Update to .NET SDK 8.0.102 and Runtime 8.0.2

Resolves: RHEL-23804
2024-02-15 17:03:59 -05:00 · 2024-02-15 17:03:59 -05:00 · 65654781ed
parent cf0d0b5ff1
commit 65654781ed
5 changed files with 187 additions and 11 deletions
--- a/.gitignore
+++ b/.gitignore
@ -37,3 +37,4 @@
 /dotnet-v8.0.0-rc.2.23479.6.tar.gz
 /dotnet-v8.0.0.tar.gz
 /dotnet-v8.0.1.tar.gz
+/dotnet-v8.0.2.tar.gz
--- a/dotnet8.0.spec
+++ b/dotnet8.0.spec
@ -8,10 +8,10 @@

 %global dotnetver 8.0

-%global host_version 8.0.1
-%global runtime_version 8.0.1
+%global host_version 8.0.2
+%global runtime_version 8.0.2
 %global aspnetcore_runtime_version %{runtime_version}
-%global sdk_version 8.0.101
+%global sdk_version 8.0.102
 %global sdk_feature_band_version %(echo %{sdk_version} | cut -d '-' -f 1 | sed -e 's|[[:digit:]][[:digit:]]$|00|')
 %global templates_version %{runtime_version}
 #%%global templates_version %%(echo %%{runtime_version} | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+1 }')
@ -53,7 +53,7 @@

 Name:           dotnet%{dotnetver}
 Version:        %{sdk_rpm_version}
-Release:        3%{?dist}
+Release:        2%{?dist}
 Summary:        .NET Runtime and SDK
 License:        0BSD AND Apache-2.0 AND (Apache-2.0 WITH LLVM-exception) AND APSL-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSL-1.0 AND bzip2-1.0.6 AND CC0-1.0 AND CC-BY-3.0 AND CC-BY-4.0 AND CC-PDDC AND CNRI-Python AND EPL-1.0 AND GPL-2.0-only AND (GPL-2.0-only WITH GCC-exception-2.0) AND GPL-2.0-or-later AND GPL-3.0-only AND ICU AND ISC AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-Fedora-Public-Domain AND LicenseRef-ISO-8879 AND MIT AND MIT-Wu AND MS-PL AND MS-RL AND NCSA AND OFL-1.1 AND OpenSSL AND Unicode-DFS-2015 AND Unicode-DFS-2016 AND W3C-19980720 AND X11 AND Zlib

@ -89,6 +89,8 @@ Source21:       dotnet.sh.in
 Patch1:         roslyn-analyzers-ppc64le-apphost.patch
 # https://github.com/dotnet/source-build/discussions/3481
 Patch2:         vstest-intent-net8.0.patch
+# https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
+Patch3:         runtime-re-enable-implicit-rejection.patch


 ExclusiveArch:  aarch64 ppc64le s390x x86_64
@ -405,7 +407,7 @@ if [[ ${release_json_tag} != %{upstream_tag} ]]; then
 fi

 %if %{without bootstrap}
-%setup -q -n dotnet-%{upstream_tag_without_v}
+%setup -q -c -n dotnet-%{upstream_tag_without_v}

 # Remove all prebuilts
 find -iname '*.dll' -type f -delete
@ -704,6 +706,10 @@ export COMPlus_LTTng=0


 %changelog
+* Wed Feb 14 2024 Omair Majid <omajid@redhat.com> - 8.0.102-2
+- Update to .NET SDK 8.0.102 and Runtime 8.0.2
+- Resolves: RHEL-23804
+
 * Mon Jan 29 2024 Omair Majid <omajid@redhat.com> - 8.0.101-3
 - Add -dbg subpackages for symbol files
 - Resolves: RHEL-23070
--- a/release.json
+++ b/release.json
@ -1,9 +1,9 @@
 {
-  "release": "8.0.1",
+  "release": "8.0.2",
  "channel": "8.0",
-  "tag": "v8.0.1",
-  "sdkVersion": "8.0.101",
-  "runtimeVersion": "8.0.1",
+  "tag": "v8.0.2",
+  "sdkVersion": "8.0.102",
+  "runtimeVersion": "8.0.2",
  "sourceRepository": "https://github.com/dotnet/dotnet",
-  "sourceVersion": "b27976e5a6850466ee5b4ce24f91ee93bef645f7"
+  "sourceVersion": "d396b0c4d3e51c2d8d679b2f7233912bc5bfc2fa"
 }
--- a/runtime-re-enable-implicit-rejection.patch
+++ b/runtime-re-enable-implicit-rejection.patch
@ -0,0 +1,169 @@
+From 5fdc289903bd3a77d455583650b00297da0cae8f Mon Sep 17 00:00:00 2001
+From: Omair Majid <omajid@redhat.com>
+Date: Fri, 2 Feb 2024 15:51:23 -0500
+Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95216)"
+
+This reverts commit a5fc8ff9b03ffb2fdb81dad524ad1a20a0714995.
+
+To quote Clemens Lang:
+
+> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle
+> attack against PKCS#1v1.5 decryption. See
+> https://people.redhat.com/~hkario/marvin/ for details and
+> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a
+> comment by the researcher who published the vulnerability and proposed the
+> change in OpenSSL.
+
+For more details, see:
+https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
+---
+ .../RSA/EncryptDecrypt.cs                     | 49 ++++---------------
+ .../opensslshim.h                             |  6 ---
+ .../pal_evp_pkey_rsa.c                        | 13 -----
+ 3 files changed, 10 insertions(+), 58 deletions(-)
+
+diff --git a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+index 39f3ebc82ec..5b97f468a42 100644
+--- a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+++ b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+@@ -353,10 +353,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc
+             Assert.Equal(TestData.HelloBytes, output);
+         }
+ 
+-        [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))]
+        [ConditionalFact]
+         [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)]
+         public void RoundtripEmptyArray()
+         {
+            if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
+            {
+                throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data.");
+            }
+            if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
+            {
+                throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data.");
+            }
+
+             using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
+             {
+                 void RoundtripEmpty(RSAEncryptionPadding paddingMode)
+@@ -716,26 +725,6 @@ public void NotSupportedValueMethods()
+             }
+         }
+ 
+-        [ConditionalTheory]
+-        [InlineData(new byte[] { 1, 2, 3, 4 })]
+-        [InlineData(new byte[0])]
+-        public void Decrypt_Pkcs1_ErrorsForInvalidPadding(byte[] data)
+-        {
+-            if (data.Length == 0 && !PlatformSupportsEmptyRSAEncryption)
+-            {
+-                throw new SkipTestException("Platform does not support RSA encryption of empty data.");
+-            }
+-
+-            using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
+-            {
+-                byte[] encrypted = Encrypt(rsa, data, RSAEncryptionPadding.Pkcs1);
+-                encrypted[1] ^= 0xFF;
+-
+-                // PKCS#1, the data, and the key are all deterministic so this should always throw an exception.
+-                Assert.ThrowsAny<CryptographicException>(() => Decrypt(rsa, encrypted, RSAEncryptionPadding.Pkcs1));
+-            }
+-        }
+-
+         public static IEnumerable<object[]> OaepPaddingModes
+         {
+             get
+@@ -757,23 +746,5 @@ public static IEnumerable<object[]> OaepPaddingModes
+                 }
+             }
+         }
+-
+-        public static bool PlatformSupportsEmptyRSAEncryption
+-        {
+-            get
+-            {
+-                if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
+-                {
+-                    return false;
+-                }
+-
+-                if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
+-                {
+-                    return false;
+-                }
+-
+-                return true;
+-            }
+-        }
+     }
+ }
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+index 0748e305d5c..cf10d2f7949 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+@@ -296,10 +296,8 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
+     REQUIRED_FUNCTION(ERR_peek_error) \
+     REQUIRED_FUNCTION(ERR_peek_error_line) \
+     REQUIRED_FUNCTION(ERR_peek_last_error) \
+-    REQUIRED_FUNCTION(ERR_pop_to_mark) \
+     FALLBACK_FUNCTION(ERR_put_error) \
+     REQUIRED_FUNCTION(ERR_reason_error_string) \
+-    REQUIRED_FUNCTION(ERR_set_mark) \
+     LIGHTUP_FUNCTION(ERR_set_debug) \
+     LIGHTUP_FUNCTION(ERR_set_error) \
+     REQUIRED_FUNCTION(EVP_aes_128_cbc) \
+@@ -355,7 +353,6 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
+     REQUIRED_FUNCTION(EVP_PKCS82PKEY) \
+     REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \
+-    REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \
+@@ -797,10 +794,8 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define ERR_peek_error_line ERR_peek_error_line_ptr
+ #define ERR_peek_last_error ERR_peek_last_error_ptr
+ #define ERR_put_error ERR_put_error_ptr
+-#define ERR_pop_to_mark ERR_pop_to_mark_ptr
+ #define ERR_reason_error_string ERR_reason_error_string_ptr
+ #define ERR_set_debug ERR_set_debug_ptr
+-#define ERR_set_mark ERR_set_mark_ptr
+ #define ERR_set_error ERR_set_error_ptr
+ #define EVP_aes_128_cbc EVP_aes_128_cbc_ptr
+ #define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr
+@@ -855,7 +850,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr
+ #define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr
+ #define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr
+-#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr
+ #define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr
+ #define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr
+ #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+index 043bf9f9d1e..c9ccdf33e3a 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+@@ -67,19 +67,6 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const
+         {
+             return false;
+         }
+-
+-        // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding.
+-        // If the padding is invalid, the decryption operation returns random data.
+-        // See https://github.com/openssl/openssl/pull/13817 for background.
+-        // Some Linux distributions backported this change to previous versions of OpenSSL.
+-        // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid.
+-        ERR_set_mark();
+-
+-        EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");
+-
+-        // Undo any changes to the error queue that may have occured while configuring implicit rejection if the
+-        // current version does not support implicit rejection.
+-        ERR_pop_to_mark();
+     }
+     else
+     {
+-- 
+2.43.0
+
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (dotnet-v8.0.1.tar.gz) = 8867133406eb79f906f3b7aeccf4aa72f8bd3d5af831d11bec304dc3a1b87c2eccb8176c36b404a81c34c9157a7e620eba22abaa1000226ba027d1c5f4efbe04
+SHA512 (dotnet-v8.0.2.tar.gz) = a3deea4728a09825e4db7c979f6f1c4441d5a8011accee073f46ea0457f0e2ea84ddca7396681c6b333990ea6a8b549f3736d98b2d0be0602cf7c2f1e4e11a95