parent
3f2d0f8b21
commit
f07affc0b8
@ -1 +1 @@
|
||||
63afe4d4947ec5eac76f5f39090da96d72020427 SOURCES/dotnet-v8.0.1.tar.gz
|
||||
94c84fca4115a65111a3ce808564a7273c565022 SOURCES/dotnet-v8.0.2.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
SOURCES/dotnet-v8.0.1.tar.gz
|
||||
SOURCES/dotnet-v8.0.2.tar.gz
|
||||
|
@ -0,0 +1,104 @@
|
||||
From 68fa6537305beda5cb059c898349f37bda285ca7 Mon Sep 17 00:00:00 2001
|
||||
From: Tom Deseyn <tom.deseyn@gmail.com>
|
||||
Date: Thu, 1 Feb 2024 09:23:16 +0100
|
||||
Subject: [PATCH 1/1] Exec: stop setting a locale on Unix.
|
||||
|
||||
This backports a fix that is part of Microsoft's upcoming
|
||||
8.0.2xx SDK to the 8.0.1xx SDK that we package.
|
||||
|
||||
This fix stops MSBuild Exec from printing warnings and/or
|
||||
failing in bash envionments where the glibc en_US locale
|
||||
is not available (which is common in container images).
|
||||
|
||||
The backport includes the changewave opt-out that allows
|
||||
users to revert back to the previous behavior by setting
|
||||
the MSBUILDDISABLEFEATURESFROMVERSION envvar to the
|
||||
version where the feature is introduced ("17.10").
|
||||
---
|
||||
src/msbuild/src/Framework/ChangeWaves.cs | 3 +-
|
||||
src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs | 36 +++++++++++++++++++
|
||||
src/msbuild/src/Tasks/Exec.cs | 7 +++-
|
||||
3 files changed, 44 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/msbuild/src/Framework/ChangeWaves.cs b/src/msbuild/src/Framework/ChangeWaves.cs
|
||||
index 0050723798..1f925324ac 100644
|
||||
--- a/src/msbuild/src/Framework/ChangeWaves.cs
|
||||
+++ b/src/msbuild/src/Framework/ChangeWaves.cs
|
||||
@@ -27,7 +27,8 @@ namespace Microsoft.Build.Framework
|
||||
internal static readonly Version Wave17_4 = new Version(17, 4);
|
||||
internal static readonly Version Wave17_6 = new Version(17, 6);
|
||||
internal static readonly Version Wave17_8 = new Version(17, 8);
|
||||
- internal static readonly Version[] AllWaves = { Wave17_4, Wave17_6, Wave17_8 };
|
||||
+ internal static readonly Version Wave17_10 = new Version(17, 10);
|
||||
+ internal static readonly Version[] AllWaves = { Wave17_4, Wave17_6, Wave17_8, Wave17_10 };
|
||||
|
||||
/// <summary>
|
||||
/// Special value indicating that all features behind all Change Waves should be enabled.
|
||||
diff --git a/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs b/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs
|
||||
index cb468a6cce..c0598e4978 100644
|
||||
--- a/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs
|
||||
+++ b/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs
|
||||
@@ -69,6 +69,42 @@ namespace Microsoft.Build.UnitTests
|
||||
}
|
||||
}
|
||||
|
||||
+ [UnixOnlyTheory]
|
||||
+ [InlineData(true)]
|
||||
+ [InlineData(false)]
|
||||
+ public void ExecSetsLocaleOnUnix(bool enableChangeWave)
|
||||
+ {
|
||||
+ using (var env = TestEnvironment.Create())
|
||||
+ {
|
||||
+ env.SetEnvironmentVariable("LANG", null);
|
||||
+ env.SetEnvironmentVariable("LC_ALL", null);
|
||||
+
|
||||
+ if (enableChangeWave)
|
||||
+ {
|
||||
+ ChangeWaves.ResetStateForTests();
|
||||
+ // Important: use the version here
|
||||
+ env.SetEnvironmentVariable("MSBUILDDISABLEFEATURESFROMVERSION", ChangeWaves.Wave17_10.ToString());
|
||||
+ BuildEnvironmentHelper.ResetInstance_ForUnitTestsOnly();
|
||||
+ }
|
||||
+
|
||||
+ Exec exec = PrepareExec("echo LANG=$LANG; echo LC_ALL=$LC_ALL;");
|
||||
+ bool result = exec.Execute();
|
||||
+ Assert.True(result);
|
||||
+
|
||||
+ MockEngine engine = (MockEngine)exec.BuildEngine;
|
||||
+ if (enableChangeWave)
|
||||
+ {
|
||||
+ engine.AssertLogContains("LANG=en_US.UTF-8");
|
||||
+ engine.AssertLogContains("LC_ALL=en_US.UTF-8");
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ engine.AssertLogDoesntContain("LANG=en_US.UTF-8");
|
||||
+ engine.AssertLogDoesntContain("LC_ALL=en_US.UTF-8");
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/// <summary>
|
||||
/// Ensures that calling the Exec task does not leave any extra TEMP files
|
||||
/// lying around.
|
||||
diff --git a/src/msbuild/src/Tasks/Exec.cs b/src/msbuild/src/Tasks/Exec.cs
|
||||
index dbf4be1fc5..9faaa68887 100644
|
||||
--- a/src/msbuild/src/Tasks/Exec.cs
|
||||
+++ b/src/msbuild/src/Tasks/Exec.cs
|
||||
@@ -591,7 +591,12 @@ namespace Microsoft.Build.Tasks
|
||||
{
|
||||
commandLine.AppendSwitch("-c");
|
||||
commandLine.AppendTextUnquoted(" \"");
|
||||
- commandLine.AppendTextUnquoted("export LANG=en_US.UTF-8; export LC_ALL=en_US.UTF-8; . ");
|
||||
+ bool setLocale = !ChangeWaves.AreFeaturesEnabled(ChangeWaves.Wave17_10);
|
||||
+ if (setLocale)
|
||||
+ {
|
||||
+ commandLine.AppendTextUnquoted("export LANG=en_US.UTF-8; export LC_ALL=en_US.UTF-8; ");
|
||||
+ }
|
||||
+ commandLine.AppendTextUnquoted(". ");
|
||||
commandLine.AppendFileNameIfNotNull(batchFileForCommandLine);
|
||||
commandLine.AppendTextUnquoted("\"");
|
||||
}
|
||||
--
|
||||
2.43.0
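Review bot: The parameter name `enableChangeWave` in `ExecSetsLocaleOnUnix` reads inverted. When it is true, the test sets `MSBUILDDISABLEFEATURESFROMVERSION` to `ChangeWaves.Wave17_10`, which opts out of the 17.10 wave, and then asserts that the `en_US.UTF-8` exports are present. Renaming it to something like `disableWave17_10` and replacing `// Important: use the version here` with `// Opting out of wave 17.10 restores the old behaviour of exporting en_US.UTF-8.` would make both branches readable. The `false` case also never calls `ChangeWaves.ResetStateForTests()`, so it appears to depend on the change-wave state and environment left by earlier tests; resetting in both cases would make the test order-independent.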
|
||||
|
@ -1,9 +1,9 @@
|
||||
{
|
||||
"release": "8.0.1",
|
||||
"release": "8.0.2",
|
||||
"channel": "8.0",
|
||||
"tag": "v8.0.1",
|
||||
"sdkVersion": "8.0.101",
|
||||
"runtimeVersion": "8.0.1",
|
||||
"tag": "8.0.2",
|
||||
"sdkVersion": "8.0.102",
|
||||
"runtimeVersion": "8.0.2",
|
||||
"sourceRepository": "https://github.com/dotnet/dotnet",
|
||||
"sourceVersion": "b27976e5a6850466ee5b4ce24f91ee93bef645f7"
|
||||
"sourceVersion": "d396b0c4d3e51c2d8d679b2f7233912bc5bfc2fa"
|
||||
}
|
||||
|
@ -0,0 +1,169 @@
|
||||
From 5fdc289903bd3a77d455583650b00297da0cae8f Mon Sep 17 00:00:00 2001
|
||||
From: Omair Majid <omajid@redhat.com>
|
||||
Date: Fri, 2 Feb 2024 15:51:23 -0500
|
||||
Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95216)"
|
||||
|
||||
This reverts commit a5fc8ff9b03ffb2fdb81dad524ad1a20a0714995.
|
||||
|
||||
To quote Clemens Lang:
|
||||
|
||||
> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle
|
||||
> attack against PKCS#1v1.5 decryption. See
|
||||
> https://people.redhat.com/~hkario/marvin/ for details and
|
||||
> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a
|
||||
> comment by the researcher who published the vulnerability and proposed the
|
||||
> change in OpenSSL.
|
||||
|
||||
For more details, see:
|
||||
https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
|
||||
---
|
||||
.../RSA/EncryptDecrypt.cs | 49 ++++---------------
|
||||
.../opensslshim.h | 6 ---
|
||||
.../pal_evp_pkey_rsa.c | 13 -----
|
||||
3 files changed, 10 insertions(+), 58 deletions(-)
|
||||
|
||||
diff --git a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
|
||||
index 39f3ebc82ec..5b97f468a42 100644
|
||||
--- a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
|
||||
+++ b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
|
||||
@@ -353,10 +353,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc
|
||||
Assert.Equal(TestData.HelloBytes, output);
|
||||
}
|
||||
|
||||
- [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))]
|
||||
+ [ConditionalFact]
|
||||
[SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)]
|
||||
public void RoundtripEmptyArray()
|
||||
{
|
||||
+ if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
|
||||
+ {
|
||||
+ throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data.");
|
||||
+ }
|
||||
+ if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
|
||||
+ {
|
||||
+ throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data.");
|
||||
+ }
|
||||
+
|
||||
using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
|
||||
{
|
||||
void RoundtripEmpty(RSAEncryptionPadding paddingMode)
|
||||
@@ -716,26 +725,6 @@ public void NotSupportedValueMethods()
|
||||
}
|
||||
}
|
||||
|
||||
- [ConditionalTheory]
|
||||
- [InlineData(new byte[] { 1, 2, 3, 4 })]
|
||||
- [InlineData(new byte[0])]
|
||||
- public void Decrypt_Pkcs1_ErrorsForInvalidPadding(byte[] data)
|
||||
- {
|
||||
- if (data.Length == 0 && !PlatformSupportsEmptyRSAEncryption)
|
||||
- {
|
||||
- throw new SkipTestException("Platform does not support RSA encryption of empty data.");
|
||||
- }
|
||||
-
|
||||
- using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
|
||||
- {
|
||||
- byte[] encrypted = Encrypt(rsa, data, RSAEncryptionPadding.Pkcs1);
|
||||
- encrypted[1] ^= 0xFF;
|
||||
-
|
||||
- // PKCS#1, the data, and the key are all deterministic so this should always throw an exception.
|
||||
- Assert.ThrowsAny<CryptographicException>(() => Decrypt(rsa, encrypted, RSAEncryptionPadding.Pkcs1));
|
||||
- }
|
||||
- }
|
||||
-
|
||||
public static IEnumerable<object[]> OaepPaddingModes
|
||||
{
|
||||
get
|
||||
@@ -757,23 +746,5 @@ public static IEnumerable<object[]> OaepPaddingModes
|
||||
}
|
||||
}
|
||||
}
|
||||
-
|
||||
- public static bool PlatformSupportsEmptyRSAEncryption
|
||||
- {
|
||||
- get
|
||||
- {
|
||||
- if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
|
||||
- {
|
||||
- return false;
|
||||
- }
|
||||
-
|
||||
- if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
|
||||
- {
|
||||
- return false;
|
||||
- }
|
||||
-
|
||||
- return true;
|
||||
- }
|
||||
- }
|
||||
}
|
||||
}
|
||||
diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
|
||||
index 0748e305d5c..cf10d2f7949 100644
|
||||
--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
|
||||
+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
|
||||
@@ -296,10 +296,8 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
|
||||
REQUIRED_FUNCTION(ERR_peek_error) \
|
||||
REQUIRED_FUNCTION(ERR_peek_error_line) \
|
||||
REQUIRED_FUNCTION(ERR_peek_last_error) \
|
||||
- REQUIRED_FUNCTION(ERR_pop_to_mark) \
|
||||
FALLBACK_FUNCTION(ERR_put_error) \
|
||||
REQUIRED_FUNCTION(ERR_reason_error_string) \
|
||||
- REQUIRED_FUNCTION(ERR_set_mark) \
|
||||
LIGHTUP_FUNCTION(ERR_set_debug) \
|
||||
LIGHTUP_FUNCTION(ERR_set_error) \
|
||||
REQUIRED_FUNCTION(EVP_aes_128_cbc) \
|
||||
@@ -355,7 +353,6 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
|
||||
REQUIRED_FUNCTION(EVP_PKCS82PKEY) \
|
||||
REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \
|
||||
REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \
|
||||
- REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \
|
||||
REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \
|
||||
REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \
|
||||
REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \
|
||||
@@ -797,10 +794,8 @@ FOR_ALL_OPENSSL_FUNCTIONS
|
||||
#define ERR_peek_error_line ERR_peek_error_line_ptr
|
||||
#define ERR_peek_last_error ERR_peek_last_error_ptr
|
||||
#define ERR_put_error ERR_put_error_ptr
|
||||
-#define ERR_pop_to_mark ERR_pop_to_mark_ptr
|
||||
#define ERR_reason_error_string ERR_reason_error_string_ptr
|
||||
#define ERR_set_debug ERR_set_debug_ptr
|
||||
-#define ERR_set_mark ERR_set_mark_ptr
|
||||
#define ERR_set_error ERR_set_error_ptr
|
||||
#define EVP_aes_128_cbc EVP_aes_128_cbc_ptr
|
||||
#define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr
|
||||
@@ -855,7 +850,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
|
||||
#define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr
|
||||
#define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr
|
||||
#define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr
|
||||
-#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr
|
||||
#define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr
|
||||
#define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr
|
||||
#define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr
|
||||
diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
|
||||
index 043bf9f9d1e..c9ccdf33e3a 100644
|
||||
--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
|
||||
+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
|
||||
@@ -67,19 +67,6 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const
|
||||
{
|
||||
return false;
|
||||
}
|
||||
-
|
||||
- // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding.
|
||||
- // If the padding is invalid, the decryption operation returns random data.
|
||||
- // See https://github.com/openssl/openssl/pull/13817 for background.
|
||||
- // Some Linux distributions backported this change to previous versions of OpenSSL.
|
||||
- // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid.
|
||||
- ERR_set_mark();
|
||||
-
|
||||
- EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");
|
||||
-
|
||||
- // Undo any changes to the error queue that may have occured while configuring implicit rejection if the
|
||||
- // current version does not support implicit rejection.
|
||||
- ERR_pop_to_mark();
|
||||
}
|
||||
else
|
||||
{
|
||||
--
|
||||
2.43.0
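Review bot: In the `pal_evp_pkey_rsa.c` hunk, once the `rsa_pkcs1_implicit_rejection` opt-out is removed from `ConfigureEncryption`, nothing in the remaining code records that leaving OpenSSL's default in place is deliberate. A later change could reintroduce the opt-out, and with it the Bleichenbacher timing oracle the commit message describes. A one-line comment where the removed block stood would guard against that, e.g. `// Leave OpenSSL's PKCS#1 v1.5 implicit rejection at its default; turning it off re-exposes a padding timing oracle.` The revert also deletes `Decrypt_Pkcs1_ErrorsForInvalidPadding` from `EncryptDecrypt.cs` without a replacement, so decryption of tampered PKCS#1 ciphertext is no longer tested; going by the removed comment, on OpenSSL builds with implicit rejection it returns random data instead of throwing `CryptographicException`, which is worth stating in the package changelog for callers that used the exception as a tamper signal. `ConfigureEncryption` begins and ends outside the hunk.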
|
||||
|