[AUTO-CHERRYPICK] Fix crash for CVE-2021-20197, CVE-2022-47673, CVE-2022-47696, CVE-2022-37434 [High] - branch main (#13536)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit 4249a35d4198 · 2025-04-24T18:21:22.000-04:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/crash/crash.signatures.json b/SPECS/crash/crash.signatures.json
@@ -1,6 +1,6 @@
 {
  "Signatures": {
   "crash-8.0.1.tar.gz": "233208b1433a49e1d5a063fa88e6fc9772b99fbb7b30ae79a2115d1b8f0dfc52",
-  "gdb-10.2.tar.gz": "b33ad58d687487a821ec8d878daab0f716be60d0936f2e3ac5cf08419ce70350"
+  "gdb-10.2-3.tar.gz": "0d322f3c3ee75b364eb4f90b394c9ecc17800d2a94d2913a5ea845acead26bd2"
  }
 }
diff --git a/SPECS/crash/crash.spec b/SPECS/crash/crash.spec
@@ -1,14 +1,16 @@
+%global gdb_version 10.2
 Name:          crash
 Version:       8.0.1
-Release:       3%{?dist}
+Release:       4%{?dist}
 Summary:       kernel crash analysis utility for live systems, netdump, diskdump, kdump, LKCD or mcore dumpfiles
 Group:         Development/Tools
 Vendor:        Microsoft Corporation
 Distribution:  Mariner
 URL:           https://github.com/crash-utility/crash
 Source0:       https://github.com/crash-utility/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # crash requires gdb tarball for the build. There is no option to use the host gdb. For crash 8.0.1 the newest supported gdb version is 10.2.
-Source1:       https://ftp.gnu.org/gnu/gdb/gdb-10.2.tar.gz
+# '-3' version of the tarball contains fix for CVE-2021-20197, CVE-2022-47673, CVE-2022-47696, CVE-2022-37434 which cannot be applied as a .patch because source1 is only untar'ed during crash make
+Source1:       gdb-%{gdb_version}-3.tar.gz
 # lzo patch sourced from https://src.fedoraproject.org/rpms/crash/blob/rawhide/f/lzo_snappy_zstd.patch
 Patch0:        lzo_snappy_zstd.patch
 License:       GPLv3+
@@ -36,7 +38,8 @@ This package contains libraries and header files need for development.
 
 %prep
 %autosetup -n %{name}-%{version}
-cp %{SOURCE1} .
+# make expect the gdb tarball to be named with its version only, gdb-[version].tar.gz, e.g.: gdb-10.2.tar.gz
+cp %{SOURCE1} ./gdb-%{gdb_version}.tar.gz
 
 %build
 make RPMPKG=%{version}-%{release}
@@ -55,14 +58,17 @@ cp -p defs.h %{buildroot}%{_includedir}/crash
 %license COPYING3
 %{_bindir}/crash
 %{_mandir}/man8/crash.8.gz
-%doc COPYING3 README
+%doc README
 
 %files devel
 %defattr(-,root,root)
 %dir %{_includedir}/crash
 %{_includedir}/crash/*.h
 
 %changelog
+* Mon Apr 21 2025 Kanishk Bansal <kanbansal@microsoft.com> - 8.0.1-4
+- Update gdb-10.2-3.tar.gz to address CVE-2021-20197, CVE-2022-47673, CVE-2022-47696, CVE-2022-37434
+
 * Mon Oct 09 2023 Chris Co <chrco@microsoft.com> - 8.0.1-3
 - Add patch from Fedora to enable lzo, snappy, zstd compression support
 - Remove unused crash printk fix patch

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`	`3`	`"crash-8.0.1.tar.gz": "233208b1433a49e1d5a063fa88e6fc9772b99fbb7b30ae79a2115d1b8f0dfc52",`
`4`		`- "gdb-10.2.tar.gz": "b33ad58d687487a821ec8d878daab0f716be60d0936f2e3ac5cf08419ce70350"`
	`4`	`+ "gdb-10.2-3.tar.gz": "0d322f3c3ee75b364eb4f90b394c9ecc17800d2a94d2913a5ea845acead26bd2"`
`5`	`5`	`}`
`6`	`6`	`}`