Merge branch 'fasttrack/3.0' into kevin-b-lockwood/ceph-CVE-2012-6708

SPECS/git/git.signatures.json

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "git-2.45.2.tar.xz": "51bfe87eb1c02fed1484051875365eeab229831d30d0cec5d89a14f9e40e9adb"
+    "git-2.45.3.tar.gz": "3075ec9cbcf44a72d7fb232191c0982d6676a1d7432d3c74b96d397ff874b071"
   }
 }

SPECS/git/git.spec

@@ -6,14 +6,14 @@
 
 Summary:        Fast distributed version control system
 Name:           git
-Version:        2.45.2
+Version:        2.45.3
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/Programming
 URL:            https://git-scm.com/
-Source0:        https://www.kernel.org/pub/software/scm/git/%{name}-%{version}.tar.xz
+Source0:        https://github.com/git/git/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 BuildRequires:  curl-devel
 BuildRequires:  python3-devel
 Requires:       curl
@@ -110,6 +110,7 @@ BuildArch:      noarch
 %{py3_shebang_fix} git-p4.py
 
 %build
+make configure
 %configure \
     CFLAGS="%{optflags}" \
     CXXFLAGS="%{optflags}" \
@@ -172,6 +173,9 @@ fi
 %endif
 
 %changelog
+* Tue Jan 14 2025 CBL-Mariner Servicing Account <[email protected]> - 2.45.3-1
+- Auto-upgrade to 2.45.3 - CVE-2024-50349 and CVE-2024-52006
+
 * Fri Jul 05 2024 CBL-Mariner Servicing Account <[email protected]> - 2.45.2-1
 - Auto-upgrade to 2.45.2 - none
 

SPECS/qtbase/CVE-2024-56732.patch

@@ -0,0 +1,58 @@
+From 1767f99e2e2196c3fcae27db6d8b60098d3f6d26 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <[email protected]>
+Date: Sun, 10 Nov 2024 22:43:28 -0700
+Subject: [PATCH] [cairo] Guard hb_cairo_glyphs_from_buffer() against bad UTF-8
+
+Previously it was assuming valid UTF-8.
+---
+ src/3rdparty/harfbuzz-ng/src/hb-cairo.cc | 2 ++
+ src/3rdparty/harfbuzz-ng/src/hb-utf.hh   | 6 ++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/3rdparty/harfbuzz-ng/src/hb-cairo.cc b/src/3rdparty/harfbuzz-ng/src/hb-cairo.cc
+index d8b582c4908..4d22ae059ff 100644
+--- a/src/3rdparty/harfbuzz-ng/src/hb-cairo.cc
++++ b/src/3rdparty/harfbuzz-ng/src/hb-cairo.cc
+@@ -1000,6 +1000,7 @@ hb_cairo_glyphs_from_buffer (hb_buffer_t *buffer,
+ 	    end = start + hb_glyph[i].cluster - hb_glyph[i+1].cluster;
+ 	  else
+ 	    end = (const char *) hb_utf_offset_to_pointer<hb_utf8_t> ((const uint8_t *) start,
++								      (const uint8_t *) utf8, utf8_len,
+ 								      (signed) (hb_glyph[i].cluster - hb_glyph[i+1].cluster));
+ 	  (*clusters)[cluster].num_bytes = end - start;
+ 	  start = end;
+@@ -1020,6 +1021,7 @@ hb_cairo_glyphs_from_buffer (hb_buffer_t *buffer,
+ 	    end = start + hb_glyph[i].cluster - hb_glyph[i-1].cluster;
+ 	  else
+ 	    end = (const char *) hb_utf_offset_to_pointer<hb_utf8_t> ((const uint8_t *) start,
++								      (const uint8_t *) utf8, utf8_len,
+ 								      (signed) (hb_glyph[i].cluster - hb_glyph[i-1].cluster));
+ 	  (*clusters)[cluster].num_bytes = end - start;
+ 	  start = end;
+diff --git a/src/3rdparty/harfbuzz-ng/src/hb-utf.hh b/src/3rdparty/harfbuzz-ng/src/hb-utf.hh
+index 1120bd1cccf..6db9bf2fd79 100644
+--- a/src/3rdparty/harfbuzz-ng/src/hb-utf.hh
++++ b/src/3rdparty/harfbuzz-ng/src/hb-utf.hh
+@@ -458,19 +458,21 @@ struct hb_ascii_t
+ template <typename utf_t>
+ static inline const typename utf_t::codepoint_t *
+ hb_utf_offset_to_pointer (const typename utf_t::codepoint_t *start,
++			  const typename utf_t::codepoint_t *text,
++			  unsigned text_len,
+ 			  signed offset)
+ {
+   hb_codepoint_t unicode;
+
+   while (offset-- > 0)
+     start = utf_t::next (start,
+-			 start + utf_t::max_len,
++			 text + text_len,
+ 			 &unicode,
+ 			 HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT);
+
+   while (offset++ < 0)
+     start = utf_t::prev (start,
+-			 start - utf_t::max_len,
++			 text,
+ 			 &unicode,
+ 			 HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT);

SPECS/qtbase/qtbase.signatures.json

@@ -2,7 +2,7 @@
  "Signatures": {
   "macros.qtbase": "033a4124b7dbb211068a64b6e500427fb645825f6c94a5f49afbd764e9d65543",
   "qconfig-multilib.h": "2d01cdbfd11a887a1729f1ce2c4e0ad0c080509cc009279090bd68521845be93",
-  "qtbase-everywhere-src-6.6.2.tar.xz": "b89b426b9852a17d3e96230ab0871346574d635c7914480a2a27f98ff942677b",
+  "qtbase-everywhere-src-6.6.3.tar.xz": "0493fd0b380c4edf8872f011a7f26d245aa4cdd75b349904ef340a22dedf7462",
   "qtlogging.ini": "7493edc0df47c1bb9040331694922d4500b897b30515d698ec482c866ee5d9d3"
  }
 }

SPECS/qtbase/qtbase.spec

@@ -34,15 +34,16 @@
 
 Name:         qtbase
 Summary:      Qt6 - QtBase components
-Version:      6.6.2
-Release:      1%{?dist}
+Version:      6.6.3
+Release:      2%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License:      GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
 Vendor:       Microsoft Corporation
 Distribution:   Azure Linux
 URL:          https://qt-project.org/
 %global       majmin %(echo %{version} | cut -d. -f1-2)
 Source0:      https://download.qt.io/archive/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz
+Patch0:       CVE-2024-56732.patch
 
 BuildRequires: build-essential
 BuildRequires: systemd
@@ -700,6 +701,12 @@ fi
 %{_qt_plugindir}/platformthemes/libqxdgdesktopportal.so
 
 %changelog
+* Thu Jan 16 2025 Lanze Liu <[email protected]> - 6.6.3-2
+- Added a patch for addressing CVE-2024-56732
+
+* Wed Jan 15 2025 Lanze Liu <[email protected]> - 6.6.3-1
+- Upgrade to version 6.6.3 to fix CVE-2024-30161
+
 * Fri May 17 2024 Neha Agarwal <[email protected]> - 6.6.2-1
 - Upgrade to version 6.6.2 to fix CVE-2023-51714
 

SPECS/tensorflow/CVE-2024-35195.patch

@@ -0,0 +1,108 @@
+From 645c871ad0578ac7fc79ea84e64380984423af0c Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <[email protected]>
+Date: Thu, 19 Dec 2024 06:10:36 +0000
+Subject: [PATCH] Fix CVE-2024-35195
+
+---
+ .../site-packages/requests/adapters.py        | 58 ++++++++++++++++++-
+ 1 file changed, 57 insertions(+), 1 deletion(-)
+
+diff --git a/pypi_requests/site-packages/requests/adapters.py b/pypi_requests/site-packages/requests/adapters.py
+index 78e3bb6..03cd069 100644
+--- a/pypi_requests/site-packages/requests/adapters.py
++++ b/pypi_requests/site-packages/requests/adapters.py
+@@ -8,6 +8,7 @@ and maintain connections.
+
+ import os.path
+ import socket  # noqa: F401
++import typing
+
+ from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError
+ from urllib3.exceptions import HTTPError as _HTTPError
+@@ -61,12 +62,38 @@ except ImportError:
+         raise InvalidSchema("Missing dependencies for SOCKS support.")
+
+
++if typing.TYPE_CHECKING:
++    from .models import PreparedRequest
++
++
+ DEFAULT_POOLBLOCK = False
+ DEFAULT_POOLSIZE = 10
+ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+
+
++def _urllib3_request_context(
++    request: "PreparedRequest", verify: "bool | str | None"
++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
++    host_params = {}
++    pool_kwargs = {}
++    parsed_request_url = urlparse(request.url)
++    scheme = parsed_request_url.scheme.lower()
++    port = parsed_request_url.port
++    cert_reqs = "CERT_REQUIRED"
++    if verify is False:
++        cert_reqs = "CERT_NONE"
++    if isinstance(verify, str):
++        pool_kwargs["ca_certs"] = verify
++    pool_kwargs["cert_reqs"] = cert_reqs
++    host_params = {
++        "scheme": scheme,
++        "host": parsed_request_url.hostname,
++        "port": port,
++    }
++    return host_params, pool_kwargs
++
++
+ class BaseAdapter:
+     """The Base Transport Adapter"""
+
+@@ -328,6 +355,35 @@ class HTTPAdapter(BaseAdapter):
+
+         return response
+
++    def _get_connection(self, request, verify, proxies=None):
++        # Replace the existing get_connection without breaking things and
++        # ensure that TLS settings are considered when we interact with
++        # urllib3 HTTP Pools
++        proxy = select_proxy(request.url, proxies)
++        try:
++            host_params, pool_kwargs = _urllib3_request_context(request, verify)
++        except ValueError as e:
++            raise InvalidURL(e, request=request)
++        if proxy:
++            proxy = prepend_scheme_if_needed(proxy, "http")
++            proxy_url = parse_url(proxy)
++            if not proxy_url.host:
++                raise InvalidProxyURL(
++                    "Please check proxy URL. It is malformed "
++                    "and could be missing the host."
++                )
++            proxy_manager = self.proxy_manager_for(proxy)
++            conn = proxy_manager.connection_from_host(
++                **host_params, pool_kwargs=pool_kwargs
++            )
++        else:
++            # Only scheme should be lower case
++            conn = self.poolmanager.connection_from_host(
++                **host_params, pool_kwargs=pool_kwargs
++            )
++
++        return conn
++
+     def get_connection(self, url, proxies=None):
+         """Returns a urllib3 connection for the given URL. This should not be
+         called from user code, and is only exposed for use when subclassing the
+@@ -451,7 +507,7 @@ class HTTPAdapter(BaseAdapter):
+         """
+
+         try:
+-            conn = self.get_connection(request.url, proxies)
++            conn = self._get_connection(request, verify, proxies)
+         except LocationValueError as e:
+             raise InvalidURL(e, request=request)
+
+-- 
+2.45.2
+

SPECS/tensorflow/tensorflow.spec

@@ -1,7 +1,7 @@
 Summary:        TensorFlow is an open source machine learning framework for everyone.
 Name:           tensorflow
 Version:        2.16.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -13,6 +13,7 @@ Patch0:         CVE-2024-7592.patch
 Patch1:         CVE-2024-6232.patch
 Patch2:         CVE-2024-8088.patch
 Patch3:         CVE-2024-3651.patch
+Patch4:         CVE-2024-35195.patch
 BuildRequires:  bazel
 BuildRequires:  binutils
 BuildRequires:  build-essential
@@ -89,6 +90,11 @@ pushd /root/.cache/bazel/_bazel_$USER/$MD5_HASH/external/python_x86_64-unknown-l
 patch -p1 < %{PATCH3}
 popd
 
+# Need to patch CVE-2024-35195 in the bundled python for applicable archs: `ExclusiveArch:  x86_64`
+pushd /root/.cache/bazel/_bazel_$USER/$MD5_HASH/external/
+patch -p1 < %{PATCH4}
+popd
+
 export TF_PYTHON_VERSION=3.12
 ln -s %{_bindir}/python3 %{_bindir}/python
 
@@ -118,6 +124,9 @@ bazel --batch build  //tensorflow/tools/pip_package:build_pip_package
 %{_bindir}/toco_from_protos
 
 %changelog
+* Wed Jan 15 2025 Kanishk Bansal <[email protected]> - 2.16.1-8
+- Address CVE-2024-35195 with an upstream patch
+
 * Wed Sep 25 2024 Archana Choudhary <[email protected]> - 2.16.1-7
 - Bump release to build with new python3 to fix CVE-2024-6232, CVE-2024-8088, CVE-2024-3651
 

cgmanifest.json

@@ -4300,8 +4300,8 @@
         "type": "other",
         "other": {
           "name": "git",
-          "version": "2.45.2",
-          "downloadUrl": "https://www.kernel.org/pub/software/scm/git/git-2.45.2.tar.xz"
+          "version": "2.45.3",
+          "downloadUrl": "https://github.com/git/git/archive/refs/tags/v2.45.3.tar.gz"
         }
       }
     },
@@ -25373,8 +25373,8 @@
         "type": "other",
         "other": {
           "name": "qtbase",
-          "version": "6.6.2",
-          "downloadUrl": "https://download.qt.io/archive/qt/6.6/6.6.2/submodules/qtbase-everywhere-src-6.6.2.tar.xz"
+          "version": "6.6.3",
+          "downloadUrl": "https://download.qt.io/archive/qt/6.6/6.6.3/submodules/qtbase-everywhere-src-6.6.3.tar.xz"
         }
       }
     },