Merge branch 'main' into 2.0

microsoft · Feb 7, 2025 · 9bb55a6 · 9bb55a6
2 parents 50d764d + 919a02b
commit 9bb55a6
Show file tree

Hide file tree

Showing 8 changed files with 912 additions and 7 deletions.
diff --git a/SPECS-EXTENDED/pipewire/pipewire.spec b/SPECS-EXTENDED/pipewire/pipewire.spec
@@ -18,7 +18,7 @@
 Summary:        Media Sharing Server
 Name:           pipewire
 Version:        %{majorversion}.%{minorversion}.%{microversion}
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -42,7 +42,6 @@ BuildRequires:  pkgconfig(gstreamer-base-1.0) >= 1.10.0
 BuildRequires:  pkgconfig(gstreamer-plugins-base-1.0) >= 1.10.0
 BuildRequires:  pkgconfig(gstreamer-net-1.0) >= 1.10.0
 BuildRequires:  pkgconfig(gstreamer-allocators-1.0) >= 1.10.0
-BuildRequires:  pkgconfig(fdk-aac)
 %if %{with vulkan}
 BuildRequires:  pkgconfig(vulkan)
 %endif
@@ -214,6 +213,7 @@ cp %{SOURCE1} subprojects/packagefiles/
     -D bluez5-codec-lc3plus=disabled						\
     -D bluez5-codec-ldac=disabled						\
     -D bluez5-codec-opus=disabled                                               \
+    -D bluez5-codec-aac=disabled \
     -D x11-xfixes=disabled                                                      \
 %if %{with media_session}
     -D session-managers="media-session" 	         			\
@@ -428,6 +428,9 @@ systemctl --no-reload preset --global pipewire.socket >/dev/null 2>&1 || :
 %endif
 
 %changelog
+* Thu Feb 6 2025 Jon Slobodzian <[email protected]> - 0.3.60-3
+- Remove bluez5-codec-aac
+
 * Thu Nov 24 2022 Sumedh Sharma <[email protected]> - 0.3.60-2
 - Initial CBL-Mariner import from Fedora 37 (license: MIT)
 - Build with features disabled: jack, jackserver-plugin and libcamera-plugin

diff --git a/SPECS/golang/CVE-2024-45336.patch b/SPECS/golang/CVE-2024-45336.patch
diff --git a/SPECS/golang/CVE-2024-45341.patch b/SPECS/golang/CVE-2024-45341.patch
@@ -0,0 +1,67 @@
+From 6d97029a7eff74a7ed5e695f192d106d1346130c Mon Sep 17 00:00:00 2001
+From: Kanishk Bansal <[email protected]>
+Date: Tue, 4 Feb 2025 15:30:59 +0000
+Subject: [PATCH] Address CVE-2024-45341
+
+---
+ src/crypto/x509/name_constraints_test.go | 18 ++++++++++++++++++
+ src/crypto/x509/verify.go                |  7 +++++--
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go
+index 4c22c4c..78263fc 100644
+--- a/src/crypto/x509/name_constraints_test.go
++++ b/src/crypto/x509/name_constraints_test.go
+@@ -1599,6 +1599,24 @@ var nameConstraintsTests = []nameConstraintsTest{
+ 			cn:   "foo.bar",
+ 		},
+ 	},
++
++	// #86: URIs with IPv6 addresses with zones and ports are rejected
++	{
++		roots: []constraintsSpec{
++			{
++				ok: []string{"uri:example.com"},
++			},
++		},
++		intermediates: [][]constraintsSpec{
++			{
++				{},
++			},
++		},
++		leaf: leafSpec{
++			sans: []string{"uri:http://[2006:abcd::1%25.example.com]:16/"},
++		},
++		expectedError: "URI with IP",
++	},
+ }
+
+ func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
+diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
+index 6efbff2..2d2a271 100644
+--- a/src/crypto/x509/verify.go
++++ b/src/crypto/x509/verify.go
+@@ -11,6 +11,7 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"net"
++	"net/netip"
+ 	"net/url"
+ 	"reflect"
+ 	"runtime"
+@@ -429,8 +430,10 @@ func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
+ 		}
+ 	}
+
+-	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") ||
+-		net.ParseIP(host) != nil {
++	// netip.ParseAddr will reject the URI IPv6 literal form "[...]", so we
++	// check if _either_ the string parses as an IP, or if it is enclosed in
++	// square brackets.
++	if _, err := netip.ParseAddr(host); err == nil || (strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]")) {
+ 		return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String())
+ 	}
+
+-- 
+2.43.0
+
diff --git a/SPECS/golang/golang-1.18.spec b/SPECS/golang/golang-1.18.spec
@@ -13,7 +13,7 @@
 Summary:        Go
 Name:           golang
 Version:        1.18.8
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -25,7 +25,8 @@ Patch0:         go14_bootstrap_aarch64.patch
 # CVE-2022-41717 is fixed in 1.18.9
 Patch1:         CVE-2022-41717.patch
 # CVE-2024-24790 is fixed in 1.18.8
-Patch2:		CVE-2024-24790.patch
+Patch2:         CVE-2024-24790.patch
+Patch3:         CVE-2024-45341.patch
 Obsoletes:      %{name} < %{version}
 Provides:       %{name} = %{version}
 Provides:       go = %{version}-%{release}
@@ -44,6 +45,7 @@ mv -v go go-bootstrap
 %setup -q -n go
 patch -Np1 --ignore-whitespace < %{PATCH1}
 patch -Np1 --ignore-whitespace < %{PATCH2}
+patch -Np1 --ignore-whitespace < %{PATCH3}
 %build
 # Build go 1.4 bootstrap
 pushd %{_topdir}/BUILD/go-bootstrap/src
@@ -123,7 +125,10 @@ fi
 %{_bindir}/*
 
 %changelog
-* Mon July 29 2024 Bhagyashri Pathak [email protected] - 1.18.8.4
+* Tue Feb 04 2025 Kanishk bansal <[email protected]> - 1.18.8-5
+- Address CVE-2024-45341 using an upstream patch.
+
+* Mon July 29 2024 Bhagyashri Pathak [email protected] - 1.18.8-4
 - Patch CVE-2024-24790
 
 * Mon Jan 23 2022 Nicolas Guibourge <[email protected]> - 1.18.8-3

diff --git a/SPECS/golang/golang.spec b/SPECS/golang/golang.spec
@@ -15,7 +15,7 @@
 Summary:        Go
 Name:           golang
 Version:        1.22.7
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -26,6 +26,8 @@ Source1:        https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz
 Source2:        https://dl.google.com/go/go%{bootstrap_compiler_version_0}.src.tar.gz
 Source3:        https://dl.google.com/go/go%{bootstrap_compiler_version_1}.src.tar.gz
 Patch0:         go14_bootstrap_aarch64.patch
+Patch1:         CVE-2024-45336.patch
+Patch2:         CVE-2024-45341.patch
 Obsoletes:      %{name} < %{version}
 Provides:       %{name} = %{version}
 Provides:       go = %{version}-%{release}
@@ -41,6 +43,8 @@ patch -Np1 --ignore-whitespace < %{PATCH0}
 mv -v go go-bootstrap
 
 %setup -q -n go
+%patch 1 -p1
+%patch 2 -p1
 
 %build
 # Go 1.22 requires the final point release of Go 1.20 or later for bootstrap.
@@ -156,6 +160,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Tue Feb 04 2025 Kanishk bansal <[email protected]> - 1.22.7-2
+- Address CVE-2024-45336, CVE-2024-45341 using an upstream patch.
+
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 1.22.7-1
 - Auto-upgrade to 1.22.7 - Address CVE-2024-34158, CVE-2024-34156, CVE-2024-34155