
Commit 27dfefb

committed
Merge branch 'main' into 2.0
2 parents 9bb55a6 + f9dd597 commit 27dfefb

57 files changed

Lines changed: 2700 additions & 110 deletions


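--- a/.pipelines/containerSourceData/scripts/BuildBaseContainers.sh
+++ b/.pipelines/containerSourceData/scripts/BuildBaseContainers.sh
@@ -49,7 +49,7 @@ set -e
 # -r "" \
 # -q "false"
 
-while getopts ":a:c:k:l:o:p:r:q:" OPTIONS; do
+while getopts ":a:c:k:l:o:p:r:q:s:t:u:v:" OPTIONS; do
 case ${OPTIONS} in
 a ) ACR=$OPTARG;;
 c ) CONTAINER_TARBALLS_DIR=$OPTARG;;
@@ -59,6 +59,10 @@ while getopts ":a:c:k:l:o:p:r:q:" OPTIONS; do
 p ) PUBLISHING_LEVEL=$OPTARG;;
 r ) REPO_PREFIX=$OPTARG;;
 q ) PUBLISH_TO_ACR=$OPTARG;;
+s ) DISTROLESS_BASE_BUILD=$OPTARG;;
+t ) DISTROLESS_DEBUG_BUILD=$OPTARG;;
+u ) DISTROLESS_MINIMAL_BUILD=$OPTARG;;
+v ) BASE_BUILD=$OPTARG;;
 
 \? )
 echo "Error - Invalid Option: -$OPTARG" 1>&2
@@ -88,6 +92,10 @@ function print_inputs {
 echo "PUBLISHING_LEVEL -> $PUBLISHING_LEVEL"
 echo "PUBLISH_TO_ACR -> $PUBLISH_TO_ACR"
 echo "OUTPUT_DIR -> $OUTPUT_DIR"
+echo "DISTROLESS_BASE_BUILD -> $DISTROLESS_BASE_BUILD"
+echo "DISTROLESS_DEBUG_BUILD -> $DISTROLESS_DEBUG_BUILD"
+echo "DISTROLESS_MINIMAL_BUILD -> $DISTROLESS_MINIMAL_BUILD"
+echo "BASE_BUILD -> $BASE_BUILD"
 }
 
 function validate_inputs {
@@ -106,10 +114,16 @@ function validate_inputs {
 DISTROLESS_BASE_TARBALL=$(find "$CONTAINER_TARBALLS_DIR" -name "distroless-base-[0-9.]*.tar.gz")
 DISTROLESS_DEBUG_TARBALL=$(find "$CONTAINER_TARBALLS_DIR" -name "distroless-debug-[0-9.]*.tar.gz")
 DISTROLESS_MINIMAL_TARBALL=$(find "$CONTAINER_TARBALLS_DIR" -name "distroless-minimal-[0-9.]*.tar.gz")
-if [[ (! -f $BASE_TARBALL) || \
-(! -f $DISTROLESS_BASE_TARBALL) || \
-(! -f $DISTROLESS_DEBUG_TARBALL) || \
-(! -f $DISTROLESS_MINIMAL_TARBALL) ]]; then
+#give default values
+BASE_BUILD=${BASE_BUILD:-true}
+DISTROLESS_BASE_BUILD=${DISTROLESS_BASE_BUILD:-true}
+DISTROLESS_DEBUG_BUILD=${DISTROLESS_DEBUG_BUILD:-true}
+DISTROLESS_MINIMAL_BUILD=${DISTROLESS_MINIMAL_BUILD:-true}
+
+if [[ ($BASE_BUILD =~ [Tt]rue && ! -f $BASE_TARBALL) || \
+($DISTROLESS_BASE_BUILD =~ [Tt]rue && ! -f $DISTROLESS_BASE_TARBALL) || \
+($DISTROLESS_DEBUG_BUILD =~ [Tt]rue && ! -f $DISTROLESS_DEBUG_TARBALL) || \
+($DISTROLESS_MINIMAL_BUILD =~ [Tt]rue && ! -f $DISTROLESS_MINIMAL_TARBALL) ]]; then
 echo "Error - Missing some tarball(s) in $CONTAINER_TARBALLS_DIR"
 exit 1
 fi
@@ -203,6 +217,10 @@ function initialization {
 echo "DISTROLESS_DEBUG_IMAGE_NAME -> $DISTROLESS_DEBUG_IMAGE_NAME"
 echo "DISTROLESS_DEBUG_NONROOT_IMAGE_NAME -> $DISTROLESS_DEBUG_NONROOT_IMAGE_NAME"
 echo "MARINARA_IMAGE_NAME -> $MARINARA_IMAGE_NAME"
+echo "DISTROLESS_BASE_BUILD -> $DISTROLESS_BASE_BUILD"
+echo "DISTROLESS_DEBUG_BUILD -> $DISTROLESS_DEBUG_BUILD"
+echo "DISTROLESS_MINIMAL_BUILD -> $DISTROLESS_MINIMAL_BUILD"
+echo "BASE_BUILD -> $BASE_BUILD"
 
 ROOT_FOLDER="$(git rev-parse --show-toplevel)"
 EULA_FILE_PATH="$ROOT_FOLDER/.pipelines/container_artifacts/data"
@@ -219,6 +237,12 @@ function docker_build {
 local image_full_name=$2
 local image_tarball=$3
 local dockerfile=$4
+local should_build=$5
+
+if [[ $should_build =~ [Ff]alse ]]; then
+echo "+++ Skip building image- Fasttrack: $image_full_name"
+return
+fi
 
 echo "+++ Importing container image: $image_full_name"
 local temp_image=${image_full_name}_temp
@@ -256,6 +280,13 @@ function docker_build_custom {
 local image_full_name=$2
 local final_image_to_use=$3
 local dockerfile=$4
+local should_build=$5
+
+if [[ $should_build =~ [Ff]alse ]]; then
+echo "+++ Skip building image- Fasttrack: $image_full_name"
+return
+fi
+
 
 # $WORK_DIR has $RPMS_DIR directory and $LOCAL_REPO_FILE file.
 pushd "$WORK_DIR" > /dev/null
@@ -345,15 +376,15 @@ function save_container_image {
 function build_images {
 echo "+++ Build images"
 
-docker_build $BASE "$BASE_IMAGE_NAME" "$BASE_TARBALL" "Dockerfile-Base-Template"
-docker_build $DISTROLESS "$DISTROLESS_BASE_IMAGE_NAME" "$DISTROLESS_BASE_TARBALL" "Dockerfile-Distroless-Template"
-docker_build $DISTROLESS "$DISTROLESS_MINIMAL_IMAGE_NAME" "$DISTROLESS_MINIMAL_TARBALL" "Dockerfile-Distroless-Template"
-docker_build $DISTROLESS "$DISTROLESS_DEBUG_IMAGE_NAME" "$DISTROLESS_DEBUG_TARBALL" "Dockerfile-Distroless-Template"
+docker_build $BASE "$BASE_IMAGE_NAME" "$BASE_TARBALL" "Dockerfile-Base-Template" $BASE_BUILD
+docker_build $DISTROLESS "$DISTROLESS_BASE_IMAGE_NAME" "$DISTROLESS_BASE_TARBALL" "Dockerfile-Distroless-Template" $DISTROLESS_BASE_BUILD
+docker_build $DISTROLESS "$DISTROLESS_MINIMAL_IMAGE_NAME" "$DISTROLESS_MINIMAL_TARBALL" "Dockerfile-Distroless-Template" $DISTROLESS_MINIMAL_BUILD
+docker_build $DISTROLESS "$DISTROLESS_DEBUG_IMAGE_NAME" "$DISTROLESS_DEBUG_TARBALL" "Dockerfile-Distroless-Template" $DISTROLESS_DEBUG_BUILD
 
-docker_build_custom $BASE "$BASE_NONROOT_IMAGE_NAME" "" "Dockerfile-Base-Nonroot-Template"
-docker_build_custom $DISTROLESS "$DISTROLESS_BASE_NONROOT_IMAGE_NAME" "$DISTROLESS_BASE_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template"
-docker_build_custom $DISTROLESS "$DISTROLESS_MINIMAL_NONROOT_IMAGE_NAME" "$DISTROLESS_MINIMAL_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template"
-docker_build_custom $DISTROLESS "$DISTROLESS_DEBUG_NONROOT_IMAGE_NAME" "$DISTROLESS_DEBUG_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template"
+docker_build_custom $BASE "$BASE_NONROOT_IMAGE_NAME" "" "Dockerfile-Base-Nonroot-Template" $BASE_BUILD
+docker_build_custom $DISTROLESS "$DISTROLESS_BASE_NONROOT_IMAGE_NAME" "$DISTROLESS_BASE_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template" $DISTROLESS_BASE_BUILD
+docker_build_custom $DISTROLESS "$DISTROLESS_MINIMAL_NONROOT_IMAGE_NAME" "$DISTROLESS_MINIMAL_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template" $DISTROLESS_MINIMAL_BUILD
+docker_build_custom $DISTROLESS "$DISTROLESS_DEBUG_NONROOT_IMAGE_NAME" "$DISTROLESS_DEBUG_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template" $DISTROLESS_DEBUG_BUILD
 
 docker_build_marinara
 }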
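Review bot: The skip predicate added to docker_build and docker_build_custom (`=~ [Ff]alse`) is the inverse of the predicate validate_inputs now uses to require a tarball (`=~ [Tt]rue`), so a flag value that is neither — a typo such as `ture`, or `yes`/`1`/`0` — passes validation with no tarball check and then still reaches the docker import, failing later with a less clear error. Both regexes are also unanchored, so values like `notfalse` or `untrue` match. Validating each of the four flags once in validate_inputs right after the defaults are applied, e.g. `[[ $BASE_BUILD =~ ^([Tt]rue|[Ff]alse)$ ]] || { echo "Error - BASE_BUILD must be true or false" 1>&2; exit 1; }`, closes the gap without touching the two call sites. validate_inputs, docker_build and docker_build_custom each begin before and end after their hunks.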

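--- a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec
+++ b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec
@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for Azure
 Name: kernel-azure-signed-%{buildarch}
-Version: 5.15.173.1
+Version: 5.15.176.3
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Mon Feb 10 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.176.3-1
+- Auto-upgrade to 5.15.176.3
+
 * Fri Dec 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.173.1-1
 - Auto-upgrade to 5.15.173.1
 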
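--- a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec
+++ b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec
@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for HCI
 Name: kernel-hci-signed-%{buildarch}
-Version: 5.15.173.1
+Version: 5.15.176.3
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Mon Feb 10 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.176.3-1
+- Auto-upgrade to 5.15.176.3
+
 * Fri Dec 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.173.1-1
 - Auto-upgrade to 5.15.173.1
 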
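--- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for %{buildarch} systems
 Name: kernel-signed-%{buildarch}
-Version: 5.15.173.1
-Release: 2%{?dist}
+Version: 5.15.176.3
+Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Mon Feb 10 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.176.3-1
+- Auto-upgrade to 5.15.176.3
+
 * Thu Jan 09 2025 Rachel Menge <rachelmenge@microsoft.com> - 5.15.173.1-2
 - Bump release to match kernel
 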
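--- /dev/null
+++ b/SPECS/avahi/CVE-2024-52616.patch
@@ -0,0 +1,103 @@
+From 6b7bf204cdb5f19798b6237324a3ce797f24359b Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Thu, 13 Feb 2025 04:41:42 +0000
+Subject: [PATCH] Fix CVE-2024-52616
+Upstream Patch Reference https://github.com/avahi/avahi/pull/659/commits/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7
+
+---
+avahi-core/wide-area.c | 36 ++++++++++++++++++++++++++++--------
+configure.ac | 3 ++-
+2 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c
+index d5e64e5..4cbba6c 100644
+--- a/avahi-core/wide-area.c
++++ b/avahi-core/wide-area.c
+@@ -40,6 +40,13 @@
+#include "addr-util.h"
+#include "rr-util.h"
+
++#ifdef HAVE_SYS_RANDOM_H
++#include <sys/random.h>
++#endif
++#ifndef HAVE_GETRANDOM
++# define getrandom(d, len, flags) (-1)
++#endif
++
+#define CACHE_ENTRIES_MAX 500
+
+typedef struct AvahiWideAreaCacheEntry AvahiWideAreaCacheEntry;
+@@ -84,8 +91,6 @@ struct AvahiWideAreaLookupEngine {
+int fd_ipv4, fd_ipv6;
+AvahiWatch *watch_ipv4, *watch_ipv6;
+
+- uint16_t next_id;
+-
+/* Cache */
+AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache);
+AvahiHashmap *cache_by_key;
+@@ -201,6 +206,26 @@ static void sender_timeout_callback(AvahiTimeEvent *e, void *userdata) {
+avahi_time_event_update(e, avahi_elapse_time(&tv, 1000, 0));
+}
+
++static uint16_t get_random_uint16(void) {
++ uint16_t next_id;
++
++ if (getrandom(&next_id, sizeof(next_id), 0) == -1)
++ next_id = (uint16_t) rand();
++ return next_id;
++}
++
++static uint16_t avahi_wide_area_next_id(AvahiWideAreaLookupEngine *e) {
++ uint16_t next_id;
++
++ next_id = get_random_uint16();
++ while (find_lookup(e, next_id)) {
++ /* This ID is already used, get new. */
++ next_id = get_random_uint16();
++ }
++ return next_id;
++}
++
++
+AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+AvahiWideAreaLookupEngine *e,
+AvahiKey *key,
+@@ -227,11 +252,7 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+/* If more than 65K wide area quries are issued simultaneously,
+* this will break. This should be limited by some higher level */
+
+- for (;; e->next_id++)
+- if (!find_lookup(e, e->next_id))
+- break; /* This ID is not yet used. */
+-
+- l->id = e->next_id++;
++ l->id = avahi_wide_area_next_id(e);
+
+/* We keep the packet around in case we need to repeat our query */
+l->packet = avahi_dns_packet_new(0);
+@@ -603,7 +624,6 @@ AvahiWideAreaLookupEngine *avahi_wide_area_engine_new(AvahiServer *s) {
+e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e);
+
+e->n_dns_servers = e->current_dns_server = 0;
+- e->next_id = (uint16_t) rand();
+
+/* Initialize cache */
+AVAHI_LLIST_HEAD_INIT(AvahiWideAreaCacheEntry, e->cache);
+diff --git a/configure.ac b/configure.ac
+index 58db8c7..ae297a9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -368,7 +368,8 @@ AC_FUNC_SELECT_ARGTYPES
+# whether libc's malloc does too. (Same for realloc.)
+#AC_FUNC_MALLOC
+#AC_FUNC_REALLOC
+-AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname])
++AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname getrandom])
++AC_CHECK_HEADERS([sys/random.h])
+
+AC_FUNC_CHOWN
+AC_FUNC_STAT
+--
+2.45.2
+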
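Review bot: get_random_uint16 falls back to `(uint16_t) rand()` whenever getrandom is unavailable or fails, and with the `# define getrandom(d, len, flags) (-1)` stub that is every call when HAVE_GETRANDOM is not defined — exactly the predictable transaction-ID source this patch is meant to retire, with no log line to show it is happening. HAVE_GETRANDOM is only ever defined if the amended configure.ac is regenerated and run during the package build; the spec's %build section is not visible here, so that is worth confirming from the configure output of an actual build. A one-time `avahi_log_warn` on the fallback path would make the degraded state observable on an affected build. As this file carries an upstream commit, such a change belongs upstream or in a separately named follow-up patch rather than as an edit here.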

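--- a/SPECS/avahi/avahi.spec
+++ b/SPECS/avahi/avahi.spec
@@ -3,7 +3,7 @@
 Summary: Local network service discovery
 Name: avahi
 Version: 0.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -18,6 +18,7 @@ Patch5: CVE-2023-38471.patch
 Patch6: CVE-2023-38472.patch
 Patch7: CVE-2023-38473.patch
 Patch8: CVE-2023-38469.patch
+Patch9: CVE-2024-52616.patch
 BuildRequires: automake
 BuildRequires: dbus-devel >= 0.90
 BuildRequires: dbus-glib-devel >= 0.70
@@ -411,6 +412,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Feb 13 2024 Kanishk Bansal <kanbansal@microsoft.com> - 0.8-4
+- Fix CVE-2024-52616 with an upstream patch
+
 * Mon Dec 02 2024 Kanishk Bansal <kanbansal@microsoft.com> - 0.8-3
 - Fix CVE-2023-38473 wih an upstream patch
 - Fix CVE-2023-38472 wih an upstream patch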
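Review bot: The new %changelog entry is dated `Thu Feb 13 2024`, but the patch added by this same commit is dated `Thu, 13 Feb 2025` and the entry sits above one dated `Mon Dec 02 2024`, so the year is a typo that puts the changelog out of descending order (which rpm tooling warns about); `* Thu Feb 13 2025 Kanishk Bansal <kanbansal@microsoft.com> - 0.8-4` is the consistent line. The Patch9 line only takes effect if %prep applies it — automatic with %autosetup, but an explicit `%patch9 -p1` is needed if patches are listed one by one; %prep is outside this section. The patch also edits configure.ac, so %build must regenerate configure for its new getrandom check to do anything; the existing `BuildRequires: automake` suggests it does, but that too is outside this section.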

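--- /dev/null
+++ b/SPECS/binutils/CVE-2025-0840.patch
@@ -0,0 +1,48 @@
+From e8f8cb0a82fe67fcac9ace1efd38b178748a72ca Mon Sep 17 00:00:00 2001
+From: Sudipta Pandit <sudpandit@microsoft.com>
+Date: Tue, 4 Feb 2025 16:39:33 +0530
+Subject: [PATCH] Backport patch for CVE-2025-0840 for binutils
+
+Reference: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893
+---
+binutils/objdump.c | 10 ++++++----
+1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index a7b8303b..98e0271a 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -109,7 +109,8 @@ static bool disassemble_all; /* -D */
+static int disassemble_zeroes; /* --disassemble-zeroes */
+static bool formats_info; /* -i */
+static int wide_output; /* -w */
+-static int insn_width; /* --insn-width */
++#define MAX_INSN_WIDTH 49
++static unsigned long insn_width; /* --insn-width */
+static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+static bfd_vma stop_address = (bfd_vma) -1; /* --stop-address */
+static int dump_debugging; /* --debugging */
+@@ -2762,7 +2763,7 @@ disassemble_bytes (struct disassemble_info *inf,
+}
+else
+{
+- char buf[50];
++ char buf[MAX_INSN_WIDTH + 1];
+unsigned int bpc = 0;
+unsigned int pb = 0;
+
+@@ -5297,8 +5298,9 @@ main (int argc, char **argv)
+break;
+case OPTION_INSN_WIDTH:
+insn_width = strtoul (optarg, NULL, 0);
+- if (insn_width <= 0)
+- fatal (_("error: instruction width must be positive"));
++ if (insn_width - 1 >= MAX_INSN_WIDTH)
++ fatal (_("error: instruction width must be in the range 1 to "
++ XSTRING (MAX_INSN_WIDTH)));
+break;
+case OPTION_INLINES:
+unwind_inlines = true;
+--
+2.34.1
+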

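--- a/SPECS/binutils/binutils.spec
+++ b/SPECS/binutils/binutils.spec
@@ -21,7 +21,7 @@
 Summary: Contains a linker, an assembler, and other tools
 Name: binutils
 Version: 2.37
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -45,6 +45,7 @@ Patch10: CVE-2022-47011.patch
 Patch11: CVE-2022-48063.patch
 Patch12: CVE-2023-1972.patch
 Patch13: CVE-2022-35205.patch
+Patch14: CVE-2025-0840.patch
 Provides: bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -301,6 +302,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Tue Feb 04 2025 Sudipta Pandit <sudpandit@microsoft.com> - 2.37-11
+- Backport patch to fix CVE-2025-0840
+
 * Thu Nov 14 2024 Thien Trung Vuong <tvuong@microsoft.com> - 2.37-10
 - Added patch to fix CVE-2023-1972, CVE-2022-48063, CVE-2022-35205
 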
