof(aentry_T)); + arglist_locked = TRUE; ++ curwin->w_locked = TRUE; + for (i = 0; i < count; ++i) + { + int flags = BLN_LISTED | (will_edit ? 
BLN_CURBUF : 0); +@@ -373,6 +378,7 @@ alist_add_list( + ARGLIST[after + i].ae_fnum = buflist_add(files[i], flags); + } + arglist_locked = FALSE; ++ curwin->w_locked = FALSE; + ALIST(curwin)->al_ga.ga_len += count; + if (old_argcount > 0 && curwin->w_arg_idx >= after) + curwin->w_arg_idx += count; +diff --git a/src/buffer.c b/src/buffer.c +index 447ce76d49a32..34500e4abc282 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -1484,7 +1484,7 @@ do_buffer_ext( + // (unless it's the only window). Repeat this so long as we end up in + // a window with this buffer. + while (buf == curbuf +- && !(curwin->w_closing || curwin->w_buffer->b_locked > 0) ++ && !(win_locked(curwin) || curwin->w_buffer->b_locked > 0) + && (!ONE_WINDOW || first_tabpage->tp_next != NULL)) + { + if (win_close(curwin, FALSE) == FAIL) +@@ -5470,7 +5470,7 @@ ex_buffer_all(exarg_T *eap) + : wp->w_width != Columns) + || (had_tab > 0 && wp != firstwin)) + && !ONE_WINDOW +- && !(wp->w_closing || wp->w_buffer->b_locked > 0) ++ && !(win_locked(wp) || wp->w_buffer->b_locked > 0) + && !win_unlisted(wp)) + { + if (win_close(wp, FALSE) == FAIL) +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index 05778c8fd8b9c..349269a2bb8b6 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -2840,7 +2840,7 @@ do_ecmd( + + // Set the w_closing flag to avoid that autocommands close the + // window. And set b_locked for the same reason. +- the_curwin->w_closing = TRUE; ++ the_curwin->w_locked = TRUE; + ++buf->b_locked; + + if (curbuf == old_curbuf.br_buf) +@@ -2854,7 +2854,7 @@ do_ecmd( + + // Autocommands may have closed the window. 
+ if (win_valid(the_curwin)) +- the_curwin->w_closing = FALSE; ++ the_curwin->w_locked = FALSE; + --buf->b_locked; + + #ifdef FEAT_EVAL +diff --git a/src/proto/window.pro b/src/proto/window.pro +index 26c7040b8a1b4..441070ebfcb8e 100644 +--- a/src/proto/window.pro ++++ b/src/proto/window.pro +@@ -93,3 +93,4 @@ int get_win_number(win_T *wp, win_T *first_win); + int get_tab_number(tabpage_T *tp); + char *check_colorcolumn(win_T *wp); ++int win_locked(win_T *wp); + /* vim: set ft=c : */ +diff --git a/src/structs.h b/src/structs.h +index fe4704a367949..abda3a0c38b4e 100644 +--- a/src/structs.h ++++ b/src/structs.h +@@ -3785,7 +3785,7 @@ struct window_S + synblock_T *w_s; // for :ownsyntax + #endif + +- int w_closing; // window is being closed, don't let ++ int w_locked; // window is being closed, don't let + // autocommands close it too. + + frame_T *w_frame; // frame containing this window +diff --git a/src/terminal.c b/src/terminal.c +index 1fc0ef96881f9..f80196096df49 100644 +--- a/src/terminal.c ++++ b/src/terminal.c +@@ -3680,10 +3680,10 @@ term_after_channel_closed(term_T *term) + if (is_aucmd_win(curwin)) + do_set_w_closing = TRUE; + if (do_set_w_closing) +- curwin->w_closing = TRUE; ++ curwin->w_locked = TRUE; + do_bufdel(DOBUF_WIPE, (char_u *)"", 1, fnum, fnum, FALSE); + if (do_set_w_closing) +- curwin->w_closing = FALSE; ++ curwin->w_locked = FALSE; + aucmd_restbuf(&aco); + } + #ifdef FEAT_PROP_POPUP +diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim +index edc8b77429e20..8d81a828b3e03 100644 +--- a/src/testdir/test_arglist.vim ++++ b/src/testdir/test_arglist.vim +@@ -359,6 +359,7 @@ func Test_argv() + call assert_equal('', argv(1, 100)) + call assert_equal([], argv(-1, 100)) + call assert_equal('', argv(10, -1)) ++ %argdelete + endfunc + + " Test for the :argedit command +@@ -744,4 +745,26 @@ func Test_all_command() + %bw! + endfunc + ++" Test for deleting buffer when creating an arglist. 
This was accessing freed ++" memory ++func Test_crash_arglist_uaf() ++ "%argdelete ++ new one ++ au BufAdd XUAFlocal :bw ++ "call assert_fails(':arglocal XUAFlocal', 'E163:') ++ arglocal XUAFlocal ++ au! BufAdd ++ bw! XUAFlocal ++ ++ au BufAdd XUAFlocal2 :bw ++ new two ++ new three ++ arglocal ++ argadd XUAFlocal2 Xfoobar ++ bw! XUAFlocal2 ++ bw! two ++ ++ au! BufAdd ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/window.c b/src/window.c +index 43a15e0561f2c..b2c90c7d64114 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -2511,7 +2511,7 @@ close_windows( + for (wp = firstwin; wp != NULL && !ONE_WINDOW; ) + { + if (wp->w_buffer == buf && (!keep_curwin || wp != curwin) +- && !(wp->w_closing || wp->w_buffer->b_locked > 0)) ++ && !(win_locked(wp) || wp->w_buffer->b_locked > 0)) + { + if (win_close(wp, FALSE) == FAIL) + // If closing the window fails give up, to avoid looping +@@ -2532,7 +2532,7 @@ close_windows( + if (tp != curtab) + FOR_ALL_WINDOWS_IN_TAB(tp, wp) + if (wp->w_buffer == buf +- && !(wp->w_closing || wp->w_buffer->b_locked > 0)) ++ && !(win_locked(wp) || wp->w_buffer->b_locked > 0)) + { + win_close_othertab(wp, FALSE, tp); + +@@ -2654,10 +2654,10 @@ win_close_buffer(win_T *win, int action, int abort_if_last) + bufref_T bufref; + + set_bufref(&bufref, curbuf); +- win->w_closing = TRUE; ++ win->w_locked = TRUE; + close_buffer(win, win->w_buffer, action, abort_if_last, TRUE); + if (win_valid_any_tab(win)) +- win->w_closing = FALSE; ++ win->w_locked = FALSE; + // Make sure curbuf is valid. It can become invalid if 'bufhidden' is + // "wipe". 
+ if (!bufref_valid(&bufref)) +@@ -2705,7 +2705,7 @@ win_close(win_T *win, int free_buf) + if (window_layout_locked(CMD_close)) + return FAIL; + +- if (win->w_closing || (win->w_buffer != NULL ++ if (win_locked(win) || (win->w_buffer != NULL + && win->w_buffer->b_locked > 0)) + return FAIL; // window is already being closed + if (win_unlisted(win)) +@@ -2754,19 +2754,19 @@ win_close(win_T *win, int free_buf) + other_buffer = TRUE; + if (!win_valid(win)) + return FAIL; +- win->w_closing = TRUE; ++ win->w_locked = TRUE; + apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf); + if (!win_valid(win)) + return FAIL; +- win->w_closing = FALSE; ++ win->w_locked = FALSE; + if (last_window()) + return FAIL; + } +- win->w_closing = TRUE; ++ win->w_locked = TRUE; + apply_autocmds(EVENT_WINLEAVE, NULL, NULL, FALSE, curbuf); + if (!win_valid(win)) + return FAIL; +- win->w_closing = FALSE; ++ win->w_locked = FALSE; + if (last_window()) + return FAIL; + #ifdef FEAT_EVAL +@@ -3346,7 +3346,7 @@ win_close_othertab(win_T *win, int free_buf, tabpage_T *tp) + + // Get here with win->w_buffer == NULL when win_close() detects the tab + // page changed. +- if (win->w_closing || (win->w_buffer != NULL ++ if (win_locked(win) || (win->w_buffer != NULL + && win->w_buffer->b_locked > 0)) + return; // window is already being closed + +@@ -7808,3 +7808,12 @@ skip: + return NULL; // no error + } + #endif ++ ++/* ++ * Don't let autocommands close the given window ++ */ ++ int ++win_locked(win_T *wp) ++{ ++ return wp->w_locked; ++} diff --git a/SPECS/vim/vim.spec b/SPECS/vim/vim.spec index cc8eec14a34..726e7876622 100644 --- a/SPECS/vim/vim.spec +++ b/SPECS/vim/vim.spec @@ -2,7 +2,7 @@ Summary: Text editor Name: vim Version: 9.0.2190 -Release: 4%{?dist} +Release: 5%{?dist} License: Vim Vendor: Microsoft Corporation Distribution: Azure Linux 
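Review bot: In alist_add() and alist_add_list() the new lock is set and cleared through `curwin` both times, with no saved pointer and no validity check, unlike do_ecmd() (`the_curwin` with `win_valid()`) and win_close_buffer() (`win_valid_any_tab(win)`) elsewhere in the same patch. If an autocommand that runs in between makes another window current, the clear would presumably hit the wrong window and leave the original one locked; saving it first, `win_T *wp = curwin;` and later `if (win_valid(wp)) wp->w_locked = FALSE;`, keeps the set and the clear on the same window. Because `w_locked` is a plain flag rather than a counter, clearing it here also drops a lock that an outer caller may already hold, so restoring the previous value would be safer than writing `FALSE`. The comments still describe the old meaning: structs.h says "window is being closed" and ex_cmds.c says "Set the w_closing flag", and both should now say that the window is locked so autocommands cannot close it. All of the touched functions begin and end outside the hunks shown.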
@@ -13,6 +13,7 @@ Source1: macros.vim Patch0: CVE-2024-41957.patch Patch1: fix_save_unnamed_buffer_correctly.patch Patch2: CVE-2024-41965.patch +Patch3: CVE-2024-43374.patch BuildRequires: ncurses-devel BuildRequires: python3-devel @@ -221,6 +222,9 @@ fi %{_rpmconfigdir}/macros.d/macros.vim %changelog +* Tue Aug 20 2024 Brian Fjeldstad - 9.0.2190-5 +- Add patch to resolve CVE-2024-43374 + * Fri Aug 09 2024 Sumedh Sharma - 9.0.2190-4 - Add patch to resolve CVE-2024-41957 & CVE-2024-41965 diff --git a/cgmanifest.json b/cgmanifest.json index b8370178c2c..81c9e965c4c 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -2638,8 +2638,8 @@ "type": "other", "other": { "name": "distribution-gpg-keys", - "version": "1.60", - "downloadUrl": "https://github.com/xsuchy/distribution-gpg-keys/archive/refs/tags/distribution-gpg-keys-1.60-1.tar.gz" + "version": "1.104", + "downloadUrl": "https://github.com/rpm-software-management/distribution-gpg-keys/archive/refs/tags/distribution-gpg-keys-1.104-1.tar.gz" } } }, @@ -6500,8 +6500,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "6.6.43.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.43.1.tar.gz" + "version": "6.6.47.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.47.1.tar.gz" } } }, @@ -8101,8 +8101,8 @@ "type": "other", "other": { "name": "kernel", - "version": "6.6.43.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.43.1.tar.gz" + "version": "6.6.47.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.47.1.tar.gz" } } }, 
@@ -8111,8 +8111,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "6.6.43.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.43.1.tar.gz" + "version": "6.6.47.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.47.1.tar.gz" } } }, @@ -9841,8 +9841,8 @@ "type": "other", "other": { "name": "libldb", - "version": "2.1.4", - "downloadUrl": "https://www.samba.org/ftp/ldb/ldb-2.1.4.tar.gz" + "version": "2.7.2", + "downloadUrl": "https://www.samba.org/ftp/ldb/ldb-2.7.2.tar.gz" } } }, @@ -21513,8 +21513,8 @@ "type": "other", "other": { "name": "pyOpenSSL", - "version": "23.2.0", - "downloadUrl": "https://files.pythonhosted.org/packages/be/df/75a6525d8988a89aed2393347e9db27a56cb38a3e864314fac223e905aef/pyOpenSSL-23.2.0.tar.gz" + "version": "24.2.1", + "downloadUrl": "https://files.pythonhosted.org/packages/source/p/pyopenssl/pyopenssl-24.2.1.tar.gz" } } }, @@ -24843,8 +24843,8 @@ "type": "other", "other": { "name": "python-webob", - "version": "1.8.7", - "downloadUrl": "https://github.com/Pylons/webob/archive/refs/tags/1.8.7.tar.gz" + "version": "1.8.8", + "downloadUrl": "https://github.com/Pylons/webob/archive/refs/tags/1.8.8.tar.gz" } } }, @@ -25754,8 +25754,8 @@ "type": "other", "other": { "name": "ruby", - "version": "3.3.0", - "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.0.tar.gz" + "version": "3.3.3", + "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.3.tar.gz" } } }, @@ -28106,8 +28106,8 @@ "type": "other", "other": { "name": "SymCrypt-OpenSSL", - "version": "1.4.3", - "downloadUrl": "https://github.com/microsoft/SymCrypt-OpenSSL/archive/v1.4.3.tar.gz" + "version": "1.5.1", + "downloadUrl": "https://github.com/microsoft/SymCrypt-OpenSSL/archive/v1.5.1.tar.gz" } } }, 
@@ -28626,8 +28626,8 @@ "type": "other", "other": { "name": "tpm2-tss", - "version": "4.0.1", - "downloadUrl": "https://github.com/tpm2-software/tpm2-tss/releases/download/4.0.1/tpm2-tss-4.0.1.tar.gz" + "version": "4.0.2", + "downloadUrl": "https://github.com/tpm2-software/tpm2-tss/releases/download/4.0.2/tpm2-tss-4.0.2.tar.gz" } } }, diff --git a/toolkit/Makefile b/toolkit/Makefile index fa620ec4d1b..fdc37e401df 100644 --- a/toolkit/Makefile +++ b/toolkit/Makefile @@ -143,6 +143,20 @@ PACKAGE_URL_LIST += https://packages.microsoft.com/azurelinux/$(RELEASE_MAJOR_ REPO_LIST ?= SRPM_URL_LIST ?= https://packages.microsoft.com/azurelinux/$(RELEASE_MAJOR_ID)/prod/base/srpms +##help:var:VALIDATE_TOOLCHAIN_GPG={y,n}=Enable or disable GPG validation of the toolchain RPMs. If enabled toolchain RPMs will be validated against the GPG keys in the TOOLCHAIN_GPG_VALIDATION_KEYS variable. On by default when using upstream toolchain RPMs. +# Based on REBUILD_TOOLCHAIN and DAILY_BUILD_ID. If REBUILD_TOOLCHAIN is set to 'y' or DAILY_BUILD_ID is set to any non-empty value, then GPG validation is disabled by default. +ifeq ($(REBUILD_TOOLCHAIN),y) +VALIDATE_TOOLCHAIN_GPG ?= n +else +ifneq ($(DAILY_BUILD_ID),) +VALIDATE_TOOLCHAIN_GPG ?= n +else +VALIDATE_TOOLCHAIN_GPG ?= y +endif +endif + +TOOLCHAIN_GPG_VALIDATION_KEYS ?= $(wildcard $(SPECS_DIR)/azurelinux-repos/MICROSOFT-*-GPG-KEY) $(wildcard $(toolkit_root)/repos/MICROSOFT-*-GPG-KEY) + ######## COMMON MAKEFILE UTILITIES ######## # Misc function defines diff --git a/toolkit/imageconfigs/packagelists/azurevm-packages.json b/toolkit/imageconfigs/packagelists/azurevm-packages.json index ec6f967e005..c9d74a37afa 100644 --- a/toolkit/imageconfigs/packagelists/azurevm-packages.json +++ b/toolkit/imageconfigs/packagelists/azurevm-packages.json @@ -7,7 +7,6 @@ "dracut-hyperv", "grubby", "hyperv-daemons", - "kexec-tools", "netplan", "openssh-server", "python3", 
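Review bot: `VALIDATE_TOOLCHAIN_GPG` defaults to `n` whenever `DAILY_BUILD_ID` is non-empty, so toolchain RPMs pulled for a daily build are accepted without signature validation unless the caller overrides the variable. The `##help` line should say why daily-build RPMs are exempt (presumably they are unsigned) and that `VALIDATE_TOOLCHAIN_GPG=y` can still be forced. `TOOLCHAIN_GPG_VALIDATION_KEYS` is built from two `$(wildcard ...)` calls, which expand to nothing when no key file matches. How the consumer treats an empty key list is not visible in this hunk, so a guard like the one below, placed where `SPECS_DIR` and `toolkit_root` are already defined, would make the default fail closed.

```makefile
TOOLCHAIN_GPG_VALIDATION_KEYS ?= $(wildcard $(SPECS_DIR)/azurelinux-repos/MICROSOFT-*-GPG-KEY) $(wildcard $(toolkit_root)/repos/MICROSOFT-*-GPG-KEY)

# Fail closed: validation was requested but no key files were found.
ifeq ($(VALIDATE_TOOLCHAIN_GPG),y)
ifeq ($(strip $(TOOLCHAIN_GPG_VALIDATION_KEYS)),)
$(error VALIDATE_TOOLCHAIN_GPG=y but TOOLCHAIN_GPG_VALIDATION_KEYS is empty)
endif
endif
```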
diff --git a/toolkit/imageconfigs/packagelists/selinux-full.json b/toolkit/imageconfigs/packagelists/selinux-full.json index 593c0f63a7f..3f2c6487d1a 100644 --- a/toolkit/imageconfigs/packagelists/selinux-full.json +++ b/toolkit/imageconfigs/packagelists/selinux-full.json @@ -1,7 +1,6 @@ { "packages": [ "selinux-policy", - "selinux-policy-modules", "selinux-policy-devel", "policycoreutils-python-utils", "checkpolicy", diff --git a/toolkit/imageconfigs/packagelists/selinux.json b/toolkit/imageconfigs/packagelists/selinux.json index ba93bfb88e2..34ff7c3874b 100644 --- a/toolkit/imageconfigs/packagelists/selinux.json +++ b/toolkit/imageconfigs/packagelists/selinux.json @@ -1,6 +1,5 @@ { "packages": [ - "selinux-policy", - "selinux-policy-modules" + "selinux-policy" ] } diff --git a/toolkit/resources/manifests/package/macros.override b/toolkit/resources/manifests/package/macros.override index 4993e0af619..676ff0a04ba 100644 --- a/toolkit/resources/manifests/package/macros.override +++ b/toolkit/resources/manifests/package/macros.override @@ -14,7 +14,6 @@ # Check hangs %skip_check_glibc 1 -%skip_check_bash 1 %skip_check_gtk_doc 1 %skip_check_tdnf 1 %skip_check_vim 1 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index d442f2bdeab..12e3e8c53b1 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
@@ -1,13 +1,13 @@ filesystem-1.1-21.azl3.aarch64.rpm -kernel-headers-6.6.43.1-7.azl3.noarch.rpm -glibc-2.38-6.azl3.aarch64.rpm -glibc-devel-2.38-6.azl3.aarch64.rpm -glibc-i18n-2.38-6.azl3.aarch64.rpm -glibc-iconv-2.38-6.azl3.aarch64.rpm -glibc-lang-2.38-6.azl3.aarch64.rpm -glibc-locales-all-2.38-6.azl3.aarch64.rpm -glibc-nscd-2.38-6.azl3.aarch64.rpm -glibc-tools-2.38-6.azl3.aarch64.rpm +kernel-headers-6.6.47.1-1.azl3.noarch.rpm +glibc-2.38-7.azl3.aarch64.rpm +glibc-devel-2.38-7.azl3.aarch64.rpm +glibc-i18n-2.38-7.azl3.aarch64.rpm +glibc-iconv-2.38-7.azl3.aarch64.rpm +glibc-lang-2.38-7.azl3.aarch64.rpm +glibc-locales-all-2.38-7.azl3.aarch64.rpm +glibc-nscd-2.38-7.azl3.aarch64.rpm +glibc-tools-2.38-7.azl3.aarch64.rpm zlib-1.3.1-1.azl3.aarch64.rpm zlib-devel-1.3.1-1.azl3.aarch64.rpm file-5.45-1.azl3.aarch64.rpm @@ -41,11 +41,14 @@ ncurses-libs-6.4-2.azl3.aarch64.rpm ncurses-term-6.4-2.azl3.aarch64.rpm readline-8.2-1.azl3.aarch64.rpm readline-devel-8.2-1.azl3.aarch64.rpm -coreutils-9.4-5.azl3.aarch64.rpm -coreutils-lang-9.4-5.azl3.aarch64.rpm -bash-5.2.15-2.azl3.aarch64.rpm -bash-devel-5.2.15-2.azl3.aarch64.rpm -bash-lang-5.2.15-2.azl3.aarch64.rpm +libattr-2.5.2-1.azl3.aarch64.rpm +attr-2.5.2-1.azl3.aarch64.rpm +libacl-2.3.1-2.azl3.aarch64.rpm +coreutils-9.4-6.azl3.aarch64.rpm +coreutils-lang-9.4-6.azl3.aarch64.rpm +bash-5.2.15-3.azl3.aarch64.rpm +bash-devel-5.2.15-3.azl3.aarch64.rpm +bash-lang-5.2.15-3.azl3.aarch64.rpm bzip2-1.0.8-1.azl3.aarch64.rpm bzip2-devel-1.0.8-1.azl3.aarch64.rpm bzip2-libs-1.0.8-1.azl3.aarch64.rpm @@ -63,7 +66,7 @@ findutils-4.9.0-1.azl3.aarch64.rpm findutils-lang-4.9.0-1.azl3.aarch64.rpm gettext-0.22-1.azl3.aarch64.rpm gzip-1.13-1.azl3.aarch64.rpm -make-4.4.1-1.azl3.aarch64.rpm +make-4.4.1-2.azl3.aarch64.rpm patch-2.7.6-9.azl3.aarch64.rpm libcap-ng-0.8.4-1.azl3.aarch64.rpm libcap-ng-devel-0.8.4-1.azl3.aarch64.rpm 
@@ -185,7 +188,7 @@ rpm-lang-4.18.2-1.azl3.aarch64.rpm rpm-libs-4.18.2-1.azl3.aarch64.rpm cpio-2.14-1.azl3.aarch64.rpm cpio-lang-2.14-1.azl3.aarch64.rpm -e2fsprogs-libs-1.47.0-1.azl3.aarch64.rpm +e2fsprogs-libs-1.47.0-2.azl3.aarch64.rpm libsolv-0.7.28-1.azl3.aarch64.rpm libsolv-devel-0.7.28-1.azl3.aarch64.rpm libssh2-1.11.0-1.azl3.aarch64.rpm @@ -206,12 +209,12 @@ libltdl-2.4.7-1.azl3.aarch64.rpm libltdl-devel-2.4.7-1.azl3.aarch64.rpm lua-5.4.6-1.azl3.aarch64.rpm lua-libs-5.4.6-1.azl3.aarch64.rpm -azurelinux-rpm-macros-3.0-5.azl3.noarch.rpm -azurelinux-check-macros-3.0-5.azl3.noarch.rpm -tdnf-3.5.6-1.azl3.aarch64.rpm -tdnf-cli-libs-3.5.6-1.azl3.aarch64.rpm -tdnf-devel-3.5.6-1.azl3.aarch64.rpm -tdnf-plugin-repogpgcheck-3.5.6-1.azl3.aarch64.rpm +azurelinux-rpm-macros-3.0-6.azl3.noarch.rpm +azurelinux-check-macros-3.0-6.azl3.noarch.rpm +tdnf-3.5.6-2.azl3.aarch64.rpm +tdnf-cli-libs-3.5.6-2.azl3.aarch64.rpm +tdnf-devel-3.5.6-2.azl3.aarch64.rpm +tdnf-plugin-repogpgcheck-3.5.6-2.azl3.aarch64.rpm libassuan-2.5.6-1.azl3.aarch64.rpm libassuan-devel-2.5.6-1.azl3.aarch64.rpm libgpg-error-1.47-1.azl3.aarch64.rpm 
@@ -231,15 +234,15 @@ libffi-devel-3.4.4-1.azl3.aarch64.rpm libtasn1-4.19.0-1.azl3.aarch64.rpm p11-kit-0.25.0-1.azl3.aarch64.rpm p11-kit-trust-0.25.0-1.azl3.aarch64.rpm -ca-certificates-shared-3.0.0-6.azl3.noarch.rpm -ca-certificates-tools-3.0.0-6.azl3.noarch.rpm -ca-certificates-base-3.0.0-6.azl3.noarch.rpm -ca-certificates-3.0.0-6.azl3.noarch.rpm +ca-certificates-shared-3.0.0-7.azl3.noarch.rpm +ca-certificates-tools-3.0.0-7.azl3.noarch.rpm +ca-certificates-base-3.0.0-7.azl3.noarch.rpm +ca-certificates-3.0.0-7.azl3.noarch.rpm dwz-0.14-2.azl3.aarch64.rpm unzip-6.0-20.azl3.aarch64.rpm -python3-3.12.3-1.azl3.aarch64.rpm -python3-devel-3.12.3-1.azl3.aarch64.rpm -python3-libs-3.12.3-1.azl3.aarch64.rpm +python3-3.12.3-2.azl3.aarch64.rpm +python3-devel-3.12.3-2.azl3.aarch64.rpm +python3-libs-3.12.3-2.azl3.aarch64.rpm python3-setuptools-69.0.3-2.azl3.noarch.rpm python3-pygments-2.7.4-1.azl3.noarch.rpm which-2.21-8.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 4697b730aa1..26fc63bbaab 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -1,13 +1,13 @@ filesystem-1.1-21.azl3.x86_64.rpm -kernel-headers-6.6.43.1-7.azl3.noarch.rpm -glibc-2.38-6.azl3.x86_64.rpm -glibc-devel-2.38-6.azl3.x86_64.rpm -glibc-i18n-2.38-6.azl3.x86_64.rpm -glibc-iconv-2.38-6.azl3.x86_64.rpm -glibc-lang-2.38-6.azl3.x86_64.rpm -glibc-locales-all-2.38-6.azl3.x86_64.rpm -glibc-nscd-2.38-6.azl3.x86_64.rpm -glibc-tools-2.38-6.azl3.x86_64.rpm +kernel-headers-6.6.47.1-1.azl3.noarch.rpm +glibc-2.38-7.azl3.x86_64.rpm +glibc-devel-2.38-7.azl3.x86_64.rpm +glibc-i18n-2.38-7.azl3.x86_64.rpm +glibc-iconv-2.38-7.azl3.x86_64.rpm +glibc-lang-2.38-7.azl3.x86_64.rpm +glibc-locales-all-2.38-7.azl3.x86_64.rpm +glibc-nscd-2.38-7.azl3.x86_64.rpm +glibc-tools-2.38-7.azl3.x86_64.rpm zlib-1.3.1-1.azl3.x86_64.rpm zlib-devel-1.3.1-1.azl3.x86_64.rpm file-5.45-1.azl3.x86_64.rpm @@ -41,11 +41,14 @@ ncurses-libs-6.4-2.azl3.x86_64.rpm ncurses-term-6.4-2.azl3.x86_64.rpm readline-8.2-1.azl3.x86_64.rpm readline-devel-8.2-1.azl3.x86_64.rpm -coreutils-9.4-5.azl3.x86_64.rpm -coreutils-lang-9.4-5.azl3.x86_64.rpm -bash-5.2.15-2.azl3.x86_64.rpm -bash-devel-5.2.15-2.azl3.x86_64.rpm -bash-lang-5.2.15-2.azl3.x86_64.rpm +libattr-2.5.2-1.azl3.x86_64.rpm +attr-2.5.2-1.azl3.x86_64.rpm +libacl-2.3.1-2.azl3.x86_64.rpm +coreutils-9.4-6.azl3.x86_64.rpm +coreutils-lang-9.4-6.azl3.x86_64.rpm +bash-5.2.15-3.azl3.x86_64.rpm +bash-devel-5.2.15-3.azl3.x86_64.rpm +bash-lang-5.2.15-3.azl3.x86_64.rpm bzip2-1.0.8-1.azl3.x86_64.rpm bzip2-devel-1.0.8-1.azl3.x86_64.rpm bzip2-libs-1.0.8-1.azl3.x86_64.rpm @@ -63,7 +66,7 @@ findutils-4.9.0-1.azl3.x86_64.rpm findutils-lang-4.9.0-1.azl3.x86_64.rpm gettext-0.22-1.azl3.x86_64.rpm gzip-1.13-1.azl3.x86_64.rpm -make-4.4.1-1.azl3.x86_64.rpm +make-4.4.1-2.azl3.x86_64.rpm patch-2.7.6-9.azl3.x86_64.rpm libcap-ng-0.8.4-1.azl3.x86_64.rpm libcap-ng-devel-0.8.4-1.azl3.x86_64.rpm 
@@ -185,7 +188,7 @@ rpm-lang-4.18.2-1.azl3.x86_64.rpm rpm-libs-4.18.2-1.azl3.x86_64.rpm cpio-2.14-1.azl3.x86_64.rpm cpio-lang-2.14-1.azl3.x86_64.rpm -e2fsprogs-libs-1.47.0-1.azl3.x86_64.rpm +e2fsprogs-libs-1.47.0-2.azl3.x86_64.rpm libsolv-0.7.28-1.azl3.x86_64.rpm libsolv-devel-0.7.28-1.azl3.x86_64.rpm libssh2-1.11.0-1.azl3.x86_64.rpm @@ -206,12 +209,12 @@ libltdl-2.4.7-1.azl3.x86_64.rpm libltdl-devel-2.4.7-1.azl3.x86_64.rpm lua-5.4.6-1.azl3.x86_64.rpm lua-libs-5.4.6-1.azl3.x86_64.rpm -azurelinux-rpm-macros-3.0-5.azl3.noarch.rpm -azurelinux-check-macros-3.0-5.azl3.noarch.rpm -tdnf-3.5.6-1.azl3.x86_64.rpm -tdnf-cli-libs-3.5.6-1.azl3.x86_64.rpm -tdnf-devel-3.5.6-1.azl3.x86_64.rpm -tdnf-plugin-repogpgcheck-3.5.6-1.azl3.x86_64.rpm +azurelinux-rpm-macros-3.0-6.azl3.noarch.rpm +azurelinux-check-macros-3.0-6.azl3.noarch.rpm +tdnf-3.5.6-2.azl3.x86_64.rpm +tdnf-cli-libs-3.5.6-2.azl3.x86_64.rpm +tdnf-devel-3.5.6-2.azl3.x86_64.rpm +tdnf-plugin-repogpgcheck-3.5.6-2.azl3.x86_64.rpm libassuan-2.5.6-1.azl3.x86_64.rpm libassuan-devel-2.5.6-1.azl3.x86_64.rpm libgpg-error-1.47-1.azl3.x86_64.rpm 
@@ -231,15 +234,15 @@ libffi-devel-3.4.4-1.azl3.x86_64.rpm libtasn1-4.19.0-1.azl3.x86_64.rpm p11-kit-0.25.0-1.azl3.x86_64.rpm p11-kit-trust-0.25.0-1.azl3.x86_64.rpm -ca-certificates-shared-3.0.0-6.azl3.noarch.rpm -ca-certificates-tools-3.0.0-6.azl3.noarch.rpm -ca-certificates-base-3.0.0-6.azl3.noarch.rpm -ca-certificates-3.0.0-6.azl3.noarch.rpm +ca-certificates-shared-3.0.0-7.azl3.noarch.rpm +ca-certificates-tools-3.0.0-7.azl3.noarch.rpm +ca-certificates-base-3.0.0-7.azl3.noarch.rpm +ca-certificates-3.0.0-7.azl3.noarch.rpm dwz-0.14-2.azl3.x86_64.rpm unzip-6.0-20.azl3.x86_64.rpm -python3-3.12.3-1.azl3.x86_64.rpm -python3-devel-3.12.3-1.azl3.x86_64.rpm -python3-libs-3.12.3-1.azl3.x86_64.rpm +python3-3.12.3-2.azl3.x86_64.rpm +python3-devel-3.12.3-2.azl3.x86_64.rpm +python3-libs-3.12.3-2.azl3.x86_64.rpm python3-setuptools-69.0.3-2.azl3.noarch.rpm python3-pygments-2.7.4-1.azl3.noarch.rpm which-2.21-8.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 8849d3afb99..3c2d270fdd0 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -1,11 +1,15 @@ +acl-2.3.1-2.azl3.aarch64.rpm +acl-debuginfo-2.3.1-2.azl3.aarch64.rpm asciidoc-10.2.0-2.azl3.noarch.rpm +attr-2.5.2-1.azl3.aarch64.rpm +attr-debuginfo-2.5.2-1.azl3.aarch64.rpm audit-3.1.2-1.azl3.aarch64.rpm audit-debuginfo-3.1.2-1.azl3.aarch64.rpm audit-devel-3.1.2-1.azl3.aarch64.rpm audit-libs-3.1.2-1.azl3.aarch64.rpm autoconf-2.72-2.azl3.noarch.rpm automake-1.16.5-2.azl3.noarch.rpm -azurelinux-check-macros-3.0-5.azl3.noarch.rpm +azurelinux-check-macros-3.0-6.azl3.noarch.rpm azurelinux-repos-3.0-3.azl3.noarch.rpm azurelinux-repos-debug-3.0-3.azl3.noarch.rpm azurelinux-repos-debug-preview-3.0-3.azl3.noarch.rpm 
@@ -19,11 +23,11 @@ azurelinux-repos-ms-oss-3.0-3.azl3.noarch.rpm azurelinux-repos-ms-oss-preview-3.0-3.azl3.noarch.rpm azurelinux-repos-preview-3.0-3.azl3.noarch.rpm azurelinux-repos-shared-3.0-3.azl3.noarch.rpm -azurelinux-rpm-macros-3.0-5.azl3.noarch.rpm -bash-5.2.15-2.azl3.aarch64.rpm -bash-debuginfo-5.2.15-2.azl3.aarch64.rpm -bash-devel-5.2.15-2.azl3.aarch64.rpm -bash-lang-5.2.15-2.azl3.aarch64.rpm +azurelinux-rpm-macros-3.0-6.azl3.noarch.rpm +bash-5.2.15-3.azl3.aarch64.rpm +bash-debuginfo-5.2.15-3.azl3.aarch64.rpm +bash-devel-5.2.15-3.azl3.aarch64.rpm +bash-lang-5.2.15-3.azl3.aarch64.rpm binutils-2.41-2.azl3.aarch64.rpm binutils-debuginfo-2.41-2.azl3.aarch64.rpm binutils-devel-2.41-2.azl3.aarch64.rpm @@ -33,11 +37,11 @@ bzip2-1.0.8-1.azl3.aarch64.rpm bzip2-debuginfo-1.0.8-1.azl3.aarch64.rpm bzip2-devel-1.0.8-1.azl3.aarch64.rpm bzip2-libs-1.0.8-1.azl3.aarch64.rpm -ca-certificates-3.0.0-6.azl3.noarch.rpm -ca-certificates-base-3.0.0-6.azl3.noarch.rpm -ca-certificates-legacy-3.0.0-6.azl3.noarch.rpm -ca-certificates-shared-3.0.0-6.azl3.noarch.rpm -ca-certificates-tools-3.0.0-6.azl3.noarch.rpm +ca-certificates-3.0.0-7.azl3.noarch.rpm +ca-certificates-base-3.0.0-7.azl3.noarch.rpm +ca-certificates-legacy-3.0.0-7.azl3.noarch.rpm +ca-certificates-shared-3.0.0-7.azl3.noarch.rpm +ca-certificates-tools-3.0.0-7.azl3.noarch.rpm ccache-4.8.3-1.azl3.aarch64.rpm ccache-debuginfo-4.8.3-1.azl3.aarch64.rpm check-0.15.2-1.azl3.aarch64.rpm @@ -47,9 +51,9 @@ chkconfig-debuginfo-1.25-1.azl3.aarch64.rpm chkconfig-lang-1.25-1.azl3.aarch64.rpm cmake-3.29.6-1.azl3.aarch64.rpm cmake-debuginfo-3.29.6-1.azl3.aarch64.rpm -coreutils-9.4-5.azl3.aarch64.rpm -coreutils-debuginfo-9.4-5.azl3.aarch64.rpm -coreutils-lang-9.4-5.azl3.aarch64.rpm +coreutils-9.4-6.azl3.aarch64.rpm +coreutils-debuginfo-9.4-6.azl3.aarch64.rpm +coreutils-lang-9.4-6.azl3.aarch64.rpm cpio-2.14-1.azl3.aarch64.rpm cpio-debuginfo-2.14-1.azl3.aarch64.rpm cpio-lang-2.14-1.azl3.aarch64.rpm 
@@ -74,11 +78,11 @@ docbook-dtd-xml-4.5-11.azl3.noarch.rpm docbook-style-xsl-1.79.1-13.azl3.noarch.rpm dwz-0.14-2.azl3.aarch64.rpm dwz-debuginfo-0.14-2.azl3.aarch64.rpm -e2fsprogs-1.47.0-1.azl3.aarch64.rpm -e2fsprogs-debuginfo-1.47.0-1.azl3.aarch64.rpm -e2fsprogs-devel-1.47.0-1.azl3.aarch64.rpm -e2fsprogs-lang-1.47.0-1.azl3.aarch64.rpm -e2fsprogs-libs-1.47.0-1.azl3.aarch64.rpm +e2fsprogs-1.47.0-2.azl3.aarch64.rpm +e2fsprogs-debuginfo-1.47.0-2.azl3.aarch64.rpm +e2fsprogs-devel-1.47.0-2.azl3.aarch64.rpm +e2fsprogs-lang-1.47.0-2.azl3.aarch64.rpm +e2fsprogs-libs-1.47.0-2.azl3.aarch64.rpm elfutils-0.189-3.azl3.aarch64.rpm elfutils-debuginfo-0.189-3.azl3.aarch64.rpm elfutils-default-yama-scope-0.189-3.azl3.noarch.rpm @@ -121,16 +125,16 @@ glib-debuginfo-2.78.1-4.azl3.aarch64.rpm glib-devel-2.78.1-4.azl3.aarch64.rpm glib-doc-2.78.1-4.azl3.noarch.rpm glib-schemas-2.78.1-4.azl3.aarch64.rpm -glibc-2.38-6.azl3.aarch64.rpm -glibc-debuginfo-2.38-6.azl3.aarch64.rpm -glibc-devel-2.38-6.azl3.aarch64.rpm -glibc-i18n-2.38-6.azl3.aarch64.rpm -glibc-iconv-2.38-6.azl3.aarch64.rpm -glibc-lang-2.38-6.azl3.aarch64.rpm -glibc-locales-all-2.38-6.azl3.aarch64.rpm -glibc-nscd-2.38-6.azl3.aarch64.rpm -glibc-static-2.38-6.azl3.aarch64.rpm -glibc-tools-2.38-6.azl3.aarch64.rpm +glibc-2.38-7.azl3.aarch64.rpm +glibc-debuginfo-2.38-7.azl3.aarch64.rpm +glibc-devel-2.38-7.azl3.aarch64.rpm +glibc-i18n-2.38-7.azl3.aarch64.rpm +glibc-iconv-2.38-7.azl3.aarch64.rpm +glibc-lang-2.38-7.azl3.aarch64.rpm +glibc-locales-all-2.38-7.azl3.aarch64.rpm +glibc-nscd-2.38-7.azl3.aarch64.rpm +glibc-static-2.38-7.azl3.aarch64.rpm +glibc-tools-2.38-7.azl3.aarch64.rpm gmp-6.3.0-1.azl3.aarch64.rpm gmp-debuginfo-6.3.0-1.azl3.aarch64.rpm gmp-devel-6.3.0-1.azl3.aarch64.rpm 
@@ -152,7 +156,7 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.aarch64.rpm kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm -kernel-headers-6.6.43.1-7.azl3.noarch.rpm +kernel-headers-6.6.47.1-1.azl3.noarch.rpm kmod-30-1.azl3.aarch64.rpm kmod-debuginfo-30-1.azl3.aarch64.rpm kmod-devel-30-1.azl3.aarch64.rpm @@ -160,12 +164,16 @@ krb5-1.21.3-1.azl3.aarch64.rpm krb5-debuginfo-1.21.3-1.azl3.aarch64.rpm krb5-devel-1.21.3-1.azl3.aarch64.rpm krb5-lang-1.21.3-1.azl3.aarch64.rpm +libacl-2.3.1-2.azl3.aarch64.rpm +libacl-devel-2.3.1-2.azl3.aarch64.rpm libarchive-3.7.1-2.azl3.aarch64.rpm libarchive-debuginfo-3.7.1-2.azl3.aarch64.rpm libarchive-devel-3.7.1-2.azl3.aarch64.rpm libassuan-2.5.6-1.azl3.aarch64.rpm libassuan-debuginfo-2.5.6-1.azl3.aarch64.rpm libassuan-devel-2.5.6-1.azl3.aarch64.rpm +libattr-2.5.2-1.azl3.aarch64.rpm +libattr-devel-2.5.2-1.azl3.aarch64.rpm libbacktrace-static-13.2.0-7.azl3.aarch64.rpm libcap-2.69-1.azl3.aarch64.rpm libcap-debuginfo-2.69-1.azl3.aarch64.rpm @@ -250,8 +258,8 @@ lz4-debuginfo-1.9.4-1.azl3.aarch64.rpm lz4-devel-1.9.4-1.azl3.aarch64.rpm m4-1.4.19-2.azl3.aarch64.rpm m4-debuginfo-1.4.19-2.azl3.aarch64.rpm -make-4.4.1-1.azl3.aarch64.rpm -make-debuginfo-4.4.1-1.azl3.aarch64.rpm +make-4.4.1-2.azl3.aarch64.rpm +make-debuginfo-4.4.1-2.azl3.aarch64.rpm meson-1.3.1-1.azl3.noarch.rpm mpfr-4.2.1-1.azl3.aarch64.rpm mpfr-debuginfo-4.2.1-1.azl3.aarch64.rpm 
@@ -521,18 +529,18 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm python-markupsafe-debuginfo-2.1.3-1.azl3.aarch64.rpm python-wheel-wheel-0.43.0-1.azl3.noarch.rpm -python3-3.12.3-1.azl3.aarch64.rpm +python3-3.12.3-2.azl3.aarch64.rpm python3-audit-3.1.2-1.azl3.aarch64.rpm python3-cracklib-2.9.11-1.azl3.aarch64.rpm -python3-curses-3.12.3-1.azl3.aarch64.rpm +python3-curses-3.12.3-2.azl3.aarch64.rpm python3-Cython-3.0.5-2.azl3.aarch64.rpm -python3-debuginfo-3.12.3-1.azl3.aarch64.rpm -python3-devel-3.12.3-1.azl3.aarch64.rpm +python3-debuginfo-3.12.3-2.azl3.aarch64.rpm +python3-devel-3.12.3-2.azl3.aarch64.rpm python3-flit-core-3.9.0-1.azl3.noarch.rpm python3-gpg-1.23.2-2.azl3.aarch64.rpm python3-jinja2-3.1.2-1.azl3.noarch.rpm python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm -python3-libs-3.12.3-1.azl3.aarch64.rpm +python3-libs-3.12.3-2.azl3.aarch64.rpm python3-libxml2-2.11.5-1.azl3.aarch64.rpm python3-lxml-4.9.3-1.azl3.aarch64.rpm python3-magic-5.45-1.azl3.noarch.rpm @@ -544,8 +552,8 @@ python3-pygments-2.7.4-1.azl3.noarch.rpm python3-rpm-4.18.2-1.azl3.aarch64.rpm python3-rpm-generators-14-11.azl3.noarch.rpm python3-setuptools-69.0.3-2.azl3.noarch.rpm -python3-test-3.12.3-1.azl3.aarch64.rpm -python3-tools-3.12.3-1.azl3.aarch64.rpm +python3-test-3.12.3-2.azl3.aarch64.rpm +python3-tools-3.12.3-2.azl3.aarch64.rpm python3-wheel-0.43.0-1.azl3.noarch.rpm readline-8.2-1.azl3.aarch64.rpm readline-debuginfo-8.2-1.azl3.aarch64.rpm 
@@ -576,14 +584,14 @@ systemd-bootstrap-libs-250.3-17.azl3.aarch64.rpm systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm tar-1.35-1.azl3.aarch64.rpm tar-debuginfo-1.35-1.azl3.aarch64.rpm -tdnf-3.5.6-1.azl3.aarch64.rpm -tdnf-autoupdate-3.5.6-1.azl3.aarch64.rpm -tdnf-cli-libs-3.5.6-1.azl3.aarch64.rpm -tdnf-debuginfo-3.5.6-1.azl3.aarch64.rpm -tdnf-devel-3.5.6-1.azl3.aarch64.rpm -tdnf-plugin-metalink-3.5.6-1.azl3.aarch64.rpm -tdnf-plugin-repogpgcheck-3.5.6-1.azl3.aarch64.rpm -tdnf-python-3.5.6-1.azl3.aarch64.rpm +tdnf-3.5.6-2.azl3.aarch64.rpm +tdnf-autoupdate-3.5.6-2.azl3.aarch64.rpm +tdnf-cli-libs-3.5.6-2.azl3.aarch64.rpm +tdnf-debuginfo-3.5.6-2.azl3.aarch64.rpm +tdnf-devel-3.5.6-2.azl3.aarch64.rpm +tdnf-plugin-metalink-3.5.6-2.azl3.aarch64.rpm +tdnf-plugin-repogpgcheck-3.5.6-2.azl3.aarch64.rpm +tdnf-python-3.5.6-2.azl3.aarch64.rpm texinfo-7.0.3-1.azl3.aarch64.rpm texinfo-debuginfo-7.0.3-1.azl3.aarch64.rpm unzip-6.0-20.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index b979739714e..66c2e792582 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -1,11 +1,15 @@ +acl-2.3.1-2.azl3.x86_64.rpm +acl-debuginfo-2.3.1-2.azl3.x86_64.rpm asciidoc-10.2.0-2.azl3.noarch.rpm +attr-2.5.2-1.azl3.x86_64.rpm +attr-debuginfo-2.5.2-1.azl3.x86_64.rpm audit-3.1.2-1.azl3.x86_64.rpm audit-debuginfo-3.1.2-1.azl3.x86_64.rpm audit-devel-3.1.2-1.azl3.x86_64.rpm audit-libs-3.1.2-1.azl3.x86_64.rpm autoconf-2.72-2.azl3.noarch.rpm automake-1.16.5-2.azl3.noarch.rpm -azurelinux-check-macros-3.0-5.azl3.noarch.rpm +azurelinux-check-macros-3.0-6.azl3.noarch.rpm azurelinux-repos-3.0-3.azl3.noarch.rpm azurelinux-repos-debug-3.0-3.azl3.noarch.rpm azurelinux-repos-debug-preview-3.0-3.azl3.noarch.rpm 
@@ -19,11 +23,11 @@ azurelinux-repos-ms-oss-3.0-3.azl3.noarch.rpm azurelinux-repos-ms-oss-preview-3.0-3.azl3.noarch.rpm azurelinux-repos-preview-3.0-3.azl3.noarch.rpm azurelinux-repos-shared-3.0-3.azl3.noarch.rpm -azurelinux-rpm-macros-3.0-5.azl3.noarch.rpm -bash-5.2.15-2.azl3.x86_64.rpm -bash-debuginfo-5.2.15-2.azl3.x86_64.rpm -bash-devel-5.2.15-2.azl3.x86_64.rpm -bash-lang-5.2.15-2.azl3.x86_64.rpm +azurelinux-rpm-macros-3.0-6.azl3.noarch.rpm +bash-5.2.15-3.azl3.x86_64.rpm +bash-debuginfo-5.2.15-3.azl3.x86_64.rpm +bash-devel-5.2.15-3.azl3.x86_64.rpm +bash-lang-5.2.15-3.azl3.x86_64.rpm binutils-2.41-2.azl3.x86_64.rpm binutils-aarch64-linux-gnu-2.41-2.azl3.x86_64.rpm binutils-debuginfo-2.41-2.azl3.x86_64.rpm @@ -34,11 +38,11 @@ bzip2-1.0.8-1.azl3.x86_64.rpm bzip2-debuginfo-1.0.8-1.azl3.x86_64.rpm bzip2-devel-1.0.8-1.azl3.x86_64.rpm bzip2-libs-1.0.8-1.azl3.x86_64.rpm -ca-certificates-3.0.0-6.azl3.noarch.rpm -ca-certificates-base-3.0.0-6.azl3.noarch.rpm -ca-certificates-legacy-3.0.0-6.azl3.noarch.rpm -ca-certificates-shared-3.0.0-6.azl3.noarch.rpm -ca-certificates-tools-3.0.0-6.azl3.noarch.rpm +ca-certificates-3.0.0-7.azl3.noarch.rpm +ca-certificates-base-3.0.0-7.azl3.noarch.rpm +ca-certificates-legacy-3.0.0-7.azl3.noarch.rpm +ca-certificates-shared-3.0.0-7.azl3.noarch.rpm +ca-certificates-tools-3.0.0-7.azl3.noarch.rpm ccache-4.8.3-1.azl3.x86_64.rpm ccache-debuginfo-4.8.3-1.azl3.x86_64.rpm check-0.15.2-1.azl3.x86_64.rpm @@ -48,9 +52,9 @@ chkconfig-debuginfo-1.25-1.azl3.x86_64.rpm chkconfig-lang-1.25-1.azl3.x86_64.rpm cmake-3.29.6-1.azl3.x86_64.rpm cmake-debuginfo-3.29.6-1.azl3.x86_64.rpm -coreutils-9.4-5.azl3.x86_64.rpm -coreutils-debuginfo-9.4-5.azl3.x86_64.rpm -coreutils-lang-9.4-5.azl3.x86_64.rpm +coreutils-9.4-6.azl3.x86_64.rpm +coreutils-debuginfo-9.4-6.azl3.x86_64.rpm +coreutils-lang-9.4-6.azl3.x86_64.rpm cpio-2.14-1.azl3.x86_64.rpm cpio-debuginfo-2.14-1.azl3.x86_64.rpm cpio-lang-2.14-1.azl3.x86_64.rpm 
@@ -77,11 +81,11 @@ docbook-dtd-xml-4.5-11.azl3.noarch.rpm docbook-style-xsl-1.79.1-13.azl3.noarch.rpm dwz-0.14-2.azl3.x86_64.rpm dwz-debuginfo-0.14-2.azl3.x86_64.rpm -e2fsprogs-1.47.0-1.azl3.x86_64.rpm -e2fsprogs-debuginfo-1.47.0-1.azl3.x86_64.rpm -e2fsprogs-devel-1.47.0-1.azl3.x86_64.rpm -e2fsprogs-lang-1.47.0-1.azl3.x86_64.rpm -e2fsprogs-libs-1.47.0-1.azl3.x86_64.rpm +e2fsprogs-1.47.0-2.azl3.x86_64.rpm +e2fsprogs-debuginfo-1.47.0-2.azl3.x86_64.rpm +e2fsprogs-devel-1.47.0-2.azl3.x86_64.rpm +e2fsprogs-lang-1.47.0-2.azl3.x86_64.rpm +e2fsprogs-libs-1.47.0-2.azl3.x86_64.rpm elfutils-0.189-3.azl3.x86_64.rpm elfutils-debuginfo-0.189-3.azl3.x86_64.rpm elfutils-default-yama-scope-0.189-3.azl3.noarch.rpm @@ -126,16 +130,16 @@ glib-debuginfo-2.78.1-4.azl3.x86_64.rpm glib-devel-2.78.1-4.azl3.x86_64.rpm glib-doc-2.78.1-4.azl3.noarch.rpm glib-schemas-2.78.1-4.azl3.x86_64.rpm -glibc-2.38-6.azl3.x86_64.rpm -glibc-debuginfo-2.38-6.azl3.x86_64.rpm -glibc-devel-2.38-6.azl3.x86_64.rpm -glibc-i18n-2.38-6.azl3.x86_64.rpm -glibc-iconv-2.38-6.azl3.x86_64.rpm -glibc-lang-2.38-6.azl3.x86_64.rpm -glibc-locales-all-2.38-6.azl3.x86_64.rpm -glibc-nscd-2.38-6.azl3.x86_64.rpm -glibc-static-2.38-6.azl3.x86_64.rpm -glibc-tools-2.38-6.azl3.x86_64.rpm +glibc-2.38-7.azl3.x86_64.rpm +glibc-debuginfo-2.38-7.azl3.x86_64.rpm +glibc-devel-2.38-7.azl3.x86_64.rpm +glibc-i18n-2.38-7.azl3.x86_64.rpm +glibc-iconv-2.38-7.azl3.x86_64.rpm +glibc-lang-2.38-7.azl3.x86_64.rpm +glibc-locales-all-2.38-7.azl3.x86_64.rpm +glibc-nscd-2.38-7.azl3.x86_64.rpm +glibc-static-2.38-7.azl3.x86_64.rpm +glibc-tools-2.38-7.azl3.x86_64.rpm gmp-6.3.0-1.azl3.x86_64.rpm gmp-debuginfo-6.3.0-1.azl3.x86_64.rpm gmp-devel-6.3.0-1.azl3.x86_64.rpm 
@@ -157,8 +161,8 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.x86_64.rpm kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm -kernel-cross-headers-6.6.43.1-7.azl3.noarch.rpm -kernel-headers-6.6.43.1-7.azl3.noarch.rpm +kernel-cross-headers-6.6.47.1-1.azl3.noarch.rpm +kernel-headers-6.6.47.1-1.azl3.noarch.rpm kmod-30-1.azl3.x86_64.rpm kmod-debuginfo-30-1.azl3.x86_64.rpm kmod-devel-30-1.azl3.x86_64.rpm @@ -166,12 +170,16 @@ krb5-1.21.3-1.azl3.x86_64.rpm krb5-debuginfo-1.21.3-1.azl3.x86_64.rpm krb5-devel-1.21.3-1.azl3.x86_64.rpm krb5-lang-1.21.3-1.azl3.x86_64.rpm +libacl-2.3.1-2.azl3.x86_64.rpm +libacl-devel-2.3.1-2.azl3.x86_64.rpm libarchive-3.7.1-2.azl3.x86_64.rpm libarchive-debuginfo-3.7.1-2.azl3.x86_64.rpm libarchive-devel-3.7.1-2.azl3.x86_64.rpm libassuan-2.5.6-1.azl3.x86_64.rpm libassuan-debuginfo-2.5.6-1.azl3.x86_64.rpm libassuan-devel-2.5.6-1.azl3.x86_64.rpm +libattr-2.5.2-1.azl3.x86_64.rpm +libattr-devel-2.5.2-1.azl3.x86_64.rpm libbacktrace-static-13.2.0-7.azl3.x86_64.rpm libcap-2.69-1.azl3.x86_64.rpm libcap-debuginfo-2.69-1.azl3.x86_64.rpm @@ -256,8 +264,8 @@ lz4-debuginfo-1.9.4-1.azl3.x86_64.rpm lz4-devel-1.9.4-1.azl3.x86_64.rpm m4-1.4.19-2.azl3.x86_64.rpm m4-debuginfo-1.4.19-2.azl3.x86_64.rpm -make-4.4.1-1.azl3.x86_64.rpm -make-debuginfo-4.4.1-1.azl3.x86_64.rpm +make-4.4.1-2.azl3.x86_64.rpm +make-debuginfo-4.4.1-2.azl3.x86_64.rpm meson-1.3.1-1.azl3.noarch.rpm mpfr-4.2.1-1.azl3.x86_64.rpm mpfr-debuginfo-4.2.1-1.azl3.x86_64.rpm 
@@ -527,18 +535,18 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm python-markupsafe-debuginfo-2.1.3-1.azl3.x86_64.rpm python-wheel-wheel-0.43.0-1.azl3.noarch.rpm -python3-3.12.3-1.azl3.x86_64.rpm +python3-3.12.3-2.azl3.x86_64.rpm python3-audit-3.1.2-1.azl3.x86_64.rpm python3-cracklib-2.9.11-1.azl3.x86_64.rpm -python3-curses-3.12.3-1.azl3.x86_64.rpm +python3-curses-3.12.3-2.azl3.x86_64.rpm python3-Cython-3.0.5-2.azl3.x86_64.rpm -python3-debuginfo-3.12.3-1.azl3.x86_64.rpm -python3-devel-3.12.3-1.azl3.x86_64.rpm +python3-debuginfo-3.12.3-2.azl3.x86_64.rpm +python3-devel-3.12.3-2.azl3.x86_64.rpm python3-flit-core-3.9.0-1.azl3.noarch.rpm python3-gpg-1.23.2-2.azl3.x86_64.rpm python3-jinja2-3.1.2-1.azl3.noarch.rpm python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm -python3-libs-3.12.3-1.azl3.x86_64.rpm +python3-libs-3.12.3-2.azl3.x86_64.rpm python3-libxml2-2.11.5-1.azl3.x86_64.rpm python3-lxml-4.9.3-1.azl3.x86_64.rpm python3-magic-5.45-1.azl3.noarch.rpm @@ -550,8 +558,8 @@ python3-pygments-2.7.4-1.azl3.noarch.rpm python3-rpm-4.18.2-1.azl3.x86_64.rpm python3-rpm-generators-14-11.azl3.noarch.rpm python3-setuptools-69.0.3-2.azl3.noarch.rpm -python3-test-3.12.3-1.azl3.x86_64.rpm -python3-tools-3.12.3-1.azl3.x86_64.rpm +python3-test-3.12.3-2.azl3.x86_64.rpm +python3-tools-3.12.3-2.azl3.x86_64.rpm python3-wheel-0.43.0-1.azl3.noarch.rpm readline-8.2-1.azl3.x86_64.rpm readline-debuginfo-8.2-1.azl3.x86_64.rpm 
@@ -582,14 +590,14 @@ systemd-bootstrap-libs-250.3-17.azl3.x86_64.rpm systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm tar-1.35-1.azl3.x86_64.rpm tar-debuginfo-1.35-1.azl3.x86_64.rpm -tdnf-3.5.6-1.azl3.x86_64.rpm -tdnf-autoupdate-3.5.6-1.azl3.x86_64.rpm -tdnf-cli-libs-3.5.6-1.azl3.x86_64.rpm -tdnf-debuginfo-3.5.6-1.azl3.x86_64.rpm -tdnf-devel-3.5.6-1.azl3.x86_64.rpm -tdnf-plugin-metalink-3.5.6-1.azl3.x86_64.rpm -tdnf-plugin-repogpgcheck-3.5.6-1.azl3.x86_64.rpm -tdnf-python-3.5.6-1.azl3.x86_64.rpm +tdnf-3.5.6-2.azl3.x86_64.rpm +tdnf-autoupdate-3.5.6-2.azl3.x86_64.rpm +tdnf-cli-libs-3.5.6-2.azl3.x86_64.rpm +tdnf-debuginfo-3.5.6-2.azl3.x86_64.rpm +tdnf-devel-3.5.6-2.azl3.x86_64.rpm +tdnf-plugin-metalink-3.5.6-2.azl3.x86_64.rpm +tdnf-plugin-repogpgcheck-3.5.6-2.azl3.x86_64.rpm +tdnf-python-3.5.6-2.azl3.x86_64.rpm texinfo-7.0.3-1.azl3.x86_64.rpm texinfo-debuginfo-7.0.3-1.azl3.x86_64.rpm unzip-6.0-20.azl3.x86_64.rpm diff --git a/toolkit/scripts/containerized-build/create_container_build.sh b/toolkit/scripts/containerized-build/create_container_build.sh index 7f811fbb669..70c360c5f94 100755 --- a/toolkit/scripts/containerized-build/create_container_build.sh +++ b/toolkit/scripts/containerized-build/create_container_build.sh @@ -234,8 +234,7 @@ sed -i "s~~${topdir}~" $tmp_dir/setup_functions.sh # ============ Build the image ============ dockerfile="${script_dir}/resources/azl.Dockerfile" -# TODO: Remove test mode when image is available for 3.0 -if [[ "${mode}" == "build" || "${mode}" == "test" ]]; then # Configure base image +if [[ "${mode}" == "build" ]]; then # Configure base image echo "Importing chroot into docker..." chroot_file="$BUILD_DIR/worker/worker_chroot.tar.gz" if [[ ! -f "${chroot_file}" ]]; then build_worker_chroot; fi 
@@ -255,7 +254,7 @@ if [[ "${mode}" == "build" || "${mode}" == "test" ]]; then # Configure base imag docker import "${chroot_file}" $container_img fi else - container_img="mcr.microsoft.com/cbl-mariner/base/core:${version}" + container_img="mcr.microsoft.com/azurelinux/base/core:${version}" fi # ================== Launch Container ================== diff --git a/toolkit/scripts/toolchain.mk b/toolkit/scripts/toolchain.mk index 638477af7bf..a25022bd421 100644 --- a/toolkit/scripts/toolchain.mk +++ b/toolkit/scripts/toolchain.mk @@ -66,7 +66,7 @@ clean-toolchain: clean-toolchain-rpms rm -rf $(toolchain_logs_dir) rm -rf $(toolchain_from_repos) rm -rf $(STATUS_FLAGS_DIR)/toolchain_local_temp.flag - rm -rf $(STATUS_FLAGS_DIR)/daily_build_auto_cleanup.flag + rm -rf $(STATUS_FLAGS_DIR)/toolchain_auto_cleanup.flag rm -f $(SCRIPTS_DIR)/toolchain/container/toolchain-local-wget-list rm -f $(SCRIPTS_DIR)/toolchain/container/texinfo-perl-fix.patch rm -f $(SCRIPTS_DIR)/toolchain/container/Awt_build_headless_only.patch 
@@ -87,11 +87,13 @@ clean-toolchain-rpms: @for f in $(toolchain_out_rpms); do rm -vf $$f; done rm -rvf $(TOOLCHAIN_RPMS_DIR) -# We need to clear the toolchain if we are using a daily build. The filenames will all be the same, but the actual -# .rpm files may be fundamentally different. -$(STATUS_FLAGS_DIR)/daily_build_auto_cleanup.flag: $(STATUS_FLAGS_DIR)/daily_build_id.flag - @echo "Daily build ID changed, sanitizing toolchain" - rm -rf $(TOOLCHAIN_RPMS_DIR) +# We need to clear the toolchain if we are using a daily build, or we change validation state. The filenames will all be +# the same, but the actual .rpm files may be fundamentally different. +# We leave the directory structure in place since docker based builds using re-usable chroots will have mounted the +# toolchain subdirectories into the chroots. Removing the directories would break the mounts. +$(STATUS_FLAGS_DIR)/toolchain_auto_cleanup.flag: $(STATUS_FLAGS_DIR)/daily_build_id.flag $(depend_VALIDATE_TOOLCHAIN_GPG) + @echo "Daily build ID or validation mode changed, sanitizing toolchain" + find $(TOOLCHAIN_RPMS_DIR) -type f -name '*.rpm' -exec rm -f {} + touch $@ copy-toolchain-rpms: @@ -277,7 +279,7 @@ $(STATUS_FLAGS_DIR)/toolchain_local_temp.flag: $(selected_toolchain_archive) $(t # The .rpm doesn't exist # The .rpm is older than the archive we are extracting it from # The toolchain configuration has been changed (depend_TOOLCHAIN_ARCHIVE and depend_REBUILD_TOOLCHAIN) -$(toolchain_rpms): $(TOOLCHAIN_MANIFEST) $(STATUS_FLAGS_DIR)/toolchain_local_temp.flag $(STATUS_FLAGS_DIR)/daily_build_auto_cleanup.flag $(depend_TOOLCHAIN_ARCHIVE) $(depend_REBUILD_TOOLCHAIN) +$(toolchain_rpms): $(TOOLCHAIN_MANIFEST) $(STATUS_FLAGS_DIR)/toolchain_local_temp.flag $(STATUS_FLAGS_DIR)/toolchain_auto_cleanup.flag $(depend_TOOLCHAIN_ARCHIVE) $(depend_REBUILD_TOOLCHAIN) tempFile=$(toolchain_local_temp)/$(notdir $@) && \ if [ ! -f $@ \ -o $(selected_toolchain_archive) -nt $@ \ 
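Review bot: The new `find $(TOOLCHAIN_RPMS_DIR) -type f -name '*.rpm' -exec rm -f {} +` in the toolchain_auto_cleanup.flag recipe fails when the directory does not exist, which the old `rm -rf` tolerated, and the `clean-toolchain-rpms` target shown in the same hunk removes that directory with `rm -rvf $(TOOLCHAIN_RPMS_DIR)`. Unless another rule recreates the directory first (not visible in this hunk), a build after a clean would stop at this recipe. Putting `mkdir -p $(TOOLCHAIN_RPMS_DIR)` on the line before the `find` keeps the mount-preserving intent and removes the failure. An empty TOOLCHAIN_RPMS_DIR would also make `find` walk the current directory and delete every `*.rpm` below it, so a guard on the variable is worth considering.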
@@ -292,7 +294,7 @@ $(toolchain_rpms): $(TOOLCHAIN_MANIFEST) $(STATUS_FLAGS_DIR)/toolchain_local_tem # No archive was selected, so download from online package server instead. All packages must be available for this step to succeed. else -$(toolchain_rpms): $(TOOLCHAIN_MANIFEST) $(STATUS_FLAGS_DIR)/daily_build_auto_cleanup.flag $(depend_REBUILD_TOOLCHAIN) $(go-downloader) $(SCRIPTS_DIR)/toolchain/download_toolchain_rpm.sh +$(toolchain_rpms): $(TOOLCHAIN_MANIFEST) $(STATUS_FLAGS_DIR)/toolchain_auto_cleanup.flag $(depend_REBUILD_TOOLCHAIN) $(go-downloader) $(SCRIPTS_DIR)/toolchain/download_toolchain_rpm.sh $(TOOLCHAIN_GPG_VALIDATION_KEYS) @log_file="$(toolchain_downloads_logs_dir)/$(notdir $@).log" && \ rm -f "$$log_file" && \ $(SCRIPTS_DIR)/toolchain/download_toolchain_rpm.sh \ @@ -302,7 +304,9 @@ $(toolchain_rpms): $(TOOLCHAIN_MANIFEST) $(STATUS_FLAGS_DIR)/daily_build_auto_cl --log-base "$$log_file" \ --url-list "$(PACKAGE_URL_LIST)" \ $(if $(TLS_CERT),--certificate $(TLS_CERT)) \ - $(if $(TLS_KEY),--private-key $(TLS_KEY)) || \ + $(if $(TLS_KEY),--private-key $(TLS_KEY)) \ + $(if $(filter y,$(VALIDATE_TOOLCHAIN_GPG)),--enforce-signatures,) \ + --allowable-gpg-keys "$(TOOLCHAIN_GPG_VALIDATION_KEYS)" || \ { \ echo "No entries in PACKAGE_URL_LIST ($(PACKAGE_URL_LIST)) were able to provide the toolchain package: $(notdir $@)." >> "$$log_file" && \ echo -e "\nERROR: Failed to download toolchain package: "$(notdir $@)"." && \ diff --git a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh index 6946773883a..bedd4d8cd21 100755 --- a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh +++ b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh 
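Review bot: `--enforce-signatures` is wired only into this download recipe, so `VALIDATE_TOOLCHAIN_GPG=y` appears not to cover RPMs extracted from a toolchain archive by the rule before the `else`. That rule's recipe is only partly visible in the diff, so this is inferred from the absence of any validation arguments in the lines shown. If the gap is intentional, it should be stated next to the option, for example `# VALIDATE_TOOLCHAIN_GPG applies to downloaded RPMs only; RPMs extracted from TOOLCHAIN_ARCHIVE are not signature-checked.` Otherwise the archive rule needs an equivalent `rpmkeys` check after extraction.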
@@ -612,8 +612,15 @@ chroot_and_install_rpms libselinux # PCRE2 needs to be installed (above) for grep to build with perl regexp support build_rpm_in_chroot_no_install grep -# coreutils and findutils require libselinux -# for SELinux support. +# attr requires gettext, libtool +build_rpm_in_chroot_no_install attr + +# acl requires libattr +chroot_and_install_rpms libattr +build_rpm_in_chroot_no_install acl + +# coreutils and findutils require libselinux, libacl, libattr +chroot_and_install_rpms libacl build_rpm_in_chroot_no_install coreutils build_rpm_in_chroot_no_install findutils diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile index 763111e9a68..e68a4a3eb06 100644 --- a/toolkit/scripts/toolchain/container/Dockerfile +++ b/toolkit/scripts/toolchain/container/Dockerfile @@ -63,7 +63,7 @@ RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolch # Disable downloading from remote sources by default. The 'toolchain-local-wget-list' generated for the above line will download from $(SOURCE_URL) # The 'toolchain-remote-wget-list' is still available and can be used as an alternate to $(SOURCE_URL) if desired. #RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0 -RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.43.1.tar.gz -O kernel-6.6.43.1.tar.gz --directory-prefix=$LFS/sources; exit 0 +RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.47.1.tar.gz -O kernel-6.6.47.1.tar.gz --directory-prefix=$LFS/sources; exit 0 USER root RUN mkdir -pv $LFS/{etc,var} $LFS/usr/{bin,lib,sbin} && \ 
diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums index 425b731269f..58fd65b5c32 100644 --- a/toolkit/scripts/toolchain/container/toolchain-sha256sums +++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums @@ -28,7 +28,7 @@ a3c2b80201b89e68616f4ad30bc66aee4927c3ce50e33929ca819d5c43538898 gmp-6.3.0.tar. 1db2aedde89d0dea42b16d9528f894c8d15dae4e190b59aecc78f5a951276eab grep-3.11.tar.xz 6b9757f592b7518b4902eb6af7e54570bdccba37a871fddb2d30ae3863511c13 groff-1.23.0.tar.gz 7454eb6935db17c6655576c2e1b0fabefd38b4d0936e0f87f48cd062ce91a057 gzip-1.13.tar.xz -978e302c77d8ffbb7f6e6fafd1bc77c9fc84a7839d1ec3251f1c48d61eaf5c39 kernel-6.6.43.1.tar.gz +05f517228da02a9d1d4fd86c66b7565aa7bd28bae1380e29d79f181842efe50f kernel-6.6.47.1.tar.gz 5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0 libarchive-3.7.1.tar.gz f311f8f3dad84699d0566d1d6f7ec943a9298b28f714cae3c931dfd57492d7eb libcap-2.69.tar.xz b8b45194989022a79ec1317f64a2a75b1551b2a55bea06f67704cb2a2e4690b0 libpipeline-1.5.7.tar.gz diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh index 94bbd2afc4a..8ef9752fb94 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh @@ -86,7 +86,7 @@ rm -rf gcc-13.2.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete -KERNEL_VERSION="6.6.43.1" +KERNEL_VERSION="6.6.47.1" echo Linux-${KERNEL_VERSION} API Headers tar xf kernel-${KERNEL_VERSION}.tar.gz pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-3-${KERNEL_VERSION} diff --git a/toolkit/scripts/toolchain/download_toolchain_rpm.sh b/toolkit/scripts/toolchain/download_toolchain_rpm.sh index d373e2ebf42..71381e3b778 100755 --- a/toolkit/scripts/toolchain/download_toolchain_rpm.sh +++ b/toolkit/scripts/toolchain/download_toolchain_rpm.sh 
@@ -4,10 +4,17 @@ set -e +# Create a temporary work directory for RPM signature validation +work_dir=$(mktemp -d) +function cleanup() { + rm -rf "$work_dir" +} +trap cleanup EXIT + # Usage print function usage() { echo "Usage: $0 --downloader-tool --rpm-name --dst --log-base " \ - "--url-list [--certificate ] [--private-key ]" + "--url-list [--certificate ] [--private-key ] [--enforce-signatures] [--allowable-gpg-keys ]" echo "-t|--downloader-tool: Path to our go downloader tool" echo "-r|--rpm-name: Name of the RPM to download" @@ -19,7 +26,8 @@ function usage() { echo " until the RPM is successfully downloaded. Full URL will be /" echo "-c|--certificate: Optional path to a certificate file to use for the download" echo "-k|--private-key: Optional path to a private key file to use for the download" - exit 1 + echo "-e|--enforce-signatures: Optional flag to enforce RPM signatures" + echo "-g|--allowable-gpg-keys: Optional space separated list of GPG keys to allow for signature validation" } # Default values @@ -31,6 +39,8 @@ hydrate=false url_list="" cert="" key="" +enforce_signatures=false +allowable_gpg_keys="" while (( "$#")); do case "$1" in @@ -66,34 +76,49 @@ while (( "$#")); do key=$2 shift 2 ;; + -e|--enforce-signatures) + enforce_signatures=true + shift + ;; + -g|--allowable-gpg-keys) + allowable_gpg_keys=$2 + shift 2 + ;; -h|--help) usage + exit 0 ;; *) echo "Unknown argument: $1" usage + exit 1 ;; esac done if [ -z "$downloader_tool" ]; then usage + exit 1 fi if [ -z "$rpm_name" ]; then usage + exit 1 fi if [ -z "$dst_file" ]; then usage + exit 1 fi if [ -z "$log_file" ]; then usage + exit 1 fi if [ -z "$url_list" ]; then usage + exit 1 fi if [ -n "$cert" ]; then 
@@ -104,6 +129,20 @@ if [ -n "$key" ]; then key="--private-key=$key" fi +if $enforce_signatures; then + if [ -z "$allowable_gpg_keys" ]; then + echo "Must provide allowable GPG keys when enforcing signatures" + usage + exit 1 + fi + for gpg_key in $allowable_gpg_keys; do + if [ ! -f "$gpg_key" ]; then + echo "GPG key file does not exist: $gpg_key" + exit 1 + fi + done +fi + function download() { # Ensure the destination directory exists dst_dir=$(dirname "$dst_file") @@ -129,16 +168,35 @@ function download() { echo "SUCCESS" >> "$log_file" touch "$dst_file" - return + return 0 else echo "Failed to download toolchain RPM: $rpm_name" >> "$attempt_log_file" echo "FAILURE" >> "$log_file" fi done - exit 1 + return 1 +} + +function validate_signatures() { + echo "Validating toolchain RPM: $rpm_name" | tee -a "$log_file" + + for key in $allowable_gpg_keys; do + echo "Adding key ($key) to empty workdir at ($work_dir)" >> "$log_file" + rpmkeys --root "$work_dir" --import "$key" >> "$log_file" + done + + if ! rpmkeys --root "$work_dir" --checksig --verbose "$dst_file" -D "%_pkgverify_level signature" >> "$log_file"; then + echo "Failed to validate toolchain package $rpm_name signature, aborting." | tee -a "$log_file" + return 1 + fi + return 0 } mkdir -p "$(dirname "$log_file")" download + +if $enforce_signatures; then + validate_signatures +fi diff --git a/toolkit/scripts/toolkit.mk b/toolkit/scripts/toolkit.mk index 17692695c28..07647755502 100644 --- a/toolkit/scripts/toolkit.mk +++ b/toolkit/scripts/toolkit.mk @@ -13,7 +13,7 @@ toolkit_component_extra_files = \ $(toolkit_root)/.gitignore mariner_repos_dir = $(PROJECT_ROOT)/SPECS/azurelinux-repos -mariner_repos_files = $(wildcard $(mariner_repos_dir)/*.repo) +mariner_repos_files = $(wildcard $(mariner_repos_dir)/*.repo) $(wildcard $(mariner_repos_dir)/MICROSOFT-*-GPG-KEY) rpms_snapshot_name = rpms_snapshot.json specs_dir_name = $(notdir $(SPECS_DIR)) toolkit_remove_archive = $(OUT_DIR)/toolkit-*.tar* 
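Review bot: When `validate_signatures` fails, the RPM that `download` just wrote stays at `$dst_file`, so a package that failed its signature check remains in the toolchain directory. Whether a later `make` run would then treat the target as up to date depends on the calling rule, which is outside this hunk, but adding `rm -f "$dst_file"` before the `return 1` in the failure branch closes the gap either way. The loop variable `key` in `validate_signatures` overwrites the global `key` that holds the `--private-key=` option; declaring `local gpg_key` and iterating over that, as the earlier existence check does, avoids the clash. Both `rpmkeys` calls append only stdout to the log, so `>> "$log_file" 2>&1` would keep the failure reason with the rest of the attempt. Rejection of an unsigned package rests on `-D "%_pkgverify_level signature"` being honoured by the host's `rpmkeys`, which a test with an unsigned RPM would confirm.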
diff --git a/toolkit/scripts/update_manifest.sh b/toolkit/scripts/update_manifest.sh index 5eb98baae80..3022accad24 100755 --- a/toolkit/scripts/update_manifest.sh +++ b/toolkit/scripts/update_manifest.sh @@ -100,7 +100,7 @@ update_manifest() { echo "Manifests are different, updating ${basename}" mv "${BUILD_TEMP_MANIFEST_FILENAME}" "${filepath}" - chown "$CALLING_USER:$CALLING_USER" "${filepath}" + chown "$CALLING_USER:" "${filepath}" else echo "Manifests are the same, not updating ${basename}" fi diff --git a/toolkit/scripts/utils.mk b/toolkit/scripts/utils.mk index 5442a184bfe..f30d581e122 100644 --- a/toolkit/scripts/utils.mk +++ b/toolkit/scripts/utils.mk 
@@ -55,10 +55,10 @@ endef ######## VARIABLE DEPENDENCY TRACKING ######## # List of variables to watch for changes. -watch_vars=PACKAGE_BUILD_LIST PACKAGE_REBUILD_LIST PACKAGE_IGNORE_LIST REPO_LIST CONFIG_FILE STOP_ON_PKG_FAIL TOOLCHAIN_ARCHIVE REBUILD_TOOLCHAIN SRPM_PACK_LIST SPECS_DIR MAX_CASCADING_REBUILDS RUN_CHECK TEST_RUN_LIST TEST_RERUN_LIST TEST_IGNORE_LIST EXTRA_BUILD_LAYERS LICENSE_CHECK_MODE +watch_vars=PACKAGE_BUILD_LIST PACKAGE_REBUILD_LIST PACKAGE_IGNORE_LIST REPO_LIST CONFIG_FILE STOP_ON_PKG_FAIL TOOLCHAIN_ARCHIVE REBUILD_TOOLCHAIN SRPM_PACK_LIST SPECS_DIR MAX_CASCADING_REBUILDS RUN_CHECK TEST_RUN_LIST TEST_RERUN_LIST TEST_IGNORE_LIST EXTRA_BUILD_LAYERS LICENSE_CHECK_MODE VALIDATE_TOOLCHAIN_GPG # Current list: $(depend_PACKAGE_BUILD_LIST) $(depend_PACKAGE_REBUILD_LIST) $(depend_PACKAGE_IGNORE_LIST) $(depend_REPO_LIST) $(depend_CONFIG_FILE) $(depend_STOP_ON_PKG_FAIL) # $(depend_TOOLCHAIN_ARCHIVE) $(depend_REBUILD_TOOLCHAIN) $(depend_SRPM_PACK_LIST) $(depend_SPECS_DIR) $(depend_EXTRA_BUILD_LAYERS) $(depend_MAX_CASCADING_REBUILDS) $(depend_RUN_CHECK) $(depend_TEST_RUN_LIST) -# $(depend_TEST_RERUN_LIST) $(depend_TEST_IGNORE_LIST) $(depend_LICENSE_CHECK_MODE) +# $(depend_TEST_RERUN_LIST) $(depend_TEST_IGNORE_LIST) $(depend_LICENSE_CHECK_MODE) $(depend_VALIDATE_TOOLCHAIN_GPG) .PHONY: variable_depends_on_phony clean-variable_depends_on_phony setfacl_always_run_phony clean: clean-variable_depends_on_phony diff --git a/toolkit/tools/imagecustomizer/container/build-mic-container.sh b/toolkit/tools/imagecustomizer/container/build-mic-container.sh index 1242415dc3d..52155a00e52 100755 --- a/toolkit/tools/imagecustomizer/container/build-mic-container.sh +++ b/toolkit/tools/imagecustomizer/container/build-mic-container.sh 
@@ -55,7 +55,7 @@ cp "$runScriptPath" "${stagingBinDir}" touch ${containerStagingFolder}/.mariner-toolkit-ignore-dockerenv -# Download oras +# download oras ORAS_TAR="${buildDir}/oras_${ORAS_VERSION}_linux_${ARCH}.tar.gz" curl -L "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_${ARCH}.tar.gz" \ diff --git a/toolkit/tools/imagecustomizer/container/run-mic-container.sh b/toolkit/tools/imagecustomizer/container/run-mic-container.sh index 0101b215dc8..a6b1e1d845f 100755 --- a/toolkit/tools/imagecustomizer/container/run-mic-container.sh +++ b/toolkit/tools/imagecustomizer/container/run-mic-container.sh @@ -6,7 +6,7 @@ function showUsage() { echo echo "usage:" echo - echo "build-mic-container.sh \\" + echo "run-mic-container.sh \\" echo " -t \\" echo " -i \\" echo " -c \\" diff --git a/toolkit/tools/imagecustomizer/container/test-mic-container.sh b/toolkit/tools/imagecustomizer/container/test-mic-container.sh new file mode 100755 index 00000000000..c017792b8da --- /dev/null +++ b/toolkit/tools/imagecustomizer/container/test-mic-container.sh 
@@ -0,0 +1,37 @@ +# Test container by running run.sh script inside it. +set -eux +SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")" + +containerTag="$1" + +outputImage="$SCRIPT_DIR/../../out/containertestoutput.vhdx" +outputImageDir="$(dirname "$outputImage")" +inputConfig="$SCRIPT_DIR/../../pkg/imagecustomizerlib/testdata/partitions-config.yaml" +inputConfigDir="$(dirname "$inputConfig")" + +mkdir -p "$outputImageDir" + +# Setup input config within the container. +containerInputConfigDir="/mic/config" +containerInputConfig="$containerInputConfigDir/$(basename "$inputConfig")" + +# Setup build folder within the container. +containerBuildDir="/mic/build" + +# Setup output image within the container. +containerOutputDir="/mic/output" +containerOutputImage="$containerOutputDir/$(basename "$outputImage")" + +# Run run.sh script in docker container. +docker run --rm \ + --privileged=true \ + -v "$inputConfigDir":"$containerInputConfigDir":z \ + -v "$outputImageDir":"$containerOutputDir":z \ + -v /dev:/dev \ + "$containerTag" \ + /usr/local/bin/run.sh \ + "2.0.latest" \ + --config-file "$containerInputConfig" \ + --build-dir "$containerBuildDir" \ + --output-image-format "vhdx" \ + --output-image-file "$containerOutputImage" \ No newline at end of file diff --git a/toolkit/tools/imagecustomizer/docs/container.md b/toolkit/tools/imagecustomizer/docs/container.md index a7fa5bcc9ea..a4b863fbd02 100644 --- a/toolkit/tools/imagecustomizer/docs/container.md +++ b/toolkit/tools/imagecustomizer/docs/container.md 
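Review bot: The new test-mic-container.sh is added with mode 100755, but its first line is a comment rather than a shebang, while the third line uses `${BASH_SOURCE[0]}`. Run directly from a non-bash shell, it would be interpreted by that shell and fail on the bash-only expansion; adding `#!/usr/bin/env bash` as the first line fixes this. The file also ends without a trailing newline. The `docker run` passes `--privileged=true` and `-v /dev:/dev` to whatever tag arrives as `$1`, so a header comment should say so, e.g. `# Runs the given image privileged with the host /dev mounted; pass only a tag you built yourself.`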
@@ -38,6 +38,13 @@ docker run --rm --privileged=true \ --output-image-file /image/customized.raw ``` +Alternatively, you can use the [run.sh](https://github.com/microsoft/azurelinux/blob/3.0-dev/toolkit/tools/imagecustomizer/container/test-mic-container.sh) +script on the container which runs `imagecustomizer` with a base image downloaded from MCR. + +Usage: ``` run.sh $version_tag ``` + +For a complete usage example, refer to [test-mic-container.sh](https://github.com/microsoft/azurelinux/blob/3.0-dev/toolkit/tools/imagecustomizer/container/test-mic-container.sh). + ### Check the Output After the container executes, check the output directory on your host for the diff --git a/toolkit/tools/imagecustomizerapi/config_test.go b/toolkit/tools/imagecustomizerapi/config_test.go index 9ce846edfca..8139e001251 100644 --- a/toolkit/tools/imagecustomizerapi/config_test.go +++ b/toolkit/tools/imagecustomizerapi/config_test.go @@ -15,7 +15,7 @@ func TestConfigIsValid(t *testing.T) { Storage: &Storage{ Disks: []Disk{{ PartitionTableType: "gpt", - MaxSize: 2 * diskutils.MiB, + MaxSize: 3 * diskutils.MiB, Partitions: []Partition{ { Id: "esp", @@ -52,7 +52,7 @@ func TestConfigIsValidLegacy(t *testing.T) { Storage: &Storage{ Disks: []Disk{{ PartitionTableType: "gpt", - MaxSize: 2 * diskutils.MiB, + MaxSize: 3 * diskutils.MiB, Partitions: []Partition{ { Id: "boot", @@ -109,7 +109,7 @@ func TestConfigIsValidMissingBootLoaderReset(t *testing.T) { Storage: &Storage{ Disks: []Disk{{ PartitionTableType: "gpt", - MaxSize: 2 * diskutils.MiB, + MaxSize: 3 * diskutils.MiB, Partitions: []Partition{ { Id: "esp", @@ -260,7 +260,7 @@ func TestConfigIsValidInvalidMountPoint(t *testing.T) { Storage: &Storage{ Disks: []Disk{{ PartitionTableType: "gpt", - MaxSize: 2 * diskutils.MiB, + MaxSize: 3 * diskutils.MiB, Partitions: []Partition{ { Id: "esp", 
@@ -298,7 +298,7 @@ func TestConfigIsValidKernelCLI(t *testing.T) { Storage: &Storage{ Disks: []Disk{{ PartitionTableType: "gpt", - MaxSize: 2 * diskutils.MiB, + MaxSize: 3 * diskutils.MiB, Partitions: []Partition{ { Id: "esp", diff --git a/toolkit/tools/imagecustomizerapi/disk.go b/toolkit/tools/imagecustomizerapi/disk.go index e761a73c6c5..794c7d69421 100644 --- a/toolkit/tools/imagecustomizerapi/disk.go +++ b/toolkit/tools/imagecustomizerapi/disk.go @@ -6,11 +6,24 @@ package imagecustomizerapi import ( "fmt" "sort" - "strconv" "github.com/microsoft/azurelinux/toolkit/tools/imagegen/diskutils" ) +const ( + DefaultSectorSize = 512 + + // For SSDs, aligning partition's to 1 MiB is beneficial for performance reasons. + // In addition, the imager's diskutils works in MiB. + DefaultPartitionAlignment = diskutils.MiB + + // The number of sectors (LBA) that the GPT header requires. + GptHeaderSectorNum = 34 + + // The number of sectors (LBA) that the GPT footer requires. + GptFooterSectorNum = 33 +) + type Disk struct { // The type of partition table to use (e.g. mbr, gpt) PartitionTableType PartitionTableType `yaml:"partitionTableType"` @@ -39,6 +52,9 @@ func (d *Disk) IsValid() error { } } + gptHeaderSize := DiskSize(roundUp(GptHeaderSectorNum*DefaultSectorSize, DefaultPartitionAlignment)) + gptFooterSize := DiskSize(roundUp(GptFooterSectorNum*DefaultSectorSize, DefaultPartitionAlignment)) + // Check for overlapping partitions. // First, sort partitions by start index. sortedPartitions := append([]Partition(nil), d.Partitions...) 
@@ -59,18 +75,19 @@ func (d *Disk) IsValid() error { bEnd, bHasEnd := b.GetEnd() bEndStr := "" if bHasEnd { - bEndStr = strconv.FormatUint(uint64(bEnd), 10) + bEndStr = bEnd.HumanReadable() } - return fmt.Errorf("partition's (%s) range [%d, %d) overlaps partition's (%s) range [%d, %s)", - a.Id, a.Start, aEnd, b.Id, b.Start, bEndStr) + return fmt.Errorf("partition's (%s) range [%s, %s) overlaps partition's (%s) range [%s, %s)", + a.Id, a.Start.HumanReadable(), aEnd.HumanReadable(), b.Id, b.Start.HumanReadable(), bEndStr) } } if len(sortedPartitions) > 0 { // Make sure the first block isn't used. firstPartition := sortedPartitions[0] - if firstPartition.Start < diskutils.MiB { - return fmt.Errorf("first 1 MiB must be reserved for the MBR header (%s)", firstPartition.Id) + if firstPartition.Start < gptHeaderSize { + return fmt.Errorf("invalid partition (%s) start:\nfirst %s of disk is reserved for the GPT header", + firstPartition.Id, gptHeaderSize.HumanReadable()) } // Check that the disk is big enough for the partition layout. @@ -80,15 +97,27 @@ func (d *Disk) IsValid() error { var requiredSize DiskSize if !lastPartitionHasEnd { - requiredSize = lastPartition.Start + diskutils.MiB + requiredSize = lastPartition.Start + DefaultPartitionAlignment } else { requiredSize = lastPartitionEnd } + requiredSize += gptFooterSize + if requiredSize > d.MaxSize { - return fmt.Errorf("disk's partitions need %d bytes but maxSize is only %d bytes", requiredSize, d.MaxSize) + return fmt.Errorf("disk's partitions need %s but maxSize is only %s:\nGPT footer size is %s", + requiredSize.HumanReadable(), d.MaxSize.HumanReadable(), gptFooterSize.HumanReadable()) } } return nil } + +func roundUp(size uint64, alignment uint64) uint64 { + div := size / alignment + mod := size % alignment + if mod == 0 { + return size + } + return (div + 1) * alignment +} 
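Review bot: The size check in the second hunk compares only after unchecked additions: `lastPartition.Start + DefaultPartitionAlignment` and the new `requiredSize += gptFooterSize`. If DiskSize is an unsigned 64-bit type (the `uint64` conversions here suggest so, but its definition is outside the hunk), a start or end near the top of the range wraps around and the layout passes validation. Testing by subtraction avoids the wrap for the footer, `if requiredSize > d.MaxSize || d.MaxSize-requiredSize < gptFooterSize {`, with the sum computed only for the message. `roundUp` has no doc comment; `// roundUp rounds size up to the next multiple of alignment, which must be non-zero.` would record the divide-by-zero precondition. IsValid starts before this hunk.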
diff --git a/toolkit/tools/imagecustomizerapi/disk_test.go b/toolkit/tools/imagecustomizerapi/disk_test.go index 5d29d646107..7757fdd1aa5 100644 --- a/toolkit/tools/imagecustomizerapi/disk_test.go +++ b/toolkit/tools/imagecustomizerapi/disk_test.go @@ -14,7 +14,7 @@ import ( func TestDiskIsValid(t *testing.T) { disk := &Disk{ PartitionTableType: PartitionTableTypeGpt, - MaxSize: 2 * diskutils.MiB, + MaxSize: 3 * diskutils.MiB, Partitions: []Partition{ { Id: "a", @@ -30,7 +30,7 @@ func TestDiskIsValid(t *testing.T) { func TestDiskIsValidWithEnd(t *testing.T) { disk := &Disk{ PartitionTableType: PartitionTableTypeGpt, - MaxSize: 2 * diskutils.MiB, + MaxSize: 3 * diskutils.MiB, Partitions: []Partition{ { Id: "a", @@ -47,7 +47,7 @@ func TestDiskIsValidWithEnd(t *testing.T) { func TestDiskIsValidWithSize(t *testing.T) { disk := &Disk{ PartitionTableType: PartitionTableTypeGpt, - MaxSize: 2 * diskutils.MiB, + MaxSize: 3 * diskutils.MiB, Partitions: []Partition{ { Id: "a", @@ -67,7 +67,7 @@ func TestDiskIsValidWithSize(t *testing.T) { func TestDiskIsValidStartAt0(t *testing.T) { disk := &Disk{ PartitionTableType: PartitionTableTypeGpt, - MaxSize: 2 * diskutils.MiB, + MaxSize: 3 * diskutils.MiB, Partitions: []Partition{ { Id: "a", @@ -78,13 +78,14 @@ func TestDiskIsValidStartAt0(t *testing.T) { err := disk.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "first 1 MiB must be reserved for the MBR header") + assert.ErrorContains(t, err, "invalid partition (a) start") + assert.ErrorContains(t, err, "first 1 MiB of disk is reserved for the GPT header") } func TestDiskIsValidInvalidTableType(t *testing.T) { disk := &Disk{ PartitionTableType: "a", - MaxSize: 2 * diskutils.MiB, + MaxSize: 3 * diskutils.MiB, Partitions: []Partition{ { Id: "a", 
@@ -95,7 +96,7 @@ func TestDiskIsValidInvalidTableType(t *testing.T) { err := disk.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "partitionTableType") + assert.ErrorContains(t, err, "invalid partitionTableType value (a)") } func TestDiskIsValidInvalidPartition(t *testing.T) { @@ -113,7 +114,8 @@ func TestDiskIsValidInvalidPartition(t *testing.T) { err := disk.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "invalid partition") + assert.ErrorContains(t, err, "invalid partition at index 0") + assert.ErrorContains(t, err, "partition's (a) size can't be 0 or negative") } func TestDiskIsValidTwoExpanding(t *testing.T) { @@ -134,7 +136,7 @@ func TestDiskIsValidTwoExpanding(t *testing.T) { err := disk.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "is not last partition but size is set to \"grow\"") + assert.ErrorContains(t, err, "partition (a) is not last partition but size is set to \"grow\"") } func TestDiskIsValidTwoExpandingGrow(t *testing.T) { @@ -158,7 +160,7 @@ func TestDiskIsValidTwoExpandingGrow(t *testing.T) { err := disk.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "is not last partition but size is set to \"grow\"") + assert.ErrorContains(t, err, "partition (a) is not last partition but size is set to \"grow\"") } func TestDiskIsValidOverlaps(t *testing.T) { @@ -181,7 +183,7 @@ func TestDiskIsValidOverlaps(t *testing.T) { err := disk.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "overlaps") + assert.ErrorContains(t, err, "partition's (a) range [1 MiB, 3 MiB) overlaps partition's (b) range [2 MiB, 4 MiB)") } func TestDiskIsValidOverlapsExpanding(t *testing.T) { 
@@ -203,13 +205,13 @@ func TestDiskIsValidOverlapsExpanding(t *testing.T) { err := disk.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "overlaps") + assert.ErrorContains(t, err, "partition's (a) range [1 MiB, 3 MiB) overlaps partition's (b) range [2 MiB, )") } func TestDiskIsValidTooSmall(t *testing.T) { disk := &Disk{ PartitionTableType: PartitionTableTypeGpt, - MaxSize: 3 * diskutils.MiB, + MaxSize: 4 * diskutils.MiB, Partitions: []Partition{ { Id: "a", @@ -226,7 +228,8 @@ func TestDiskIsValidTooSmall(t *testing.T) { err := disk.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "maxSize") + assert.ErrorContains(t, err, "disk's partitions need 5 MiB but maxSize is only 4 MiB") + assert.ErrorContains(t, err, "GPT footer size is 1 MiB") } func TestDiskIsValidTooSmallExpanding(t *testing.T) { @@ -248,7 +251,8 @@ func TestDiskIsValidTooSmallExpanding(t *testing.T) { err := disk.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "maxSize") + assert.ErrorContains(t, err, "disk's partitions need 5 MiB but maxSize is only 3 MiB") + assert.ErrorContains(t, err, "GPT footer size is 1 MiB") } func TestDiskIsValidZeroSize(t *testing.T) { @@ -260,5 +264,5 @@ func TestDiskIsValidZeroSize(t *testing.T) { err := disk.IsValid() assert.Error(t, err) - assert.ErrorContains(t, err, "maxSize") + assert.ErrorContains(t, err, "a disk's maxSize value (0) must be a positive non-zero number") } diff --git a/toolkit/tools/imagecustomizerapi/disksize.go b/toolkit/tools/imagecustomizerapi/disksize.go index f5193e3ce07..0f8d00e9ac7 100644 --- a/toolkit/tools/imagecustomizerapi/disksize.go +++ b/toolkit/tools/imagecustomizerapi/disksize.go 
@@ -40,6 +40,25 @@ func (s *DiskSize) UnmarshalYAML(value *yaml.Node) error { return nil } +func (s DiskSize) HumanReadable() string { + switch { + case s%diskutils.TiB == 0: + return fmt.Sprintf("%d TiB", s/diskutils.TiB) + + case s%diskutils.GiB == 0: + return fmt.Sprintf("%d GiB", s/diskutils.GiB) + + case s%diskutils.MiB == 0: + return fmt.Sprintf("%d MiB", s/diskutils.MiB) + + case s%diskutils.KiB == 0: + return fmt.Sprintf("%d KiB", s/diskutils.KiB) + + default: + return fmt.Sprintf("%d bytes", s) + } +} + func parseDiskSize(diskSizeString string) (DiskSize, error) { match := diskSizeRegex.FindStringSubmatch(diskSizeString) if match == nil { @@ -72,8 +91,9 @@ func parseDiskSize(diskSizeString string) (DiskSize, error) { } // The imager's diskutils works in MiB. So, restrict disk and partition sizes to multiples of 1 MiB. - if num%diskutils.MiB != 0 { - return 0, fmt.Errorf("(%d) must be a multiple of 1 MiB", num) + if num%DefaultPartitionAlignment != 0 { + return 0, fmt.Errorf("(%s) must be a multiple of %s", diskSizeString, + DiskSize(DefaultPartitionAlignment).HumanReadable()) } return DiskSize(num), nil diff --git a/toolkit/tools/imagecustomizerapi/disksize_test.go b/toolkit/tools/imagecustomizerapi/disksize_test.go index b52376711ff..c65119d73bc 100644 --- a/toolkit/tools/imagecustomizerapi/disksize_test.go +++ b/toolkit/tools/imagecustomizerapi/disksize_test.go 
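Review bot: HumanReadable renders a zero size as "0 TiB", because `s%diskutils.TiB == 0` is true for 0 and is the first case tested. A leading case such as `case s == 0: return "0 bytes"` would give the expected text in validation messages. The method is exported and has no doc comment; something like `// HumanReadable formats the size using the largest binary unit (TiB, GiB, MiB, KiB) that divides it exactly, falling back to bytes.` would document the exact-division behaviour, which is easy to mistake for rounding.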
@@ -73,3 +73,23 @@ func TestDiskSizeBadFormat(t *testing.T) { err := UnmarshalYaml([]byte("2M2"), &diskSize) assert.ErrorContains(t, err, "has incorrect format") } + +func TestDiskSizeHumanReadableTiB(t *testing.T) { + assert.Equal(t, DiskSize(diskutils.TiB).HumanReadable(), "1 TiB") +} + +func TestDiskSizeHumanReadableGiB(t *testing.T) { + assert.Equal(t, DiskSize(diskutils.GiB).HumanReadable(), "1 GiB") +} + +func TestDiskSizeHumanReadableMiB(t *testing.T) { + assert.Equal(t, DiskSize(diskutils.MiB).HumanReadable(), "1 MiB") +} + +func TestDiskSizeHumanReadableKiB(t *testing.T) { + assert.Equal(t, DiskSize(diskutils.KiB).HumanReadable(), "1 KiB") +} + +func TestDiskSizeHumanReadableBytes(t *testing.T) { + assert.Equal(t, DiskSize(1).HumanReadable(), "1 bytes") +} diff --git a/toolkit/tools/imagecustomizerapi/storage_test.go b/toolkit/tools/imagecustomizerapi/storage_test.go index a4762c403f3..8e9b06f1f9a 100644 --- a/toolkit/tools/imagecustomizerapi/storage_test.go +++ b/toolkit/tools/imagecustomizerapi/storage_test.go @@ -222,7 +222,7 @@ func TestStorageIsValidDuplicatePartitionId(t *testing.T) { Disks: []Disk{ { PartitionTableType: PartitionTableTypeGpt, - MaxSize: 3 * diskutils.MiB, + MaxSize: 4 * diskutils.MiB, Partitions: []Partition{ { Id: "a", @@ -288,7 +288,7 @@ func TestStorageIsValidUniqueLabel(t *testing.T) { Disks: []Disk{ { PartitionTableType: PartitionTableTypeGpt, - MaxSize: 3 * diskutils.MiB, + MaxSize: 4 * diskutils.MiB, Partitions: []Partition{ { Id: "a", @@ -335,7 +335,7 @@ func TestStorageIsValidDuplicateLabel(t *testing.T) { Disks: []Disk{ { PartitionTableType: PartitionTableTypeGpt, - MaxSize: 3 * diskutils.MiB, + MaxSize: 4 * diskutils.MiB, Partitions: []Partition{ { Id: "a", diff --git a/toolkit/tools/imagegen/installutils/installutils.go b/toolkit/tools/imagegen/installutils/installutils.go index 8f2ac700d3c..c6501833945 100644 --- a/toolkit/tools/imagegen/installutils/installutils.go 
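Review bot: The new HumanReadable tests pass the actual value first and the expected literal second, e.g. `assert.Equal(t, DiskSize(diskutils.TiB).HumanReadable(), "1 TiB")`. testify's signature is (expected, actual), so a failure would print the two labels swapped. Writing `assert.Equal(t, "1 TiB", DiskSize(diskutils.TiB).HumanReadable())` matches the order used by the other tests in this commit (`assert.Equal(t, expected, entries)`). A case for `DiskSize(0)` and one for a non-aligned value such as `diskutils.MiB + 1` would pin the boundary behaviour.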
+++ b/toolkit/tools/imagegen/installutils/installutils.go @@ -1722,7 +1722,7 @@ func Chage(installChroot safechroot.ChrootInterface, passwordExpirationInDays in if passwordChanged == "" { // Set to the number of days since epoch - fields[passwordChangedField] = fmt.Sprintf("%d", int64(time.Since(time.Unix(0, 0)).Hours()/24)) + fields[passwordChangedField] = fmt.Sprintf("%d", DaysSinceUnixEpoch()) } passwordAge, err = strconv.ParseInt(fields[passwordChangedField], 10, 64) if err != nil { @@ -1745,17 +1745,19 @@ func Chage(installChroot safechroot.ChrootInterface, passwordExpirationInDays in return fmt.Errorf(`user "%s" not found when trying to change the password expiration date`, username) } +func DaysSinceUnixEpoch() int64 { + return int64(time.Since(time.Unix(0, 0)).Hours() / 24) +} + func ConfigureUserPrimaryGroupMembership(installChroot safechroot.ChrootInterface, username string, primaryGroup string, ) (err error) { - const squashErrors = false - if primaryGroup != "" { err = installChroot.UnsafeRun(func() error { - return shell.ExecuteLive(squashErrors, "usermod", "-g", primaryGroup, username) + return shell.ExecuteLiveWithErr(1, "usermod", "-g", primaryGroup, username) }) if err != nil { - return + return fmt.Errorf("failed to set user's (%s) primary group (%s):\n%w", username, primaryGroup, err) } } 
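Review bot: The literal `1` passed to `shell.ExecuteLiveWithErr(1, "usermod", ...)` replaces a named `squashErrors` constant, and its meaning is not evident at the call site. It presumably is the number of stderr lines kept for the error, as with `ErrorStderrLines(1)` elsewhere in this commit. A named constant such as `const stderrLinesInError = 1`, or an inline `1 /*stderrLines*/` comment, would keep the calls self-explanatory. The same literal appears in ConfigureUserSecondaryGroupMembership and in AddUser in userutils.go. The new exported DaysSinceUnixEpoch also lacks a doc comment, e.g. `// DaysSinceUnixEpoch returns the number of whole days elapsed since 1970-01-01 UTC.`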
@@ -1764,16 +1766,13 @@ func ConfigureUserPrimaryGroupMembership(installChroot safechroot.ChrootInterfac func ConfigureUserSecondaryGroupMembership(installChroot safechroot.ChrootInterface, username string, secondaryGroups []string, ) (err error) { - const squashErrors = false - if len(secondaryGroups) != 0 { allGroups := strings.Join(secondaryGroups, ",") err = installChroot.UnsafeRun(func() error { - return shell.ExecuteLive(squashErrors, "usermod", "-a", "-G", allGroups, username) + return shell.ExecuteLiveWithErr(1, "usermod", "-a", "-G", allGroups, username) }) - if err != nil { - return + return fmt.Errorf("failed to set user's (%s) secondary groups:\n%w", username, err) } } @@ -1782,8 +1781,7 @@ func ConfigureUserSecondaryGroupMembership(installChroot safechroot.ChrootInterf func ConfigureUserStartupCommand(installChroot safechroot.ChrootInterface, username string, startupCommand string) (err error) { const ( - passwdFilePath = "etc/passwd" - sedDelimiter = "|" + sedDelimiter = "|" ) if startupCommand == "" { @@ -1794,7 +1792,7 @@ func ConfigureUserStartupCommand(installChroot safechroot.ChrootInterface, usern findPattern := fmt.Sprintf(`^\(%s.*\):[^:]*$`, username) replacePattern := fmt.Sprintf(`\1:%s`, startupCommand) - filePath := filepath.Join(installChroot.RootDir(), passwdFilePath) + filePath := filepath.Join(installChroot.RootDir(), userutils.PasswdFile) err = sed(findPattern, replacePattern, sedDelimiter, filePath) if err != nil { err = fmt.Errorf("failed to update user's (%s) startup command (%s):\n%w", username, startupCommand, err) 
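Review bot: ConfigureUserStartupCommand still edits the passwd file with the pattern `^\(%s.*\):[^:]*$`, which matches every account whose name merely starts with `username`, so setting a shell for "test" would also rewrite "tester". The username and startupCommand are interpolated into the sed expressions unescaped; a value containing the `|` delimiter or `&` would change the substitution, assuming the `sed` helper passes them through as-is. Anchoring on the field separator, `findPattern := fmt.Sprintf(`^\(%s:.*\):[^:]*$`, regexp.QuoteMeta(username))`, closes the prefix match. Since this commit adds an exact-match passwd parser in userutils, rewriting the entry through it would avoid the pattern entirely. The function body extends beyond the hunk.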
@@ -1822,7 +1820,11 @@ func ProvisionUserSSHCerts(installChroot safechroot.ChrootInterface, username st return } - userSSHKeyDir := userutils.UserSSHDirectory(username) + userSSHKeyDir, err := userutils.UserSSHDirectory(installChroot.RootDir(), username) + if err != nil { + return fmt.Errorf("failed to get user's SSH directory:\n%w", err) + } + authorizedKeysFile := filepath.Join(userSSHKeyDir, userutils.SSHAuthorizedKeysFileName) exists, err = file.PathExists(authorizedKeysTempFile) @@ -1893,7 +1895,7 @@ func ProvisionUserSSHCerts(installChroot safechroot.ChrootInterface, username st allSSHKeys = append(allSSHKeys, sshPubKeys...) for _, pubKey := range allSSHKeys { - logger.Log.Infof("Adding ssh key (%s) to user (%s) .ssh/authorized_users", filepath.Base(pubKey), username) + logger.Log.Infof("Adding ssh key (%s) to user (%s)", filepath.Base(pubKey), username) pubKey += "\n" err = file.Append(pubKey, authorizedKeysTempFile) diff --git a/toolkit/tools/internal/rpm/rpm.go b/toolkit/tools/internal/rpm/rpm.go index a4f0d18feff..7b9d30d4f9b 100644 --- a/toolkit/tools/internal/rpm/rpm.go +++ b/toolkit/tools/internal/rpm/rpm.go @@ -64,8 +64,9 @@ const ( const ( installedRPMRegexRPMIndex = 1 - installedRPMRegexArchIndex = 2 - installedRPMRegexExpectedMatches = 3 + installedRPMRegexVersionIndex = 2 + installedRPMRegexArchIndex = 3 + installedRPMRegexExpectedMatches = 4 rpmProgram = "rpm" rpmSpecProgram = "rpmspec" 
@@ -84,12 +85,12 @@ var ( // Output from 'rpm' prints installed RPMs in a line with the following format: // - // D: ========== +++ [name]-[version]-[release].[distribution] [architecture]-linux [hex_value] + // D: ========== +++ [name]-([epoch]:)[version]-[release].[distribution] [architecture]-linux [hex_value] // // Example: // // D: ========== +++ systemd-devel-239-42.azl3 x86_64-linux 0x0 - installedRPMRegex = regexp.MustCompile(`^D: =+ \+{3} (\S+) (\S+)-linux.*$`) + installedRPMRegex = regexp.MustCompile(`^D: =+ \+{3} (\S+)-([^-]+-[^-]+) (\S+)-linux.*$`) // For most use-cases, the distro name abbreviation and major version are set by the exe package. However, if the // module is used outside of the main Azure Linux build system, the caller can override these values with SetDistroMacros(). @@ -510,9 +511,7 @@ func ResolveCompetingPackages(rootDir string, rpmPaths ...string) (resolvedRPMs splitStdout := strings.Split(stderr, "\n") uniqueResolvedRPMs := map[string]bool{} for _, line := range splitStdout { - matches := installedRPMRegex.FindStringSubmatch(line) - if len(matches) == installedRPMRegexExpectedMatches { - rpmName := fmt.Sprintf("%s.%s", matches[installedRPMRegexRPMIndex], matches[installedRPMRegexArchIndex]) + if match, rpmName := extractCompetingPackageInfoFromLine(line); match { uniqueResolvedRPMs[rpmName] = true } } 
@@ -521,6 +520,22 @@ func ResolveCompetingPackages(rootDir string, rpmPaths ...string) (resolvedRPMs return } +func extractCompetingPackageInfoFromLine(line string) (match bool, pkgName string) { + matches := installedRPMRegex.FindStringSubmatch(line) + if len(matches) == installedRPMRegexExpectedMatches { + pkgName := matches[installedRPMRegexRPMIndex] + version := matches[installedRPMRegexVersionIndex] + arch := matches[installedRPMRegexArchIndex] + // Names should not contain the epoch, strip everything before the ":"" in the string. "Version": "0:1.2-3", becomes "1.2-3" + if strings.Contains(version, ":") { + version = strings.Split(version, ":")[1] + } + + return true, fmt.Sprintf("%s-%s.%s", pkgName, version, arch) + } + return false, "" +} + // SpecExclusiveArchIsCompatible verifies the "ExclusiveArch" tag is compatible with the current machine's architecture. func SpecExclusiveArchIsCompatible(specfile, sourcedir, arch string, defines map[string]string) (isCompatible bool, err error) { const ( diff --git a/toolkit/tools/internal/rpm/rpm_test.go b/toolkit/tools/internal/rpm/rpm_test.go index 3b67cb1b5d0..72e9a2311de 100644 --- a/toolkit/tools/internal/rpm/rpm_test.go +++ b/toolkit/tools/internal/rpm/rpm_test.go 
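Review bot: In extractCompetingPackageInfoFromLine the local `pkgName := matches[installedRPMRegexRPMIndex]` shadows the named result `pkgName`, which makes the function harder to read and is a pattern linters flag. Renaming the local (for example `name`) or dropping the result names avoids it. The epoch strip via `strings.Contains` plus `strings.Split(version, ":")[1]` can be a single `if _, rest, ok := strings.Cut(version, ":"); ok { version = rest }`, if the module's Go version allows it. The comment has a stray quote in `":""`, and the `(match bool, pkgName string)` order is the reverse of the usual Go `value, ok` convention.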
@@ -458,3 +458,39 @@ func TestGetMacroDirWithRpmAvailable(t *testing.T) { assert.NoError(t, err) assert.Equal(t, expectedMacroDir, macroDir) } + +func TestConflictingPackageRegex(t *testing.T) { + tests := []struct { + name string + inputLine string + expectedMatch bool + expectedOutput string + }{ + { + name: "perl with epoch", + inputLine: "D: ========== +++ perl-4:5.34.1-489.cm2 x86_64-linux 0x0", + expectedMatch: true, + expectedOutput: "perl-5.34.1-489.cm2.x86_64", + }, + { + name: "systemd no epoch", + inputLine: "D: ========== +++ systemd-devel-239-42.cm2 x86_64-linux 0x0", + expectedMatch: true, + expectedOutput: "systemd-devel-239-42.cm2.x86_64", + }, + { + name: "non-matching line", + inputLine: "D: ========== tsorting packages (order, #predecessors, #succesors, depth)", + expectedMatch: false, + expectedOutput: "", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + match, actualOut := extractCompetingPackageInfoFromLine(tt.inputLine) + assert.Equal(t, tt.expectedMatch, match) + assert.Equal(t, tt.expectedOutput, actualOut) + }) + } +} diff --git a/toolkit/tools/internal/userutils/groupfile.go b/toolkit/tools/internal/userutils/groupfile.go new file mode 100644 index 00000000000..8369ce99f0d --- /dev/null +++ b/toolkit/tools/internal/userutils/groupfile.go 
@@ -0,0 +1,94 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +package userutils + +import ( + "fmt" + "path/filepath" + "strconv" + "strings" + + "github.com/microsoft/azurelinux/toolkit/tools/internal/file" + "github.com/microsoft/azurelinux/toolkit/tools/internal/sliceutils" +) + +type GroupEntry struct { + Name string + Password string + GID int + UserList []string +} + +func ReadGroupFile(rootDir string) ([]GroupEntry, error) { + lines, err := file.ReadLines(filepath.Join(rootDir, GroupFile)) + if err != nil { + return nil, fmt.Errorf("failed to read %s file:\n%w", GroupFile, err) + } + + entries, err := parseGroupFile(lines) + if err != nil { + return nil, fmt.Errorf("invalid %s file:\n%w", GroupFile, err) + } + + return entries, nil +} + +func parseGroupFile(lines []string) ([]GroupEntry, error) { + entries := []GroupEntry(nil) + for i, line := range lines { + entry, err := parseGroupFileEntry(line) + if err != nil { + return nil, fmt.Errorf("invalid line %d", i) + } + + entries = append(entries, entry) + } + + return entries, nil +} + +func parseGroupFileEntry(line string) (GroupEntry, error) { + const ( + numFields = 4 + ) + + fields := strings.Split(line, ":") + if len(fields) != numFields { + return GroupEntry{}, fmt.Errorf("%d fields instead of %d", len(fields), numFields) + } + + gidStr := fields[2] + gid, err := strconv.Atoi(gidStr) + if err != nil { + return GroupEntry{}, fmt.Errorf("invalid GID:\n%w", err) + } + + usersStr := fields[3] + users := strings.Split(usersStr, ",") + + entry := GroupEntry{ + Name: fields[0], + Password: fields[1], + GID: gid, + UserList: users, + } + return entry, nil +} + +func GetUserGroups(rootDir string, username string) ([]string, error) { + systemGroups, err := ReadGroupFile(rootDir) + if err != nil { + return nil, err + } + + userGroups := []string(nil) + for _, group := range systemGroups { + userInGroup := sliceutils.ContainsValue(group.UserList, username) + if userInGroup { + 
userGroups = append(userGroups, group.Name) + } + } + + return userGroups, nil +} diff --git a/toolkit/tools/internal/userutils/main_test.go b/toolkit/tools/internal/userutils/main_test.go index b7751ceacc0..f5bf4107f72 100644 --- a/toolkit/tools/internal/userutils/main_test.go +++ b/toolkit/tools/internal/userutils/main_test.go @@ -12,7 +12,8 @@ import ( ) var ( - tmpDir string + testDataDir string + tmpDir string ) func TestMain(m *testing.M) { @@ -25,6 +26,8 @@ func TestMain(m *testing.M) { logger.Log.Panicf("Failed to get working directory, error: %s", err) } + testDataDir = filepath.Join(workingDir, "testdata") + tmpDir = filepath.Join(workingDir, "_tmp") err = os.MkdirAll(tmpDir, os.ModePerm) diff --git a/toolkit/tools/internal/userutils/passwdfile.go b/toolkit/tools/internal/userutils/passwdfile.go new file mode 100644 index 00000000000..c040a59b167 --- /dev/null +++ b/toolkit/tools/internal/userutils/passwdfile.go 
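Review bot: parseGroupFile discards the parse error, since `fmt.Errorf("invalid line %d", i)` has no `%w`, so the reason a group line was rejected is lost. parseShadowFile in shadowfile.go does the same, while parsePasswdFile wraps it. Using `fmt.Errorf("invalid line %d:\n%w", i+1, err)` would keep the cause and report a one-based line number. Separately, `strings.Split(usersStr, ",")` returns `[""]` for a group with no members, so UserList holds one empty name and GetUserGroups called with an empty username would report membership of every such group. A guard like `if usersStr != "" { users = strings.Split(usersStr, ",") }` fixes that. Whether `file.ReadLines` can return blank lines is not visible here; if it can, they should be skipped rather than failing the whole file.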
@@ -0,0 +1,100 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +package userutils + +import ( + "fmt" + "path/filepath" + "strconv" + "strings" + + "github.com/microsoft/azurelinux/toolkit/tools/internal/file" + "github.com/microsoft/azurelinux/toolkit/tools/internal/sliceutils" +) + +type PasswdEntry struct { + Name string + Uid int + Gid int + Description string + HomeDirectory string + Shell string +} + +func ReadPasswdFile(rootDir string) ([]PasswdEntry, error) { + lines, err := file.ReadLines(filepath.Join(rootDir, PasswdFile)) + if err != nil { + return nil, fmt.Errorf("failed to read %s file:\n%w", PasswdFile, err) + } + + entries, err := parsePasswdFile(lines) + if err != nil { + return nil, fmt.Errorf("invalid %s file:\n%w", PasswdFile, err) + } + + return entries, nil +} + +func parsePasswdFile(lines []string) ([]PasswdEntry, error) { + entries := []PasswdEntry(nil) + for i, line := range lines { + entry, err := parsePasswdFileEntry(line) + if err != nil { + return nil, fmt.Errorf("invalid line %d:\n%w", i, err) + } + + entries = append(entries, entry) + } + + return entries, nil +} + +func parsePasswdFileEntry(line string) (PasswdEntry, error) { + const ( + numFields = 7 + ) + + fields := strings.Split(line, ":") + if len(fields) != numFields { + return PasswdEntry{}, fmt.Errorf("%d fields instead of %d", len(fields), numFields) + } + + uidStr := fields[2] + uid, err := strconv.Atoi(uidStr) + if err != nil { + return PasswdEntry{}, fmt.Errorf("invalid UID (%s):\n%w", uidStr, err) + } + + gidStr := fields[3] + gid, err := strconv.Atoi(gidStr) + if err != nil { + return PasswdEntry{}, fmt.Errorf("invalid GID (%s):\n%w", gidStr, err) + } + + entry := PasswdEntry{ + Name: fields[0], + Uid: uid, + Gid: gid, + Description: fields[4], + HomeDirectory: fields[5], + Shell: fields[6], + } + return entry, nil +} + +func GetPasswdFileEntryForUser(rootDir string, user string) (PasswdEntry, error) { + entries, err := 
ReadPasswdFile(rootDir) + if err != nil { + return PasswdEntry{}, err + } + + entry, found := sliceutils.FindValueFunc(entries, func(entry PasswdEntry) bool { + return entry.Name == user + }) + if !found { + return PasswdEntry{}, fmt.Errorf("failed to find user (%s) in %s file", user, PasswdFile) + } + + return entry, nil +} diff --git a/toolkit/tools/internal/userutils/passwdfile_test.go b/toolkit/tools/internal/userutils/passwdfile_test.go new file mode 100644 index 00000000000..b41b0fd903c --- /dev/null +++ b/toolkit/tools/internal/userutils/passwdfile_test.go @@ -0,0 +1,50 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +package userutils + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestReadPasswdFile(t *testing.T) { + expected := []PasswdEntry{ + { + Name: "root", + Uid: 0, + Gid: 0, + Description: "root", + HomeDirectory: "/root", + Shell: "/bin/bash", + }, + { + Name: "test", + Uid: 1001, + Gid: 100, + Description: "", + HomeDirectory: "/home/1001", + Shell: "/bin/sh", + }, + } + + entries, err := ReadPasswdFile(testDataDir) + assert.NoError(t, err) + assert.Equal(t, expected, entries) +} + +func TestGetPasswdFileEntryForUser(t *testing.T) { + expected := PasswdEntry{ + Name: "test", + Uid: 1001, + Gid: 100, + Description: "", + HomeDirectory: "/home/1001", + Shell: "/bin/sh", + } + + entries, err := GetPasswdFileEntryForUser(testDataDir, "test") + assert.NoError(t, err) + assert.Equal(t, expected, entries) +} diff --git a/toolkit/tools/internal/userutils/shadowfile.go b/toolkit/tools/internal/userutils/shadowfile.go new file mode 100644 index 00000000000..70b4a4e8779 --- /dev/null +++ b/toolkit/tools/internal/userutils/shadowfile.go 
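Review bot: parsePasswdFileEntry parses the UID and GID with `strconv.Atoi`, which accepts a sign, so entries such as `-1` or `+0` in the image's passwd file are treated as valid IDs. Since these values come from an image being customized, it is safer to reject them with `uid64, err := strconv.ParseUint(uidStr, 10, 32)` (and likewise for the GID) and convert afterwards. The `invalid line %d` message in parsePasswdFile uses the zero-based index; `i+1` would match what an editor shows. The exported PasswdEntry, ReadPasswdFile and GetPasswdFileEntryForUser have no doc comments; one line each, noting that `rootDir` is the image root the passwd path is joined to, would help callers.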
@@ -0,0 +1,131 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +package userutils + +import ( + "fmt" + "path/filepath" + "strconv" + "strings" + + "github.com/microsoft/azurelinux/toolkit/tools/internal/file" + "github.com/microsoft/azurelinux/toolkit/tools/internal/sliceutils" +) + +type ShadowEntry struct { + Name string + EncryptedPassword string + LastPasswordChange *int + MinPasswordAge *int + MaxPasswordAge *int + PasswordWarningPeriod *int + PasswordInactivityPeriod *int + AccountExpirationDate *int +} + +func ReadShadowFile(rootDir string) ([]ShadowEntry, error) { + lines, err := file.ReadLines(filepath.Join(rootDir, ShadowFile)) + if err != nil { + return nil, fmt.Errorf("failed to read %s file:\n%w", ShadowFile, err) + } + + entries, err := parseShadowFile(lines) + if err != nil { + return nil, fmt.Errorf("invalid %s file:\n%w", ShadowFile, err) + } + + return entries, nil +} + +func parseShadowFile(lines []string) ([]ShadowEntry, error) { + entries := []ShadowEntry(nil) + for i, line := range lines { + entry, err := parseShadowFileEntry(line) + if err != nil { + return nil, fmt.Errorf("invalid line %d", i) + } + + entries = append(entries, entry) + } + + return entries, nil +} + +func parseShadowFileEntry(line string) (ShadowEntry, error) { + const ( + numFields = 9 + ) + + fields := strings.Split(line, ":") + if len(fields) != numFields { + return ShadowEntry{}, fmt.Errorf("%d fields instead of %d", len(fields), numFields) + } + + lastPasswordChange, err := parseOptionalInt(fields[2]) + if err != nil { + return ShadowEntry{}, fmt.Errorf("invalid date of last password change:\n%w", err) + } + + minPasswordAge, err := parseOptionalInt(fields[3]) + if err != nil { + return ShadowEntry{}, fmt.Errorf("invalid minimum password age:\n%w", err) + } + + maxPasswordAge, err := parseOptionalInt(fields[4]) + if err != nil { + return ShadowEntry{}, fmt.Errorf("invalid maximum password age:\n%w", err) + } + + passwordWarningPeriod, 
err := parseOptionalInt(fields[5]) + if err != nil { + return ShadowEntry{}, fmt.Errorf("invalid password warning period:\n%w", err) + } + + passwordInactivityPeriod, err := parseOptionalInt(fields[6]) + if err != nil { + return ShadowEntry{}, fmt.Errorf("invalid password inactivity period:\n%w", err) + } + + accountExpirationDate, err := parseOptionalInt(fields[7]) + if err != nil { + return ShadowEntry{}, fmt.Errorf("invalid account expiration date:\n%w", err) + } + + entry := ShadowEntry{ + Name: fields[0], + EncryptedPassword: fields[1], + LastPasswordChange: lastPasswordChange, + MinPasswordAge: minPasswordAge, + MaxPasswordAge: maxPasswordAge, + PasswordWarningPeriod: passwordWarningPeriod, + PasswordInactivityPeriod: passwordInactivityPeriod, + AccountExpirationDate: accountExpirationDate, + } + return entry, nil +} + +func parseOptionalInt(value string) (*int, error) { + if value == "" { + return nil, nil + } + + a, err := strconv.Atoi(value) + return &a, err +} + +func GetShadowFileEntryForUser(rootDir string, user string) (ShadowEntry, error) { + entries, err := ReadShadowFile(rootDir) + if err != nil { + return ShadowEntry{}, err + } + + entry, found := sliceutils.FindValueFunc(entries, func(entry ShadowEntry) bool { + return entry.Name == user + }) + if !found { + return ShadowEntry{}, fmt.Errorf("failed to find user (%s) in %s file", user, ShadowFile) + } + + return entry, nil +} diff --git a/toolkit/tools/internal/userutils/testdata/etc/passwd b/toolkit/tools/internal/userutils/testdata/etc/passwd new file mode 100644 index 00000000000..94708b4c475 --- /dev/null +++ b/toolkit/tools/internal/userutils/testdata/etc/passwd @@ -0,0 +1,2 @@ +root:x:0:0:root:/root:/bin/bash +test:x:1001:100::/home/1001:/bin/sh diff --git a/toolkit/tools/internal/userutils/userutils.go b/toolkit/tools/internal/userutils/userutils.go index 671bbaa5d07..9a92e384a19 100644 --- a/toolkit/tools/internal/userutils/userutils.go +++ b/toolkit/tools/internal/userutils/userutils.go 
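Review bot: parseOptionalInt returns `&a, err` directly, so on a conversion failure the caller receives a non-nil pointer to zero together with the error. Current callers check `err` first, but returning `nil` on failure is the safer contract: `a, err := strconv.Atoi(value)` followed by `if err != nil { return nil, err }`. The error texts in parseShadowFileEntry only embed the numeric field via the wrapped Atoi error and never the password hash, which is worth preserving; a comment on ShadowEntry saying that EncryptedPassword must not be logged would make that intent explicit. The ninth (reserved) field is split but not stored, which also deserves a brief comment.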
@@ -23,6 +23,8 @@ const ( UserHomeDirPrefix = "/home" ShadowFile = "/etc/shadow" + PasswdFile = "/etc/passwd" + GroupFile = "/etc/group" SSHDirectoryName = ".ssh" SSHAuthorizedKeysFileName = "authorized_keys" ) @@ -92,7 +94,7 @@ func AddUser(username string, homeDir string, primaryGroup string, hashedPasswor } err := installChroot.UnsafeRun(func() error { - return shell.ExecuteLive(false /*squashErrors*/, "useradd", args...) + return shell.ExecuteLiveWithErr(1, "useradd", args...) }) if err != nil { return fmt.Errorf("failed to add user (%s):\n%w", username, err) @@ -147,19 +149,24 @@ func UpdateUserPassword(installRoot, username, hashedPassword string) error { } // UserHomeDirectory returns the home directory for a user. -func UserHomeDirectory(username string) string { - if username == RootUser { - return RootHomeDir - } else { - return filepath.Join(UserHomeDirPrefix, username) +func UserHomeDirectory(installRoot string, username string) (string, error) { + entry, err := GetPasswdFileEntryForUser(installRoot, username) + if err != nil { + return "", err } + + return entry.HomeDirectory, nil } // UserSSHDirectory returns the path of the .ssh directory for a user. -func UserSSHDirectory(username string) string { - homeDir := UserHomeDirectory(username) +func UserSSHDirectory(installRoot string, username string) (string, error) { + homeDir, err := UserHomeDirectory(installRoot, username) + if err != nil { + return "", err + } + userSSHKeyDir := filepath.Join(homeDir, SSHDirectoryName) - return userSSHKeyDir + return userSSHKeyDir, nil } // NameIsValid returns an error if the User name is empty diff --git a/toolkit/tools/internal/userutils/userutils_test.go b/toolkit/tools/internal/userutils/userutils_test.go index 555d3fe08c7..2791733a19c 100644 --- a/toolkit/tools/internal/userutils/userutils_test.go +++ b/toolkit/tools/internal/userutils/userutils_test.go 
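Review bot: UserHomeDirectory now returns the home field from the image's passwd file without checking it, and UserSSHDirectory joins `.ssh` onto it for the authorized_keys location. An empty field makes `filepath.Join` yield the relative path `.ssh`, and a non-absolute value would be resolved against whatever directory the caller happens to be in. A check such as `if !filepath.IsAbs(entry.HomeDirectory) { return "", fmt.Errorf("user (%s) has invalid home directory (%s)", username, entry.HomeDirectory) }` before returning keeps key provisioning inside the intended location. The doc comments should also say that `installRoot` is the image root whose passwd file is read and that an unknown user yields an error.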
@@ -12,14 +12,11 @@ import ( "github.com/stretchr/testify/assert" ) -func TestUserHomeDirectoryNormalUser(t *testing.T) { - homeDir := UserHomeDirectory("test") - assert.Equal(t, "/home/test", homeDir) -} - -func TestUserHomeDirectoryRoot(t *testing.T) { - homeDir := UserHomeDirectory("root") - assert.Equal(t, "/root", homeDir) +func TestUserSSHDirectory(t *testing.T) { + expected := "/home/1001/.ssh" + actual, err := UserSSHDirectory(testDataDir, "test") + assert.NoError(t, err) + assert.Equal(t, expected, actual) } func TestNameIsValidRoot(t *testing.T) { diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeos.go b/toolkit/tools/pkg/imagecustomizerlib/customizeos.go index bda9b64ccc5..24d298ab073 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeos.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeos.go @@ -116,5 +116,10 @@ func doOsCustomizations(buildDir string, baseConfigPath string, config *imagecus } } + err = checkForInstalledKernel(imageChroot) + if err != nil { + return err + } + return nil } diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizepackages.go b/toolkit/tools/pkg/imagecustomizerlib/customizepackages.go index 038ef47b63d..63466ba5422 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizepackages.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizepackages.go @@ -34,14 +34,20 @@ func addRemoveAndUpdatePackages(buildDir string, baseConfigPath string, config * needRpmsSources := len(config.Packages.Install) > 0 || len(config.Packages.Update) > 0 || config.Packages.UpdateExistingPackages - // Mount RPM sources. var mounts *rpmSourcesMounts if needRpmsSources { + // Mount RPM sources. mounts, err = mountRpmSources(buildDir, imageChroot, rpmsSources, useBaseImageRpmRepos) if err != nil { return err } defer mounts.close() + + // Refresh metadata. + err = refreshTdnfMetadata(imageChroot) + if err != nil { + return err + } } err = removePackages(config.Packages.Remove, imageChroot) 
@@ -79,6 +85,24 @@ func addRemoveAndUpdatePackages(buildDir string, baseConfigPath string, config * return nil } +func refreshTdnfMetadata(imageChroot *safechroot.Chroot) error { + tdnfArgs := []string{ + "-v", "check-update", "--refresh", "--nogpgcheck", "--assumeyes", + "--setopt", fmt.Sprintf("reposdir=%s", rpmsMountParentDirInChroot), + } + + err := imageChroot.UnsafeRun(func() error { + return shell.NewExecBuilder("tdnf", tdnfArgs...). + LogLevel(logrus.DebugLevel, logrus.DebugLevel). + ErrorStderrLines(1). + Execute() + }) + if err != nil { + return fmt.Errorf("failed to refresh tdnf repo metadata:\n%w", err) + } + return nil +} + func collectPackagesList(baseConfigPath string, packageLists []string, packages []string) ([]string, error) { var err error @@ -103,7 +127,7 @@ func collectPackagesList(baseConfigPath string, packageLists []string, packages func removePackages(allPackagesToRemove []string, imageChroot *safechroot.Chroot) error { logger.Log.Infof("Removing packages: %v", allPackagesToRemove) - tnfRemoveArgs := []string{ + tdnfRemoveArgs := []string{ "-v", "remove", "--assumeyes", "--disablerepo", "*", // Placeholder for package name. "", @@ -112,9 +136,9 @@ func removePackages(allPackagesToRemove []string, imageChroot *safechroot.Chroot // Remove packages. // Do this one at a time, to avoid running out of memory. for _, packageName := range allPackagesToRemove { - tnfRemoveArgs[len(tnfRemoveArgs)-1] = packageName + tdnfRemoveArgs[len(tdnfRemoveArgs)-1] = packageName - err := callTdnf(tnfRemoveArgs, tdnfRemovePrefix, imageChroot) + err := callTdnf(tdnfRemoveArgs, tdnfRemovePrefix, imageChroot) if err != nil { return fmt.Errorf("failed to remove package (%s):\n%w", packageName, err) } 
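Review bot: refreshTdnfMetadata runs `check-update --refresh` with `--nogpgcheck`, and this commit also switches the install and update calls to `--cacheonly`, so the metadata cached here decides which packages go into the image, with no signature verification at any step. That is reasonable when the RPM sources are local, trusted build inputs, but the function does not state it. A comment such as `// RPM sources are treated as trusted build inputs; package signatures are not verified.` would record the assumption. If `useBaseImageRpmRepos` can resolve to network repositories (not visible in this hunk), keeping GPG checks enabled for that path is worth considering. It is also worth confirming that tdnf's `check-update` does not exit non-zero when updates are pending, as dnf's does, since that would fail the refresh on any image that is out of date.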
@@ -126,12 +150,12 @@ func removePackages(allPackagesToRemove []string, imageChroot *safechroot.Chroot func updateAllPackages(imageChroot *safechroot.Chroot) error { logger.Log.Infof("Updating base image packages") - tnfUpdateArgs := []string{ - "-v", "update", "--nogpgcheck", "--assumeyes", + tdnfUpdateArgs := []string{ + "-v", "update", "--nogpgcheck", "--assumeyes", "--cacheonly", "--setopt", fmt.Sprintf("reposdir=%s", rpmsMountParentDirInChroot), } - err := callTdnf(tnfUpdateArgs, tdnfInstallPrefix, imageChroot) + err := callTdnf(tdnfUpdateArgs, tdnfInstallPrefix, imageChroot) if err != nil { return fmt.Errorf("failed to update packages:\n%w", err) } @@ -143,8 +167,8 @@ func installOrUpdatePackages(action string, allPackagesToAdd []string, imageChro // Create tdnf command args. // Note: When using `--repofromdir`, tdnf will not use any default repos and will only use the last // `--repofromdir` specified. - tnfInstallArgs := []string{ - "-v", action, "--nogpgcheck", "--assumeyes", + tdnfInstallArgs := []string{ + "-v", action, "--nogpgcheck", "--assumeyes", "--cacheonly", "--setopt", fmt.Sprintf("reposdir=%s", rpmsMountParentDirInChroot), // Placeholder for package name. "", @@ -153,9 +177,9 @@ func installOrUpdatePackages(action string, allPackagesToAdd []string, imageChro // Install packages. // Do this one at a time, to avoid running out of memory. for _, packageName := range allPackagesToAdd { - tnfInstallArgs[len(tnfInstallArgs)-1] = packageName + tdnfInstallArgs[len(tdnfInstallArgs)-1] = packageName - err := callTdnf(tnfInstallArgs, tdnfInstallPrefix, imageChroot) + err := callTdnf(tdnfInstallArgs, tdnfInstallPrefix, imageChroot) if err != nil { return fmt.Errorf("failed to %s package (%s):\n%w", action, packageName, err) } 
@@ -164,7 +188,7 @@ func installOrUpdatePackages(action string, allPackagesToAdd []string, imageChro return nil } -func callTdnf(tnfArgs []string, tdnfMessagePrefix string, imageChroot *safechroot.Chroot) error { +func callTdnf(tdnfArgs []string, tdnfMessagePrefix string, imageChroot *safechroot.Chroot) error { seenTransactionErrorMessage := false stdoutCallback := func(line string) { if !seenTransactionErrorMessage { @@ -183,7 +207,7 @@ func callTdnf(tnfArgs []string, tdnfMessagePrefix string, imageChroot *safechroo } return imageChroot.UnsafeRun(func() error { - return shell.NewExecBuilder("tdnf", tnfArgs...). + return shell.NewExecBuilder("tdnf", tdnfArgs...). StdoutCallback(stdoutCallback). LogLevel(shell.LogDisabledLevel, logrus.DebugLevel). ErrorStderrLines(1). diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizepackages_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizepackages_test.go index 49c9dd9abb7..f060cf271c3 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizepackages_test.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizepackages_test.go @@ -4,9 +4,15 @@ package imagecustomizerlib import ( + "fmt" + "os" "path/filepath" + "strings" "testing" + "github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi" + "github.com/microsoft/azurelinux/toolkit/tools/internal/file" + "github.com/microsoft/azurelinux/toolkit/tools/internal/sliceutils" "github.com/stretchr/testify/assert" ) 
@@ -16,31 +22,130 @@ func TestCustomizeImagePackagesAddOfflineDir(t *testing.T) { baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi) downloadedRpmsDir := getDownloadedRpmsDir(t, "2.0") - testCustomizeImagePackagesAddHelper(t, testTmpDir, baseImage, false, /*useBaseImageRpmRepos*/ - []string{downloadedRpmsDir}) + buildDir := filepath.Join(testTmpDir, "build") + outImageFilePath := filepath.Join(testTmpDir, "image.raw") + + downloadedRpmsTmpDir := filepath.Join(testTmpDir, "rpms") + + // Create a copy of the RPMs directory, but without the golang package. + err := copyRpms(downloadedRpmsDir, downloadedRpmsTmpDir, []string{"golang-"}) + if !assert.NoError(t, err) { + return + } + + // Install jq package. + config := imagecustomizerapi.Config{ + OS: &imagecustomizerapi.OS{ + Packages: imagecustomizerapi.Packages{ + Install: []string{"jq"}, + }, + }, + } + + err = CustomizeImage(buildDir, testDir, &config, baseImage, []string{downloadedRpmsTmpDir}, outImageFilePath, + "raw", "", false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/) + if !assert.NoError(t, err) { + return + } + + imageConnection, err := connectToCoreEfiImage(buildDir, outImageFilePath) + if !assert.NoError(t, err) { + return + } + defer imageConnection.Close() + + // Ensure jq was installed. + ensureFilesExist(t, imageConnection, + "/usr/bin/jq", + ) + + err = imageConnection.CleanClose() + if !assert.NoError(t, err) { + return + } + + // Create a copy of the RPMs directory, but without the jq package. + // This ensures that the package repo metadata is refreshed between runs. + err = os.RemoveAll(downloadedRpmsTmpDir) + if !assert.NoError(t, err) { + return + } + + err = copyRpms(downloadedRpmsDir, downloadedRpmsTmpDir, []string{"jq-"}) + if !assert.NoError(t, err) { + return + } + + // Install jq package. 
+ config = imagecustomizerapi.Config{ + OS: &imagecustomizerapi.OS{ + Packages: imagecustomizerapi.Packages{ + InstallLists: []string{"lists/golang.yaml"}, + }, + }, + } + + err = CustomizeImage(buildDir, testDir, &config, outImageFilePath, []string{downloadedRpmsTmpDir}, outImageFilePath, + "raw", "", false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/) + if !assert.NoError(t, err) { + return + } + + imageConnection, err = connectToCoreEfiImage(buildDir, outImageFilePath) + if !assert.NoError(t, err) { + return + } + defer imageConnection.Close() + + // Ensure go was installed. + ensureFilesExist(t, imageConnection, + "/usr/bin/jq", + "/usr/bin/go", + ) +} + +func copyRpms(sourceDir string, targetDir string, excludePrefixes []string) error { + sourceFiles, err := os.ReadDir(sourceDir) + if err != nil { + return fmt.Errorf("failed to read source directory (%s):\n%w", sourceDir, err) + } + + for _, sourceFile := range sourceFiles { + if sourceFile.IsDir() { + continue + } + + exclude := sliceutils.ContainsFunc(excludePrefixes, func(prefix string) bool { + return strings.HasPrefix(sourceFile.Name(), prefix) + }) + if exclude { + continue + } + + err := file.Copy(filepath.Join(sourceDir, sourceFile.Name()), filepath.Join(targetDir, sourceFile.Name())) + if err != nil { + return err + } + } + + return nil } func TestCustomizeImagePackagesAddOfflineLocalRepo(t *testing.T) { testTmpDir := filepath.Join(tmpDir, "TestCustomizeImagePackagesAddOfflineLocalRepo") baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi) - downloadedRpmsRepoFile := getDownloadedRpmsRepoFile(t, "2.0") - testCustomizeImagePackagesAddHelper(t, testTmpDir, baseImage, false, /*useBaseImageRpmRepos*/ - []string{downloadedRpmsRepoFile}) -} + downloadedRpmsRepoFile := getDownloadedRpmsRepoFile(t, "2.0") + rpmSources := []string{downloadedRpmsRepoFile} -func testCustomizeImagePackagesAddHelper(t *testing.T, testTmpDir string, baseImage string, useBaseImageRpmRepos bool, - 
rpmSources []string, -) { buildDir := filepath.Join(testTmpDir, "build") - outImageFilePath := filepath.Join(testTmpDir, "image.raw") configFile := filepath.Join(testDir, "packages-add-config.yaml") // Customize image. err := CustomizeImageWithConfigFile(buildDir, configFile, baseImage, rpmSources, outImageFilePath, "raw", "", - useBaseImageRpmRepos, false /*enableShrinkFilesystems*/) + false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/) if !assert.NoError(t, err) { return } diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizepartitions_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizepartitions_test.go index f7cae86b3ba..2e3387d4c7a 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizepartitions_test.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizepartitions_test.go @@ -79,7 +79,7 @@ func testCustomizeImagePartitionsToEfi(t *testing.T, testName string, baseImage defaultPartitionName = "" } - partitions, err := diskutils.GetDiskPartitions(imageConnection.Loopback().DevicePath()) + partitions, err := getDiskPartitionsMap(imageConnection.Loopback().DevicePath()) if assert.NoError(t, err, "read partition table") { assert.Equal(t, defaultPartitionName, partitions[1].PartLabel) assert.Equal(t, defaultPartitionName, partitions[2].PartLabel) @@ -94,7 +94,7 @@ func testCustomizeImagePartitionsToEfi(t *testing.T, testName string, baseImage _, err = os.Stat(filepath.Join(imageConnection.Chroot().RootDir(), "/var/log")) assert.NoError(t, err, "check for /var/log") - partitions, err = diskutils.GetDiskPartitions(imageConnection.Loopback().DevicePath()) + partitions, err = getDiskPartitionsMap(imageConnection.Loopback().DevicePath()) assert.NoError(t, err, "get disk partitions") // Check that the fstab entries are correct. 
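Review bot: In TestCustomizeImagePackagesAddOfflineDir the comment before the second config still reads `// Install jq package.` although that config installs `lists/golang.yaml`; it should read `// Install the golang package list.`. The new copyRpms helper wraps the ReadDir failure with the directory name but returns the file.Copy error bare; `return fmt.Errorf("failed to copy RPM (%s):\n%w", sourceFile.Name(), err)` would keep the two consistent. copyRpms also has no comment saying that subdirectories are skipped and that excludePrefixes are matched against file names.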
@@ -139,7 +139,7 @@ func testCustomizeImagePartitionsToLegacy(t *testing.T, testName string, baseIma } defer imageConnection.Close() - partitions, err := diskutils.GetDiskPartitions(imageConnection.Loopback().DevicePath()) + partitions, err := getDiskPartitionsMap(imageConnection.Loopback().DevicePath()) assert.NoError(t, err, "get disk partitions") // Check that the fstab entries are correct. @@ -204,7 +204,7 @@ func TestCustomizeImageNewUUIDs(t *testing.T) { } defer baseImageLoopback.Close() - baseImagePartitions, err := diskutils.GetDiskPartitions(baseImageLoopback.DevicePath()) + baseImagePartitions, err := getDiskPartitionsMap(baseImageLoopback.DevicePath()) if !assert.NoError(t, err, "get base image partitions") { return } 
@@ -229,24 +229,24 @@ func TestCustomizeImageNewUUIDs(t *testing.T) { } defer imageConnection.Close() - newImagePartitions, err := diskutils.GetDiskPartitions(imageConnection.Loopback().DevicePath()) + newImagePartitions, err := getDiskPartitionsMap(imageConnection.Loopback().DevicePath()) if !assert.NoError(t, err, "get customized image partitions") { return } // Ensure the partition UUIDs have been changed. if assert.Equal(t, len(baseImagePartitions), len(newImagePartitions)) { - for i := range baseImagePartitions { - baseImagePartition := baseImagePartitions[i] - newImagePartition := newImagePartitions[i] + for partitionNum := range baseImagePartitions { + baseImagePartition := baseImagePartitions[partitionNum] + newImagePartition := newImagePartitions[partitionNum] if baseImagePartition.Type != "part" { continue } - assert.Equalf(t, baseImagePartition.FileSystemType, newImagePartition.FileSystemType, "[%d] filesystem type didn't change", i) - assert.NotEqualf(t, baseImagePartition.PartUuid, newImagePartition.PartUuid, "[%d] partition UUID did change", i) - assert.NotEqual(t, baseImagePartition.Uuid, newImagePartition.Uuid, "[%d] filesystem UUID did change", i) + assert.Equalf(t, baseImagePartition.FileSystemType, newImagePartition.FileSystemType, "[%d] filesystem type didn't change", partitionNum) + assert.NotEqualf(t, baseImagePartition.PartUuid, newImagePartition.PartUuid, "[%d] partition UUID did change", partitionNum) + assert.NotEqual(t, baseImagePartition.Uuid, newImagePartition.Uuid, "[%d] filesystem UUID did change", partitionNum) } } @@ -258,7 +258,7 @@ func TestCustomizeImageNewUUIDs(t *testing.T) { } func verifyFstabEntries(t *testing.T, imageConnection *ImageConnection, mountPoints []mountPoint, - partitions []diskutils.PartitionInfo, + partitions map[int]diskutils.PartitionInfo, ) { fstabPath := filepath.Join(imageConnection.Chroot().RootDir(), "/etc/fstab") fstabEntries, err := diskutils.ReadFstabFile(fstabPath) 
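Review bot: In the UUID loop of TestCustomizeImageNewUUIDs the partitions are now maps keyed by partition number, but `newImagePartitions[partitionNum]` is read without checking that the key exists; equal lengths do not imply equal key sets, and a missing key silently yields a zero PartitionInfo. I would use `newImagePartition, ok := newImagePartitions[partitionNum]` followed by `if !assert.Truef(t, ok, "[%d] partition missing in customized image", partitionNum) { continue }`. The `Type != "part"` check is redundant now that getDiskPartitionsMap filters those entries, and the last assertion passes a format string to `assert.NotEqual` where the two lines above use the `f` variants. The test function starts outside this hunk.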
@@ -318,3 +318,26 @@ func verifyBootGrubCfg(t *testing.T, imageConnection *ImageConnection, extraComm assert.Regexp(t, fmt.Sprintf("linux.* %s ", regexp.QuoteMeta(extraCommandLineArgs)), grubCfgContents) } } + +func getDiskPartitionsMap(devicePath string) (map[int]diskutils.PartitionInfo, error) { + partitions, err := diskutils.GetDiskPartitions(devicePath) + if err != nil { + return nil, err + } + + partitionsMap := make(map[int]diskutils.PartitionInfo) + for _, partition := range partitions { + if partition.Type != "part" { + continue + } + + num, err := getPartitionNum(partition.Path) + if err != nil { + return nil, err + } + + partitionsMap[num] = partition + } + + return partitionsMap, nil +} diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeusers.go b/toolkit/tools/pkg/imagecustomizerlib/customizeusers.go index de7c6105eba..9f40066585e 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeusers.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeusers.go @@ -28,9 +28,17 @@ func AddOrUpdateUsers(users []imagecustomizerapi.User, baseConfigPath string, im } func addOrUpdateUser(user imagecustomizerapi.User, baseConfigPath string, imageChroot safechroot.ChrootInterface) error { - var err error + // Check if the user already exists. + userExists, err := userutils.UserExists(user.Name, imageChroot) + if err != nil { + return err + } - logger.Log.Infof("Adding/updating user (%s)", user.Name) + if userExists { + logger.Log.Infof("Updating user (%s)", user.Name) + } else { + logger.Log.Infof("Adding user (%s)", user.Name) + } hashedPassword := "" if user.Password != nil { @@ -63,12 +71,6 @@ func addOrUpdateUser(user imagecustomizerapi.User, baseConfigPath string, imageC } } - // Check if the user already exists. - userExists, err := userutils.UserExists(user.Name, imageChroot) - if err != nil { - return err - } - if userExists { if user.UID != nil { return fmt.Errorf("cannot set UID (%d) on a user (%s) that already exists", *user.UID, user.Name) 
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeusers_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizeusers_test.go new file mode 100644 index 00000000000..b3607dfd330 --- /dev/null +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeusers_test.go 
@@ -0,0 +1,234 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +package imagecustomizerlib + +import ( + "path/filepath" + "regexp" + "strings" + "testing" + + "github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi" + "github.com/microsoft/azurelinux/toolkit/tools/imagegen/installutils" + "github.com/microsoft/azurelinux/toolkit/tools/internal/file" + "github.com/microsoft/azurelinux/toolkit/tools/internal/ptrutils" + "github.com/microsoft/azurelinux/toolkit/tools/internal/shell" + "github.com/microsoft/azurelinux/toolkit/tools/internal/userutils" + "github.com/sirupsen/logrus" + "github.com/stretchr/testify/assert" +) + +var ( + // Parses the password field in the /etc/shadow file, extracting the rounds count and the salt. + shadowPasswordRegexp = regexp.MustCompile(`^\$([a-zA-Z0-9]*)\$((rounds=[0-9]+\$)?[a-zA-Z0-9./]*)\$[a-zA-Z0-9./]*$`) +) + +func TestCustomizeImageUsers(t *testing.T) { + baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi) + + testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageUsers") + buildDir := filepath.Join(testTmpDir, "build") + outImageFilePath := filepath.Join(testTmpDir, "image.raw") + + rootSshPublicKey := "fake-root-public-key" + + test2Uid := 10042 + test2SshPublicKey := "fake-test-public-key" + test2SshPublicKeyPath := "files/a.txt" + test2PlainText := "cat" + test2HomeDirectory := "/home/10042" + test2StartupCommand := "/sbin/nologin" + test2PasswordExpiresDays := int64(10) + + config := imagecustomizerapi.Config{ + OS: &imagecustomizerapi.OS{ + Users: []imagecustomizerapi.User{ + { + Name: "root", + SSHPublicKeys: []string{ + rootSshPublicKey, + }, + }, + { + Name: "test1", + }, + { + Name: "test2", + UID: &test2Uid, + Password: &imagecustomizerapi.Password{ + Type: "plain-text", + Value: test2PlainText, + }, + PasswordExpiresDays: &test2PasswordExpiresDays, + SSHPublicKeys: []string{ + test2SshPublicKey, + }, + SSHPublicKeyPaths: []string{ + test2SshPublicKeyPath, + }, 
+ SecondaryGroups: []string{ + "sudo", + }, + StartupCommand: test2StartupCommand, + HomeDirectory: test2HomeDirectory, + }, + }, + }, + } + + // Customize image. + err := CustomizeImage(buildDir, testDir, &config, baseImage, nil, outImageFilePath, "raw", "", + false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/) + if !assert.NoError(t, err) { + return + } + + imageConnection, err := connectToCoreEfiImage(buildDir, outImageFilePath) + if !assert.NoError(t, err) { + return + } + defer imageConnection.Close() + + // Verify root user. + verifySshAuthorizedKeys(t, imageConnection.Chroot().RootDir(), "/root", []string{rootSshPublicKey}) + + rootPasswdEntry, err := userutils.GetPasswdFileEntryForUser(imageConnection.Chroot().RootDir(), "root") + if assert.NoError(t, err) { + assert.Equal(t, 0, rootPasswdEntry.Uid) + assert.Equal(t, 0, rootPasswdEntry.Gid) + assert.Equal(t, "/root", rootPasswdEntry.HomeDirectory) + assert.Equal(t, "/bin/bash", rootPasswdEntry.Shell) + } + + rootUserGroups, err := userutils.GetUserGroups(imageConnection.Chroot().RootDir(), "root") + if assert.NoError(t, err) { + assert.ElementsMatch(t, rootUserGroups, []string{}) + } + + // Verify test1 user. + test1PasswdEntry, err := userutils.GetPasswdFileEntryForUser(imageConnection.Chroot().RootDir(), "test1") + if assert.NoError(t, err) { + assert.Equal(t, "/home/test1", test1PasswdEntry.HomeDirectory) + assert.Equal(t, "/bin/bash", test1PasswdEntry.Shell) + } + + test1UserGroups, err := userutils.GetUserGroups(imageConnection.Chroot().RootDir(), "test1") + if assert.NoError(t, err) { + assert.ElementsMatch(t, test1UserGroups, []string{}) + } + + // Verify test2 user. 
+ verifySshAuthorizedKeys(t, imageConnection.Chroot().RootDir(), test2HomeDirectory, + []string{test2SshPublicKey, "abcdefg"}) + + test2PasswdEntry, err := userutils.GetPasswdFileEntryForUser(imageConnection.Chroot().RootDir(), "test2") + if assert.NoError(t, err) { + assert.Equal(t, test2Uid, test2PasswdEntry.Uid) + assert.Equal(t, test2HomeDirectory, test2PasswdEntry.HomeDirectory) + assert.Equal(t, test2StartupCommand, test2PasswdEntry.Shell) + } + + test2ShadowEntry, err := userutils.GetShadowFileEntryForUser(imageConnection.Chroot().RootDir(), "test2") + if assert.NoError(t, err) { + verifyPassword(t, test2ShadowEntry.EncryptedPassword, test2PlainText) + + currentDay := installutils.DaysSinceUnixEpoch() + assert.Equal(t, currentDay+test2PasswordExpiresDays, int64(*test2ShadowEntry.AccountExpirationDate)) + } + + test2UserGroups, err := userutils.GetUserGroups(imageConnection.Chroot().RootDir(), "test2") + if assert.NoError(t, err) { + assert.ElementsMatch(t, test2UserGroups, []string{"sudo"}) + } +} + +func TestCustomizeImageUsersExitingUserHomeDir(t *testing.T) { + baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi) + + testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageUsers") + buildDir := filepath.Join(testTmpDir, "build") + outImageFilePath := filepath.Join(testTmpDir, "image.raw") + + config := imagecustomizerapi.Config{ + OS: &imagecustomizerapi.OS{ + Users: []imagecustomizerapi.User{ + { + Name: "root", + HomeDirectory: "/home/root", + }, + }, + }, + } + + // Customize image. 
+ err := CustomizeImage(buildDir, testDir, &config, baseImage, nil, outImageFilePath, "raw", "", + false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/) + assert.ErrorContains(t, err, "cannot set home directory (/home/root) on a user (root) that already exists") +} + +func TestCustomizeImageUsersExitingUserUid(t *testing.T) { + baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi) + + testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageUsers") + buildDir := filepath.Join(testTmpDir, "build") + outImageFilePath := filepath.Join(testTmpDir, "image.raw") + + config := imagecustomizerapi.Config{ + OS: &imagecustomizerapi.OS{ + Users: []imagecustomizerapi.User{ + { + Name: "root", + UID: ptrutils.PtrTo(1), + }, + }, + }, + } + + // Customize image. + err := CustomizeImage(buildDir, testDir, &config, baseImage, nil, outImageFilePath, "raw", "", + false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/) + assert.ErrorContains(t, err, "cannot set UID (1) on a user (root) that already exists") +} + +func verifySshAuthorizedKeys(t *testing.T, rootDir string, homeDirectory string, sshPublicKeys []string) bool { + authorizedKeysPath := filepath.Join(rootDir, homeDirectory, userutils.SSHDirectoryName, + userutils.SSHAuthorizedKeysFileName) + authorizedKeys, err := file.ReadLines(authorizedKeysPath) + if !assert.NoError(t, err) { + return false + } + + success := true + for _, sshPublicKey := range sshPublicKeys { + success = assert.Contains(t, authorizedKeys, sshPublicKey) && success + } + + return success +} + +func verifyPassword(t *testing.T, encryptedPassword string, plainTextPassword string) bool { + match := shadowPasswordRegexp.FindStringSubmatch(encryptedPassword) + if !assert.NotNilf(t, match, "parse shadow password field (%s)", encryptedPassword) { + return false + } + + id := match[1] + + // 'openssl passwd' allows the number of rounds to be added to the start of the salt arg. 
+ roundsAndSalt := match[2] + + if !assert.Equal(t, "6", id) { + return false + } + + reencryptedPassword, _, err := shell.NewExecBuilder("openssl", "passwd", "-6", "-salt", roundsAndSalt, "-stdin"). + Stdin(plainTextPassword). + LogLevel(shell.LogDisabledLevel, logrus.DebugLevel). + ExecuteCaptureOuput() + if !assert.NoError(t, err) { + return false + } + + return assert.Equal(t, encryptedPassword, strings.TrimSpace(reencryptedPassword)) +} diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go b/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go index 228b5ee4f9d..a8e8abbe142 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go @@ -25,6 +25,11 @@ func enableVerityPartition(buildDir string, verity *imagecustomizerapi.Verity, i logger.Log.Infof("Enable verity") + err = validateVerityDependencies(imageChroot) + if err != nil { + return false, fmt.Errorf("failed to validate package dependencies for verity:\n%w", err) + } + // Integrate systemd veritysetup dracut module into initramfs img. systemdVerityDracutModule := "systemd-veritysetup" dmVerityDracutDriver := "dm-verity" @@ -247,3 +252,17 @@ func systemdFormatCorruptionOption(corruptionOption imagecustomizerapi.Corruptio return "", fmt.Errorf("invalid corruptionOption provided (%s)", string(corruptionOption)) } } + +func validateVerityDependencies(imageChroot *safechroot.Chroot) error { + requiredRpms := []string{"lvm2"} + + // Iterate over each required package and check if it's installed. + for _, pkg := range requiredRpms { + logger.Log.Debugf("Checking if package (%s) is installed", pkg) + if !isPackageInstalled(imageChroot, pkg) { + return fmt.Errorf("package (%s) is not installed:\nthe following packages must be installed to use Verity: %v", pkg, requiredRpms) + } + } + + return nil +} 
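Review bot: TestCustomizeImageUsersExitingUserHomeDir and TestCustomizeImageUsersExitingUserUid both build testTmpDir from the literal "TestCustomizeImageUsers", so all three tests in this new file share one build directory and output image path; each should use its own name, e.g. `testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageUsersExistingUserUid")`. "Exiting" in the two test names looks like a typo for "Existing". The test2 check compares PasswordExpiresDays with the shadow entry's AccountExpirationDate field; if that mapping is intended, a short comment saying so would stop the next reader from assuming a mix-up.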
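Review bot: validateVerityDependencies reports "package (%s) is not installed" for every false returned by isPackageInstalled, which is defined outside this page; if that helper also returns false when the package query itself fails, the user is told to install lvm2 for an unrelated error, so this is worth confirming. The function has no doc comment; something like `// validateVerityDependencies returns an error if any package in requiredRpms is missing from the image.` would do, ideally with a note on why lvm2 is needed. The inline `// Iterate over each required package…` comment only restates the loop and could go.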
diff --git a/toolkit/tools/pkg/imagecustomizerlib/extractpartitions.go b/toolkit/tools/pkg/imagecustomizerlib/extractpartitions.go index 623f3b403c5..96f463e29cf 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/extractpartitions.go +++ b/toolkit/tools/pkg/imagecustomizerlib/extractpartitions.go @@ -44,17 +44,20 @@ func extractPartitions(imageLoopDevice string, outDir string, basename string, p var partitionMetadataOutput []outputPartitionMetadata // Extract partitions to files - for partitionNum := range diskPartitions { - partition := diskPartitions[partitionNum] + for _, partition := range diskPartitions { if partition.Type != "part" { continue } + partitionNum, err := getPartitionNum(partition.Path) + if err != nil { + return err + } + partitionFilename := basename + "_" + strconv.Itoa(partitionNum) rawFilename := partitionFilename + ".raw" - partitionLoopDevice := partition.Path - partitionFilepath, err := copyBlockDeviceToFile(outDir, partitionLoopDevice, rawFilename) + partitionFilepath, err := copyBlockDeviceToFile(outDir, partition.Path, rawFilename) if err != nil { return err } diff --git a/toolkit/tools/pkg/imagecustomizerlib/installedkernelcheck.go b/toolkit/tools/pkg/imagecustomizerlib/installedkernelcheck.go new file mode 100644 index 00000000000..eb0fa14fced --- /dev/null +++ b/toolkit/tools/pkg/imagecustomizerlib/installedkernelcheck.go 
@@ -0,0 +1,38 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +package imagecustomizerlib + +import ( + "fmt" + "os" + "path/filepath" + + "github.com/microsoft/azurelinux/toolkit/tools/internal/safechroot" +) + +// Check if the user accidentally uninstalled the kernel package without installing a substitute package. +func checkForInstalledKernel(imageChroot *safechroot.Chroot) error { + kernelModulesDir := filepath.Join(imageChroot.RootDir(), "/lib/modules") + + kernels, err := os.ReadDir(kernelModulesDir) + if err != nil { + return fmt.Errorf("failed to read installed kernels list:\n%w", err) + } + + for _, kernel := range kernels { + // There is a bug in Azure Linux 2.0, where uninstalling the kernel package doesn't remove the directory + // /lib/modules/. Instead the directory is just emptied. So, ensure the directory isn't empty. + files, err := os.ReadDir(filepath.Join(kernelModulesDir, kernel.Name())) + if err != nil { + return fmt.Errorf("failed to read installed kernel (%s) module directory:\n%w", kernel.Name(), err) + } + + if len(files) > 0 { + // Found at least 1 kernel. + return nil + } + } + + return fmt.Errorf("no installed kernel found") +} diff --git a/toolkit/tools/pkg/imagecustomizerlib/installedkernelcheck_test.go b/toolkit/tools/pkg/imagecustomizerlib/installedkernelcheck_test.go new file mode 100644 index 00000000000..c350243af28 --- /dev/null +++ b/toolkit/tools/pkg/imagecustomizerlib/installedkernelcheck_test.go 
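Review bot: checkForInstalledKernel calls os.ReadDir on every entry under /lib/modules, so a stray regular file there aborts the check with "failed to read installed kernel (…) module directory" instead of being skipped; adding `if !kernel.IsDir() { continue }` at the top of the loop avoids that. A missing /lib/modules directory is likewise reported as a read failure rather than as "no installed kernel found", which is the message the new test expects for the no-kernel case. The paths are built on the host from imageChroot.RootDir(), so an absolute symlink inside the image would be resolved against the host filesystem; if that is accepted for this check, a comment saying so would help.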
@@ -0,0 +1,25 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +package imagecustomizerlib + +import ( + "path/filepath" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestCustomizeImageMissingKernel(t *testing.T) { + baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi) + + testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageMissingKernel") + buildDir := filepath.Join(testTmpDir, "build") + configFile := filepath.Join(testDir, "no-kernel-config.yaml") + outImageFilePath := filepath.Join(testTmpDir, "image.raw") + + // Customize image. + err := CustomizeImageWithConfigFile(buildDir, configFile, baseImage, nil, outImageFilePath, "raw", "", + false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/) + assert.ErrorContains(t, err, "no installed kernel found") +} diff --git a/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go b/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go index 43fcea80d0f..e7332d54ef8 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go +++ b/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go @@ -8,6 +8,7 @@ import ( "os" "path/filepath" "regexp" + "strconv" "strings" "github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi" @@ -22,6 +23,9 @@ import ( var ( bootPartitionRegex = regexp.MustCompile(`(?m)^search -n -u ([a-zA-Z0-9\-]+) -s$`) + + // Extract the partition number from the loopback partition path. + partitionNumberRegex = regexp.MustCompile(`^/dev/loop\d+p(\d+)$`) ) func findPartitions(buildDir string, diskDevice string) ([]*safechroot.MountPoint, error) { 
@@ -427,3 +431,21 @@ func getNonSpecialChrootMountPoints(imageChroot *safechroot.Chroot) []*safechroo }, ) } + +// Extract the partition number from the partition path. +// Ideally, we would use `lsblk --output PARTN` instead of this. But that is only available in util-linux v2.39+. +func getPartitionNum(partitionLoopDevice string) (int, error) { + match := partitionNumberRegex.FindStringSubmatch(partitionLoopDevice) + if match == nil { + return 0, fmt.Errorf("failed to find partition number in partition dev path (%s)", partitionLoopDevice) + } + + numStr := match[1] + + num, err := strconv.Atoi(numStr) + if match == nil { + return 0, fmt.Errorf("failed to parse partition number (%s):\n%w", numStr, err) + } + + return num, nil +} diff --git a/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go b/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go index 05b9e201e49..fb272a977ec 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go +++ b/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go @@ -12,6 +12,17 @@ import ( "github.com/microsoft/azurelinux/toolkit/tools/internal/shell" ) +var ( + // Parsing output of: fdisk --list + // + // Example: + // Device Start End Sectors Size Type + // /dev/vda1 2048 18431 16384 8M EFI System + // /dev/vda2 18432 8386559 8368128 4G Linux filesystem + fdiskPartitionsTableHeaderRegexp = regexp.MustCompile(`(?m)^Device[\t ]+Start[\t ]+`) + fdiskPartitionsTableEntryRegexp = regexp.MustCompile(`^([0-9A-Za-z-_/]+)[\t ]+(\d+)[\t ]+`) +) + func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomizerapi.IdentifiedPartition) error { logger.Log.Infof("Shrinking filesystems") 
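Review bot: In getPartitionNum the check after `strconv.Atoi(numStr)` tests `match == nil` a second time instead of the conversion error, so a failed conversion (for example an out-of-range number) is silently dropped and its result returned as a valid partition number; the condition should be `if err != nil {`. The callers added in this commit use the result as a file-name suffix and as the `resizepart` argument to parted, so a wrong number should fail loudly here. The doc comment could also state that only `/dev/loopNpM` paths are accepted, since that is all partitionNumberRegex matches.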
@@ -22,14 +33,12 @@ func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomi } // Get the start sectors of all partitions - matchStarts, err := getStartSectors(imageLoopDevice, len(diskPartitions)-1) - // Number of partitions is len(diskPartitions)-1 as diskPartitions[0] refers to the loop device for the image itself + startSectors, err := getStartSectors(imageLoopDevice, len(diskPartitions)-1) if err != nil { - return err + return fmt.Errorf("failed to get partitions start sectors:\n%w", err) } - for partitionNum := 0; partitionNum < len(diskPartitions); partitionNum++ { - diskPartition := diskPartitions[partitionNum] + for _, diskPartition := range diskPartitions { if diskPartition.Type != "part" { continue } @@ -57,8 +66,18 @@ func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomi logger.Log.Infof("Shrinking partition (%s)", partitionLoopDevice) + startSector, foundStartSector := startSectors[partitionLoopDevice] + if !foundStartSector { + return fmt.Errorf("failed to find start sector for partition (%s)", partitionLoopDevice) + } + + partitionNumber, err := getPartitionNum(partitionLoopDevice) + if err != nil { + return err + } + // Check the file system with e2fsck - err := shell.ExecuteLive(true /*squashErrors*/, "sudo", "e2fsck", "-fy", partitionLoopDevice) + err = shell.ExecuteLive(true /*squashErrors*/, "sudo", "e2fsck", "-fy", partitionLoopDevice) if err != nil { return fmt.Errorf("failed to check %s with e2fsck:\n%w", partitionLoopDevice, err) } @@ -70,7 +89,7 @@ func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomi } // Find the new partition end value - end, err := getNewPartitionEndInSectors(stdout, stderr, matchStarts[partitionNum-1][1], imageLoopDevice) + end, err := getNewPartitionEndInSectors(stdout, stderr, startSector, imageLoopDevice) if err != nil { return fmt.Errorf("failed to calculate new partition end:\n%w", err) } 
@@ -82,7 +101,8 @@ func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomi } // Resize the partition with parted resizepart - _, stderr, err = shell.ExecuteWithStdin("yes" /*stdin*/, "sudo", "parted", "---pretend-input-tty", imageLoopDevice, "resizepart", strconv.Itoa(partitionNum), end) + _, stderr, err = shell.ExecuteWithStdin("yes" /*stdin*/, "sudo", "parted", "---pretend-input-tty", + imageLoopDevice, "resizepart", strconv.Itoa(partitionNumber), end) if err != nil { return fmt.Errorf("failed to resizepart %s with parted:\n%v", partitionLoopDevice, stderr) } 
@@ -97,23 +117,47 @@ func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomi
 }
 // Get the start sectors of all partitions.
-func getStartSectors(imageLoopDevice string, partitionCount int) (matchStarts [][]string, err error) {
- stdout, stderr, err := shell.Execute("sudo", "fdisk", "-l", imageLoopDevice)
+// Ideally, we would use 'lsblk --output START' here. But that is only available in util-linux v2.38+.
+func getStartSectors(imageLoopDevice string, partitionCount int) (partitionStarts map[string]int, err error) {
+ stdout, stderr, err := shell.Execute("sudo", "fdisk", "--list", imageLoopDevice)
 if err != nil {
 return nil, fmt.Errorf("fdisk failed to list partitions:\n%v", stderr)
 }
- // Example line from fdisk -l output: "/dev/loop41p2 18432 103064 84633 41.3M Linux filesystem"
- reStarts, err := regexp.Compile(`(?m:^` + imageLoopDevice + `p\d+ *(\d+).*?)`)
- if err != nil {
- return nil, fmt.Errorf("failed to compile regex:\n%w", err)
+ headerIndex := fdiskPartitionsTableHeaderRegexp.FindStringIndex(stdout)
+ if headerIndex == nil {
+ return nil, fmt.Errorf("failed to find partition table header in fdisk output")
+ }
+
+ partitionTable := stdout[headerIndex[0]:]
+ partitionTableLines := strings.Split(partitionTable, "\n")
+
+ // Remove header row and final empty line.
+ partitionTableLines = partitionTableLines[1 : len(partitionTableLines)-1]
+
+ partitionStarts = make(map[string]int)
+ for _, line := range partitionTableLines {
+ entry := fdiskPartitionsTableEntryRegexp.FindStringSubmatch(line)
+ if entry == nil {
+ return nil, fmt.Errorf("failed to parse fdisk partition table line (%s)", line)
+ }
+
+ path := entry[1]
+ startStr := entry[2]
+
+ start, err := strconv.Atoi(startStr)
+ if err != nil {
+ return nil, fmt.Errorf("failed to convert start sector (%s) to int:\n%w", startStr, err)
+ }
+
+ partitionStarts[path] = start
 }
- matchStarts = reStarts.FindAllStringSubmatch(stdout, -1)
- if len(matchStarts) < partitionCount {
+
+ if len(partitionStarts) < partitionCount {
 return nil, fmt.Errorf("could not find all partition starts")
 }
- return matchStarts, nil
+ return partitionStarts, nil
 }
 // Get the filesystem size in sectors.
@@ -178,7 +222,7 @@ func getFilesystemSizeInSectors(resize2fsStdout string, resize2fsStderr string,
 // Get the new partition end in sectors.
 // Returns an empty string if the resize was a no-op.
-func getNewPartitionEndInSectors(resize2fsStdout string, resize2fsStderr string, startSector string,
+func getNewPartitionEndInSectors(resize2fsStdout string, resize2fsStderr string, startSector int,
 imageLoopDevice string,
 ) (endInSectors string, err error) {
 filesystemSizeInSectors, err := getFilesystemSizeInSectors(resize2fsStdout, resize2fsStderr, imageLoopDevice)
@@ -191,13 +235,8 @@ func getNewPartitionEndInSectors(resize2fsStdout string, resize2fsStderr string,
 return "", nil
 }
- // Convert start sector string to int
- start, err := strconv.Atoi(startSector)
- if err != nil {
- return "", fmt.Errorf("failed to convert start sector to int:\n%w", err)
- }
 // Calculate the new end
- end := start + filesystemSizeInSectors
+ end := startSector + filesystemSizeInSectors
 // Convert to a string with sectors unit appended
 endInSectors = strconv.Itoa(end) + "s"
 return endInSectors, nil
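Review bot: In getStartSectors, `partitionTableLines[1 : len(partitionTableLines)-1]` assumes the fdisk output ends with exactly one newline directly after the last table row. If the header is the last line with no newline, the expression becomes `[1:0]` and panics, and if the final row has no trailing newline that partition is dropped without a parse error. Any text fdisk prints after the table (it may append notes below a blank line; to be confirmed for the util-linux versions in use) would hit the `failed to parse fdisk partition table line` error instead of being ignored. Stopping at the first blank line is sturdier: `partitionTableLines = strings.Split(partitionTable, "\n")[1:]` and, as the first statement of the loop, `if strings.TrimSpace(line) == "" { break }`; the existing `len(partitionStarts) < partitionCount` check then still catches a short table.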
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/no-kernel-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/no-kernel-config.yaml
new file mode 100644
index 00000000000..86b3ad40654
--- /dev/null
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/no-kernel-config.yaml
@@ -0,0 +1,4 @@
+os:
+ packages:
+ remove:
+ - kernel