Skip to content

Commit

Permalink
Merge branch 'fasttrack/2.0' into sumsharma/2-0_kubevirt_cve_2024_45338
Browse files Browse the repository at this point in the history
  • Loading branch information
@jslobodzian
jslobodzian authored Jan 9, 2025
2 parents 028276b + 7b739b6 commit b0a1abd
Show file tree
Hide file tree
Showing 13 changed files with 442 additions and 48 deletions.
48 changes: 42 additions & 6 deletions .pipelines/prchecks/PackageBuildPRCheck.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -80,9 +80,11 @@ extends:
# GCC fails to build as a regular package.
ignoredSpecs: ["gcc"]

- script: echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
- script: |
echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
echo "##vso[task.setvariable variable=toolchainTarballName;isOutput=true]toolchain_built_rpms_all.tar.gz"
name: "ToolchainArtifactName"
displayName: "Set variable for published artifact name"
displayName: "Set variables for published toolchain tarball"
# 1. Automatic publishing won't work if 'isCustom: true' is set on the pool. We cannot do 'isCustom: false' because
# then OneBranch attempts to perform additional actions (adding build tags for instance), which require additional permissions
Expand All @@ -104,24 +106,38 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
ob_artifactBaseName: $(rpmsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
ob_outputDirectory: $(Build.ArtifactStagingDirectory)
outputRPMsTarballName: "rpms.tar.gz"
toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: $(toolchainArtifactName)
patterns: "**/$(toolchainTarballName)"
targetPath: $(inputArtifactsLocation)

- template: .pipelines/templates/PackageBuild.yml@self
parameters:
checkBuildRetries: "1"
customToolchainArtifactName: $(toolchainArtifactName)
customToolchainTarballName: $(toolchainTarballName)
inputArtifactsFolder: $(inputArtifactsLocation)
isCheckBuild: true
isQuickRebuildPackages: true
isUseCCache: true
maxCPU: "${{ configuration.maxCPUs }}"
outputArtifactsFolder: $(ob_outputDirectory)
outputRPMsTarballName: $(outputRPMsTarballName)
pipArtifactFeeds: "mariner/Mariner-Pypi-Feed"
selfRepoName: self
testSuiteName: "[${{ configuration.name }}] Package test"

- script: echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
- script: |
echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
echo "##vso[task.setvariable variable=rpmsTarballName;isOutput=true]$(outputRPMsTarballName)"
name: "RPMsArtifactName"
displayName: "Set variable for published artifact name"
Expand All @@ -142,15 +158,25 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
ob_artifactBaseName: $(toolchainTestsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
ob_outputDirectory: $(Build.ArtifactStagingDirectory)
testListFromToolchain: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['CalculateToolchainPackageRetestList.toolchainPackageRetestList'] ]
toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: $(toolchainArtifactName)
patterns: "**/$(toolchainTarballName)"
targetPath: $(inputArtifactsLocation)

- template: .pipelines/templates/PackageBuild.yml@self
parameters:
checkBuildRetries: "1"
customToolchainArtifactName: $(toolchainArtifactName)
customToolchainTarballName: $(toolchainTarballName)
inputArtifactsFolder: $(inputArtifactsLocation)
isAllowToolchainRebuilds: true
isCheckBuild: true
isQuickRebuildPackages: true
Expand Down Expand Up @@ -179,8 +205,18 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
rpmsArtifactName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsArtifactName'] ]
rpmsTarballName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download RPMs tarball"
inputs:
artifact: $(rpmsArtifactName)
patterns: "**/$(rpmsTarballName)"
targetPath: $(inputArtifactsLocation)

- template: .pipelines/templatesWithCheckout/SodiffCheck.yml@self
parameters:
inputArtifactName: $(rpmsArtifactName)
inputArtifactsFolder: $(inputArtifactsLocation)
inputRPMsTarballName: $(rpmsTarballName)
40 changes: 14 additions & 26 deletions .pipelines/templates/PackageBuild.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,9 @@ parameters:
type: number
default: 12

- name: customToolchainArtifactName
type: string
default: ""

- name: customToolchainTarballName
type: string
default: "toolchain_built_rpms_all.tar.gz"
default: ""

- name: extraPackageRepos
type: string
Expand All @@ -30,12 +26,16 @@ parameters:
type: boolean
default: true

- name: inputCacheArtifacts
- name: inputArtifactsFolder
type: string
default: "$(Agent.TempDirectory)"

- name: inputCacheRPMsTarballs
type: object
default: []
# Sample:
# - name: build-artifacts
# rpmsTarball: cache.tar.gz
# - cache.tar.gz
# - cache2.tar.gz

- name: isAllowToolchainRebuilds
type: string
Expand Down Expand Up @@ -160,15 +160,9 @@ steps:
artifactFeeds: "${{ parameters.pipArtifactFeeds }}"
displayName: "Authenticate to custom pip artifact feeds"

- ${{ if parameters.customToolchainArtifactName }}:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: "${{ parameters.customToolchainArtifactName }}"
patterns: "**/${{ parameters.customToolchainTarballName }}"

- ${{ if parameters.customToolchainTarballName }}:
- script: |
toolchain_archive="$(find "$(Pipeline.Workspace)" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
toolchain_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
if [[ ! -f "$toolchain_archive" ]]; then
echo "ERROR: toolchain archive not found!" >&2
exit 1
Expand All @@ -178,17 +172,11 @@ steps:
sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" toolchain TOOLCHAIN_ARCHIVE="$toolchain_archive"
displayName: "Populate toolchain"
- ${{ each inputCacheArtifact in parameters.inputCacheArtifacts }}:
- task: DownloadPipelineArtifact@2
displayName: "Download input cache RPM from ${{ inputCacheArtifact.name }}"
inputs:
artifact: "${{ inputCacheArtifact.name }}"
patterns: "**/${{ inputCacheArtifact.rpmsTarball }}"

- ${{ each inputCacheRPMsTarball in parameters.inputCacheRPMsTarballs }}:
- script: |
rpms_archive="$(find "$(Pipeline.Workspace)" -name "${{ inputCacheArtifact.rpmsTarball }}" -print -quit)"
rpms_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ inputCacheRPMsTarball }}" -print -quit)"
if [[ ! -f "$rpms_archive" ]]; then
echo "ERROR: cache RPMs archive '${{ inputCacheArtifact.rpmsTarball }}' not found!" >&2
echo "ERROR: cache RPMs archive '${{ inputCacheRPMsTarball }}' not found!" >&2
exit 1
fi
Expand All @@ -200,7 +188,7 @@ steps:
check_build_retries_arg="CHECK_BUILD_RETRIES=${{ parameters.checkBuildRetries }}"
fi
if [[ -n "${{ parameters.customToolchainArtifactName }}" ]]; then
if [[ -n "${{ parameters.customToolchainTarballName }}" ]]; then
toolchain_archive_arg="TOOLCHAIN_ARCHIVE=$(toolchainArchive)"
fi
Expand Down
13 changes: 3 additions & 10 deletions .pipelines/templatesWithCheckout/SodiffCheck.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,9 @@ parameters:
type: string
default: "$(Build.SourcesDirectory)"

- name: inputArtifactName
- name: inputArtifactsFolder
type: string
default: "$(Agent.TempDirectory)"

- name: inputRPMsTarballName
type: string
Expand All @@ -26,19 +27,11 @@ parameters:
default: "$(Agent.TempDirectory)/SourcesWorkspace"

steps:
- task: DownloadPipelineArtifact@2
displayName: "Download sources for signing"
inputs:
artifact: ${{ parameters.inputArtifactName }}
patterns: |
**/${{ parameters.inputRPMsTarballName }}
targetPath: "$(Agent.TempDirectory)"

- script: |
set -e
mkdir -p "${{ parameters.sourcesWorkspace }}"
find "$(Agent.TempDirectory)" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
displayName: "Extract sources tarball"
- script: |
Expand Down
80 changes: 80 additions & 0 deletions SPECS/containerized-data-importer/CVE-2024-45338.patch
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <[email protected]>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves

Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.

Thanks to Guido Vranken for reporting this issue.

Fixes golang/go#70906
Fixes CVE-2024-45338

Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1

6 changes: 5 additions & 1 deletion SPECS/containerized-data-importer/containerized-data-importer.spec
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
Summary: Container native virtualization
Name: containerized-data-importer
Version: 1.55.0
Release: 21%{?dist}
Release: 22%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Expand All @@ -38,6 +38,7 @@ Patch1: CVE-2024-3727.patch
Patch2: CVE-2022-41717.patch
Patch3: CVE-2022-32149.patch
Patch4: CVE-2024-28180.patch
Patch5: CVE-2024-45338.patch

%description
Containerized-Data-Importer (CDI) is a persistent storage management add-on for Kubernetes
Expand Down Expand Up @@ -205,6 +206,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m
%{_datadir}/cdi/manifests

%changelog
* Mon Jan 06 2025 Sumedh Sharma <[email protected]> - 1.55.0-22
- Add patch for CVE-2024-45338

* Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 1.55.0-21
- Bump release to rebuild with go 1.22.7

Expand Down
Loading

0 comments on commit b0a1abd

Please sign in to comment.