[AUTO-CHERRYPICK] hvloader: resolve CVEs in edk2's bundled openssl - branch main (#9080)

CBL-Mariner-Bot · arc9693 · web-flow · commit a714e1264de7 · 2024-05-13T19:12:37.000+05:30
Co-authored-by: Archana Choudhary &lt;36061892+arc9693@users.noreply.github.com&gt;
diff --git a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec
@@ -6,7 +6,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           hvloader-signed-%{buildarch}
 Version:        1.0.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -69,6 +69,9 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Fri May 10 2024 Archana Choudhary <archana1@microsoft.com> - 1.0.1-2
+- Update version for consistency with hvloader spec
+
 * Thu Jan 04 2024 Cameron Baird <cameronbaird@microsoft.com> - 1.0.1-1
 - Original version for CBL-Mariner.
 - License verified
diff --git a/SPECS/hvloader/hvloader.signatures.json b/SPECS/hvloader/hvloader.signatures.json
@@ -1,7 +1,7 @@
 {
  "Signatures": {
   "hvloader-1.0.1.tar.gz": "4e0a15cfab98a89a0a93f747df876ea3ee5366c3ffbd158c28e296bf52c7dfba",
-  "edk2-submodules-edk2-stable202211.tar.gz": "81a84900be864fab94935637278ac4db47b06bad1d00c1d1738c294c7caf23c7",
+  "edk2-stable202302-submodules.tar.gz": "6e0c992145070d4f9e907a2baf9441b264927902537e888d20d2749055d52f20",
   "target-x86.txt": "fcf4f427d3b80e67296be2a1d17ec124d65f673d4f6ea37d238f8d3fc1ddc4b8"
 }
-}
+}
diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec
@@ -1,17 +1,18 @@
 %define  debug_package %{nil}
 %define  name_github   HvLoader
-%define  edk2_tag      edk2-stable202211
+%define  edk2_tag      edk2-stable202302
 Summary:        HvLoader.efi is an EFI application for loading an external hypervisor loader.
 Name:           hvloader
 Version:        1.0.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/System
 URL:            https://github.com/microsoft/HvLoader
 Source0:        https://github.com/microsoft/HvLoader/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Source1:        https://github.com/tianocore/edk2/archive/refs/tags/%{edk2_tag}.tar.gz#/edk2-submodules-%{edk2_tag}.tar.gz
+# Instructions to generate edk2 submodules: https://github.com/tianocore/edk2/tree/edk2-stable202302?tab=readme-ov-file#submodules
+Source1:        https://github.com/tianocore/edk2/archive/refs/tags/%{edk2_tag}.tar.gz#/%{edk2_tag}-submodules.tar.gz
 Source2:        target-x86.txt
 BuildRequires:  bc
 BuildRequires:  gcc
@@ -57,6 +58,11 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
 /boot/efi/HvLoader.efi
 
 %changelog
+* Wed May 08 2024 Archana Choudhary <archana1@microsoft.com> - 1.0.1-2
+- Update edk2_tag to edk2-stable202302
+- Publish edk2-stable202302-submodules source
+- Address openssl related CVEs (CVE-2023-0286, CVE-2023-0215, CVE-2022-4450, CVE-2022-4304)
+
 * Tue May 02 2023 Cameron Baird <cameronbaird@microsoft.com> - 1.0.1-1
 - Add hvloader.spec
 - License verified

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`	`3`	`"hvloader-1.0.1.tar.gz": "4e0a15cfab98a89a0a93f747df876ea3ee5366c3ffbd158c28e296bf52c7dfba",`
`4`		`- "edk2-submodules-edk2-stable202211.tar.gz": "81a84900be864fab94935637278ac4db47b06bad1d00c1d1738c294c7caf23c7",`
	`4`	`+ "edk2-stable202302-submodules.tar.gz": "6e0c992145070d4f9e907a2baf9441b264927902537e888d20d2749055d52f20",`
`5`	`5`	`"target-x86.txt": "fcf4f427d3b80e67296be2a1d17ec124d65f673d4f6ea37d238f8d3fc1ddc4b8"`
`6`	`6`	`}`
`7`		`-}`
	`7`	`+}`