Skip to content

Commit

Permalink
Merge branch 'fasttrack/2.0' into sumsharma/2-0_terraform_cve_2024_45338
Browse files Browse the repository at this point in the history
  • Loading branch information
@jslobodzian
jslobodzian authored Jan 8, 2025
2 parents fb5dfbf + 98b7fda commit b5b118d
Show file tree
Hide file tree
Showing 5 changed files with 102 additions and 44 deletions.
48 changes: 42 additions & 6 deletions .pipelines/prchecks/PackageBuildPRCheck.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -80,9 +80,11 @@ extends:
# GCC fails to build as a regular package.
ignoredSpecs: ["gcc"]

- script: echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
- script: |
echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
echo "##vso[task.setvariable variable=toolchainTarballName;isOutput=true]toolchain_built_rpms_all.tar.gz"
name: "ToolchainArtifactName"
displayName: "Set variable for published artifact name"
displayName: "Set variables for published toolchain tarball"
# 1. Automatic publishing won't work if 'isCustom: true' is set on the pool. We cannot do 'isCustom: false' because
# then OneBranch attempts to perform additional actions (adding build tags for instance), which require additional permissions
Expand All @@ -104,24 +106,38 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
ob_artifactBaseName: $(rpmsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
ob_outputDirectory: $(Build.ArtifactStagingDirectory)
outputRPMsTarballName: "rpms.tar.gz"
toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: $(toolchainArtifactName)
patterns: "**/$(toolchainTarballName)"
targetPath: $(inputArtifactsLocation)

- template: .pipelines/templates/PackageBuild.yml@self
parameters:
checkBuildRetries: "1"
customToolchainArtifactName: $(toolchainArtifactName)
customToolchainTarballName: $(toolchainTarballName)
inputArtifactsFolder: $(inputArtifactsLocation)
isCheckBuild: true
isQuickRebuildPackages: true
isUseCCache: true
maxCPU: "${{ configuration.maxCPUs }}"
outputArtifactsFolder: $(ob_outputDirectory)
outputRPMsTarballName: $(outputRPMsTarballName)
pipArtifactFeeds: "mariner/Mariner-Pypi-Feed"
selfRepoName: self
testSuiteName: "[${{ configuration.name }}] Package test"

- script: echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
- script: |
echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
echo "##vso[task.setvariable variable=rpmsTarballName;isOutput=true]$(outputRPMsTarballName)"
name: "RPMsArtifactName"
displayName: "Set variable for published artifact name"
Expand All @@ -142,15 +158,25 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
ob_artifactBaseName: $(toolchainTestsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
ob_outputDirectory: $(Build.ArtifactStagingDirectory)
testListFromToolchain: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['CalculateToolchainPackageRetestList.toolchainPackageRetestList'] ]
toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: $(toolchainArtifactName)
patterns: "**/$(toolchainTarballName)"
targetPath: $(inputArtifactsLocation)

- template: .pipelines/templates/PackageBuild.yml@self
parameters:
checkBuildRetries: "1"
customToolchainArtifactName: $(toolchainArtifactName)
customToolchainTarballName: $(toolchainTarballName)
inputArtifactsFolder: $(inputArtifactsLocation)
isAllowToolchainRebuilds: true
isCheckBuild: true
isQuickRebuildPackages: true
Expand Down Expand Up @@ -179,8 +205,18 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
rpmsArtifactName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsArtifactName'] ]
rpmsTarballName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download RPMs tarball"
inputs:
artifact: $(rpmsArtifactName)
patterns: "**/$(rpmsTarballName)"
targetPath: $(inputArtifactsLocation)

- template: .pipelines/templatesWithCheckout/SodiffCheck.yml@self
parameters:
inputArtifactName: $(rpmsArtifactName)
inputArtifactsFolder: $(inputArtifactsLocation)
inputRPMsTarballName: $(rpmsTarballName)
40 changes: 14 additions & 26 deletions .pipelines/templates/PackageBuild.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,9 @@ parameters:
type: number
default: 12

- name: customToolchainArtifactName
type: string
default: ""

- name: customToolchainTarballName
type: string
default: "toolchain_built_rpms_all.tar.gz"
default: ""

- name: extraPackageRepos
type: string
Expand All @@ -30,12 +26,16 @@ parameters:
type: boolean
default: true

- name: inputCacheArtifacts
- name: inputArtifactsFolder
type: string
default: "$(Agent.TempDirectory)"

- name: inputCacheRPMsTarballs
type: object
default: []
# Sample:
# - name: build-artifacts
# rpmsTarball: cache.tar.gz
# - cache.tar.gz
# - cache2.tar.gz

- name: isAllowToolchainRebuilds
type: string
Expand Down Expand Up @@ -160,15 +160,9 @@ steps:
artifactFeeds: "${{ parameters.pipArtifactFeeds }}"
displayName: "Authenticate to custom pip artifact feeds"

- ${{ if parameters.customToolchainArtifactName }}:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: "${{ parameters.customToolchainArtifactName }}"
patterns: "**/${{ parameters.customToolchainTarballName }}"

- ${{ if parameters.customToolchainTarballName }}:
- script: |
toolchain_archive="$(find "$(Pipeline.Workspace)" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
toolchain_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
if [[ ! -f "$toolchain_archive" ]]; then
echo "ERROR: toolchain archive not found!" >&2
exit 1
Expand All @@ -178,17 +172,11 @@ steps:
sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" toolchain TOOLCHAIN_ARCHIVE="$toolchain_archive"
displayName: "Populate toolchain"
- ${{ each inputCacheArtifact in parameters.inputCacheArtifacts }}:
- task: DownloadPipelineArtifact@2
displayName: "Download input cache RPM from ${{ inputCacheArtifact.name }}"
inputs:
artifact: "${{ inputCacheArtifact.name }}"
patterns: "**/${{ inputCacheArtifact.rpmsTarball }}"

- ${{ each inputCacheRPMsTarball in parameters.inputCacheRPMsTarballs }}:
- script: |
rpms_archive="$(find "$(Pipeline.Workspace)" -name "${{ inputCacheArtifact.rpmsTarball }}" -print -quit)"
rpms_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ inputCacheRPMsTarball }}" -print -quit)"
if [[ ! -f "$rpms_archive" ]]; then
echo "ERROR: cache RPMs archive '${{ inputCacheArtifact.rpmsTarball }}' not found!" >&2
echo "ERROR: cache RPMs archive '${{ inputCacheRPMsTarball }}' not found!" >&2
exit 1
fi
Expand All @@ -200,7 +188,7 @@ steps:
check_build_retries_arg="CHECK_BUILD_RETRIES=${{ parameters.checkBuildRetries }}"
fi
if [[ -n "${{ parameters.customToolchainArtifactName }}" ]]; then
if [[ -n "${{ parameters.customToolchainTarballName }}" ]]; then
toolchain_archive_arg="TOOLCHAIN_ARCHIVE=$(toolchainArchive)"
fi
Expand Down
13 changes: 3 additions & 10 deletions .pipelines/templatesWithCheckout/SodiffCheck.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,9 @@ parameters:
type: string
default: "$(Build.SourcesDirectory)"

- name: inputArtifactName
- name: inputArtifactsFolder
type: string
default: "$(Agent.TempDirectory)"

- name: inputRPMsTarballName
type: string
Expand All @@ -26,19 +27,11 @@ parameters:
default: "$(Agent.TempDirectory)/SourcesWorkspace"

steps:
- task: DownloadPipelineArtifact@2
displayName: "Download sources for signing"
inputs:
artifact: ${{ parameters.inputArtifactName }}
patterns: |
**/${{ parameters.inputRPMsTarballName }}
targetPath: "$(Agent.TempDirectory)"

- script: |
set -e
mkdir -p "${{ parameters.sourcesWorkspace }}"
find "$(Agent.TempDirectory)" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
displayName: "Extract sources tarball"
- script: |
Expand Down
37 changes: 37 additions & 0 deletions SPECS/socat/CVE-2024-54661.patch
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
From be474a81dc2d9010ac16f9690f97cf7ff68b36d7 Mon Sep 17 00:00:00 2001
From: Muhammad Falak R Wani <[email protected]>
Date: Sun, 29 Dec 2024 17:47:45 +0530
Subject: [PATCH] CVE-2024-54661: Arbitrary file overwrite in readline.sh

Link: https://repo.or.cz/socat.git/commit/4ee1f31cf80019c5907876576d6dfd49368d660f
Author: Gerhard Rieger <[email protected]>
Signed-off-by: Muhammad Falak R Wani <[email protected]>
---
readline.sh | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/readline.sh b/readline.sh
index b6f8438..1045303 100755
--- a/readline.sh
+++ b/readline.sh
@@ -22,9 +22,15 @@ if [ "$withhistfile" ]; then
else
HISTOPT=
fi
-mkdir -p /tmp/$USER || exit 1
#
#

-exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>/tmp/$USER/stderr2
+if test -w .; then
+ STDERR=./socat-readline.${1##*/}.log
+ rm -f $STDERR
+else
+ STDERR=/dev/null
+fi
+
+exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>$STDERR

--
2.40.1

8 changes: 6 additions & 2 deletions SPECS/socat/socat.spec
View file
Original file line number Diff line number Diff line change
@@ -1,19 +1,20 @@
Summary: Multipurpose relay (SOcket CAT)
Name: socat
Version: 1.7.4.3
Release: 1%{?dist}
Release: 2%{?dist}
License: GPL2
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Applications/Internet
URL: http://www.dest-unreach.org/socat
Source0: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz
Patch0: CVE-2024-54661.patch

%description
Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes.

%prep
%setup -q
%autosetup -p1

%build
./configure --prefix=%{_prefix} --sysconfdir=%{_sysconfdir}
Expand All @@ -36,6 +37,9 @@ make %{?_smp_mflags} test
%{_mandir}/man1/*

%changelog
* Sun Dec 29 2024 Muhammad Falak <[email protected]> - 1.7.4.3-2
- Patch CVE-2024-54661

* Mon Jan 24 2022 Neha Agarwal <[email protected]> - 1.7.4.3-1
- Update to version 1.7.4.3.

Expand Down

0 comments on commit b5b118d

Please sign in to comment.