Merge branch 'main' into 2.0

Author: jslobodzian

SPECS/binutils/CVE-2022-35205.patch

@@ -0,0 +1,18 @@
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 79bd2eeed42..409fd895688 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -9782,7 +9782,12 @@ display_debug_names (struct dwarf_section *section, void *file)
+       printf (_("Out of %lu items there are %zu bucket clashes"
+ 		" (longest of %zu entries).\n"),
+ 	      (unsigned long) name_count, hash_clash_count, longest_clash);
+-      assert (name_count == buckets_filled + hash_clash_count);
++      
++	  if (name_count != buckets_filled + hash_clash_count)
++	    warn (_("The name_count (%lu) is not the same as the used bucket_count (%lu) + the hash clash count (%lu)"),
++		  (unsigned long) name_count,
++		  (unsigned long) buckets_filled,
++		  (unsigned long) hash_clash_count);
+ 
+       struct abbrev_lookup_entry
+       {

SPECS/binutils/CVE-2022-48063.patch

@@ -0,0 +1,15 @@
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index a7b8303b992..1e2e83959bf 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3630,7 +3630,9 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
+   section->size = bfd_section_size (sec);
+   /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */
+   alloced = amt = section->size + 1;
+-  if (alloced != amt || alloced == 0)
++  if (alloced != amt
++      || alloced == 0
++      || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd)))
+     {
+       section->start = NULL;
+       free_debug_section (debug);

SPECS/binutils/CVE-2023-1972.patch

@@ -0,0 +1,23 @@
+diff --git a/bfd/elf.c b/bfd/elf.c
+index eddc6304e1c..05bb9c99d5f 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -8925,6 +8925,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver)
+ 	  bfd_set_error (bfd_error_file_too_big);
+ 	  goto error_return_verdef;
+ 	}
++
++      if (amt == 0)
++	goto error_return_verdef;
+       elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt);
+       if (elf_tdata (abfd)->verdef == NULL)
+ 	goto error_return_verdef;
+@@ -9028,6 +9031,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver)
+ 	  bfd_set_error (bfd_error_file_too_big);
+ 	  goto error_return;
+ 	}
++      if (amt == 0)
++	goto error_return;
+       elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt);
+       if (elf_tdata (abfd)->verdef == NULL)
+ 	goto error_return;

SPECS/binutils/binutils.spec

@@ -21,7 +21,7 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.37
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -42,6 +42,9 @@ Patch7:         CVE-2022-47007.patch
 Patch8:         CVE-2022-47008.patch
 Patch9:         CVE-2022-47010.patch
 Patch10:        CVE-2022-47011.patch
+Patch11:         CVE-2022-48063.patch
+Patch12:         CVE-2023-1972.patch
+Patch13:         CVE-2022-35205.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -298,6 +301,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Thu Nov 14 2024 Thien Trung Vuong <tvuong@microsoft.com> - 2.37-10
+- Added patch to fix CVE-2023-1972, CVE-2022-48063, CVE-2022-35205
+
 * Mon Nov 04 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 2.37-9
 - Address CVE-2022-47007, CVE-2022-47008, CVE-2022-47010, CVE-2022-47011.
 

SPECS/unzip/CVE-2022-0529.patch

@@ -0,0 +1,183 @@
+From 246a2f17066dff57d4a5253de258374a7e99154a Mon Sep 17 00:00:00 2001
+From: kavyasree <kkaitepalli@microsoft.com>
+Date: Mon, 25 Nov 2024 10:50:21 +0530
+Subject: [PATCH] Fix CVE-2022-0529 and CVE-2022-0530
+Reference: https://git.launchpad.net/ubuntu/+source/unzip/commit/?h=applied/ubuntu/devel&id=d5d5037f4ca1b40578015085b77ae322d1406f56
+---
+ fileio.c  | 34 +++++++++++++++++++++++++---------
+ process.c | 55 +++++++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 68 insertions(+), 21 deletions(-)
+
+diff --git a/fileio.c b/fileio.c
+index eb2a115..285f7fe 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -171,8 +171,10 @@ static ZCONST char Far ReadError[] = "error:  zipfile read error\n";
+ static ZCONST char Far FilenameTooLongTrunc[] =
+   "warning:  filename too long--truncating.\n";
+ #ifdef UNICODE_SUPPORT
++   static ZCONST char Far UFilenameCorrupt[] =
++     "error: Unicode filename corrupt.\n";
+    static ZCONST char Far UFilenameTooLongTrunc[] =
+-     "warning:  Converted unicode filename too long--truncating.\n";
++     "warning:  Converted Unicode filename too long--truncating.\n";
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+   "warning:  extra field too long (%d).  Ignoring...\n";
+@@ -2355,16 +2357,30 @@ int do_string(__G__ length, option)   /* return PK-type error code */
+                   /* convert UTF-8 to local character set */
+                   fn = utf8_to_local_string(G.unipath_filename,
+                                             G.unicode_escape_all);
+-                  /* make sure filename is short enough */
+-                  if (strlen(fn) >= FILNAMSIZ) {
+-                    fn[FILNAMSIZ - 1] = '\0';
++
++                  /* 2022-07-22 SMS, et al.  CVE-2022-0530
++                   * Detect conversion failure, emit message.
++                   * Continue with unconverted name.
++                   */
++                  if (fn == NULL)
++                  {
+                     Info(slide, 0x401, ((char *)slide,
+-                      LoadFarString(UFilenameTooLongTrunc)));
+-                    error = PK_WARN;
++                     LoadFarString(UFilenameCorrupt)));
++                    error = PK_ERR;
++                  }
++                  else
++                  {
++                    /* make sure filename is short enough */
++                    if (strlen(fn) >= FILNAMSIZ) {
++                      fn[FILNAMSIZ - 1] = '\0';
++                      Info(slide, 0x401, ((char *)slide,
++                        LoadFarString(UFilenameTooLongTrunc)));
++                      error = PK_WARN;
++                    }
++                    /* replace filename with converted UTF-8 */
++                    strcpy(G.filename, fn);
++                    free(fn);
+                   }
+-                  /* replace filename with converted UTF-8 */
+-                  strcpy(G.filename, fn);
+-                  free(fn);
+                 }
+ # endif /* UNICODE_WCHAR */
+                 if (G.unipath_filename != G.filename_full)
+diff --git a/process.c b/process.c
+index 4e06a35..09d54f7 100644
+--- a/process.c
++++ b/process.c
+@@ -222,6 +222,8 @@ static ZCONST char Far ZipfileCommTrunc1[] =
+      "\nwarning:  Unicode Path version > 1\n";
+    static ZCONST char Far UnicodeMismatchError[] =
+      "\nwarning:  Unicode Path checksum invalid\n";
++   static ZCONST char Far UFilenameTooLongTrunc[] =
++     "warning:  filename too long (P1) -- truncating.\n";
+ #endif
+ 
+ 
+@@ -1902,7 +1904,7 @@ int getZip64Data(__G__ ef_buf, ef_len)
+     Sets both local header and central header fields.  Not terribly clever,
+     but it means that this procedure is only called in one place.
+ 
+-    2014-12-05 SMS.
++    2014-12-05 SMS.  (oCERT.org report.)  CVE-2014-8141.
+     Added checks to ensure that enough data are available before calling
+     makeint64() or makelong().  Replaced various sizeof() values with
+     simple ("4" or "8") constants.  (The Zip64 structures do not depend
+@@ -1937,8 +1939,7 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ 
+         if (eb_id == EF_PKSZ64)
+         {
+-          int offset = EB_HEADSIZE;
+-
++	  unsigned offset = EB_HEADSIZE;
+           if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
+           {
+             if (offset+ 8 > ef_len)
+@@ -2036,7 +2037,7 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+         }
+         if (eb_id == EF_UNIPATH) {
+ 
+-          int offset = EB_HEADSIZE;
++          unsigned offset = EB_HEADSIZE;
+           ush ULen = eb_len - 5;
+           ulg chksum = CRCVAL_INITIAL;
+ 
+@@ -2492,16 +2493,17 @@ char *wide_to_local_string(wide_string, escape_all)
+   int state_dependent;
+   int wsize = 0;
+   int max_bytes = MB_CUR_MAX;
+-  char buf[9];
++  char buf[ MB_CUR_MAX+ 1];             /* ("+1" not really needed?) */
+   char *buffer = NULL;
+   char *local_string = NULL;
++  size_t buffer_size;                   /* CVE-2022-0529 */
+ 
+   for (wsize = 0; wide_string[wsize]; wsize++) ;
+ 
+   if (max_bytes < MAX_ESCAPE_BYTES)
+     max_bytes = MAX_ESCAPE_BYTES;
+-
+-  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
++  buffer_size = wsize * max_bytes + 1;          /* Reused below. */
++  if ((buffer = (char *)malloc( buffer_size)) == NULL) {
+     return NULL;
+   }
+ 
+@@ -2539,8 +2541,28 @@ char *wide_to_local_string(wide_string, escape_all)
+     } else {
+       /* no MB for this wide */
+         /* use escape for wide character */
+-        char *escape_string = wide_to_escape_string(wide_string[i]);
+-        strcat(buffer, escape_string);
++        size_t buffer_len;
++        size_t escape_string_len;
++        char *escape_string;
++        int err_msg = 0;
++
++        escape_string = wide_to_escape_string(wide_string[i]);
++        buffer_len = strlen( buffer);
++        escape_string_len = strlen( escape_string);
++
++        /* Append escape string, as space allows. */
++        /* 2022-07-18 SMS, et al.  CVE-2022-0529 */
++        if (escape_string_len > buffer_size- buffer_len- 1)
++        {
++            escape_string_len = buffer_size- buffer_len- 1;
++            if (err_msg == 0)
++            {
++                err_msg = 1;
++                Info(slide, 0x401, ((char *)slide,
++                 LoadFarString( UFilenameTooLongTrunc)));
++            }
++        }
++        strncat( buffer, escape_string, escape_string_len);
+         free(escape_string);
+     }
+   }
+@@ -2592,9 +2614,18 @@ char *utf8_to_local_string(utf8_string, escape_all)
+   ZCONST char *utf8_string;
+   int escape_all;
+ {
+-  zwchar *wide = utf8_to_wide_string(utf8_string);
+-  char *loc = wide_to_local_string(wide, escape_all);
+-  free(wide);
++  zwchar *wide;
++  char *loc = NULL;
++
++  wide = utf8_to_wide_string( utf8_string);
++
++  /* 2022-07-25 SMS, et al.  CVE-2022-0530 */
++  if (wide != NULL)
++  {
++    loc = wide_to_local_string( wide, escape_all);
++    free( wide);
++  }
++
+   return loc;
+ }
+ 
+-- 
+2.34.1
+

SPECS/unzip/unzip.spec

@@ -1,7 +1,7 @@
 Summary:        Unzip-6.0
 Name:           unzip
 Version:        6.0
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -23,6 +23,7 @@ Patch11:        unzip-zipbomb-part3.patch
 Patch12:        unzip-zipbomb-manpage.patch
 Patch13:        CVE-2015-7697.patch
 Patch14:        CVE-2018-1000035.patch
+Patch15:	CVE-2022-0529.patch
 
 %description
 The UnZip package contains ZIP extraction utilities. These are useful
@@ -57,6 +58,9 @@ ln -sf unzip %{buildroot}%{_bindir}/zipinfo
 %{_bindir}/*
 
 %changelog
+* Mon Nov 25 2024 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 6.0.21
+- Fix CVE-2022-0529 and CVE-2022-0530
+
 * Thu Oct 06 2022 Olivia Crain <oliviacrain@microsoft.com> - 6.0-20
 - Compile with large file support, zip64 support
 - Remove i*86 configuration- Mariner doesn't build for those architectures

toolkit/docs/building/prerequisites-mariner.md

@@ -30,6 +30,7 @@ sudo tdnf -y install \
     rpm \
     rpm-build \
     sudo \
+    systemd \
     tar \
     wget \
     xfsprogs

toolkit/docs/building/prerequisites-ubuntu.md

@@ -22,6 +22,7 @@ sudo apt -y install \
     parted \
     pigz \
     openssl \
+    systemd \
     qemu-utils \
     rpm \
     tar \

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -12,8 +12,8 @@ zlib-devel-1.2.13-2.cm2.aarch64.rpm
 file-5.40-3.cm2.aarch64.rpm
 file-devel-5.40-3.cm2.aarch64.rpm
 file-libs-5.40-3.cm2.aarch64.rpm
-binutils-2.37-9.cm2.aarch64.rpm
-binutils-devel-2.37-9.cm2.aarch64.rpm
+binutils-2.37-10.cm2.aarch64.rpm
+binutils-devel-2.37-10.cm2.aarch64.rpm
 gmp-6.2.1-4.cm2.aarch64.rpm
 gmp-devel-6.2.1-4.cm2.aarch64.rpm
 mpfr-4.1.0-2.cm2.aarch64.rpm
@@ -236,7 +236,7 @@ ca-certificates-tools-2.0.0-18.cm2.noarch.rpm
 ca-certificates-base-2.0.0-18.cm2.noarch.rpm
 ca-certificates-2.0.0-18.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
-unzip-6.0-20.cm2.aarch64.rpm
+unzip-6.0-21.cm2.aarch64.rpm
 python3-3.9.19-7.cm2.aarch64.rpm
 python3-devel-3.9.19-7.cm2.aarch64.rpm
 python3-libs-3.9.19-7.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -12,8 +12,8 @@ zlib-devel-1.2.13-2.cm2.x86_64.rpm
 file-5.40-3.cm2.x86_64.rpm
 file-devel-5.40-3.cm2.x86_64.rpm
 file-libs-5.40-3.cm2.x86_64.rpm
-binutils-2.37-9.cm2.x86_64.rpm
-binutils-devel-2.37-9.cm2.x86_64.rpm
+binutils-2.37-10.cm2.x86_64.rpm
+binutils-devel-2.37-10.cm2.x86_64.rpm
 gmp-6.2.1-4.cm2.x86_64.rpm
 gmp-devel-6.2.1-4.cm2.x86_64.rpm
 mpfr-4.1.0-2.cm2.x86_64.rpm
@@ -236,7 +236,7 @@ ca-certificates-tools-2.0.0-18.cm2.noarch.rpm
 ca-certificates-base-2.0.0-18.cm2.noarch.rpm
 ca-certificates-2.0.0-18.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
-unzip-6.0-20.cm2.x86_64.rpm
+unzip-6.0-21.cm2.x86_64.rpm
 python3-3.9.19-7.cm2.x86_64.rpm
 python3-devel-3.9.19-7.cm2.x86_64.rpm
 python3-libs-3.9.19-7.cm2.x86_64.rpm