microsoft
diff --git a/‎.pipelines/containerSourceData/scripts/BuildBaseContainers.sh‎
Lines changed: 44 additions & 13 deletions b/‎.pipelines/containerSourceData/scripts/BuildBaseContainers.sh‎
Lines changed: 44 additions & 13 deletions
diff --git a/‎SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec‎
Lines changed: 4 additions & 1 deletion b/‎SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec‎
Lines changed: 4 additions & 1 deletion b/‎SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎SPECS-SIGNED/kernel-signed/kernel-signed.spec‎
Lines changed: 5 additions & 2 deletions b/‎SPECS-SIGNED/kernel-signed/kernel-signed.spec‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎SPECS/avahi/CVE-2024-52616.patch‎
Lines changed: 103 additions & 0 deletions b/‎SPECS/avahi/CVE-2024-52616.patch‎
Lines changed: 103 additions & 0 deletions
diff --git a/‎SPECS/avahi/avahi.spec‎
Lines changed: 5 additions & 1 deletion b/‎SPECS/avahi/avahi.spec‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎SPECS/binutils/CVE-2025-0840.patch‎
Lines changed: 48 additions & 0 deletions b/‎SPECS/binutils/CVE-2025-0840.patch‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎SPECS/binutils/binutils.spec‎
Lines changed: 5 additions & 1 deletion b/‎SPECS/binutils/binutils.spec‎
Lines changed: 5 additions & 1 deletion
@@ -49,7 +49,7 @@ set -e
 #    -r "" \
 #    -q "false"
 
-while getopts ":a:c:k:l:o:p:r:q:" OPTIONS; do
+while getopts ":a:c:k:l:o:p:r:q:s:t:u:v:" OPTIONS; do
     case ${OPTIONS} in
     a ) ACR=$OPTARG;;
     c ) CONTAINER_TARBALLS_DIR=$OPTARG;;
@@ -59,6 +59,10 @@ while getopts ":a:c:k:l:o:p:r:q:" OPTIONS; do
     p ) PUBLISHING_LEVEL=$OPTARG;;
     r ) REPO_PREFIX=$OPTARG;;
     q ) PUBLISH_TO_ACR=$OPTARG;;
+    s ) DISTROLESS_BASE_BUILD=$OPTARG;;
+    t ) DISTROLESS_DEBUG_BUILD=$OPTARG;; 
+    u ) DISTROLESS_MINIMAL_BUILD=$OPTARG;;
+    v ) BASE_BUILD=$OPTARG;;
 
     \? )
         echo "Error - Invalid Option: -$OPTARG" 1>&2
@@ -88,6 +92,10 @@ function print_inputs {
     echo "PUBLISHING_LEVEL              -> $PUBLISHING_LEVEL"
     echo "PUBLISH_TO_ACR                -> $PUBLISH_TO_ACR"
     echo "OUTPUT_DIR                    -> $OUTPUT_DIR"
+    echo "DISTROLESS_BASE_BUILD         -> $DISTROLESS_BASE_BUILD"
+    echo "DISTROLESS_DEBUG_BUILD        -> $DISTROLESS_DEBUG_BUILD"
+    echo "DISTROLESS_MINIMAL_BUILD      -> $DISTROLESS_MINIMAL_BUILD"
+    echo "BASE_BUILD                    -> $BASE_BUILD"
 }
 
 function validate_inputs {
@@ -106,10 +114,16 @@ function validate_inputs {
     DISTROLESS_BASE_TARBALL=$(find "$CONTAINER_TARBALLS_DIR" -name "distroless-base-[0-9.]*.tar.gz")
     DISTROLESS_DEBUG_TARBALL=$(find "$CONTAINER_TARBALLS_DIR" -name "distroless-debug-[0-9.]*.tar.gz")
     DISTROLESS_MINIMAL_TARBALL=$(find "$CONTAINER_TARBALLS_DIR" -name "distroless-minimal-[0-9.]*.tar.gz")
-    if [[ (! -f $BASE_TARBALL)  || \
-        (! -f $DISTROLESS_BASE_TARBALL) || \
-        (! -f $DISTROLESS_DEBUG_TARBALL) || \
-        (! -f $DISTROLESS_MINIMAL_TARBALL) ]]; then
+    #give default values
+    BASE_BUILD=${BASE_BUILD:-true}
+    DISTROLESS_BASE_BUILD=${DISTROLESS_BASE_BUILD:-true}
+    DISTROLESS_DEBUG_BUILD=${DISTROLESS_DEBUG_BUILD:-true}
+    DISTROLESS_MINIMAL_BUILD=${DISTROLESS_MINIMAL_BUILD:-true}
+
+    if [[ ($BASE_BUILD =~ [Tt]rue && ! -f $BASE_TARBALL) || \
+      ($DISTROLESS_BASE_BUILD =~ [Tt]rue  && ! -f $DISTROLESS_BASE_TARBALL) || \
+      ($DISTROLESS_DEBUG_BUILD =~ [Tt]rue && ! -f $DISTROLESS_DEBUG_TARBALL) || \
+      ($DISTROLESS_MINIMAL_BUILD =~ [Tt]rue && ! -f $DISTROLESS_MINIMAL_TARBALL) ]]; then
         echo "Error - Missing some tarball(s) in $CONTAINER_TARBALLS_DIR"
         exit 1
     fi
@@ -203,6 +217,10 @@ function initialization {
     echo "DISTROLESS_DEBUG_IMAGE_NAME           -> $DISTROLESS_DEBUG_IMAGE_NAME"
     echo "DISTROLESS_DEBUG_NONROOT_IMAGE_NAME   -> $DISTROLESS_DEBUG_NONROOT_IMAGE_NAME"
     echo "MARINARA_IMAGE_NAME                   -> $MARINARA_IMAGE_NAME"
+    echo "DISTROLESS_BASE_BUILD                 -> $DISTROLESS_BASE_BUILD"
+    echo "DISTROLESS_DEBUG_BUILD                -> $DISTROLESS_DEBUG_BUILD"
+    echo "DISTROLESS_MINIMAL_BUILD              -> $DISTROLESS_MINIMAL_BUILD"
+    echo "BASE_BUILD                            -> $BASE_BUILD"
 
     ROOT_FOLDER="$(git rev-parse --show-toplevel)"
     EULA_FILE_PATH="$ROOT_FOLDER/.pipelines/container_artifacts/data"
@@ -219,6 +237,12 @@ function docker_build {
     local image_full_name=$2
     local image_tarball=$3
     local dockerfile=$4
+    local should_build=$5
+
+    if [[ $should_build =~ [Ff]alse ]]; then
+        echo "+++ Skip building image- Fasttrack: $image_full_name"
+        return
+    fi
 
     echo "+++ Importing container image: $image_full_name"
     local temp_image=${image_full_name}_temp
@@ -256,6 +280,13 @@ function docker_build_custom {
     local image_full_name=$2
     local final_image_to_use=$3
     local dockerfile=$4
+    local should_build=$5
+
+    if [[ $should_build =~ [Ff]alse ]]; then
+        echo "+++ Skip building image- Fasttrack: $image_full_name"
+        return
+    fi
+
 
     # $WORK_DIR has $RPMS_DIR directory and $LOCAL_REPO_FILE file.
     pushd "$WORK_DIR" > /dev/null
@@ -345,15 +376,15 @@ function save_container_image {
 function build_images {
     echo "+++ Build images"
 
-    docker_build $BASE "$BASE_IMAGE_NAME" "$BASE_TARBALL" "Dockerfile-Base-Template"
-    docker_build $DISTROLESS "$DISTROLESS_BASE_IMAGE_NAME" "$DISTROLESS_BASE_TARBALL" "Dockerfile-Distroless-Template"
-    docker_build $DISTROLESS "$DISTROLESS_MINIMAL_IMAGE_NAME" "$DISTROLESS_MINIMAL_TARBALL" "Dockerfile-Distroless-Template"
-    docker_build $DISTROLESS "$DISTROLESS_DEBUG_IMAGE_NAME" "$DISTROLESS_DEBUG_TARBALL" "Dockerfile-Distroless-Template"
+    docker_build $BASE "$BASE_IMAGE_NAME" "$BASE_TARBALL" "Dockerfile-Base-Template" $BASE_BUILD
+    docker_build $DISTROLESS "$DISTROLESS_BASE_IMAGE_NAME" "$DISTROLESS_BASE_TARBALL" "Dockerfile-Distroless-Template" $DISTROLESS_BASE_BUILD
+    docker_build $DISTROLESS "$DISTROLESS_MINIMAL_IMAGE_NAME" "$DISTROLESS_MINIMAL_TARBALL" "Dockerfile-Distroless-Template" $DISTROLESS_MINIMAL_BUILD
+    docker_build $DISTROLESS "$DISTROLESS_DEBUG_IMAGE_NAME" "$DISTROLESS_DEBUG_TARBALL" "Dockerfile-Distroless-Template" $DISTROLESS_DEBUG_BUILD
 
-    docker_build_custom $BASE "$BASE_NONROOT_IMAGE_NAME" "" "Dockerfile-Base-Nonroot-Template"
-    docker_build_custom $DISTROLESS "$DISTROLESS_BASE_NONROOT_IMAGE_NAME" "$DISTROLESS_BASE_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template"
-    docker_build_custom $DISTROLESS "$DISTROLESS_MINIMAL_NONROOT_IMAGE_NAME" "$DISTROLESS_MINIMAL_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template"
-    docker_build_custom $DISTROLESS "$DISTROLESS_DEBUG_NONROOT_IMAGE_NAME" "$DISTROLESS_DEBUG_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template"
+    docker_build_custom $BASE "$BASE_NONROOT_IMAGE_NAME" "" "Dockerfile-Base-Nonroot-Template" $BASE_BUILD
+    docker_build_custom $DISTROLESS "$DISTROLESS_BASE_NONROOT_IMAGE_NAME" "$DISTROLESS_BASE_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template" $DISTROLESS_BASE_BUILD
+    docker_build_custom $DISTROLESS "$DISTROLESS_MINIMAL_NONROOT_IMAGE_NAME" "$DISTROLESS_MINIMAL_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template" $DISTROLESS_MINIMAL_BUILD
+    docker_build_custom $DISTROLESS "$DISTROLESS_DEBUG_NONROOT_IMAGE_NAME" "$DISTROLESS_DEBUG_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template" $DISTROLESS_DEBUG_BUILD
 
     docker_build_marinara
 }
 
@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for Azure
 Name:           kernel-azure-signed-%{buildarch}
-Version:        5.15.173.1
+Version:        5.15.176.3
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Mon Feb 10 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.176.3-1
+- Auto-upgrade to 5.15.176.3
+
 * Fri Dec 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.173.1-1
 - Auto-upgrade to 5.15.173.1
 
 
@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for HCI
 Name:           kernel-hci-signed-%{buildarch}
-Version:        5.15.173.1
+Version:        5.15.176.3
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Mon Feb 10 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.176.3-1
+- Auto-upgrade to 5.15.176.3
+
 * Fri Dec 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.173.1-1
 - Auto-upgrade to 5.15.173.1
 
 
@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.15.173.1
-Release:        2%{?dist}
+Version:        5.15.176.3
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Mon Feb 10 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.176.3-1
+- Auto-upgrade to 5.15.176.3
+
 * Thu Jan 09 2025 Rachel Menge <rachelmenge@microsoft.com> - 5.15.173.1-2
 - Bump release to match kernel
 
 
@@ -0,0 +1,103 @@
+From 6b7bf204cdb5f19798b6237324a3ce797f24359b Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Thu, 13 Feb 2025 04:41:42 +0000
+Subject: [PATCH] Fix CVE-2024-52616 
+Upstream Patch Reference https://github.com/avahi/avahi/pull/659/commits/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7
+
+---
+ avahi-core/wide-area.c | 36 ++++++++++++++++++++++++++++--------
+ configure.ac           |  3 ++-
+ 2 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c
+index d5e64e5..4cbba6c 100644
+--- a/avahi-core/wide-area.c
++++ b/avahi-core/wide-area.c
+@@ -40,6 +40,13 @@
+ #include "addr-util.h"
+ #include "rr-util.h"
+ 
++#ifdef HAVE_SYS_RANDOM_H
++#include <sys/random.h>
++#endif
++#ifndef HAVE_GETRANDOM
++#  define getrandom(d, len, flags) (-1)
++#endif
++
+ #define CACHE_ENTRIES_MAX 500
+ 
+ typedef struct AvahiWideAreaCacheEntry AvahiWideAreaCacheEntry;
+@@ -84,8 +91,6 @@ struct AvahiWideAreaLookupEngine {
+     int fd_ipv4, fd_ipv6;
+     AvahiWatch *watch_ipv4, *watch_ipv6;
+ 
+-    uint16_t next_id;
+-
+     /* Cache */
+     AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache);
+     AvahiHashmap *cache_by_key;
+@@ -201,6 +206,26 @@ static void sender_timeout_callback(AvahiTimeEvent *e, void *userdata) {
+     avahi_time_event_update(e, avahi_elapse_time(&tv, 1000, 0));
+ }
+ 
++static uint16_t get_random_uint16(void) {
++    uint16_t next_id;
++
++    if (getrandom(&next_id, sizeof(next_id), 0) == -1)
++        next_id = (uint16_t) rand();
++    return next_id;
++}
++
++static uint16_t avahi_wide_area_next_id(AvahiWideAreaLookupEngine *e) {
++    uint16_t next_id;
++
++    next_id = get_random_uint16();
++    while (find_lookup(e, next_id)) {
++        /* This ID is already used, get new. */
++        next_id = get_random_uint16();
++    }
++    return next_id;
++}
++
++
+ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+     AvahiWideAreaLookupEngine *e,
+     AvahiKey *key,
+@@ -227,11 +252,7 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+     /* If more than 65K wide area quries are issued simultaneously,
+      * this will break. This should be limited by some higher level */
+ 
+-    for (;; e->next_id++)
+-        if (!find_lookup(e, e->next_id))
+-            break; /* This ID is not yet used. */
+-
+-    l->id = e->next_id++;
++    l->id = avahi_wide_area_next_id(e);
+ 
+     /* We keep the packet around in case we need to repeat our query */
+     l->packet = avahi_dns_packet_new(0);
+@@ -603,7 +624,6 @@ AvahiWideAreaLookupEngine *avahi_wide_area_engine_new(AvahiServer *s) {
+         e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e);
+ 
+     e->n_dns_servers = e->current_dns_server = 0;
+-    e->next_id = (uint16_t) rand();
+ 
+     /* Initialize cache */
+     AVAHI_LLIST_HEAD_INIT(AvahiWideAreaCacheEntry, e->cache);
+diff --git a/configure.ac b/configure.ac
+index 58db8c7..ae297a9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -368,7 +368,8 @@ AC_FUNC_SELECT_ARGTYPES
+ # whether libc's malloc does too. (Same for realloc.)
+ #AC_FUNC_MALLOC
+ #AC_FUNC_REALLOC
+-AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname])
++AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname getrandom])
++AC_CHECK_HEADERS([sys/random.h])
+ 
+ AC_FUNC_CHOWN
+ AC_FUNC_STAT
+-- 
+2.45.2
+
@@ -3,7 +3,7 @@
 Summary:        Local network service discovery
 Name:           avahi
 Version:        0.8
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -18,6 +18,7 @@ Patch5:         CVE-2023-38471.patch
 Patch6:         CVE-2023-38472.patch
 Patch7:         CVE-2023-38473.patch
 Patch8:         CVE-2023-38469.patch
+Patch9:         CVE-2024-52616.patch
 BuildRequires:  automake
 BuildRequires:  dbus-devel >= 0.90
 BuildRequires:  dbus-glib-devel >= 0.70
@@ -411,6 +412,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Feb 13 2024 Kanishk Bansal <kanbansal@microsoft.com> - 0.8-4
+- Fix CVE-2024-52616 with an upstream patch
+
 * Mon Dec 02 2024 Kanishk Bansal <kanbansal@microsoft.com> - 0.8-3
 - Fix CVE-2023-38473 wih an upstream patch
 - Fix CVE-2023-38472 wih an upstream patch
 
@@ -0,0 +1,48 @@
+From e8f8cb0a82fe67fcac9ace1efd38b178748a72ca Mon Sep 17 00:00:00 2001
+From: Sudipta Pandit <sudpandit@microsoft.com>
+Date: Tue, 4 Feb 2025 16:39:33 +0530
+Subject: [PATCH] Backport patch for CVE-2025-0840 for binutils
+
+Reference: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index a7b8303b..98e0271a 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -109,7 +109,8 @@ static bool disassemble_all;		/* -D */
+ static int disassemble_zeroes;		/* --disassemble-zeroes */
+ static bool formats_info;		/* -i */
+ static int wide_output;			/* -w */
+-static int insn_width;			/* --insn-width */
++#define MAX_INSN_WIDTH 49
++static unsigned long insn_width;			/* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
+ static int dump_debugging;		/* --debugging */
+@@ -2762,7 +2763,7 @@ disassemble_bytes (struct disassemble_info *inf,
+ 	}
+       else
+ 	{
+-	  char buf[50];
++	  char buf[MAX_INSN_WIDTH + 1];
+ 	  unsigned int bpc = 0;
+ 	  unsigned int pb = 0;
+ 
+@@ -5297,8 +5298,9 @@ main (int argc, char **argv)
+ 	  break;
+ 	case OPTION_INSN_WIDTH:
+ 	  insn_width = strtoul (optarg, NULL, 0);
+-	  if (insn_width <= 0)
+-	    fatal (_("error: instruction width must be positive"));
++	  if (insn_width - 1 >= MAX_INSN_WIDTH)
++	    fatal (_("error: instruction width must be in the range 1 to "
++		     XSTRING (MAX_INSN_WIDTH)));
+ 	  break;
+ 	case OPTION_INLINES:
+ 	  unwind_inlines = true;
+-- 
+2.34.1
+
@@ -21,7 +21,7 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.37
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -45,6 +45,7 @@ Patch10:        CVE-2022-47011.patch
 Patch11:         CVE-2022-48063.patch
 Patch12:         CVE-2023-1972.patch
 Patch13:         CVE-2022-35205.patch
+Patch14:         CVE-2025-0840.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -301,6 +302,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Tue Feb 04 2025 Sudipta Pandit <sudpandit@microsoft.com> - 2.37-11
+- Backport patch to fix CVE-2025-0840
+
 * Thu Nov 14 2024 Thien Trung Vuong <tvuong@microsoft.com> - 2.37-10
 - Added patch to fix CVE-2023-1972, CVE-2022-48063, CVE-2022-35205