4 changed files with 278 additions and 56 deletions
--- a/.dotnet7.0.metadata
+++ b/.dotnet7.0.metadata
@ -1 +1 @@
-c2015d0972371ab8995d18246d1f5b76299f3be3 SOURCES/dotnet-v7.0.103.tar.gz
+0e0bef0a641ecb44414d0f9c4c363621bea115c7 SOURCES/dotnet-v7.0.118.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/dotnet-v7.0.103.tar.gz
+SOURCES/dotnet-v7.0.118.tar.gz
--- a/SOURCES/runtime-re-enable-implicit-rejection.patch
+++ b/SOURCES/runtime-re-enable-implicit-rejection.patch
@ -0,0 +1,169 @@
+From f55ebb4597a1a931edee16283fc43a4ff33d1029 Mon Sep 17 00:00:00 2001
+From: Omair Majid <omajid@redhat.com>
+Date: Fri, 2 Feb 2024 12:23:28 -0500
+Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95217)"
+
+This reverts commit a314c5b3580a9fe25c59d917ff0b7594efc6f81f.
+
+To quote Clemens Lang:
+
+> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle
+> attack against PKCS#1v1.5 decryption. See
+> https://people.redhat.com/~hkario/marvin/ for details and
+> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a
+> comment by the researcher who published the vulnerability and proposed the
+> change in OpenSSL.
+
+For more details, see:
+https://github.com/dotnet/runtime/pull/95217#issuecomment-1842799362
+---
+ .../RSA/EncryptDecrypt.cs                     | 49 ++++---------------
+ .../opensslshim.h                             |  6 ---
+ .../pal_evp_pkey_rsa.c                        | 13 -----
+ 3 files changed, 10 insertions(+), 58 deletions(-)
+
+diff --git a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+index 55a044d62a6..e72d42e87d2 100644
+--- a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+++ b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+@@ -338,10 +338,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc
+             Assert.Equal(TestData.HelloBytes, output);
+         }
+ 
+-        [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))]
+        [ConditionalFact]
+         [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)]
+         public void RoundtripEmptyArray()
+         {
+            if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
+            {
+                throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data.");
+            }
+            if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
+            {
+                throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data.");
+            }
+
+             using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
+             {
+                 void RoundtripEmpty(RSAEncryptionPadding paddingMode)
+@@ -692,26 +701,6 @@ public void NotSupportedValueMethods()
+             }
+         }
+ 
+-        [ConditionalTheory]
+-        [InlineData(new byte[] { 1, 2, 3, 4 })]
+-        [InlineData(new byte[0])]
+-        public void Decrypt_Pkcs1_ErrorsForInvalidPadding(byte[] data)
+-        {
+-            if (data.Length == 0 && !PlatformSupportsEmptyRSAEncryption)
+-            {
+-                throw new SkipTestException("Platform does not support RSA encryption of empty data.");
+-            }
+-
+-            using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
+-            {
+-                byte[] encrypted = Encrypt(rsa, data, RSAEncryptionPadding.Pkcs1);
+-                encrypted[1] ^= 0xFF;
+-
+-                // PKCS#1, the data, and the key are all deterministic so this should always throw an exception.
+-                Assert.ThrowsAny<CryptographicException>(() => Decrypt(rsa, encrypted, RSAEncryptionPadding.Pkcs1));
+-            }
+-        }
+-
+         [Fact]
+         public void Decrypt_Pkcs1_BadPadding()
+         {
+@@ -726,23 +715,5 @@ public static IEnumerable<object[]> OaepPaddingModes
+                 }
+             }
+         }
+-
+-        public static bool PlatformSupportsEmptyRSAEncryption
+-        {
+-            get
+-            {
+-                if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
+-                {
+-                    return false;
+-                }
+-
+-                if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
+-                {
+-                    return false;
+-                }
+-
+-                return true;
+-            }
+-        }
+     }
+ }
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+index 7d5ec84cc7d..efc0d470602 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+@@ -276,10 +276,8 @@ const EVP_CIPHER* EVP_chacha20_poly1305(void);
+     REQUIRED_FUNCTION(ERR_peek_error) \
+     REQUIRED_FUNCTION(ERR_peek_error_line) \
+     REQUIRED_FUNCTION(ERR_peek_last_error) \
+-    REQUIRED_FUNCTION(ERR_pop_to_mark) \
+     FALLBACK_FUNCTION(ERR_put_error) \
+     REQUIRED_FUNCTION(ERR_reason_error_string) \
+-    REQUIRED_FUNCTION(ERR_set_mark) \
+     LIGHTUP_FUNCTION(ERR_set_debug) \
+     LIGHTUP_FUNCTION(ERR_set_error) \
+     REQUIRED_FUNCTION(EVP_aes_128_cbc) \
+@@ -334,7 +332,6 @@ const EVP_CIPHER* EVP_chacha20_poly1305(void);
+     REQUIRED_FUNCTION(EVP_PKCS82PKEY) \
+     REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \
+-    REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \
+@@ -761,10 +758,8 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define ERR_peek_error_line ERR_peek_error_line_ptr
+ #define ERR_peek_last_error ERR_peek_last_error_ptr
+ #define ERR_put_error ERR_put_error_ptr
+-#define ERR_pop_to_mark ERR_pop_to_mark_ptr
+ #define ERR_reason_error_string ERR_reason_error_string_ptr
+ #define ERR_set_debug ERR_set_debug_ptr
+-#define ERR_set_mark ERR_set_mark_ptr
+ #define ERR_set_error ERR_set_error_ptr
+ #define EVP_aes_128_cbc EVP_aes_128_cbc_ptr
+ #define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr
+@@ -818,7 +813,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr
+ #define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr
+ #define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr
+-#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr
+ #define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr
+ #define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr
+ #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+index 043bf9f9d1e..c9ccdf33e3a 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+@@ -67,19 +67,6 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const
+         {
+             return false;
+         }
+-
+-        // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding.
+-        // If the padding is invalid, the decryption operation returns random data.
+-        // See https://github.com/openssl/openssl/pull/13817 for background.
+-        // Some Linux distributions backported this change to previous versions of OpenSSL.
+-        // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid.
+-        ERR_set_mark();
+-
+-        EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");
+-
+-        // Undo any changes to the error queue that may have occured while configuring implicit rejection if the
+-        // current version does not support implicit rejection.
+-        ERR_pop_to_mark();
+     }
+     else
+     {
+-- 
+2.43.0
+
--- a/SPECS/dotnet7.0.spec
+++ b/SPECS/dotnet7.0.spec
@ -6,10 +6,10 @@
 # until that's done, disable LTO.  This has to happen before setting the flags below.
 %define _lto_cflags %{nil}

-%global host_version 7.0.3
-%global runtime_version 7.0.3
+%global host_version 7.0.18
+%global runtime_version 7.0.18
 %global aspnetcore_runtime_version %{runtime_version}
-%global sdk_version 7.0.103
+%global sdk_version 7.0.118
 %global sdk_feature_band_version %(echo %{sdk_version} | cut -d '-' -f 1 | sed -e 's|[[:digit:]][[:digit:]]$|00|')
 %global templates_version %{runtime_version}
 #%%global templates_version %%(echo %%{runtime_version} | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+1 }')
@ -77,7 +77,8 @@ Source11:       dotnet.sh.in

 # Disable apphost; there's no net6.0 apphost for ppc64le
 Patch1:         roslyn-analyzers-ppc64le-apphost.patch
-
+# https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
+Patch2:         runtime-re-enable-implicit-rejection.patch


 %if 0%{?fedora} || 0%{?rhel} >= 8
@ -324,7 +325,7 @@ applications using the .NET SDK.
 %dotnet_targeting_pack dotnet-apphost-pack-7.0 %{runtime_rpm_version} Microsoft.NETCore.App 7.0 Microsoft.NETCore.App.Host.%{runtime_id}
 %dotnet_targeting_pack dotnet-targeting-pack-7.0 %{runtime_rpm_version} Microsoft.NETCore.App 7.0 Microsoft.NETCore.App.Ref
 %dotnet_targeting_pack aspnetcore-targeting-pack-7.0 %{aspnetcore_runtime_rpm_version} Microsoft.AspNetCore.App 7.0 Microsoft.AspNetCore.App.Ref
-%dotnet_targeting_pack netstandard-targeting-pack-2.1 %{sdk_rpm_version} NETStandard.Library 2.1 NETStandard.Library.Ref
+#%%dotnet_targeting_pack netstandard-targeting-pack-2.1 %%{sdk_rpm_version} NETStandard.Library 2.1 NETStandard.Library.Ref


 %package -n dotnet-sdk-7.0-source-built-artifacts
@ -399,6 +400,7 @@ popd
 %endif

 %patch1 -p1
+%patch2 -p1

 # Fix bad hardcoded path in build
 sed -i 's|/usr/share/dotnet|%{_libdir}/dotnet|' src/runtime/src/native/corehost/hostmisc/pal.unix.cpp
@ -516,30 +518,35 @@ find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.targets' -exec chmod -x {}
 find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.txt' -exec chmod -x {} \;
 find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.xml' -exec chmod -x {} \;

-install -dm 0755 %{buildroot}%{_sysconfdir}/profile.d/
-install dotnet.sh %{buildroot}%{_sysconfdir}/profile.d/
+# Provided by dotnet-host from another SRPM
+#install -dm 0755 %%{buildroot}%%{_sysconfdir}/profile.d/
+#install dotnet.sh %%{buildroot}%%{_sysconfdir}/profile.d/

-install -dm 0755 %{buildroot}/%{_datadir}/bash-completion/completions
+# Provided by dotnet-host from another SRPM
+#install -dm 0755 %%{buildroot}/%%{_datadir}/bash-completion/completions
 # dynamic completion needs the file to be named the same as the base command
-install src/sdk/scripts/register-completions.bash %{buildroot}/%{_datadir}/bash-completion/completions/dotnet
+#install src/sdk/scripts/register-completions.bash %%{buildroot}/%%{_datadir}/bash-completion/completions/dotnet

 # TODO: the zsh completion script needs to be ported to use #compdef
 #install -dm 755 %%{buildroot}/%%{_datadir}/zsh/site-functions
 #install src/cli/scripts/register-completions.zsh %%{buildroot}/%%{_datadir}/zsh/site-functions/_dotnet

-install -dm 0755 %{buildroot}%{_bindir}
-ln -s ../../%{_libdir}/dotnet/dotnet %{buildroot}%{_bindir}/
+# Provided by dotnet-host from another SRPM
+#install -dm 0755 %%{buildroot}%%{_bindir}
+#ln -s ../../%%{_libdir}/dotnet/dotnet %%{buildroot}%%{_bindir}/

-for section in 1 7; do
-    install -dm 0755 %{buildroot}%{_mandir}/man${section}/
-    find -iname 'dotnet*'.${section} -type f -exec cp {} %{buildroot}%{_mandir}/man${section}/ \;
-done
+# Provided by dotnet-host from another SRPM
+#for section in 1 7; do
+#    install -dm 0755 %%{buildroot}%%{_mandir}/man${section}/
+#    find -iname 'dotnet*'.${section} -type f -exec cp {} %%{buildroot}%%{_mandir}/man${section}/ \;
+#done

-install -dm 0755 %{buildroot}%{_sysconfdir}/dotnet
-echo "%{_libdir}/dotnet" >> install_location
-install install_location %{buildroot}%{_sysconfdir}/dotnet/
-echo "%{_libdir}/dotnet" >> install_location_%{runtime_arch}
-install install_location_%{runtime_arch} %{buildroot}%{_sysconfdir}/dotnet/
+# Provided by dotnet-host from another SRPM
+#install -dm 0755 %%{buildroot}%%{_sysconfdir}/dotnet
+#echo "%%{_libdir}/dotnet" >> install_location
+#install install_location %%{buildroot}%%{_sysconfdir}/dotnet/
+#echo "%%{_libdir}/dotnet" >> install_location_%%{runtime_arch}
+#install install_location_%%{runtime_arch} %%{buildroot}%%{_sysconfdir}/dotnet/

 install -dm 0755 %{buildroot}%{_libdir}/dotnet/source-built-artifacts
 install -m 0644 artifacts/%{runtime_arch}/Release/Private.SourceBuilt.Artifacts.*.tar.gz %{buildroot}/%{_libdir}/dotnet/source-built-artifacts/
@ -555,8 +562,7 @@ echo "Testing build results for debug symbols..."
 %{SOURCE10} -v %{buildroot}%{_libdir}/dotnet/


-
-%check
+# Self-check
 %if 0%{?fedora} > 35
 # lttng in Fedora > 35 is incompatible with .NET
 export COMPlus_LTTng=0
@ -565,27 +571,14 @@ export COMPlus_LTTng=0
 %{buildroot}%{_libdir}/dotnet/dotnet --info
 %{buildroot}%{_libdir}/dotnet/dotnet --version

+# Provided by dotnet-host from another SRPM
+rm %{buildroot}%{_libdir}/dotnet/LICENSE.txt
+rm %{buildroot}%{_libdir}/dotnet/ThirdPartyNotices.txt
+rm %{buildroot}%{_libdir}/dotnet/dotnet

-%if 0%{?rhel} <= 8
-%files -n dotnet
-# empty package useful for dependencies
-%endif
+# Provided by netstandard-targeting-pack-2.1 from another SRPM
+rm -rf %{buildroot}%{_libdir}/dotnet/packs/NETStandard.Library.Ref/2.1.0

-%files -n dotnet-host
-%dir %{_libdir}/dotnet
-%{_libdir}/dotnet/dotnet
-%dir %{_libdir}/dotnet/host
-%dir %{_libdir}/dotnet/host/fxr
-%{_bindir}/dotnet
-%license %{_libdir}/dotnet/LICENSE.txt
-%license %{_libdir}/dotnet/ThirdPartyNotices.txt
-%doc %{_mandir}/man1/dotnet*.1.gz
-%doc %{_mandir}/man7/dotnet*.7.gz
-%config(noreplace) %{_sysconfdir}/profile.d/dotnet.sh
-%config(noreplace) %{_sysconfdir}/dotnet
-%dir %{_datadir}/bash-completion
-%dir %{_datadir}/bash-completion/completions
-%{_datadir}/bash-completion/completions/dotnet

 %files -n dotnet-hostfxr-7.0
 %dir %{_libdir}/dotnet/host/fxr
@ -619,38 +612,98 @@ export COMPlus_LTTng=0


 %changelog
-* Thu Feb 02 2023 Omair Majid <omajid@redhat.com> - 7.0.103-1
+* Tue Apr 02 2024 Omair Majid <omajid@redhat.com> - 7.0.118-1
+- Update to .NET SDK 7.0.118 and Runtime 7.0.18
+- Resolves: RHEL-31202
+
+* Thu Feb 29 2024 Omair Majid <omajid@redhat.com> - 7.0.117-1
+- Update to .NET SDK 7.0.117 and Runtime 7.0.17
+- Resolves: RHEL-27544
+
+* Thu Feb 01 2024 Omair Majid <omajid@redhat.com> - 7.0.116-1
+- Update to .NET SDK 7.0.116 and Runtime 7.0.16
+- Resolves: RHEL-23793
+
+* Wed Dec 20 2023 Omair Majid <omajid@redhat.com> - 7.0.115-1
+- Update to .NET SDK 7.0.115 and Runtime 7.0.15
+- Resolves: RHEL-19808
+
+* Thu Nov 02 2023 Omair Majid <omajid@redhat.com> - 7.0.114-1
+- Update to .NET SDK 7.0.114 and Runtime 7.0.14
+- Resolves: RHEL-15357
+
+* Tue Oct 24 2023 Omair Majid <omajid@redhat.com> - 7.0.113-2
+- Update to .NET SDK 7.0.113 and Runtime 7.0.13
+- Resolves: RHEL-14467
+
+* Mon Oct 16 2023 Omair Majid <omajid@redhat.com> - 7.0.112-2
+- Update to .NET SDK 7.0.112 and Runtime 7.0.12
+- Resolves: RHEL-11698
+
+* Tue Sep 12 2023 Omair Majid <omajid@redhat.com> - 7.0.111-2
+- Update to .NET SDK 7.0.111 and Runtime 7.0.11
+- Resolves: RHEL-2000
+
+* Wed Aug 09 2023 Omair Majid <omajid@redhat.com> - 7.0.110-2
+- Update to .NET SDK 7.0.110 and Runtime 7.0.10
+- Resolves: RHBZ#2228571
+
+* Tue Jul 11 2023 Omair Majid <omajid@redhat.com> - 7.0.109-2
+- Update to .NET SDK 7.0.109 and Runtime 7.0.9
+- Resolves: RHBZ#2219632
+
+* Tue Jun 13 2023 Andrew Slice <andrew.slice@redhat.com> - 7.0.107-2
+- Update to .NET SDK 7.0.107 and Runtime 7.0.7
+- Resolves: RHBZ#2211767
+
+* Wed Apr 12 2023 Omair Majid <omajid@redhat.com> - 7.0.105-2
+- Update to .NET SDK 7.0.105 and Runtime 7.0.5
+- Resolves: RHBZ#2183591
+
+* Tue Mar 28 2023 Omair Majid <omajid@redhat.com> - 7.0.104-2
+- Bump Release
+- Related: RHBZ#2175025
+
+* Mon Mar 20 2023 Omair Majid <omajid@redhat.com> - 7.0.104-1
+- Update to .NET SDK 7.0.104 and Runtime 7.0.4
+- Resolves: RHBZ#2175025
+
+* Fri Mar 10 2023 Omair Majid <omajid@redhat.com> - 7.0.103-1
 - Update to .NET SDK 7.0.103 and Runtime 7.0.3
- Resolves: RHBZ#2166775
+- Resolves: RHBZ#2166773

-* Mon Dec 19 2022 Omair Majid <omajid@redhat.com> - 7.0.102-1
+* Thu Mar 09 2023 Omair Majid <omajid@redhat.com> - 7.0.102-1
 - Update to .NET SDK 7.0.102 and Runtime 7.0.2
- Resolves: RHBZ#2154466
+- Resolves: RHBZ#2154465

-* Tue Dec 06 2022 Omair Majid <omajid@redhat.com> - 7.0.101-1
+* Wed Jan 11 2023 Omair Majid <omajid@redhat.com> - 7.0.101-2
 - Update to .NET SDK 7.0.101 and Runtime 7.0.1
- Resolves: RHBZ#2150151
+- Resolves: RHBZ#2150150

-* Wed Nov 02 2022 Omair Majid <omajid@redhat.com> - 7.0.100-1
- Update to .NET SDK 7.0.100 and Runtime 7.0.0
- Resolves: RHBZ#2137943
+* Wed Nov 09 2022 Omair Majid <omajid@redhat.com> - 7.0.100-1
+- Update to .NET 7 GA release
+- Resolves: RHBZ#2137944
+
+* Tue Oct 25 2022 Omair Majid <omajid@redhat.com> - 7.0.100-0.5.rc2
+- Add lldb as a build dependency
+- Related: RHBZ#2134641

 * Mon Oct 24 2022 Omair Majid <omajid@redhat.com> - 7.0.100-0.4.rc2
 - Enable ppc64le builds
- Related: RHBZ#2134642
+- Related: RHBZ#2134641

 * Thu Oct 13 2022 Omair Majid <omajid@redhat.com> - 7.0.100-0.3.rc2
 - Update to .NET 7 RC 2
- Resolves: RHBZ#2134642
+- Resolves: RHBZ#2134641

 * Sat Sep 17 2022 Omair Majid <omajid@redhat.com> - 7.0.100-0.2.rc1
 - Update to .NET 7 RC 1
 - Enable s390x builds
- Resolves: RHBZ#2123886
+- Resolves: RHBZ#2123884

 * Thu Aug 25 2022 Omair Majid <omajid@redhat.com> - 7.0.100-0.1
 - Initial .NET 7 package
- Resolves: RHBZ#2112096
+- Resolves: RHBZ#2112027

 * Wed May 11 2022 Omair Majid <omajid@redhat.com> - 6.0.105-1
 - Update to .NET SDK 6.0.105 and Runtime 6.0.5