Merge branch 'puppetlabs:master' into openssl

configs/components/_base-rubygem.rb

@@ -40,13 +40,13 @@
 # If a gem needs more command line options to install set the :gem_install_options
 # in its component file rubygem-<compoment>, before the instance_eval of this file.
 gem_install_options = settings["#{pkg.get_name}_gem_install_options".to_sym]
-if gem_install_options.nil?
- pkg.install do
- "#{settings[:gem_install]} #{name}-#{version}.gem"
- end
-else
- pkg.install do
- "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
- end
+remove_older_versions = settings["#{pkg.get_name}_remove_older_versions".to_sym]
+pkg.install do
+ steps = []
+ steps << "#{settings[:gem_uninstall]} #{name}" if remove_older_versions
+ steps << if gem_install_options.nil?
+ "#{settings[:gem_install]} #{name}-#{version}.gem"
+ else
+ "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
+ end
 end
-

configs/components/curl.rb

@@ -27,6 +27,7 @@
  elsif platform.is_windows?
  pkg.build_requires "runtime-#{settings[:runtime_project]}"
  pkg.environment "PATH", "$(shell cygpath -u #{settings[:gcc_bindir]}):$(PATH)"
+ pkg.environment "NM" , "/usr/bin/nm" if platform.name =~ /windowsfips-2016/
  pkg.environment "CYGWIN", settings[:cygwin]
  elsif platform.is_aix? && platform.name != 'aix-7.1-ppc'
  pkg.environment "PKG_CONFIG_PATH", "/opt/puppetlabs/puppet/lib/pkgconfig"
@@ -47,6 +48,7 @@
  pkg.apply_patch 'resources/patches/curl/CVE-2023-46218.patch'
  pkg.apply_patch 'resources/patches/curl/CVE-2024-2004.patch'
  pkg.apply_patch 'resources/patches/curl/CVE-2024-2398.patch'
+ pkg.apply_patch 'resources/patches/curl/CVE-2024-7264.patch'
  end
 
  configure_options = []

configs/components/openssl-1.0.2.rb

@@ -129,7 +129,7 @@
  'no-ssl3',
  ]
 
- configure_flags += ['fips', "--with-fipsdir=#{settings[:prefix]}/usr/local/ssl/fips-2.0"] if platform.name =~ /windowsfips-2012r2/
+ configure_flags += ['fips', "--with-fipsdir=#{settings[:prefix]}/usr/local/ssl/fips-2.0"] if platform.name =~ /windowsfips-/
 
  # Individual projects may provide their own openssl configure flags:
  project_flags = settings[:openssl_extra_configure_flags] || []

configs/components/ruby-2.7.8.rb

@@ -43,6 +43,9 @@
  pkg.apply_patch "#{base}/uri-redos-cve-2023-36617.patch"
  pkg.apply_patch "#{base}/stringio_cve-2024-27280.patch"
 
+ pkg.apply_patch "#{base}/0001-Filter-marshaled-objects-ruby30.patch"
+ pkg.apply_patch "#{base}/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch"
+
  if platform.is_cross_compiled?
  unless platform.is_macos?
  pkg.apply_patch "#{base}/uri_generic_remove_safe_nav_operator_r2.5.patch"
@@ -141,7 +144,8 @@
  'windows-2012r2-x64',
  'windows-2012r2-x86',
  'windows-2019-x64',
- 'windowsfips-2012r2-x64'
+ 'windowsfips-2012r2-x64',
+ 'windowsfips-2016-x64'
  ]
 
  unless without_dtrace.include? platform.name
@@ -170,6 +174,19 @@
  ]
  end
 
+ if(platform.name =~ /windowsfips-2016/)
+ # We need the below patch since during ruby build step for windowsfips-2016-x64 agent-runtime builds,
+ # the rbconfig.rb file that gets generated contains '\r' trailing character in 'ruby_version' config.
+ # We patch rbconfig.rb to remove the '\r' character.
+ # This patch has to run after the build step since rbconfig.rb is generated during the build step. 
+ # This is sort of a hacky way to do this. We need to find why the '\r' character gets appended to
+ # 'ruby_version' field in the future so that this patch can be removed - PA-6902.
+ pkg.add_source("#{base}/rbconfig_win.patch")
+ pkg.build do
+ ["TMP=/var/tmp /usr/bin/patch.exe --binary --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../rbconfig_win.patch"]
+ end
+ end
+
  #########
  # INSTALL
  #########

configs/components/ruby-3.2.5.rb

@@ -161,7 +161,8 @@
  'windows-2012r2-x64',
  'windows-2012r2-x86',
  'windows-2019-x64',
- 'windowsfips-2012r2-x64'
+ 'windowsfips-2012r2-x64',
+ 'windowsfips-2016-x64'
  ]
 
  unless without_dtrace.include? platform.name
@@ -195,6 +196,19 @@
  ]
  end
 
+ if(platform.name =~ /windowsfips-2016/)
+ # We need the below patch since during ruby build step for windowsfips-2016-x64 agent-runtime builds,
+ # the rbconfig.rb file that gets generated contains '\r' trailing character in 'ruby_version' config.
+ # We patch rbconfig.rb to remove the '\r' character.
+ # This patch has to run after the build step since rbconfig.rb is generated during the build step. 
+ # This is sort of a hacky way to do this. We need to find why the '\r' character gets appended to
+ # 'ruby_version' field in the future so that this patch can be removed - PA-6902.
+ pkg.add_source("#{base}/rbconfig_win.patch")
+ pkg.build do
+ ["TMP=/var/tmp /usr/bin/patch.exe --binary --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../rbconfig_win.patch"]
+ end
+ end
+
  #########
  # INSTALL
  #########

configs/components/rubygem-rexml.rb

@@ -1,6 +1,8 @@
 component 'rubygem-rexml' do |pkg, settings, platform|
- pkg.version '3.3.4'
- pkg.md5sum 'b7411377f3c1a9cbe65e862f74067f91'
+ pkg.version '3.3.6'
+ pkg.md5sum 'be54ad1a5f661ebf9824bf6ca36e50eb'
+
+ settings["#{pkg.get_name}_remove_older_versions".to_sym] = true
 
  # If the platform is solaris with sparc architecture in agent-runtime-7.x project, we want to gem install rexml
  # ignoring the dependencies, this is because the pl-ruby version used in these platforms is ancient so it gets
@@ -9,6 +11,6 @@
  if platform.name =~ /solaris-(10|11)-sparc/ && settings[:ruby_version].to_i < 3
  settings["#{pkg.get_name}_gem_install_options".to_sym] = "--ignore-dependencies"
  end
- 
+
  instance_eval File.read('configs/components/_base-rubygem.rb')
 end

configs/platforms/windowsfips-2016-x64.rb

@@ -0,0 +1,54 @@
+platform "windowsfips-2016-x64" do |plat|
+ plat.vmpooler_template 'win-2016-fips-x86_64'
+
+ plat.servicetype 'windows'
+ visual_studio_version = '2017'
+ visual_studio_sdk_version = 'win8.1'
+
+ # We need to ensure we install chocolatey prior to adding any nuget repos. Otherwise, everything will fall over
+ plat.add_build_repository "https://artifactory.delivery.puppetlabs.net/artifactory/generic/buildsources/windows/chocolatey/install-chocolatey-1.4.0.ps1"
+ plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe feature enable -n useFipsCompliantChecksums"
+
+ plat.add_build_repository "https://artifactory.delivery.puppetlabs.net/artifactory/api/nuget/nuget"
+
+ # C:\tools is likely added by mingw, however because we also want to use that
+ # dir for vsdevcmd.bat we create it for safety
+ plat.provision_with "mkdir -p C:/tools"
+ # We don't want to install any packages from the chocolatey repo by accident
+ plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe sources remove -name chocolatey"
+
+ packages = [
+ "cmake",
+ "pl-gdbm-#{self._platform.architecture}",
+ "pl-iconv-#{self._platform.architecture}",
+ "pl-libffi-#{self._platform.architecture}",
+ "pl-pdcurses-#{self._platform.architecture}",
+ "pl-toolchain-#{self._platform.architecture}",
+ "pl-zlib-#{self._platform.architecture}",
+ "mingw-w64 -version 5.2.0 -debug",
+ ]
+
+ packages.each do |name|
+ plat.provision_with("C:/ProgramData/chocolatey/bin/choco.exe install -y --no-progress #{name}")
+ end
+ # We use cache-location in the following install because msvc has several long paths
+ # if we do not update the cache location choco will fail because paths get too long
+ plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe install msvc.#{visual_studio_version}-#{visual_studio_sdk_version}.sdk.en-us -y --cache-location=\"C:\\msvc\" --no-progress"
+ # The following creates a batch file that will execute the vsdevcmd batch file located within visual studio.
+ # We create the following batch file under C:\tools\vsdevcmd.bat so we can avoid using both the %ProgramFiles(x86)%
+ # evironment var, as well as any spaces in the path when executing things with cygwin. This makes command execution
+ # through cygwin much easier.
+ #
+ # Note that the unruly \'s in the following string escape the following sequence to literal chars: "\" and then \""
+ plat.provision_with "touch C:/tools/vsdevcmd.bat && echo \"\\\"%ProgramFiles(x86)%\\Microsoft Visual Studio\\#{visual_studio_version}\\BuildTools\\Common7\\Tools\\vsdevcmd\\\"\" >> C:/tools/vsdevcmd.bat"
+
+ plat.install_build_dependencies_with "C:/ProgramData/chocolatey/bin/choco.exe install -y --no-progress"
+
+ plat.make "/usr/bin/make"
+ plat.patch "TMP=/var/tmp /usr/bin/patch.exe --binary"
+
+ plat.platform_triple "x86_64-w64-mingw32"
+
+ plat.package_type "archive"
+ plat.output_dir "windows"
+end

configs/projects/_shared-agent-components.rb

@@ -26,7 +26,7 @@
 elsif platform.name =~ /^redhatfips-.*/
  proj.component "openssl-1.1.1-fips"
 else
- proj.component "openssl-fips-2.0.16" if platform.name =~ /windowsfips-2012r2/ && proj.openssl_version =~ /1.0.2/
+ proj.component "openssl-fips-2.0.16" if platform.name =~ /windowsfips-/ && proj.openssl_version =~ /1.0.2/
  proj.component "openssl-#{proj.openssl_version}"
 end
 
@@ -62,6 +62,12 @@
 proj.component 'rubygem-fast_gettext'
 proj.component 'rubygem-ffi'
 
+# We add rexml explicitly in here because even though ruby 3 ships with rexml as its default gem, the version
+# of rexml it ships with contains CVE-2024-41946, CVE-2024-41123, CVE-2024-35176 and CVE-2024-39908.
+# So, we add it here to update to a higher version
+# free from the CVEs.
+proj.component 'rubygem-rexml'
+
 if platform.is_windows? || platform.is_solaris? || platform.is_aix?
  proj.component 'rubygem-minitar'
 end

configs/projects/_shared-agent-settings.rb

@@ -131,6 +131,7 @@
 end
 
 proj.setting(:gem_install, "#{proj.host_gem} install --no-rdoc --no-ri --local ")
+proj.setting(:gem_uninstall, "#{proj.host_gem} uninstall --all --ignore-dependencies ")
 
 # For AIX, we use the triple to install a better rbconfig
 if platform.is_aix?
@@ -147,7 +148,7 @@
  proj.setting(:openssl_version, '3.0')
 elsif platform.name =~ /^redhatfips-/
  proj.setting(:openssl_version, '1.1.1-fips')
-elsif platform.name =~ /^windowsfips-2012r2/
+elsif platform.name =~ /^windowsfips-/
  proj.setting(:openssl_version, '1.0.2')
 else
  proj.setting(:openssl_version, '1.1.1')
@@ -168,7 +169,7 @@
  proj.setting(:cflags, "#{proj.cppflags}")
 
  ldflags = "-L#{proj.tools_root}/lib -L#{proj.gcc_root}/lib -L#{proj.libdir} -Wl,--nxcompat"
- if platform.name !~ /windowsfips-2012r2/ || name != 'agent-runtime-7.x'
+ if platform.name !~ /windowsfips-/ || name != 'agent-runtime-7.x'
  ldflags += ' -Wl,--dynamicbase'
  end
  proj.setting(:ldflags, ldflags)

configs/projects/agent-runtime-7.x.rb

@@ -61,11 +61,6 @@
  proj.component 'rubygem-thor'
  proj.component 'rubygem-scanf'
 
- # We add rexml explicitly in here because even though ruby 2 ships with rexml as its default gem, the version
- # of rexml it ships with contains CVE-2024-35176 and CVE-2024-39908. So, we add it here to update to a higher version
- # free from the CVEs.
- proj.component 'rubygem-rexml'
-
  if platform.is_linux?
  proj.component "virt-what"
  proj.component "dmidecode" unless platform.architecture =~ /ppc64/

resources/patches/curl/CVE-2024-7264.patch

@@ -0,0 +1,93 @@
+diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
+index 39e4fb33b..7e2e3d724 100644
+--- a/lib/vtls/x509asn1.c
++++ b/lib/vtls/x509asn1.c
+@@ -566,28 +566,40 @@ static const char *GTime2str(const char *beg, const char *end)
+ tzp = fracp;
+ fracl = 0;
+ if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+- fracp++;
+- do
++ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
++ fracp++; /* should be a digit char or BAD ARGUMENT */
++ tzp = fracp;
++ while(tzp < end && ISDIGIT(*tzp))
+ tzp++;
+- while(tzp < end && *tzp >= '0' && *tzp <= '9');
+- /* Strip leading zeroes in fractional seconds. */
+- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
+- ;
++ if(tzp == fracp) /* never looped, no digit after [.,] */
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ fracl = tzp - fracp; /* number of fractional sec digits */
++ DEBUGASSERT(fracl > 0);
++ /* Strip trailing zeroes in fractional seconds.
++ * May reduce fracl to 0 if only '0's are present. */
++ while(fracl && fracp[fracl - 1] == '0')
++ fracl--;
+ }
+
+ /* Process timezone. */
+- if(tzp >= end)
+- ; /* Nothing to do. */
++ if(tzp >= end) {
++ sep = " ";
++ tzp = "GMT";
++ tzl = 3;
++ }
++ else if((*tzp == '+') || (*tzp == '-')) {
++ sep = " UTC";
++ tzl = end - tzp;
++ } /* Nothing to do. */
+ else if(*tzp == 'Z') {
+ tzp = " GMT";
+ end = tzp + 4;
+ }
+ else {
+ sep = " ";
+- tzp++;
++ tzl = end - tzp;
+ }
+
+- tzl = end - tzp;
+ return curl_maprintf("%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
+ beg, beg + 4, beg + 6,
+ beg + 8, beg + 10, sec1, sec2,
+@@ -595,6 +607,15 @@ static const char *GTime2str(const char *beg, const char *end)
+ sep, (int)tzl, tzp);
+ }
+
++#ifdef UNITTESTS
++/* used by unit1656.c */
++CURLcode Curl_x509_GTime2str(struct dynbuf *store,
++ const char *beg, const char *end)
++{
++ return GTime2str(store, beg, end);
++}
++#endif
++
+ /*
+ * Convert an ASN.1 UTC time to a printable string.
+ * Return the dynamically allocated string, or NULL if an error occurs.
+diff --git a/lib/vtls/x509asn1.h b/lib/vtls/x509asn1.h
+index 5496de40e..93925718c 100644
+--- a/lib/vtls/x509asn1.h
++++ b/lib/vtls/x509asn1.h
+@@ -76,6 +76,17 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data, int certnum,
+ const char *beg, const char *end);
+ CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
+ const char *beg, const char *end);
++
++#ifdef UNITTESTS
++#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
++ defined(USE_MBEDTLS)
++
++/* used by unit1656.c */
++CURLcode Curl_x509_GTime2str(struct dynbuf *store,
++ const char *beg, const char *end);
++#endif
++#endif
++
+ #endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL
+ * or USE_SECTRANSP */
+ #endif /* HEADER_CURL_X509ASN1_H */