Skip to content

Commit

Permalink
Merge branch 'master' into gems
Browse files Browse the repository at this point in the history
  • Loading branch information
alex501212 authored Sep 3, 2024
2 parents 0c881ff + a1da62b commit 6a0a342
Show file tree
Hide file tree
Showing 15 changed files with 402 additions and 23 deletions.
18 changes: 9 additions & 9 deletions configs/components/_base-rubygem.rb
Original file line number Diff line number Diff line change
Expand Up @@ -40,13 +40,13 @@
# If a gem needs more command line options to install set the :gem_install_options
# in its component file rubygem-<compoment>, before the instance_eval of this file.
gem_install_options = settings["#{pkg.get_name}_gem_install_options".to_sym]
if gem_install_options.nil?
pkg.install do
"#{settings[:gem_install]} #{name}-#{version}.gem"
end
else
pkg.install do
"#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
end
remove_older_versions = settings["#{pkg.get_name}_remove_older_versions".to_sym]
pkg.install do
steps = []
steps << "#{settings[:gem_uninstall]} #{name}" if remove_older_versions
steps << if gem_install_options.nil?
"#{settings[:gem_install]} #{name}-#{version}.gem"
else
"#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
end
end

2 changes: 2 additions & 0 deletions configs/components/curl.rb
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
elsif platform.is_windows?
pkg.build_requires "runtime-#{settings[:runtime_project]}"
pkg.environment "PATH", "$(shell cygpath -u #{settings[:gcc_bindir]}):$(PATH)"
pkg.environment "NM" , "/usr/bin/nm" if platform.name =~ /windowsfips-2016/
pkg.environment "CYGWIN", settings[:cygwin]
elsif platform.is_aix? && platform.name != 'aix-7.1-ppc'
pkg.environment "PKG_CONFIG_PATH", "/opt/puppetlabs/puppet/lib/pkgconfig"
Expand All @@ -47,6 +48,7 @@
pkg.apply_patch 'resources/patches/curl/CVE-2023-46218.patch'
pkg.apply_patch 'resources/patches/curl/CVE-2024-2004.patch'
pkg.apply_patch 'resources/patches/curl/CVE-2024-2398.patch'
pkg.apply_patch 'resources/patches/curl/CVE-2024-7264.patch'
end

configure_options = []
Expand Down
2 changes: 1 addition & 1 deletion configs/components/openssl-1.0.2.rb
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,7 @@
'no-ssl3',
]

configure_flags += ['fips', "--with-fipsdir=#{settings[:prefix]}/usr/local/ssl/fips-2.0"] if platform.name =~ /windowsfips-2012r2/
configure_flags += ['fips', "--with-fipsdir=#{settings[:prefix]}/usr/local/ssl/fips-2.0"] if platform.name =~ /windowsfips-/

# Individual projects may provide their own openssl configure flags:
project_flags = settings[:openssl_extra_configure_flags] || []
Expand Down
19 changes: 18 additions & 1 deletion configs/components/ruby-2.7.8.rb
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,9 @@
pkg.apply_patch "#{base}/uri-redos-cve-2023-36617.patch"
pkg.apply_patch "#{base}/stringio_cve-2024-27280.patch"

pkg.apply_patch "#{base}/0001-Filter-marshaled-objects-ruby30.patch"
pkg.apply_patch "#{base}/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch"

if platform.is_cross_compiled?
unless platform.is_macos?
pkg.apply_patch "#{base}/uri_generic_remove_safe_nav_operator_r2.5.patch"
Expand Down Expand Up @@ -141,7 +144,8 @@
'windows-2012r2-x64',
'windows-2012r2-x86',
'windows-2019-x64',
'windowsfips-2012r2-x64'
'windowsfips-2012r2-x64',
'windowsfips-2016-x64'
]

unless without_dtrace.include? platform.name
Expand Down Expand Up @@ -170,6 +174,19 @@
]
end

if(platform.name =~ /windowsfips-2016/)
# We need the below patch since during ruby build step for windowsfips-2016-x64 agent-runtime builds,
# the rbconfig.rb file that gets generated contains '\r' trailing character in 'ruby_version' config.
# We patch rbconfig.rb to remove the '\r' character.
# This patch has to run after the build step since rbconfig.rb is generated during the build step.
# This is sort of a hacky way to do this. We need to find why the '\r' character gets appended to
# 'ruby_version' field in the future so that this patch can be removed - PA-6902.
pkg.add_source("#{base}/rbconfig_win.patch")
pkg.build do
["TMP=/var/tmp /usr/bin/patch.exe --binary --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../rbconfig_win.patch"]
end
end

#########
# INSTALL
#########
Expand Down
16 changes: 15 additions & 1 deletion configs/components/ruby-3.2.5.rb
Original file line number Diff line number Diff line change
Expand Up @@ -161,7 +161,8 @@
'windows-2012r2-x64',
'windows-2012r2-x86',
'windows-2019-x64',
'windowsfips-2012r2-x64'
'windowsfips-2012r2-x64',
'windowsfips-2016-x64'
]

unless without_dtrace.include? platform.name
Expand Down Expand Up @@ -195,6 +196,19 @@
]
end

if(platform.name =~ /windowsfips-2016/)
# We need the below patch since during ruby build step for windowsfips-2016-x64 agent-runtime builds,
# the rbconfig.rb file that gets generated contains '\r' trailing character in 'ruby_version' config.
# We patch rbconfig.rb to remove the '\r' character.
# This patch has to run after the build step since rbconfig.rb is generated during the build step.
# This is sort of a hacky way to do this. We need to find why the '\r' character gets appended to
# 'ruby_version' field in the future so that this patch can be removed - PA-6902.
pkg.add_source("#{base}/rbconfig_win.patch")
pkg.build do
["TMP=/var/tmp /usr/bin/patch.exe --binary --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../rbconfig_win.patch"]
end
end

#########
# INSTALL
#########
Expand Down
8 changes: 5 additions & 3 deletions configs/components/rubygem-rexml.rb
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
component 'rubygem-rexml' do |pkg, settings, platform|
pkg.version '3.3.5'
pkg.md5sum 'cdd5c83f1d7230a7d44406f69e9f3d2d'
pkg.version '3.3.6'
pkg.md5sum 'be54ad1a5f661ebf9824bf6ca36e50eb'

settings["#{pkg.get_name}_remove_older_versions".to_sym] = true

# If the platform is solaris with sparc architecture in agent-runtime-7.x project, we want to gem install rexml
# ignoring the dependencies, this is because the pl-ruby version used in these platforms is ancient so it gets
Expand All @@ -9,6 +11,6 @@
if platform.name =~ /solaris-(10|11)-sparc/ && settings[:ruby_version].to_i < 3
settings["#{pkg.get_name}_gem_install_options".to_sym] = "--ignore-dependencies"
end

instance_eval File.read('configs/components/_base-rubygem.rb')
end
54 changes: 54 additions & 0 deletions configs/platforms/windowsfips-2016-x64.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
platform "windowsfips-2016-x64" do |plat|
plat.vmpooler_template 'win-2016-fips-x86_64'

plat.servicetype 'windows'
visual_studio_version = '2017'
visual_studio_sdk_version = 'win8.1'

# We need to ensure we install chocolatey prior to adding any nuget repos. Otherwise, everything will fall over
plat.add_build_repository "https://artifactory.delivery.puppetlabs.net/artifactory/generic/buildsources/windows/chocolatey/install-chocolatey-1.4.0.ps1"
plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe feature enable -n useFipsCompliantChecksums"

plat.add_build_repository "https://artifactory.delivery.puppetlabs.net/artifactory/api/nuget/nuget"

# C:\tools is likely added by mingw, however because we also want to use that
# dir for vsdevcmd.bat we create it for safety
plat.provision_with "mkdir -p C:/tools"
# We don't want to install any packages from the chocolatey repo by accident
plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe sources remove -name chocolatey"

packages = [
"cmake",
"pl-gdbm-#{self._platform.architecture}",
"pl-iconv-#{self._platform.architecture}",
"pl-libffi-#{self._platform.architecture}",
"pl-pdcurses-#{self._platform.architecture}",
"pl-toolchain-#{self._platform.architecture}",
"pl-zlib-#{self._platform.architecture}",
"mingw-w64 -version 5.2.0 -debug",
]

packages.each do |name|
plat.provision_with("C:/ProgramData/chocolatey/bin/choco.exe install -y --no-progress #{name}")
end
# We use cache-location in the following install because msvc has several long paths
# if we do not update the cache location choco will fail because paths get too long
plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe install msvc.#{visual_studio_version}-#{visual_studio_sdk_version}.sdk.en-us -y --cache-location=\"C:\\msvc\" --no-progress"
# The following creates a batch file that will execute the vsdevcmd batch file located within visual studio.
# We create the following batch file under C:\tools\vsdevcmd.bat so we can avoid using both the %ProgramFiles(x86)%
# evironment var, as well as any spaces in the path when executing things with cygwin. This makes command execution
# through cygwin much easier.
#
# Note that the unruly \'s in the following string escape the following sequence to literal chars: "\" and then \""
plat.provision_with "touch C:/tools/vsdevcmd.bat && echo \"\\\"%ProgramFiles(x86)%\\Microsoft Visual Studio\\#{visual_studio_version}\\BuildTools\\Common7\\Tools\\vsdevcmd\\\"\" >> C:/tools/vsdevcmd.bat"

plat.install_build_dependencies_with "C:/ProgramData/chocolatey/bin/choco.exe install -y --no-progress"

plat.make "/usr/bin/make"
plat.patch "TMP=/var/tmp /usr/bin/patch.exe --binary"

plat.platform_triple "x86_64-w64-mingw32"

plat.package_type "archive"
plat.output_dir "windows"
end
8 changes: 7 additions & 1 deletion configs/projects/_shared-agent-components.rb
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
elsif platform.name =~ /^redhatfips-.*/
proj.component "openssl-1.1.1-fips"
else
proj.component "openssl-fips-2.0.16" if platform.name =~ /windowsfips-2012r2/ && proj.openssl_version =~ /1.0.2/
proj.component "openssl-fips-2.0.16" if platform.name =~ /windowsfips-/ && proj.openssl_version =~ /1.0.2/
proj.component "openssl-#{proj.openssl_version}"
end

Expand Down Expand Up @@ -62,6 +62,12 @@
proj.component 'rubygem-fast_gettext'
proj.component 'rubygem-ffi'

# We add rexml explicitly in here because even though ruby 3 ships with rexml as its default gem, the version
# of rexml it ships with contains CVE-2024-41946, CVE-2024-41123, CVE-2024-35176 and CVE-2024-39908.
# So, we add it here to update to a higher version
# free from the CVEs.
proj.component 'rubygem-rexml'

if platform.is_windows? || platform.is_solaris? || platform.is_aix?
proj.component 'rubygem-minitar'
end
Expand Down
5 changes: 3 additions & 2 deletions configs/projects/_shared-agent-settings.rb
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,7 @@
end

proj.setting(:gem_install, "#{proj.host_gem} install --no-rdoc --no-ri --local ")
proj.setting(:gem_uninstall, "#{proj.host_gem} uninstall --all --ignore-dependencies ")

# For AIX, we use the triple to install a better rbconfig
if platform.is_aix?
Expand All @@ -147,7 +148,7 @@
proj.setting(:openssl_version, '3.0')
elsif platform.name =~ /^redhatfips-/
proj.setting(:openssl_version, '1.1.1-fips')
elsif platform.name =~ /^windowsfips-2012r2/
elsif platform.name =~ /^windowsfips-/
proj.setting(:openssl_version, '1.0.2')
else
proj.setting(:openssl_version, '1.1.1')
Expand All @@ -168,7 +169,7 @@
proj.setting(:cflags, "#{proj.cppflags}")

ldflags = "-L#{proj.tools_root}/lib -L#{proj.gcc_root}/lib -L#{proj.libdir} -Wl,--nxcompat"
if platform.name !~ /windowsfips-2012r2/ || name != 'agent-runtime-7.x'
if platform.name !~ /windowsfips-/ || name != 'agent-runtime-7.x'
ldflags += ' -Wl,--dynamicbase'
end
proj.setting(:ldflags, ldflags)
Expand Down
5 changes: 0 additions & 5 deletions configs/projects/agent-runtime-7.x.rb
Original file line number Diff line number Diff line change
Expand Up @@ -61,11 +61,6 @@
proj.component 'rubygem-thor'
proj.component 'rubygem-scanf'

# We add rexml explicitly in here because even though ruby 2 ships with rexml as its default gem, the version
# of rexml it ships with contains CVE-2024-35176 and CVE-2024-39908. So, we add it here to update to a higher version
# free from the CVEs.
proj.component 'rubygem-rexml'

if platform.is_linux?
proj.component "virt-what"
proj.component "dmidecode" unless platform.architecture =~ /ppc64/
Expand Down
93 changes: 93 additions & 0 deletions resources/patches/curl/CVE-2024-7264.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
index 39e4fb33b..7e2e3d724 100644
--- a/lib/vtls/x509asn1.c
+++ b/lib/vtls/x509asn1.c
@@ -566,28 +566,40 @@ static const char *GTime2str(const char *beg, const char *end)
tzp = fracp;
fracl = 0;
if(fracp < end && (*fracp == '.' || *fracp == ',')) {
- fracp++;
- do
+ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
+ fracp++; /* should be a digit char or BAD ARGUMENT */
+ tzp = fracp;
+ while(tzp < end && ISDIGIT(*tzp))
tzp++;
- while(tzp < end && *tzp >= '0' && *tzp <= '9');
- /* Strip leading zeroes in fractional seconds. */
- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
- ;
+ if(tzp == fracp) /* never looped, no digit after [.,] */
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ fracl = tzp - fracp; /* number of fractional sec digits */
+ DEBUGASSERT(fracl > 0);
+ /* Strip trailing zeroes in fractional seconds.
+ * May reduce fracl to 0 if only '0's are present. */
+ while(fracl && fracp[fracl - 1] == '0')
+ fracl--;
}

/* Process timezone. */
- if(tzp >= end)
- ; /* Nothing to do. */
+ if(tzp >= end) {
+ sep = " ";
+ tzp = "GMT";
+ tzl = 3;
+ }
+ else if((*tzp == '+') || (*tzp == '-')) {
+ sep = " UTC";
+ tzl = end - tzp;
+ } /* Nothing to do. */
else if(*tzp == 'Z') {
tzp = " GMT";
end = tzp + 4;
}
else {
sep = " ";
- tzp++;
+ tzl = end - tzp;
}

- tzl = end - tzp;
return curl_maprintf("%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
beg, beg + 4, beg + 6,
beg + 8, beg + 10, sec1, sec2,
@@ -595,6 +607,15 @@ static const char *GTime2str(const char *beg, const char *end)
sep, (int)tzl, tzp);
}

+#ifdef UNITTESTS
+/* used by unit1656.c */
+CURLcode Curl_x509_GTime2str(struct dynbuf *store,
+ const char *beg, const char *end)
+{
+ return GTime2str(store, beg, end);
+}
+#endif
+
/*
* Convert an ASN.1 UTC time to a printable string.
* Return the dynamically allocated string, or NULL if an error occurs.
diff --git a/lib/vtls/x509asn1.h b/lib/vtls/x509asn1.h
index 5496de40e..93925718c 100644
--- a/lib/vtls/x509asn1.h
+++ b/lib/vtls/x509asn1.h
@@ -76,6 +76,17 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data, int certnum,
const char *beg, const char *end);
CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
const char *beg, const char *end);
+
+#ifdef UNITTESTS
+#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
+ defined(USE_MBEDTLS)
+
+/* used by unit1656.c */
+CURLcode Curl_x509_GTime2str(struct dynbuf *store,
+ const char *beg, const char *end);
+#endif
+#endif
+
#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL
* or USE_SECTRANSP */
#endif /* HEADER_CURL_X509ASN1_H */
Loading

0 comments on commit 6a0a342

Please sign in to comment.