Merge branch '3.0-dev' into 3.0

Author: jslobodzian

LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md

@@ -2256,6 +2256,7 @@
                 "kata-packages-uvm",
                 "keda",
                 "keras",
+                "kernel-64k-signed",
                 "kernel-signed",
                 "kernel-uki",
                 "kernel-uki-signed",
@@ -2753,6 +2754,7 @@
                 "kbd",
                 "keepalived",
                 "kernel",
+                "kernel-64k",
                 "kernel-headers",
                 "kernel-mshv",
                 "kernel-rt",

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -0,0 +1,111 @@
+%global debug_package %{nil}
+%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
+%ifarch aarch64
+%global buildarch aarch64
+%endif
+%define uname_r %{version}-%{release}
+Summary:        Signed Linux Kernel for %{buildarch} systems
+Name:           kernel-64k-signed-%{buildarch}
+Version:        6.6.57.1
+Release:        5%{?dist}
+License:        GPLv2
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+Group:          System Environment/Kernel
+URL:            https://github.com/microsoft/CBL-Mariner-Linux-Kernel
+# This package's "version" and "release" must reflect the unsigned version that
+# was signed.
+# An important consequence is that when making a change to this package, the
+# unsigned version/release must be increased to keep the two versions consistent.
+# Ideally though, this spec will not change much or at all, so the version will
+# just track the unsigned package's version/release.
+#
+# To populate these sources:
+#   1. Build the unsigned packages as normal
+#   2. Sign the desired binary
+#   3. Place the unsigned package and signed binary in this spec's folder
+#   4. Build this spec
+Source0:        kernel-64k-%{version}-%{release}.%{buildarch}.rpm
+Source1:        vmlinuz-%{uname_r}
+Source2:        sha512hmac-openssl.sh
+BuildRequires:  cpio
+BuildRequires:  grub2-rpm-macros
+BuildRequires:  openssl
+BuildRequires:  sed
+%{?grub2_configuration_requires}
+
+%description
+This package contains the Linux kernel package with kernel signed with the production key
+
+%package -n     kernel-64k
+Summary:        Linux Kernel
+Group:          System Environment/Kernel
+Requires:       filesystem
+Requires:       kmod
+Requires(post): coreutils
+Requires(postun): coreutils
+
+%description -n kernel-64k
+The kernel package contains the signed Linux kernel.
+
+%prep
+
+%build
+mkdir rpm_contents
+pushd rpm_contents
+
+# This spec's whole purpose is to inject the signed kernel binary
+rpm2cpio %{SOURCE0} | cpio -idmv
+cp %{SOURCE1} ./boot/vmlinuz-%{uname_r}
+
+popd
+
+%install
+pushd rpm_contents
+
+# Don't use * wildcard. It does not copy over hidden files in the root folder...
+cp -rp ./. %{buildroot}/
+
+popd
+
+# Recalculate sha512hmac for FIPS
+%{sha512hmac} %{buildroot}/boot/vmlinuz-%{uname_r} | sed -e "s,$RPM_BUILD_ROOT,," > %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac
+cp %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac %{buildroot}/lib/modules/%{uname_r}/.vmlinuz.hmac
+
+%triggerin -n kernel-64k -- initramfs
+mkdir -p %{_localstatedir}/lib/rpm-state/initramfs/pending
+touch %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r}
+echo "initrd generation of kernel %{uname_r} will be triggered later" >&2
+
+%triggerun -n kernel-64k -- initramfs
+rm -rf %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r}
+rm -rf /boot/initramfs-%{uname_r}.img
+echo "initrd of kernel %{uname_r} removed" >&2
+
+%postun -n kernel-64k
+%grub2_postun
+
+%post -n kernel-64k
+/sbin/depmod -a %{uname_r}
+%grub2_post
+
+%files -n kernel-64k
+%defattr(-,root,root)
+%license COPYING
+/boot/System.map-%{uname_r}
+/boot/config-%{uname_r}
+/boot/vmlinuz-%{uname_r}
+/boot/.vmlinuz-%{uname_r}.hmac
+%defattr(0644,root,root)
+/lib/modules/%{uname_r}/*
+/lib/modules/%{uname_r}/.vmlinuz.hmac
+%exclude /lib/modules/%{uname_r}/build
+%exclude /lib/modules/%{uname_r}/kernel/drivers/gpu
+%exclude /lib/modules/%{uname_r}/kernel/sound
+%exclude /module_info.ld
+
+%changelog
+* Thu Nov 07 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.57.1-5
+- Original version for Azure Linux
+- Starting with release 5 to align with kernel release.
+- License verified

SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Mocks sha512hmac using the openssl tool.
+# Only for use during RPM build.
+
+openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ' | echo "$(cat -)  $1"

SPECS-SIGNED/kernel-64k-signed/sha512hmac-openssl.sh

@@ -10,7 +10,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
 Version:        6.6.57.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Mon Nov 25 2024 Chris Co <chrco@microsoft.com> - 6.6.57.1-5
+- Bump release to match kernel
+
 * Wed Nov 06 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 6.6.57.1-4
 - Bump release to match kernel
 

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -6,7 +6,7 @@
 Summary:        Signed Unified Kernel Image for %{buildarch} systems
 Name:           kernel-uki-signed-%{buildarch}
 Version:        6.6.57.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -68,6 +68,9 @@ popd
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Mon Nov 25 2024 Chris Co <chrco@microsoft.com> - 6.6.57.1-5
+- Bump release to match kernel
+
 * Wed Nov 06 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 6.6.57.1-4
 - Bump release to match kernel
 

SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec

@@ -0,0 +1,152 @@
+From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001
+From: bala <balakumaran.kannan@microsoft.com>
+Date: Mon, 25 Nov 2024 16:47:53 +0000
+Subject: [PATCH] Vendor patch applied
+
+---
+ .../protobuf/encoding/protojson/decode.go     | 12 ++++
+ .../encoding/protojson/well_known_types.go    | 59 +++++++------------
+ .../protobuf/internal/encoding/json/decode.go |  2 +-
+ 3 files changed, 33 insertions(+), 40 deletions(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
+index 5f28148..67fe4e7 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
+@@ -11,6 +11,7 @@ import (
+ 	"strconv"
+ 	"strings"
+ 
++	"google.golang.org/protobuf/encoding/protowire"
+ 	"google.golang.org/protobuf/internal/encoding/json"
+ 	"google.golang.org/protobuf/internal/encoding/messageset"
+ 	"google.golang.org/protobuf/internal/errors"
+@@ -47,6 +48,10 @@ type UnmarshalOptions struct {
+ 		protoregistry.MessageTypeResolver
+ 		protoregistry.ExtensionTypeResolver
+ 	}
++	
++	// RecursionLimit limits how deeply messages may be nested.
++	// If zero, a default limit is applied.
++	RecursionLimit int
+ }
+ 
+ // Unmarshal reads the given []byte and populates the given proto.Message
+@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error {
+ 	if o.Resolver == nil {
+ 		o.Resolver = protoregistry.GlobalTypes
+ 	}
++	if o.RecursionLimit == 0 {
++		o.RecursionLimit = protowire.DefaultRecursionLimit
++	}
+ 
+ 	dec := decoder{json.NewDecoder(b), o}
+ 	if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil {
+@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error {
+ 
+ // unmarshalMessage unmarshals a message into the given protoreflect.Message.
+ func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error {
++	d.opts.RecursionLimit--
++	if d.opts.RecursionLimit < 0 {
++		return errors.New("exceeded max recursion depth")
++	}
+ 	if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil {
+ 		return unmarshal(d, m)
+ 	}
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 6c37d41..4b177c8 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error {
+ 	// Use another decoder to parse the unread bytes for @type field. This
+ 	// avoids advancing a read from current decoder because the current JSON
+ 	// object may contain the fields of the embedded type.
+-	dec := decoder{d.Clone(), UnmarshalOptions{}}
++	dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}}
+ 	tok, err := findTypeURL(dec)
+ 	switch err {
+ 	case errEmptyObject:
+@@ -308,48 +308,29 @@ Loop:
+ // array) in order to advance the read to the next JSON value. It relies on
+ // the decoder returning an error if the types are not in valid sequence.
+ func (d decoder) skipJSONValue() error {
+-	tok, err := d.Read()
+-	if err != nil {
+-		return err
+-	}
+-	// Only need to continue reading for objects and arrays.
+-	switch tok.Kind() {
+-	case json.ObjectOpen:
+-		for {
+-			tok, err := d.Read()
+-			if err != nil {
+-				return err
+-			}
+-			switch tok.Kind() {
+-			case json.ObjectClose:
+-				return nil
+-			case json.Name:
+-				// Skip object field value.
+-				if err := d.skipJSONValue(); err != nil {
+-					return err
+-				}
+-			}
++	var open int
++	for {
++		tok, err := d.Read()
++		if err != nil {
++			return err
+ 		}
+-
+-	case json.ArrayOpen:
+-		for {
+-			tok, err := d.Peek()
+-			if err != nil {
+-				return err
+-			}
+-			switch tok.Kind() {
+-			case json.ArrayClose:
+-				d.Read()
+-				return nil
+-			default:
+-				// Skip array item.
+-				if err := d.skipJSONValue(); err != nil {
+-					return err
+-				}
++		switch tok.Kind() {
++		case json.ObjectClose, json.ArrayClose:
++			open--
++		case json.ObjectOpen, json.ArrayOpen:
++			open++
++			if open > d.opts.RecursionLimit {
++				return errors.New("exceeded max recursion depth")
+ 			}
++		case json.EOF:
++			// This can only happen if there's a bug in Decoder.Read.
++			// Avoid an infinite loop if this does happen.
++			return errors.New("unexpected EOF")
++		}
++		if open == 0 {
++			return nil
+ 		}
+ 	}
+-	return nil
+ }
+ 
+ // unmarshalAnyValue unmarshals the given custom-type message from the JSON
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index d043a6e..d2b3ac0 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+ 
+ 	case ObjectClose:
+ 		if len(d.openStack) == 0 ||
+-			d.lastToken.kind == comma ||
++			d.lastToken.kind&(Name|comma) != 0 ||
+ 			d.openStack[len(d.openStack)-1] != ObjectOpen {
+ 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ 		}
+-- 
+2.39.4
+

SPECS/cf-cli/CVE-2024-24786.patch

@@ -5,7 +5,7 @@ Summary:        The official command line client for Cloud Foundry.
 Name:           cf-cli
 # Note: Upgrading the package also warrants an upgrade in the CF_BUILD_SHA
 Version:        8.7.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -32,6 +32,7 @@ Source0:        https://github.com/cloudfoundry/cli/archive/refs/tags/v%{version
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        cli-%{version}-vendor.tar.gz
 Patch0:         CVE-2023-39325.patch
+Patch1:         CVE-2024-24786.patch
 
 BuildRequires:  golang >= 1.18.3
 %global debug_package %{nil}
@@ -44,6 +45,7 @@ The official command line client for Cloud Foundry.
 %setup -q -n cli-%{version}
 tar --no-same-owner -xf %{SOURCE1}
 %patch 0 -p1
+%patch 1 -p1
 
 %build
 export GOPATH=%{our_gopath}
@@ -65,6 +67,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf
 %{_bindir}/cf
 
 %changelog
+* Mon Nov 25 2024 Bala <balakumaran.kannan@microsoft.com> - 8.7.3-3
+- Fix CVE-2024-24786
+
 * Mon Jul 29 2024 Muhammad Falak <mwani@microsoft.com> - 8.7.3-2
 - Fix CF_BUILD_SHA to have correct build sha in the binary
 - Move Source1 un-taring in prep section