From 4dd3ddf0b05c636c0c2b39d73f428eb9bf6f1309 Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Fri, 25 Oct 2024 14:40:38 -0400
Subject: [PATCH 1/3] [AUTO-CHERRYPICK] Upgrade mysql to 8.0.40 - branch main (#10809)
Co-authored-by: Sudipta Pandit
---
 SPECS/mysql/CVE-2023-46218.patch | 50 -------------------------------
 SPECS/mysql/mysql.signatures.json | 8 ++---
 SPECS/mysql/mysql.spec | 12 ++++++--
 cgmanifest.json | 4 +--
 4 files changed, 16 insertions(+), 58 deletions(-)
 delete mode 100644 SPECS/mysql/CVE-2023-46218.patch
diff --git a/SPECS/mysql/CVE-2023-46218.patch b/SPECS/mysql/CVE-2023-46218.patch
deleted file mode 100644
index 6f95626e15b..00000000000
--- a/SPECS/mysql/CVE-2023-46218.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From f35969c8cacf16cac88f79cbb0ab0ffd6e5e037f Mon Sep 17 00:00:00 2001
-From: Suresh Thelkar
-Date: Wed, 20 Dec 2023 12:51:01 +0530
-Subject: [PATCH] Patch for CVE-2023-46218
-
-Upstream patch details are given below
-https://github.com/curl/curl/commit/2b0994c29a721c91c57
----
- extra/curl/curl-8.4.0/lib/cookie.c | 24 ++++++++++++++++--------
- 1 file changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/extra/curl/curl-8.4.0/lib/cookie.c b/extra/curl/curl-8.4.0/lib/cookie.c
-index af01203a..57b2ad9a 100644
---- a/extra/curl/curl-8.4.0/lib/cookie.c
-+++ b/extra/curl/curl-8.4.0/lib/cookie.c
-@@ -1029,15 +1029,23 @@ Curl_cookie_add(struct Curl_easy *data,
- * dereference it.
- */
- if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
-- const psl_ctx_t *psl = Curl_psl_use(data);
-- int acceptable;
--
-- if(psl) {
-- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
-- Curl_psl_release(data);
-+ bool acceptable = FALSE;
-+ char lcase[256];
-+ char lcookie[256];
-+ size_t dlen = strlen(domain);
-+ size_t clen = strlen(co->domain);
-+ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
-+ const psl_ctx_t *psl = Curl_psl_use(data);
-+ if(psl) {
-+ /* the PSL check requires lowercase domain name and pattern */
-+ Curl_strntolower(lcase, domain, dlen + 1);
-+ Curl_strntolower(lcookie, co->domain, clen + 1);
-+ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
-+ Curl_psl_release(data);
-+ }
-+ else
-+ acceptable = !bad_domain(domain, strlen(domain));
- }
-- else
-- acceptable = !bad_domain(domain, strlen(domain));
-
- if(!acceptable) {
- infof(data, "cookie '%s' dropped, domain '%s' must not "
---
-2.38.1
-
diff --git a/SPECS/mysql/mysql.signatures.json b/SPECS/mysql/mysql.signatures.json
index 668e600d9a9..24c1c331453 100644
--- a/SPECS/mysql/mysql.signatures.json
+++ b/SPECS/mysql/mysql.signatures.json
@@ -1,5 +1,5 @@ { - "Signatures": { - "mysql-boost-8.0.36.tar.gz": "429c5f69f3722e31807e74119d157a023277af210bfee513443cae60ebd2a86d" - } -} + "Signatures": { + "mysql-boost-8.0.40.tar.gz": "eb34a23d324584688199b4222242f4623ea7bca457a3191cd7a106c63a7837d9" + } +} \ No newline at end of file diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec index 38c7e63cf01..87aa659125f 100644 --- a/SPECS/mysql/mysql.spec +++ b/SPECS/mysql/mysql.spec @@ -1,6 +1,6 @@ Summary: MySQL. Name: mysql -Version: 8.0.36 +Version: 8.0.40 Release: 1%{?dist} License: GPLv2 with exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation @@ -9,7 +9,6 @@ Group: Applications/Databases URL: https://www.mysql.com Source0: https://dev.mysql.com/get/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz Patch0: CVE-2012-5627.nopatch -Patch1: CVE-2023-46218.patch BuildRequires: cmake BuildRequires: libtirpc-devel BuildRequires: openssl-devel @@ -98,6 +97,15 @@ fi %{_libdir}/pkgconfig/mysqlclient.pc %changelog +* Fri Oct 18 2024 Sudipta Pandit - 8.0.40-1 +- Upgrade to 8.0.40 to fix multiple CVEs -- CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130, + CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134, + CVE-2024-21127, CVE-2024-21142, CVE-2024-21166, CVE-2024-21163, CVE-2024-21203, CVE-2024-21219, CVE-2024-21247, CVE-2024-21237, + CVE-2024-21231, CVE-2024-21213, CVE-2024-21218, CVE-2024-21197, CVE-2024-21230, CVE-2024-21207, CVE-2024-21201, CVE-2024-21198, + CVE-2024-21238, CVE-2024-21196, CVE-2024-21239, CVE-2024-21199, CVE-2024-21241, CVE-2024-21236, CVE-2024-21212, CVE-2024-21096, + CVE-2024-21171, CVE-2024-21165, CVE-2023-46219 +- Remove patch for CVE-2023-46218 (fixed in 8.0.37) + * Tue Jun 18 2024 Archana Choudhary - 8.0.36-1 - Upgrade to 8.0.36 to fix 10 CVEs diff --git a/cgmanifest.json b/cgmanifest.json index bf1ef35ac50..945105423c7 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
@@ -13813,8 +13813,8 @@
 "type": "other",
 "other": {
 "name": "mysql",
- "version": "8.0.36",
- "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.36.tar.gz"
+ "version": "8.0.40",
+ "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.40.tar.gz"
 }
 }
 },
From 4401d89fad15d52076bec86ab50f60f34eb1507d Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Fri, 25 Oct 2024 14:41:25 -0400
Subject: [PATCH 2/3] [AUTO-CHERRYPICK] Added Patch CVE-2022-25255 for qt5-qtbase - branch main (#10835)
Co-authored-by: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com>
---
 SPECS/qt5-qtbase/CVE-2022-25255.patch | 71 +++++++++++++++++++++++++++
 SPECS/qt5-qtbase/qt5-qtbase.spec | 8 ++-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/qt5-qtbase/CVE-2022-25255.patch
diff --git a/SPECS/qt5-qtbase/CVE-2022-25255.patch b/SPECS/qt5-qtbase/CVE-2022-25255.patch
new file mode 100644
index 00000000000..0aebb8feab2
--- /dev/null
+++ b/SPECS/qt5-qtbase/CVE-2022-25255.patch
@@ -0,0 +1,71 @@
+From 926c72f641cd122e1e8fc9f92f0fea885d3c8ede Mon Sep 17 00:00:00 2001
+From: Mykhailo Bykhovtsev
+Date: Wed, 23 Oct 2024 16:13:23 -0700
+Subject: [PATCH] patch CVE-2022-25255
+Patch taken from https://download.qt.io/official_releases/qt/5.15/qprocess5-15.diff
+
+---
+ src/corelib/io/qprocess_unix.cpp | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/src/corelib/io/qprocess_unix.cpp b/src/corelib/io/qprocess_unix.cpp
+index 7a2daa2a..29b771a1 100644
+--- a/src/corelib/io/qprocess_unix.cpp
++++ b/src/corelib/io/qprocess_unix.cpp
+@@ -1,7 +1,7 @@
+ /****************************************************************************
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2016 Intel Corporation.
++** Copyright (C) 2022 Intel Corporation.
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -422,14 +422,15 @@ void QProcessPrivate::startProcess()
+ // Add the program name to the argument list.
+ argv[0] = nullptr;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty()) {
+- const QByteArray &tmp = QFile::encodeName(exeFilePath);
+- argv[0] = ::strdup(tmp.constData());
+- }
+- }
+- if (!argv[0])
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
+ argv[0] = ::strdup(encodedProgramName.constData());
++ }
+
+ // Add every argument to the list
+ for (int i = 0; i < arguments.count(); ++i)
+@@ -975,15 +976,16 @@ bool QProcessPrivate::startDetached(qint64 *pid)
+ envp = _q_dupEnvironment(environment.d.constData()->vars, &envc);
+ }
+
+- QByteArray tmp;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty())
+- tmp = QFile::encodeName(exeFilePath);
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
++ argv[0] = ::strdup(QFile::encodeName(program));
+ }
+- if (tmp.isEmpty())
+- tmp = QFile::encodeName(program);
+- argv[0] = tmp.data();
+
+ if (envp)
+ qt_safe_execve(argv[0], argv, envp);
+--
+2.34.1
+
diff --git a/SPECS/qt5-qtbase/qt5-qtbase.spec b/SPECS/qt5-qtbase/qt5-qtbase.spec
index 858d8648543..92bbd923e49 100644
--- a/SPECS/qt5-qtbase/qt5-qtbase.spec
+++ b/SPECS/qt5-qtbase/qt5-qtbase.spec
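Review bot: When `findExecutable()` finds nothing, both `startProcess()` and `startDetached()` now set `argv[0]` to a copy of an empty string, and the added comment says that case is handled "much later", but the handling lies outside both hunks. The patch header says the change was taken from the Qt 5.15 diff while the spec builds 5.12.11, so it is worth confirming on the 5.12.11 tree that an empty `argv[0]` reaches the exec call and is reported as a start failure. The removed `if (!argv[0])` and `if (tmp.isEmpty())` branches were the fallback to the bare program name, so any remaining path that re-derives `argv[0]` from `program` would undo the fix. The `::strdup()` results are also used unchecked; this appears to match the surrounding code, but a null `argv[0]` would go straight into `qt_safe_execve(argv[0], argv, envp)`. I would add one line to the patch header recording the behaviour change, for example `Program names without '/' are resolved through $PATH only; the fallback to the bare name is removed.`, so a later rebase does not reintroduce it.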
@@ -33,7 +33,7 @@ Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.12.11 -Release: 13%{?dist} +Release: 14%{?dist} # See LICENSE.GPL3-EXCEPT.txt, for exception details License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0 Vendor: Microsoft Corporation @@ -163,6 +163,8 @@ Patch90: CVE-2022-25643.patch Patch91: qt5-qtbase-5.15-http-encrypted-signal.patch Patch92: CVE-2024-39936.patch +Patch93: CVE-2022-25255.patch + # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. # Those themes are there for platform integration. If the required libraries are # not there, the platform to integrate with isn't either. Then Qt will just @@ -276,6 +278,7 @@ Qt5 libraries used for drawing widgets and OpenGL items. %patch90 -p1 %patch91 -p1 %patch92 -p1 +%patch93 -p1 ## upstream patches @@ -781,6 +784,9 @@ fi %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake %changelog +* Wed Oct 23 2024 Mykhailo Bykhovtsev - 5.12.11-14 +- Add patch to resolve CVE-2022-25255. + * Wed Aug 07 2024 Sumedh Sharma - 5.12.11-13 - Add patch to resolve CVE-2024-39936. From 3eb66d1e29cc7b587281afde80dec350b05d7759 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 25 Oct 2024 14:41:49 -0400 Subject: [PATCH 3/3] [AUTO-CHERRYPICK] [AUTOPATCHER-CORE] Upgrade msft-golang to 1.22.8 To fix CVE-2022-41717 - branch main (#10834) --- SPECS/msft-golang/msft-golang.signatures.json | 2 +- SPECS/msft-golang/msft-golang.spec | 7 +++++-- cgmanifest.json | 4 ++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/SPECS/msft-golang/msft-golang.signatures.json b/SPECS/msft-golang/msft-golang.signatures.json index dcd94f32e1e..d92ca320b25 100644 --- a/SPECS/msft-golang/msft-golang.signatures.json +++ b/SPECS/msft-golang/msft-golang.signatures.json 
@@ -2,7 +2,7 @@ "Signatures": { "go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95", "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd", - "go1.22.7-20240905.3.src.tar.gz": "4c2601d9fe6b4692b6bb4487751dec149c30bd76ad9383331a84971a66bdd0bc", + "go1.22.8-20241001.6.src.tar.gz": "549a43643849c73ffd8579d63e2e3488428f0a4c436169abe02be01a3dbd41c8", "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52" } } \ No newline at end of file diff --git a/SPECS/msft-golang/msft-golang.spec b/SPECS/msft-golang/msft-golang.spec index 1c1058198b5..6921a3af739 100644 --- a/SPECS/msft-golang/msft-golang.spec +++ b/SPECS/msft-golang/msft-golang.spec @@ -1,6 +1,6 @@ %global goroot %{_libdir}/golang %global gopath %{_datadir}/gocode -%global ms_go_filename go1.22.7-20240905.3.src.tar.gz +%global ms_go_filename go1.22.8-20241001.6.src.tar.gz %global ms_go_revision 1 %ifarch aarch64 %global gohostarch arm64 @@ -14,7 +14,7 @@ %define __find_requires %{nil} Summary: Go Name: msft-golang -Version: 1.22.7 +Version: 1.22.8 Release: 1%{?dist} License: BSD Vendor: Microsoft Corporation @@ -153,6 +153,9 @@ fi %{_bindir}/* %changelog +* Thu Oct 24 2024 CBL-Mariner Servicing Account - 1.22.8-1 +- Auto-upgrade to 1.22.8 - To fix CVE-2022-41717 + * Mon Sep 09 2024 Henry Beberman - 1.22.7-1 - Bump version to 1.22.7 to address CVE-2024-34158, CVE-2024-34156, CVE-2024-34155 diff --git a/cgmanifest.json b/cgmanifest.json index 945105423c7..ed336fc0ad7 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -13673,8 +13673,8 @@ "type": "other", "other": { "name": "msft-golang", - "version": "1.22.7", - "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.7-1/go1.22.7-20240905.3.src.tar.gz" + "version": "1.22.8", + "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.8-1/go1.22.8-20241001.6.src.tar.gz" } } },