Merge branch 'main' into 2.0

Author: jslobodzian

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -10,7 +10,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
 Version:        5.15.148.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Feb 14 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.148.2-2
+- Bump release to match kernel
+
 * Thu Feb 08 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.148.2-1
 - Auto-upgrade to 5.15.148.2
 

SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec

@@ -25,11 +25,10 @@ Source0:        %{name}-%{version}.tar.gz
 #
 Source1:        %{name}-%{version}-vendor.tar.gz
 
-# patches for vendored code >= 1000
 # If upstream ever upgrades client_goland to 1.11.1, we can get rid of this patch.
-Patch1000:      CVE-2022-21698.patch
-Patch1001:      CVE-2023-44487.patch
-Patch1002:      CVE-2021-44716.patch
+Patch0:         CVE-2022-21698.patch
+Patch1:         CVE-2023-44487.patch
+Patch2:         CVE-2021-44716.patch
 
 BuildRequires:  golang >= 1.13
 %if %{with_check}

SPECS/cf-cli/cf-cli.spec

@@ -27,10 +27,8 @@ Source0:        https://github.com/cloudfoundry/cli/archive/refs/tags/v%{version
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        cli-%{version}-vendor.tar.gz
-
-# patches for vendored code >= 1000
-Patch1000:      CVE-2023-44487.patch
-Patch1001:      CVE-2021-44716.patch
+Patch0:         CVE-2023-44487.patch
+Patch1:         CVE-2021-44716.patch
 
 BuildRequires:  golang >= 1.18.3
 %global debug_package %{nil}

SPECS/cloud-init/ci-Pin-pytest-8.0.0.patch

@@ -0,0 +1,41 @@
+From 7c96c9cd9318e816ce4564b58a2c98271363c447 Mon Sep 17 00:00:00 2001
+From: Brett Holman <brett.holman@canonical.com>
+Date: Mon, 29 Jan 2024 12:03:36 -0700
+Subject: [PATCH] ci: Pin pytest<8.0.0. (#4816)
+
+The latest pytest release broke some tests in non-obvious ways. Pin
+the version for now so that CI passes.
+---
+ integration-requirements.txt | 2 +-
+ test-requirements.txt        | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/integration-requirements.txt b/integration-requirements.txt
+index dc17759a..208a0c6a 100644
+--- a/integration-requirements.txt
++++ b/integration-requirements.txt
+@@ -7,7 +7,7 @@ pycloudlib>=5.10.0,<1!6
+ # test/unittests/conftest.py to be loaded by our integration-tests tox env
+ # resulting in an unmet dependency issue:
+ # https://github.com/pytest-dev/pytest/issues/11104
+-pytest!=7.3.2
++pytest!=7.3.2,<8.0.0
+ 
+ packaging
+ passlib
+diff --git a/test-requirements.txt b/test-requirements.txt
+index 46a98b4c..3d2480fd 100644
+--- a/test-requirements.txt
++++ b/test-requirements.txt
+@@ -4,7 +4,7 @@
+ # test/unittests/conftest.py to be loaded by our integration-tests tox env
+ # resulting in an unmet dependency issue:
+ # https://github.com/pytest-dev/pytest/issues/11104
+-pytest!=7.3.2
++pytest!=7.3.2,<8.0.0
+ 
+ pytest-cov
+ pytest-mock
+-- 
+2.33.8
+

SPECS/cloud-init/cloud-init.spec

@@ -1,7 +1,7 @@
 Summary:        Cloud instance init scripts
 Name:           cloud-init
 Version:        23.4.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv3
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -10,6 +10,7 @@ URL:            https://launchpad.net/cloud-init
 Source0:        https://launchpad.net/cloud-init/trunk/%{version}/+download/%{name}-%{version}.tar.gz
 Source1:        10-azure-kvp.cfg
 Patch0:         Retain-exit-code-in-cloud-init-status-for-recoverabl.patch
+Patch1:         ci-Pin-pytest-8.0.0.patch
 %define cl_services cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service
 BuildRequires:  automake
 BuildRequires:  dbus
@@ -145,6 +146,9 @@ make check %{?_smp_mflags}
 %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg
 
 %changelog
+* Fri Feb 09 2024 Chris Co <chrco@microsoft.com> - 23.4.1-3
+- Add patch to pin pytest to <8.0.0 so cloud-init tests run correctly
+
 * Fri Jan 19 2024 Chris Co <chrco@microsoft.com> - 23.4.1-2
 - Add patch to retain exit code for recoverable errors
 

SPECS/cri-tools/CVE-2024-21626.patch

@@ -0,0 +1,93 @@
+diff -urN b/cri-tools-1.28.0/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go a/cri-tools-1.28.0/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+--- cri-tools-1.28.0/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go	2023-08-11 06:45:27.000000000 -0700
++++ cri-tools-1.28.0/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go	2024-02-13 15:41:56.671537200 -0800
+@@ -7,6 +7,7 @@
+ 	"fmt"
+ 	"os"
+ 	"strconv"
++	_ "unsafe" // for go:linkname
+ 
+ 	"golang.org/x/sys/unix"
+ )
+@@ -23,9 +24,11 @@
+ 	return nil
+ }
+ 
+-// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for
+-// the process (except for those below the given fd value).
+-func CloseExecFrom(minFd int) error {
++type fdFunc func(fd int)
++
++// fdRangeFrom calls the passed fdFunc for each file descriptor that is open in
++// the current process.
++func fdRangeFrom(minFd int, fn fdFunc) error {
+ 	fdDir, err := os.Open("/proc/self/fd")
+ 	if err != nil {
+ 		return err
+@@ -50,15 +53,60 @@
+ 		if fd < minFd {
+ 			continue
+ 		}
+-		// Intentionally ignore errors from unix.CloseOnExec -- the cases where
+-		// this might fail are basically file descriptors that have already
+-		// been closed (including and especially the one that was created when
+-		// os.ReadDir did the "opendir" syscall).
+-		unix.CloseOnExec(fd)
++		// Ignore the file descriptor we used for readdir, as it will be closed
++		// when we return.
++		if uintptr(fd) == fdDir.Fd() {
++			continue
++		}
++		// Run the closure.
++		fn(fd)
+ 	}
+ 	return nil
+ }
+ 
++// CloseExecFrom sets the O_CLOEXEC flag on all file descriptors greater or
++// equal to minFd in the current process.
++func CloseExecFrom(minFd int) error {
++	return fdRangeFrom(minFd, unix.CloseOnExec)
++}
++
++//go:linkname runtime_IsPollDescriptor internal/poll.IsPollDescriptor
++
++// In order to make sure we do not close the internal epoll descriptors the Go
++// runtime uses, we need to ensure that we skip descriptors that match
++// "internal/poll".IsPollDescriptor. Yes, this is a Go runtime internal thing,
++// unfortunately there's no other way to be sure we're only keeping the file
++// descriptors the Go runtime needs. Hopefully nothing blows up doing this...
++func runtime_IsPollDescriptor(fd uintptr) bool //nolint:revive
++
++// UnsafeCloseFrom closes all file descriptors greater or equal to minFd in the
++// current process, except for those critical to Go's runtime (such as the
++// netpoll management descriptors).
++//
++// NOTE: That this function is incredibly dangerous to use in most Go code, as
++// closing file descriptors from underneath *os.File handles can lead to very
++// bad behaviour (the closed file descriptor can be re-used and then any
++// *os.File operations would apply to the wrong file). This function is only
++// intended to be called from the last stage of runc init.
++func UnsafeCloseFrom(minFd int) error {
++	// We must not close some file descriptors.
++	return fdRangeFrom(minFd, func(fd int) {
++		if runtime_IsPollDescriptor(uintptr(fd)) {
++			// These are the Go runtimes internal netpoll file descriptors.
++			// These file descriptors are operated on deep in the Go scheduler,
++			// and closing those files from underneath Go can result in panics.
++			// There is no issue with keeping them because they are not
++			// executable and are not useful to an attacker anyway. Also we
++			// don't have any choice.
++			return
++		}
++		// There's nothing we can do about errors from close(2), and the
++		// only likely error to be seen is EBADF which indicates the fd was
++		// already closed (in which case, we got what we wanted).
++		_ = unix.Close(fd)
++	})
++}
++
+ // NewSockPair returns a new unix socket pair
+ func NewSockPair(name string) (parent *os.File, child *os.File, err error) {
+ 	fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0)
+Binary files b/v1.28.0.tar.gz and a/v1.28.0.tar.gz differ

SPECS/cri-tools/cri-tools.spec

@@ -7,13 +7,14 @@
 Summary:        CRI tools
 Name:           cri-tools
 Version:        1.28.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Tools
 URL:            https://github.com/kubernetes-sigs/cri-tools
 Source0:        https://github.com/kubernetes-sigs/cri-tools/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0:         CVE-2024-21626.patch
 BuildRequires:  glib-devel
 BuildRequires:  glibc-devel
 BuildRequires:  golang
@@ -44,9 +45,12 @@ install -p -m 755 -t %{buildroot}%{_bindir} "${BUILD_FOLDER}/critest"
 %{_bindir}/critest
 
 %changelog
-* Fri Feb 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.28.0-4
+* Thu Feb 15 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.28.0-5
 - Bump release to rebuild with go 1.21.6
 
+* Wed Feb 14 2024 Riken Maharjan <rmaharjan@microsoft.com> - 1.28.0-4
+- Patch runc for CVE-2024-21626
+
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.28.0-3
 - Bump release to rebuild with go 1.20.9
 

SPECS/csi-driver-lvm/csi-driver-lvm.spec

@@ -20,8 +20,7 @@ Source0:        https://github.com/metal-stack/%{name}/archive/refs/tags/v%{vers
 #           -cf %%{name}-%%{version}-govendor.tar.gz vendor
 Source1:        %{name}-%{version}-govendor.tar.gz
 
-# patches for vendored code >= 1000
-Patch1000:      CVE-2021-44716.patch
+Patch0:         CVE-2021-44716.patch
 
 BuildRequires:  golang
 Requires:       %{name}-csi-lvmplugin-provisioner

SPECS/git-lfs/git-lfs.spec

@@ -28,10 +28,8 @@ Source0:       https://github.com/git-lfs/git-lfs/archive/v%{version}.tar.gz#/%{
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:       %{name}-%{version}-vendor.tar.gz
-
-# patches for vendored code >= 1000
-Patch1000:     CVE-2023-44487.patch
-Patch1001:     CVE-2021-44716.patch
+Patch0:        CVE-2023-44487.patch
+Patch1:        CVE-2021-44716.patch
 
 BuildRequires: golang
 BuildRequires: which

SPECS/jx/jx.spec

@@ -27,10 +27,8 @@ Source0:        https://github.com/jenkins-x/jx/archive/v%{version}.tar.gz#/%{na
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        %{name}-%{version}-vendor.tar.gz
-
-# patches for vendored code >= 1000
-Patch1000:      CVE-2023-44487.patch
-Patch1001:      CVE-2021-44716.patch
+Patch0:         CVE-2023-44487.patch
+Patch1:         CVE-2021-44716.patch
 
 BuildRequires:  golang >= 1.17.1
 %global debug_package %{nil}