[Low] Patch apparmor for CVE-2023-53154 (#14011)

Author: durgajagadeesh

SPECS/apparmor/CVE-2023-53154.patch

@@ -0,0 +1,30 @@
+From 1dfb03ca74b78ff4a87b48a70b91a5cfc985f9c4 Mon Sep 17 00:00:00 2001
+From: dj_palli <v-dpalli@microsoft.com>
+Date: Thu, 12 Jun 2025 20:49:56 +0000
+Subject: [PATCH] Address CVE-2023-53154
+
+Upstream Patch Reference: https://github.com/DaveGamble/cJSON/commit/3ef4e4e730e5efd381be612df41e1ff3f5bb3c32
+
+---
+ binutils/cJSON.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/binutils/cJSON.c b/binutils/cJSON.c
+index e85ac11..45c1c45 100644
+--- a/binutils/cJSON.c
++++ b/binutils/cJSON.c
+@@ -1650,6 +1650,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
+             current_item = new_item;
+         }
+ 
++	if (cannot_access_at_index(input_buffer, 1))
++        {
++            goto fail; /* nothing comes after the comma */
++        }
++
+         /* parse the name of the child */
+         input_buffer->offset++;
+         buffer_skip_whitespace(input_buffer);
+-- 
+2.45.2
+

SPECS/apparmor/apparmor.spec

@@ -1,7 +1,7 @@
 Summary:        AppArmor is an effective and easy-to-use Linux application security system.
 Name:           apparmor
 Version:        3.0.4
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -11,8 +11,12 @@ Source0:        https://launchpad.net/apparmor/3.0/3.0.4/+download/%{name}-%{ver
 Patch1:         apparmor-service-start-fix.patch
 Patch2:         CVE-2023-50471.patch
 Patch3:         CVE-2024-31755.patch
+Patch4:         CVE-2023-53154.patch
+Patch5:         removed_unused_global_variables_fix_test-aa.patch
+
 # CVE-2016-1585 has no upstream fix as of 2020/09/28
 Patch100:       CVE-2016-1585.nopatch
+
 BuildRequires:  apr
 BuildRequires:  apr-util-devel
 BuildRequires:  autoconf
@@ -355,6 +359,10 @@ make DESTDIR=%{buildroot} install
 %exclude %{perl_archlib}/perllocal.pod
 
 %changelog
+* Fri Jun 13 2025 Durga Jagadeesh Palli <v-dpalli@microsoft.com> - 3.0.4-5
+- Patch CVE-2023-53154
+- Patch removed_unused_global_variables_fix_test-aa.patch to fix PTest failure
+
 * Thu May 30 2024 Sumedh Sharma <sumsharma@microsoft.com> - 3.0.4-4
 - Add patch for CVE-2024-31755
 

SPECS/apparmor/removed_unused_global_variables_fix_test-aa.patch

@@ -0,0 +1,52 @@
+From 91b1b21fe68bdbcb51552cc2dc2e930da139a123 Mon Sep 17 00:00:00 2001
+From: dj_palli <v-dpalli@microsoft.com>
+Date: Thu, 10 Jul 2025 07:22:28 +0000
+Subject: [PATCH] Address ptest error fix
+
+Description: fix the Ptest failure by removing the unused global variables in test-aa
+
+---
+ utils/apparmor/aa.py           | 1 -
+ utils/apparmor/common.py       | 1 -
+ utils/test/test-aa-easyprof.py | 1 -
+ 3 files changed, 3 deletions(-)
+
+diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
+index 4ba484d..71754aa 100644
+--- a/utils/apparmor/aa.py
++++ b/utils/apparmor/aa.py
+@@ -1486,7 +1486,6 @@ def set_logfile(filename):
+ def do_logprof_pass(logmark=''):
+     # set up variables for this pass
+ #    transitions = hasher()
+-    global active_profiles
+     global sev_db
+ #    aa = hasher()
+ #     changed = dict()
+diff --git a/utils/apparmor/common.py b/utils/apparmor/common.py
+index bbe2834..b4ae059 100644
+--- a/utils/apparmor/common.py
++++ b/utils/apparmor/common.py
+@@ -69,7 +69,6 @@ def msg(out, output=sys.stdout):
+ 
+ def debug(out):
+     '''Print debug message'''
+-    global DEBUGGING
+     if DEBUGGING:
+         try:
+             print("DEBUG: %s" % (out), file=sys.stderr)
+diff --git a/utils/test/test-aa-easyprof.py b/utils/test/test-aa-easyprof.py
+index d205797..9d8e51c 100755
+--- a/utils/test/test-aa-easyprof.py
++++ b/utils/test/test-aa-easyprof.py
+@@ -108,7 +108,6 @@ class T(unittest.TestCase):
+ 
+     def setUp(self):
+         '''Setup for tests'''
+-        global topdir
+ 
+         self.tmpdir = os.path.realpath(tempfile.mkdtemp(prefix='test-aa-easyprof'))
+ 
+-- 
+2.45.2
+