From 939be69ff93b0455282e8a7914135ed550707162 Mon Sep 17 00:00:00 2001 From: Shubham Shinde Date: Thu, 22 Aug 2024 23:52:08 +0530 Subject: [PATCH 1/7] (PA-6324) Add windowsfips-2016-x64 to agent-runtime-main and agent-runtime-7.x - Add the platform file for windowsfips-2016-x64. - Add windowsfips-2016 to ruby dtrace for both 7.x and main. - Set fips version and fips flags properly. - Set NM to the system nm (version 2.42) since mingw nm (version 2.25) conflicts with sed during curl-build. - Patch rbconfig.rb to remove the '\r' character appended to CONFIG["ruby_version"] during ruby-build. --- configs/components/curl.rb | 1 + configs/components/openssl-1.0.2.rb | 2 +- configs/components/ruby-2.7.8.rb | 16 +++++- configs/components/ruby-3.2.5.rb | 16 +++++- configs/platforms/windowsfips-2016-x64.rb | 54 ++++++++++++++++++++ configs/projects/_shared-agent-components.rb | 2 +- configs/projects/_shared-agent-settings.rb | 4 +- resources/patches/ruby_27/rbconfig_win.patch | 22 ++++++++ resources/patches/ruby_32/rbconfig_win.patch | 22 ++++++++ 9 files changed, 133 insertions(+), 6 deletions(-) create mode 100644 configs/platforms/windowsfips-2016-x64.rb create mode 100755 resources/patches/ruby_27/rbconfig_win.patch create mode 100644 resources/patches/ruby_32/rbconfig_win.patch diff --git a/configs/components/curl.rb b/configs/components/curl.rb index b7100d54e..ded62da68 100644 --- a/configs/components/curl.rb +++ b/configs/components/curl.rb @@ -27,6 +27,7 @@ elsif platform.is_windows? pkg.build_requires "runtime-#{settings[:runtime_project]}" pkg.environment "PATH", "$(shell cygpath -u #{settings[:gcc_bindir]}):$(PATH)" + pkg.environment "NM" , "/usr/bin/nm" if platform.name =~ /windowsfips-2016/ pkg.environment "CYGWIN", settings[:cygwin] elsif platform.is_aix? && platform.name != 'aix-7.1-ppc' pkg.environment "PKG_CONFIG_PATH", "/opt/puppetlabs/puppet/lib/pkgconfig" 
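Review bot: The added line `pkg.environment "NM" , "/usr/bin/nm" if platform.name =~ /windowsfips-2016/` has a stray space before the comma and carries none of the rationale given in the commit message, so a later reader has no way to tell why curl on this one platform needs a different nm. I would write it as `pkg.environment "NM", "/usr/bin/nm" if platform.name =~ /windowsfips-2016/` and precede it with `# mingw's nm (2.25) conflicts with sed during the curl build on windowsfips-2016; use the system nm (2.42) instead`. The enclosing `elsif platform.is_windows?` branch starts outside the hunk.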
diff --git a/configs/components/openssl-1.0.2.rb b/configs/components/openssl-1.0.2.rb index ce51a1cec..29108b6ec 100644 --- a/configs/components/openssl-1.0.2.rb +++ b/configs/components/openssl-1.0.2.rb @@ -129,7 +129,7 @@ 'no-ssl3', ] - configure_flags += ['fips', "--with-fipsdir=#{settings[:prefix]}/usr/local/ssl/fips-2.0"] if platform.name =~ /windowsfips-2012r2/ + configure_flags += ['fips', "--with-fipsdir=#{settings[:prefix]}/usr/local/ssl/fips-2.0"] if platform.name =~ /windowsfips-/ # Individual projects may provide their own openssl configure flags: project_flags = settings[:openssl_extra_configure_flags] || [] diff --git a/configs/components/ruby-2.7.8.rb b/configs/components/ruby-2.7.8.rb index 5346e3988..7ad7581d1 100644 --- a/configs/components/ruby-2.7.8.rb +++ b/configs/components/ruby-2.7.8.rb @@ -141,7 +141,8 @@ 'windows-2012r2-x64', 'windows-2012r2-x86', 'windows-2019-x64', - 'windowsfips-2012r2-x64' + 'windowsfips-2012r2-x64', + 'windowsfips-2016-x64' ] unless without_dtrace.include? platform.name @@ -170,6 +171,19 @@ ] end + if(platform.name =~ /windowsfips-2016/) + # We need the below patch since during ruby build step for windowsfips-2016-x64 agent-runtime builds, + # the rbconfig.rb file that gets generated contains '\r' trailing character in 'ruby_version' config. + # We patch rbconfig.rb to remove the '\r' character. + # This patch has to run after the build step since rbconfig.rb is generated during the build step. + # This is sort of a hacky way to do this. We need to find why the '\r' character gets appended to + # 'ruby_version' field in the future so that this patch can be removed - PA-6902. + pkg.add_source("#{base}/rbconfig_win.patch") + pkg.build do + ["TMP=/var/tmp /usr/bin/patch.exe --binary --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../rbconfig_win.patch"] + end + end + ######### # INSTALL ######### 
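Review bot: The new `pkg.build do` block in ruby-2.7.8.rb hard-codes `TMP=/var/tmp /usr/bin/patch.exe --binary`, which is exactly the string the new platform file sets as `plat.patch`, and `_base-ruby-augeas.rb` on this same page already reaches it through `#{platform.patch}`; the ruby-3.2.5.rb hunk duplicates the block verbatim. I would use `["#{platform.patch} --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../rbconfig_win.patch"]` in both components and drop the parentheses in `if(platform.name =~ /windowsfips-2016/)`. Two things I cannot confirm from the hunk and would verify: whether a second `pkg.build` in vanagon appends to or replaces the component's main build steps (if it replaces, the ruby build itself is lost), and whether `--fuzz=0` against a patch that pins the complete generated `rbconfig.rb` context (version string, arch triple, line numbers) survives the next ruby or toolchain bump — a `sed` that strips the trailing `\r` from the `ruby_version` line would be less brittle than a context patch.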
diff --git a/configs/components/ruby-3.2.5.rb b/configs/components/ruby-3.2.5.rb index 433c33698..58537063e 100644 --- a/configs/components/ruby-3.2.5.rb +++ b/configs/components/ruby-3.2.5.rb @@ -161,7 +161,8 @@ 'windows-2012r2-x64', 'windows-2012r2-x86', 'windows-2019-x64', - 'windowsfips-2012r2-x64' + 'windowsfips-2012r2-x64', + 'windowsfips-2016-x64' ] unless without_dtrace.include? platform.name @@ -195,6 +196,19 @@ ] end + if(platform.name =~ /windowsfips-2016/) + # We need the below patch since during ruby build step for windowsfips-2016-x64 agent-runtime builds, + # the rbconfig.rb file that gets generated contains '\r' trailing character in 'ruby_version' config. + # We patch rbconfig.rb to remove the '\r' character. + # This patch has to run after the build step since rbconfig.rb is generated during the build step. + # This is sort of a hacky way to do this. We need to find why the '\r' character gets appended to + # 'ruby_version' field in the future so that this patch can be removed - PA-6902. + pkg.add_source("#{base}/rbconfig_win.patch") + pkg.build do + ["TMP=/var/tmp /usr/bin/patch.exe --binary --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../rbconfig_win.patch"] + end + end + ######### # INSTALL ######### diff --git a/configs/platforms/windowsfips-2016-x64.rb b/configs/platforms/windowsfips-2016-x64.rb new file mode 100644 index 000000000..4d32b41e2 --- /dev/null +++ b/configs/platforms/windowsfips-2016-x64.rb 
@@ -0,0 +1,54 @@ +platform "windowsfips-2016-x64" do |plat| + plat.vmpooler_template 'win-2016-fips-x86_64' + + plat.servicetype 'windows' + visual_studio_version = '2017' + visual_studio_sdk_version = 'win8.1' + + # We need to ensure we install chocolatey prior to adding any nuget repos. Otherwise, everything will fall over + plat.add_build_repository "https://artifactory.delivery.puppetlabs.net/artifactory/generic/buildsources/windows/chocolatey/install-chocolatey-1.4.0.ps1" + plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe feature enable -n useFipsCompliantChecksums" + + plat.add_build_repository "https://artifactory.delivery.puppetlabs.net/artifactory/api/nuget/nuget" + + # C:\tools is likely added by mingw, however because we also want to use that + # dir for vsdevcmd.bat we create it for safety + plat.provision_with "mkdir -p C:/tools" + # We don't want to install any packages from the chocolatey repo by accident + plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe sources remove -name chocolatey" + + packages = [ + "cmake", + "pl-gdbm-#{self._platform.architecture}", + "pl-iconv-#{self._platform.architecture}", + "pl-libffi-#{self._platform.architecture}", + "pl-pdcurses-#{self._platform.architecture}", + "pl-toolchain-#{self._platform.architecture}", + "pl-zlib-#{self._platform.architecture}", + "mingw-w64 -version 5.2.0 -debug", + ] + + packages.each do |name| + plat.provision_with("C:/ProgramData/chocolatey/bin/choco.exe install -y --no-progress #{name}") + end + # We use cache-location in the following install because msvc has several long paths + # if we do not update the cache location choco will fail because paths get too long + plat.provision_with "C:/ProgramData/chocolatey/bin/choco.exe install msvc.#{visual_studio_version}-#{visual_studio_sdk_version}.sdk.en-us -y --cache-location=\"C:\\msvc\" --no-progress" + # The following creates a batch file that will execute the vsdevcmd batch file located within visual studio. 
+ # We create the following batch file under C:\tools\vsdevcmd.bat so we can avoid using both the %ProgramFiles(x86)% + # evironment var, as well as any spaces in the path when executing things with cygwin. This makes command execution + # through cygwin much easier. + # + # Note that the unruly \'s in the following string escape the following sequence to literal chars: "\" and then \"" + plat.provision_with "touch C:/tools/vsdevcmd.bat && echo \"\\\"%ProgramFiles(x86)%\\Microsoft Visual Studio\\#{visual_studio_version}\\BuildTools\\Common7\\Tools\\vsdevcmd\\\"\" >> C:/tools/vsdevcmd.bat" + + plat.install_build_dependencies_with "C:/ProgramData/chocolatey/bin/choco.exe install -y --no-progress" + + plat.make "/usr/bin/make" + plat.patch "TMP=/var/tmp /usr/bin/patch.exe --binary" + + plat.platform_triple "x86_64-w64-mingw32" + + plat.package_type "archive" + plat.output_dir "windows" +end diff --git a/configs/projects/_shared-agent-components.rb b/configs/projects/_shared-agent-components.rb index 6e722cc46..667aa77c9 100644 --- a/configs/projects/_shared-agent-components.rb +++ b/configs/projects/_shared-agent-components.rb @@ -26,7 +26,7 @@ elsif platform.name =~ /^redhatfips-.*/ proj.component "openssl-1.1.1-fips" else - proj.component "openssl-fips-2.0.16" if platform.name =~ /windowsfips-2012r2/ && proj.openssl_version =~ /1.0.2/ + proj.component "openssl-fips-2.0.16" if platform.name =~ /windowsfips-/ && proj.openssl_version =~ /1.0.2/ proj.component "openssl-#{proj.openssl_version}" end diff --git a/configs/projects/_shared-agent-settings.rb b/configs/projects/_shared-agent-settings.rb index 1baff55b1..f8e578c7d 100644 --- a/configs/projects/_shared-agent-settings.rb +++ b/configs/projects/_shared-agent-settings.rb 
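Review bot: `plat.add_build_repository` fetches and runs `install-chocolatey-1.4.0.ps1` from artifactory before `useFipsCompliantChecksums` is enabled, and nothing in the file pins what that script or the later `choco install -y` packages are expected to be, so the build host's trust boundary is the artifactory server alone. If that is the intended model (an internal, access-controlled mirror), a sentence saying so in the comment above that line would settle it; if not, a pinned checksum on the bootstrap script is the place to start. Minor: `mingw-w64 -version 5.2.0 -debug` passes what appears to be choco's debug-output switch with no explanation, so a short comment stating why it is there would help, and `# evironment var` should read `# environment var`.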
@@ -162,7 +162,7 @@ proj.setting(:openssl_version, '3.0') elsif platform.name =~ /^redhatfips-/ proj.setting(:openssl_version, '1.1.1-fips') -elsif platform.name =~ /^windowsfips-2012r2/ +elsif platform.name =~ /^windowsfips-/ proj.setting(:openssl_version, '1.0.2') else proj.setting(:openssl_version, '1.1.1') @@ -183,7 +183,7 @@ proj.setting(:cflags, "#{proj.cppflags}") ldflags = "-L#{proj.tools_root}/lib -L#{proj.gcc_root}/lib -L#{proj.libdir} -Wl,--nxcompat" - if platform.name !~ /windowsfips-2012r2/ || name != 'agent-runtime-7.x' + if platform.name !~ /windowsfips-/ || name != 'agent-runtime-7.x' ldflags += ' -Wl,--dynamicbase' end proj.setting(:ldflags, ldflags) diff --git a/resources/patches/ruby_27/rbconfig_win.patch b/resources/patches/ruby_27/rbconfig_win.patch new file mode 100755 index 000000000..bf08d4edd --- /dev/null +++ b/resources/patches/ruby_27/rbconfig_win.patch @@ -0,0 +1,22 @@ +diff --git a/rbconfig.rb b/rbconfig.rb +index de4f173..87459fe 100644 +--- a/rbconfig.rb ++++ b/rbconfig.rb +@@ -13,7 +13,7 @@ module RbConfig + raise "ruby lib version (2.7.8) doesn't match executable version (#{RUBY_VERSION})" + + # Ruby installed directory. +- TOPDIR = File.dirname(__FILE__).chomp!("/lib/ruby/2.7.0\r/x64-mingw32") ++ TOPDIR = File.dirname(__FILE__).chomp!("/lib/ruby/2.7.0/x64-mingw32") + # DESTDIR on make install. + DESTDIR = TOPDIR && TOPDIR[/\A[a-z]:/i] || '' unless defined? DESTDIR + # The hash configurations stored. +@@ -54,7 +54,7 @@ module RbConfig + CONFIG["sitedir"] = "$(rubylibprefix)/site_ruby" + CONFIG["rubyarchdir"] = "$(rubylibdir)/$(arch)" + CONFIG["rubylibdir"] = "$(rubylibprefix)/$(ruby_version)" +- CONFIG["ruby_version"] = "2.7.0\r" ++ CONFIG["ruby_version"] = "2.7.0" + CONFIG["sitearch"] = "x64-msvcrt" + CONFIG["arch"] = "x64-mingw32" + CONFIG["sitearchincludedir"] = "$(includedir)/$(sitearch)" 
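Review bot: Broadening `if platform.name !~ /windowsfips-/ || name != 'agent-runtime-7.x'` means agent-runtime-7.x on windowsfips-2016 now also links without `-Wl,--dynamicbase`, i.e. without ASLR, and nothing on the page records why the 2012r2 build needed that exception in the first place. If the reason is that the OpenSSL FIPS 2.0 module's integrity check does not tolerate a relocated image, a comment such as `# the openssl-fips-2.0 module used with 1.0.2 on windowsfips cannot be built with --dynamicbase` would let a future reviewer re-enable the flag when that constraint goes away; if the reason was 2012r2-specific, the flag should stay on for 2016. Separately, this file anchors its match as `/^windowsfips-/` while the openssl-1.0.2.rb and _shared-agent-components.rb hunks use the unanchored `/windowsfips-/`; pick one form so the three conditions cannot drift apart.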
diff --git a/resources/patches/ruby_32/rbconfig_win.patch b/resources/patches/ruby_32/rbconfig_win.patch new file mode 100644 index 000000000..2c3d32c4c --- /dev/null +++ b/resources/patches/ruby_32/rbconfig_win.patch @@ -0,0 +1,22 @@ +diff --git a/rbconfig.rb b/rbconfig.rb +index 592dd52..a994b0a 100644 +--- a/rbconfig.rb ++++ b/rbconfig.rb +@@ -13,7 +13,7 @@ module RbConfig + raise "ruby lib version (3.2.5) doesn't match executable version (#{RUBY_VERSION})" + + # Ruby installed directory. +- TOPDIR = File.dirname(__FILE__).chomp!("/lib/ruby/3.2.0\r/x64-mingw32") ++ TOPDIR = File.dirname(__FILE__).chomp!("/lib/ruby/3.2.0/x64-mingw32") + # DESTDIR on make install. + DESTDIR = TOPDIR && TOPDIR[/\A[a-z]:/i] || '' unless defined? DESTDIR + # The hash configurations stored. +@@ -55,7 +55,7 @@ module RbConfig + CONFIG["sitedir"] = "$(rubylibprefix)/site_ruby" + CONFIG["rubyarchdir"] = "$(rubylibdir)/$(arch)" + CONFIG["rubylibdir"] = "$(rubylibprefix)/$(ruby_version)" +- CONFIG["ruby_version"] = "3.2.0\r" ++ CONFIG["ruby_version"] = "3.2.0" + CONFIG["sitearch"] = "x64-msvcrt" + CONFIG["arch"] = "x64-mingw32" + CONFIG["sitearchincludedir"] = "$(includedir)/$(sitearch)" From b166fcdaf03c54e3a1e78fd5d3d0d1a66af124e4 Mon Sep 17 00:00:00 2001 From: Maqsood Ahmad Date: Mon, 26 Aug 2024 11:30:07 +0530 Subject: [PATCH 2/7] (PA-6901) Bump REXML to 3.3.6 to address CVE-2024-43398 --- configs/components/rubygem-rexml.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configs/components/rubygem-rexml.rb b/configs/components/rubygem-rexml.rb index 48b0ff231..8ea510cd8 100644 --- a/configs/components/rubygem-rexml.rb +++ b/configs/components/rubygem-rexml.rb 
@@ -1,6 +1,6 @@ component 'rubygem-rexml' do |pkg, settings, platform| - pkg.version '3.3.4' - pkg.md5sum 'b7411377f3c1a9cbe65e862f74067f91' + pkg.version '3.3.6' + pkg.md5sum 'be54ad1a5f661ebf9824bf6ca36e50eb' # If the platform is solaris with sparc architecture in agent-runtime-7.x project, we want to gem install rexml # ignoring the dependencies, this is because the pl-ruby version used in these platforms is ancient so it gets @@ -9,6 +9,6 @@ if platform.name =~ /solaris-(10|11)-sparc/ && settings[:ruby_version].to_i < 3 settings["#{pkg.get_name}_gem_install_options".to_sym] = "--ignore-dependencies" end - + instance_eval File.read('configs/components/_base-rubygem.rb') end From f545d2d9592b43b662731e161ab607c16a0143de Mon Sep 17 00:00:00 2001 From: Amit Karsale Date: Wed, 28 Aug 2024 11:51:35 +0530 Subject: [PATCH 3/7] (PA-6900) Update ruby-augeas to 0.6.0 --- configs/components/_base-ruby-augeas.rb | 14 +++----------- .../ruby-augeas-0.5.0-patch_c_extension.patch | 12 ------------ ...ugeas-0.5.0-patch_remove_unused_parameter.patch | 12 ------------ 3 files changed, 3 insertions(+), 35 deletions(-) delete mode 100644 resources/patches/augeas/ruby-augeas-0.5.0-patch_c_extension.patch delete mode 100644 resources/patches/augeas/ruby-augeas-0.5.0-patch_remove_unused_parameter.patch diff --git a/configs/components/_base-ruby-augeas.rb b/configs/components/_base-ruby-augeas.rb index 47ffc5c3c..e22ec78ab 100644 --- a/configs/components/_base-ruby-augeas.rb +++ b/configs/components/_base-ruby-augeas.rb 
@@ -3,10 +3,6 @@ # load it with instance_eval. See ruby-x.y-augeas.rb configs. # -pkg.add_source("file://resources/patches/augeas/ruby-augeas-0.5.0-patch_c_extension.patch") - -# We can remove the below patch after https://github.com/hercules-team/ruby-augeas/pull/17 is merged. -pkg.add_source("file://resources/patches/augeas/ruby-augeas-0.5.0-patch_remove_unused_parameter.patch") # These can be overridden by the including component. ruby_version ||= settings[:ruby_version] @@ -14,9 +10,9 @@ ruby_dir ||= settings[:ruby_dir] ruby_bindir ||= settings[:ruby_bindir] -pkg.version "0.5.0" -pkg.md5sum "a132eace43ce13ccd059e22c0b1188ac" -pkg.url "http://download.augeas.net/ruby/ruby-augeas-#{pkg.get_version}.tgz" +pkg.version "0.6.0" +pkg.md5sum "3c2a13b748300b5a984bab9a30e74d0f" +pkg.url "https://github.com/hercules-team/ruby-augeas/releases/download/release-#{pkg.get_version}/ruby-augeas-#{pkg.get_version}.tgz" pkg.mirror "#{settings[:buildsources_url]}/ruby-augeas-#{pkg.get_version}.tgz" pkg.build_requires "ruby-#{ruby_version}" @@ -75,10 +71,6 @@ pkg.build do build_commands = [] - if ruby_version =~ /^3/ - build_commands << "#{platform.patch} --strip=2 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../ruby-augeas-0.5.0-patch_c_extension.patch" - end - build_commands << "#{platform.patch} --strip=2 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../ruby-augeas-0.5.0-patch_remove_unused_parameter.patch" build_commands << "#{ruby} ext/augeas/extconf.rb" build_commands << "#{platform[:make]} -e -j$(shell expr $(shell #{platform[:num_cores]}) + 1)" diff --git a/resources/patches/augeas/ruby-augeas-0.5.0-patch_c_extension.patch b/resources/patches/augeas/ruby-augeas-0.5.0-patch_c_extension.patch deleted file mode 100644 index 7b73f8eb3..000000000 --- a/resources/patches/augeas/ruby-augeas-0.5.0-patch_c_extension.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -diff --git a/ruby-augeas-0.5.0/ext/augeas/_augeas.c b/ruby-augeas-0.5.0/ext/augeas/_augeas.c -index 95d9e05024..7aac0eb96d 100644 ---- a/ruby-augeas-0.5.0/ext/augeas/_augeas.c -+++ b/ruby-augeas-0.5.0/ext/augeas/_augeas.c -@@ -489,6 +489,7 @@ void Init__augeas() { - - /* Define the ruby class */ - c_augeas = rb_define_class("Augeas", rb_cObject) ; -+ rb_undef_alloc_func(c_augeas); - - /* Constants for enum aug_flags */ - #define DEF_AUG_FLAG(name) \ diff --git a/resources/patches/augeas/ruby-augeas-0.5.0-patch_remove_unused_parameter.patch b/resources/patches/augeas/ruby-augeas-0.5.0-patch_remove_unused_parameter.patch deleted file mode 100644 index 416ac7b11..000000000 --- a/resources/patches/augeas/ruby-augeas-0.5.0-patch_remove_unused_parameter.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/ext/augeas/_augeas.c b/ext/augeas/_augeas.c -index f9b49d1..7ef0d7d 100644 ---- a/ruby-augeas-0.5.0/ext/augeas/_augeas.c -+++ b/ruby-augeas-0.5.0/ext/augeas/_augeas.c -@@ -184,7 +184,7 @@ VALUE augeas_mv(VALUE s, VALUE src, VALUE dst) { - * - * Remove path and all its children. Returns the number of entries removed - */ --VALUE augeas_rm(VALUE s, VALUE path, VALUE sibling) { -+VALUE augeas_rm(VALUE s, VALUE path) { - augeas *aug = aug_handle(s); - const char *cpath = StringValueCStr(path) ; From 3e9c3071f9121529a44be3da3896b5fe7f854fc3 Mon Sep 17 00:00:00 2001 From: Maqsood Ahmad Date: Fri, 23 Aug 2024 13:02:59 +0530 Subject: [PATCH 4/7] (PA-6881) Adding rexml gem to agent-runtime-main for CVE-2024-41123 and CVE-2024-41946 --- configs/components/_base-rubygem.rb | 18 +++++++++--------- configs/components/rubygem-rexml.rb | 2 ++ configs/projects/_shared-agent-components.rb | 6 ++++++ configs/projects/_shared-agent-settings.rb | 1 + configs/projects/agent-runtime-7.x.rb | 5 ----- 5 files changed, 18 insertions(+), 14 deletions(-) diff --git a/configs/components/_base-rubygem.rb b/configs/components/_base-rubygem.rb index a5614b81b..0d16ecbe6 100644 
--- a/configs/components/_base-rubygem.rb +++ b/configs/components/_base-rubygem.rb @@ -40,13 +40,13 @@ # If a gem needs more command line options to install set the :gem_install_options # in its component file rubygem-, before the instance_eval of this file. gem_install_options = settings["#{pkg.get_name}_gem_install_options".to_sym] -if gem_install_options.nil? - pkg.install do - "#{settings[:gem_install]} #{name}-#{version}.gem" - end -else - pkg.install do - "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}" - end +remove_older_versions = settings["#{pkg.get_name}_remove_older_versions".to_sym] +pkg.install do + steps = [] + steps << "#{settings[:gem_uninstall]} #{name}" if remove_older_versions + steps << if gem_install_options.nil? + "#{settings[:gem_install]} #{name}-#{version}.gem" + else + "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}" + end end - diff --git a/configs/components/rubygem-rexml.rb b/configs/components/rubygem-rexml.rb index 48b0ff231..c58758bff 100644 --- a/configs/components/rubygem-rexml.rb +++ b/configs/components/rubygem-rexml.rb @@ -2,6 +2,8 @@ pkg.version '3.3.4' pkg.md5sum 'b7411377f3c1a9cbe65e862f74067f91' + settings["#{pkg.get_name}_remove_older_versions".to_sym] = true + # If the platform is solaris with sparc architecture in agent-runtime-7.x project, we want to gem install rexml # ignoring the dependencies, this is because the pl-ruby version used in these platforms is ancient so it gets # confused when installing rexml. It tries to install rexml's dependency 'strscan' by building native extensions diff --git a/configs/projects/_shared-agent-components.rb b/configs/projects/_shared-agent-components.rb index 6e722cc46..bbcc60c9e 100644 --- a/configs/projects/_shared-agent-components.rb +++ b/configs/projects/_shared-agent-components.rb 
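Review bot: The new `steps << "#{settings[:gem_uninstall]} #{name}" if remove_older_versions` line runs `gem uninstall --all --ignore-dependencies rexml` (the setting added in the _shared-agent-settings.rb hunk) on every platform, but on the ruby 3 runtime the only pre-existing rexml is a default gem, which RubyGems refuses to uninstall; whether that refusal exits non-zero, and so fails the make step, is worth checking before the build relies on it. `steps << if gem_install_options.nil? ... end` reads awkwardly; computing the install command into a local first, e.g. `install_cmd = [settings[:gem_install], "#{name}-#{version}.gem", gem_install_options].compact.join(' ')`, and then `steps << install_cmd` is equivalent and easier to scan. Note also that the rubygem-rexml.rb hunk in this commit still shows `pkg.version '3.3.4'` as context (both it and 2/7 start from blob 48b0ff231), so applied in series order after 2/7 bumped it to 3.3.6 this hunk will not apply cleanly.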
@@ -62,6 +62,12 @@ proj.component 'rubygem-fast_gettext' proj.component 'rubygem-ffi' +# We add rexml explicitly in here because even though ruby 3 ships with rexml as its default gem, the version +# of rexml it ships with contains CVE-2024-41946, CVE-2024-41123, CVE-2024-35176 and CVE-2024-39908. +# So, we add it here to update to a higher version +# free from the CVEs. +proj.component 'rubygem-rexml' + if platform.is_windows? || platform.is_solaris? || platform.is_aix? proj.component 'rubygem-minitar' end diff --git a/configs/projects/_shared-agent-settings.rb b/configs/projects/_shared-agent-settings.rb index 22d76367f..f9d45724f 100644 --- a/configs/projects/_shared-agent-settings.rb +++ b/configs/projects/_shared-agent-settings.rb @@ -131,6 +131,7 @@ end proj.setting(:gem_install, "#{proj.host_gem} install --no-rdoc --no-ri --local ") +proj.setting(:gem_uninstall, "#{proj.host_gem} uninstall --all --ignore-dependencies ") # For AIX, we use the triple to install a better rbconfig if platform.is_aix? diff --git a/configs/projects/agent-runtime-7.x.rb b/configs/projects/agent-runtime-7.x.rb index 1d55aeec8..93f45363a 100644 --- a/configs/projects/agent-runtime-7.x.rb +++ b/configs/projects/agent-runtime-7.x.rb @@ -61,11 +61,6 @@ proj.component 'rubygem-thor' proj.component 'rubygem-scanf' - # We add rexml explicitly in here because even though ruby 2 ships with rexml as its default gem, the version - # of rexml it ships with contains CVE-2024-35176 and CVE-2024-39908. So, we add it here to update to a higher version - # free from the CVEs. - proj.component 'rubygem-rexml' - if platform.is_linux? proj.component "virt-what" proj.component "dmidecode" unless platform.architecture =~ /ppc64/ From 8954d1b3b4d349435eba0ae9cd0e3df64ce32000 Mon Sep 17 00:00:00 2001 
From: Maqsood Ahmad Date: Thu, 29 Aug 2024 18:34:08 +0530 Subject: [PATCH 5/7] (PA-6282) RDoc vulnerability in Puppet7/Ruby 2.7.8 (CVE-2024-27281) --- configs/components/ruby-2.7.8.rb | 3 + ...0001-Filter-marshaled-objects-ruby30.patch | 94 +++++++++++++++++++ ...-and-safe_load_file-for-rdoc_options.patch | 57 +++++++++++ 3 files changed, 154 insertions(+) create mode 100644 resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch create mode 100644 resources/patches/ruby_27/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch diff --git a/configs/components/ruby-2.7.8.rb b/configs/components/ruby-2.7.8.rb index 3ef82786b..f708889a9 100644 --- a/configs/components/ruby-2.7.8.rb +++ b/configs/components/ruby-2.7.8.rb @@ -43,6 +43,9 @@ pkg.apply_patch "#{base}/uri-redos-cve-2023-36617.patch" pkg.apply_patch "#{base}/stringio_cve-2024-27280.patch" + pkg.apply_patch "#{base}/0001-Filter-marshaled-objects-ruby30.patch" + pkg.apply_patch "#{base}/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch" + if platform.is_cross_compiled? unless platform.is_macos? pkg.apply_patch "#{base}/uri_generic_remove_safe_nav_operator_r2.5.patch" diff --git a/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch b/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch new file mode 100644 index 000000000..7741d321b --- /dev/null +++ b/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch 
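Review bot: The two new `pkg.apply_patch` lines pull in patches written against Ruby 3.0, and each contains something that does not hold on the 2.7.8 tree they are applied to. In `0001-Filter-marshaled-objects-ruby30.patch` the filter calls `obj.class.name.start_with("RDoc::")` — the method is `start_with?` — so every object whose class is not in the `when` list raises `NoMethodError` instead of being accepted, and the ri/rdoc store load fails outright rather than being filtered. In `0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch`, `YAML.safe_load_file` is, as far as I recall, a psych 3.3 / Ruby 3.0 addition not present in the psych bundled with 2.7; the older form `YAML.safe_load(File.read('.rdoc_options'), permitted_classes: [RDoc::Options, Symbol])`, which the same patch already uses in its test hunk, works on 2.7. A short comment next to the first `apply_patch` noting that `Marshal.load`'s filter proc is, as I understand it, invoked after each object has been constructed (it rejects the result, it does not prevent allocation) would set the right expectation for what this hardening does and does not give.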
@@ -0,0 +1,94 @@ +From 6a35becc9ac9f4b27b1d5b5b1fb8cf7aa9b49d5d Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Tue, 20 Feb 2024 17:30:25 +0900 +Subject: [PATCH] Filter marshaled objects + +--- + lib/rdoc/store.rb | 45 ++++++++++++++++++++++++++------------------- + 1 file changed, 26 insertions(+), 19 deletions(-) + +diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb +index 5ba671ca1b..5b663d73fb 100644 +--- a/lib/rdoc/store.rb ++++ b/lib/rdoc/store.rb +@@ -556,9 +556,7 @@ def load_all + def load_cache + #orig_enc = @encoding + +- File.open cache_path, 'rb' do |io| +- @cache = Marshal.load io.read +- end ++ @cache = marshal_load(cache_path) + + load_enc = @cache[:encoding] + +@@ -615,9 +613,7 @@ def load_class klass_name + def load_class_data klass_name + file = class_file klass_name + +- File.open file, 'rb' do |io| +- Marshal.load io.read +- end ++ marshal_load(file) + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name) + error.set_backtrace e.backtrace +@@ -630,14 +626,10 @@ def load_class_data klass_name + def load_method klass_name, method_name + file = method_file klass_name, method_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io.read +- obj.store = self +- obj.parent = +- find_class_or_module(klass_name) || load_class(klass_name) unless +- obj.parent +- obj +- end ++ obj = marshal_load(file) ++ obj.store = self ++ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name) ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name + method_name) + error.set_backtrace e.backtrace +@@ -650,11 +642,9 @@ def load_method klass_name, method_name + def load_page page_name + file = page_file page_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io.read +- obj.store = self +- obj +- end ++ obj = marshal_load(file) ++ obj.store = self ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, page_name) + error.set_backtrace e.backtrace +@@ 
-976,4 +966,21 @@ def unique_modules + @unique_modules + end + ++ private ++ def marshal_load(file) ++ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)} ++ end ++ ++ MarshalFilter = proc do |obj| ++ case obj ++ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text ++ else ++ unless obj.class.name.start_with("RDoc::") ++ raise TypeError, "not permitted class: #{obj.class.name}" ++ end ++ end ++ obj ++ end ++ private_constant :MarshalFilter ++ + end +-- +2.43.2 + diff --git a/resources/patches/ruby_27/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch b/resources/patches/ruby_27/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch new file mode 100644 index 000000000..70bd18b84 --- /dev/null +++ b/resources/patches/ruby_27/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch 
@@ -0,0 +1,57 @@ +author Marc Deslauriers 2024-06-19 10:33:00 -0400 +committer git-ubuntu importer 2024-06-26 12:22:56 +0000 +commit 7584287c1cf59926252197badedde2cbc08e084c (patch) +tree 246e4fa465245f04c53f82cfb8cfeda7ea843db4 +parent 7128299adb87ba73094732751d96621648db1bce (diff) +[PATCH] Use safe_load and safe_load_file for .rdoc_options +Gbp-Pq: CVE-2024-27281-2.patch. +Diffstat +-rw-r--r-- lib/rdoc/rdoc.rb 3 +-rw-r--r-- test/rdoc/test_rdoc_options.rb 6 +2 files changed, 5 insertions, 4 deletions +diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb +index 605172ae..f6105c68 100644 +--- a/lib/rdoc/rdoc.rb ++++ b/lib/rdoc/rdoc.rb +@@ -156,8 +156,9 @@ class RDoc::RDoc + RDoc.load_yaml + + begin +- options = YAML.load_file '.rdoc_options' ++ options = YAML.safe_load_file '.rdoc_options', permitted_classes: [RDoc::Options, Symbol] + rescue Psych::SyntaxError ++ raise RDoc::Error, "#{options_file} is not a valid rdoc options file" + end + + raise RDoc::Error, "#{options_file} is not a valid rdoc options file" unless +diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb +index 140c4afc..f547f5bf 100644 +--- a/test/rdoc/test_rdoc_options.rb ++++ b/test/rdoc/test_rdoc_options.rb +@@ -145,7 +145,7 @@ class TestRDocOptions < RDoc::TestCase + + @options.encoding = Encoding::IBM437 + +- options = YAML.load YAML.dump @options ++ options = YAML.safe_load(YAML.dump(@options), permitted_classes: [RDoc::Options, Symbol]) + + assert_equal Encoding::IBM437, options.encoding + end +@@ -161,7 +161,7 @@ rdoc_include: + - /etc + YAML + +- options = YAML.load yaml ++ options = YAML.safe_load(yaml, permitted_classes: [RDoc::Options, Symbol]) + + assert_empty options.rdoc_include + assert_empty options.static_path +@@ -749,7 +749,7 @@ rdoc_include: + + assert File.exist? 
'.rdoc_options' + +- assert_equal @options, YAML.load(File.read('.rdoc_options')) ++ assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), permitted_classes: [RDoc::Options, Symbol]) + end + end + From 446dc91ee640daa1293c7cd7535cc36fe827a9be Mon Sep 17 00:00:00 2001 From: Amit Karsale Date: Fri, 30 Aug 2024 18:08:19 +0530 Subject: [PATCH 6/7] (PA-6878) Patch agent-runtime-7.x and main Curl for CVE-2024-7264 --- configs/components/curl.rb | 1 + resources/patches/curl/CVE-2024-7264.patch | 93 ++++++++++++++++++++++ 2 files changed, 94 insertions(+) create mode 100644 resources/patches/curl/CVE-2024-7264.patch diff --git a/configs/components/curl.rb b/configs/components/curl.rb index 08e78cf33..95b3ecf1a 100644 --- a/configs/components/curl.rb +++ b/configs/components/curl.rb @@ -48,6 +48,7 @@ pkg.apply_patch 'resources/patches/curl/CVE-2023-46218.patch' pkg.apply_patch 'resources/patches/curl/CVE-2024-2004.patch' pkg.apply_patch 'resources/patches/curl/CVE-2024-2398.patch' + pkg.apply_patch 'resources/patches/curl/CVE-2024-7264.patch' end configure_options = [] diff --git a/resources/patches/curl/CVE-2024-7264.patch b/resources/patches/curl/CVE-2024-7264.patch new file mode 100644 index 000000000..220a13800 --- /dev/null +++ b/resources/patches/curl/CVE-2024-7264.patch 
@@ -0,0 +1,93 @@ +diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c +index 39e4fb33b..7e2e3d724 100644 +--- a/lib/vtls/x509asn1.c ++++ b/lib/vtls/x509asn1.c +@@ -566,28 +566,40 @@ static const char *GTime2str(const char *beg, const char *end) + tzp = fracp; + fracl = 0; + if(fracp < end && (*fracp == '.' || *fracp == ',')) { +- fracp++; +- do ++ /* Have fractional seconds, e.g. "[.,]\d+". How many? */ ++ fracp++; /* should be a digit char or BAD ARGUMENT */ ++ tzp = fracp; ++ while(tzp < end && ISDIGIT(*tzp)) + tzp++; +- while(tzp < end && *tzp >= '0' && *tzp <= '9'); +- /* Strip leading zeroes in fractional seconds. */ +- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--) +- ; ++ if(tzp == fracp) /* never looped, no digit after [.,] */ ++ return CURLE_BAD_FUNCTION_ARGUMENT; ++ fracl = tzp - fracp; /* number of fractional sec digits */ ++ DEBUGASSERT(fracl > 0); ++ /* Strip trailing zeroes in fractional seconds. ++ * May reduce fracl to 0 if only '0's are present. */ ++ while(fracl && fracp[fracl - 1] == '0') ++ fracl--; + } + + /* Process timezone. */ +- if(tzp >= end) +- ; /* Nothing to do. */ ++ if(tzp >= end) { ++ sep = " "; ++ tzp = "GMT"; ++ tzl = 3; ++ } ++ else if((*tzp == '+') || (*tzp == '-')) { ++ sep = " UTC"; ++ tzl = end - tzp; ++ } /* Nothing to do. */ + else if(*tzp == 'Z') { + tzp = " GMT"; + end = tzp + 4; + } + else { + sep = " "; +- tzp++; ++ tzl = end - tzp; + } + +- tzl = end - tzp; + return curl_maprintf("%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s", + beg, beg + 4, beg + 6, + beg + 8, beg + 10, sec1, sec2, +@@ -595,6 +607,15 @@ static const char *GTime2str(const char *beg, const char *end) + sep, (int)tzl, tzp); + } + ++#ifdef UNITTESTS ++/* used by unit1656.c */ ++CURLcode Curl_x509_GTime2str(struct dynbuf *store, ++ const char *beg, const char *end) ++{ ++ return GTime2str(store, beg, end); ++} ++#endif ++ + /* + * Convert an ASN.1 UTC time to a printable string. 
+ * Return the dynamically allocated string, or NULL if an error occurs. +diff --git a/lib/vtls/x509asn1.h b/lib/vtls/x509asn1.h +index 5496de40e..93925718c 100644 +--- a/lib/vtls/x509asn1.h ++++ b/lib/vtls/x509asn1.h +@@ -76,6 +76,17 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data, int certnum, + const char *beg, const char *end); + CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data, + const char *beg, const char *end); ++ ++#ifdef UNITTESTS ++#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \ ++ defined(USE_MBEDTLS) ++ ++/* used by unit1656.c */ ++CURLcode Curl_x509_GTime2str(struct dynbuf *store, ++ const char *beg, const char *end); ++#endif ++#endif ++ + #endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL + * or USE_SECTRANSP */ + #endif /* HEADER_CURL_X509ASN1_H */ From 0cd19d49719d4092203d49e14dac4adaaa3c4f97 Mon Sep 17 00:00:00 2001 From: Amit Karsale Date: Sat, 31 Aug 2024 07:07:35 +0530 Subject: [PATCH 7/7] Revert "(PA-6900) Update ruby-augeas to 0.6.0" --- configs/components/_base-ruby-augeas.rb | 14 +++++++++++--- .../ruby-augeas-0.5.0-patch_c_extension.patch | 12 ++++++++++++ ...ugeas-0.5.0-patch_remove_unused_parameter.patch | 12 ++++++++++++ 3 files changed, 35 insertions(+), 3 deletions(-) create mode 100644 resources/patches/augeas/ruby-augeas-0.5.0-patch_c_extension.patch create mode 100644 resources/patches/augeas/ruby-augeas-0.5.0-patch_remove_unused_parameter.patch diff --git a/configs/components/_base-ruby-augeas.rb b/configs/components/_base-ruby-augeas.rb index e22ec78ab..47ffc5c3c 100644 --- a/configs/components/_base-ruby-augeas.rb +++ b/configs/components/_base-ruby-augeas.rb 
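Review bot: Inside `static const char *GTime2str(const char *beg, const char *end)` the backported line `return CURLE_BAD_FUNCTION_ARGUMENT;` returns an enum from a function whose contract, per the comment on the neighbouring UTime2str, is "the dynamically allocated string, or NULL if an error occurs"; the caller would receive a small non-NULL integer reinterpreted as a pointer, which is a worse failure than the overread the patch is meant to fix, and newer compilers may reject the int-to-pointer conversion outright. In this tree the line should be `return NULL;`. Second, the unconditional `tzl = end - tzp;` after the timezone branches is deleted, but the surviving `else if(*tzp == 'Z')` branch (`tzp = " GMT"; end = tzp + 4;`) no longer assigns `tzl`, so that branch now formats with whatever `tzl` held before (its initialization is outside the hunk) — give that branch `tzl = 4;` or port the upstream form of the branch wholesale. The `#ifdef UNITTESTS` wrapper calls `GTime2str(store, beg, end)` with three arguments against the two-argument signature; it is compiled only in unit-test builds, but it will not build there.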
@@ -3,6 +3,10 @@ # load it with instance_eval. See ruby-x.y-augeas.rb configs. # +pkg.add_source("file://resources/patches/augeas/ruby-augeas-0.5.0-patch_c_extension.patch") + +# We can remove the below patch after https://github.com/hercules-team/ruby-augeas/pull/17 is merged. +pkg.add_source("file://resources/patches/augeas/ruby-augeas-0.5.0-patch_remove_unused_parameter.patch") # These can be overridden by the including component. ruby_version ||= settings[:ruby_version] @@ -10,9 +14,9 @@ ruby_dir ||= settings[:ruby_dir] ruby_bindir ||= settings[:ruby_bindir] -pkg.version "0.6.0" -pkg.md5sum "3c2a13b748300b5a984bab9a30e74d0f" -pkg.url "https://github.com/hercules-team/ruby-augeas/releases/download/release-#{pkg.get_version}/ruby-augeas-#{pkg.get_version}.tgz" +pkg.version "0.5.0" +pkg.md5sum "a132eace43ce13ccd059e22c0b1188ac" +pkg.url "http://download.augeas.net/ruby/ruby-augeas-#{pkg.get_version}.tgz" pkg.mirror "#{settings[:buildsources_url]}/ruby-augeas-#{pkg.get_version}.tgz" pkg.build_requires "ruby-#{ruby_version}" @@ -71,6 +75,10 @@ pkg.build do build_commands = [] + if ruby_version =~ /^3/ + build_commands << "#{platform.patch} --strip=2 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../ruby-augeas-0.5.0-patch_c_extension.patch" + end + build_commands << "#{platform.patch} --strip=2 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../ruby-augeas-0.5.0-patch_remove_unused_parameter.patch" build_commands << "#{ruby} ext/augeas/extconf.rb" build_commands << "#{platform[:make]} -e -j$(shell expr $(shell #{platform[:num_cores]}) + 1)" diff --git a/resources/patches/augeas/ruby-augeas-0.5.0-patch_c_extension.patch b/resources/patches/augeas/ruby-augeas-0.5.0-patch_c_extension.patch new file mode 100644 index 000000000..7b73f8eb3 --- /dev/null +++ b/resources/patches/augeas/ruby-augeas-0.5.0-patch_c_extension.patch 
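Review bot: The revert reinstates `pkg.url "http://download.augeas.net/ruby/ruby-augeas-#{pkg.get_version}.tgz"` and the two 0.5.0 patches, but neither the commit nor the file records why 0.6.0 (which 3/7 fetched over HTTPS from the GitHub release) had to go back, so the next person to attempt the upgrade will rediscover the problem from scratch. A one-line comment above `pkg.version "0.5.0"` naming the failure, e.g. `# 0.6.0 reverted: <reason> - see PA-6900`, would fix that; the ticket id is all the page gives, the reason has to come from the author. With the plain-http URL back, integrity of the download rests on the MD5 pin and the buildsources mirror; if download.augeas.net serves HTTPS, switching the scheme is a cheap improvement.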
@@ -0,0 +1,12 @@ +diff --git a/ruby-augeas-0.5.0/ext/augeas/_augeas.c b/ruby-augeas-0.5.0/ext/augeas/_augeas.c +index 95d9e05024..7aac0eb96d 100644 +--- a/ruby-augeas-0.5.0/ext/augeas/_augeas.c ++++ b/ruby-augeas-0.5.0/ext/augeas/_augeas.c +@@ -489,6 +489,7 @@ void Init__augeas() { + + /* Define the ruby class */ + c_augeas = rb_define_class("Augeas", rb_cObject) ; ++ rb_undef_alloc_func(c_augeas); + + /* Constants for enum aug_flags */ + #define DEF_AUG_FLAG(name) \ diff --git a/resources/patches/augeas/ruby-augeas-0.5.0-patch_remove_unused_parameter.patch b/resources/patches/augeas/ruby-augeas-0.5.0-patch_remove_unused_parameter.patch new file mode 100644 index 000000000..416ac7b11 --- /dev/null +++ b/resources/patches/augeas/ruby-augeas-0.5.0-patch_remove_unused_parameter.patch @@ -0,0 +1,12 @@ +diff --git a/ext/augeas/_augeas.c b/ext/augeas/_augeas.c +index f9b49d1..7ef0d7d 100644 +--- a/ruby-augeas-0.5.0/ext/augeas/_augeas.c ++++ b/ruby-augeas-0.5.0/ext/augeas/_augeas.c +@@ -184,7 +184,7 @@ VALUE augeas_mv(VALUE s, VALUE src, VALUE dst) { + * + * Remove path and all its children. Returns the number of entries removed + */ +-VALUE augeas_rm(VALUE s, VALUE path, VALUE sibling) { ++VALUE augeas_rm(VALUE s, VALUE path) { + augeas *aug = aug_handle(s); + const char *cpath = StringValueCStr(path) ;