From 65654781edc0917c10e93edfbc14ceb9602c3efe Mon Sep 17 00:00:00 2001 From: Omair Majid Date: Thu, 15 Feb 2024 17:03:59 -0500 Subject: [PATCH] Update to .NET SDK 8.0.102 and Runtime 8.0.2 Resolves: RHEL-23804 --- .gitignore | 1 + dotnet8.0.spec | 16 +- release.json | 10 +- runtime-re-enable-implicit-rejection.patch | 169 +++++++++++++++++++++ sources | 2 +- 5 files changed, 187 insertions(+), 11 deletions(-) create mode 100644 runtime-re-enable-implicit-rejection.patch diff --git a/.gitignore b/.gitignore index 06cade9..58ebc46 100644 --- a/.gitignore +++ b/.gitignore @@ -37,3 +37,4 @@ /dotnet-v8.0.0-rc.2.23479.6.tar.gz /dotnet-v8.0.0.tar.gz /dotnet-v8.0.1.tar.gz +/dotnet-v8.0.2.tar.gz diff --git a/dotnet8.0.spec b/dotnet8.0.spec index afea725..b509f70 100644 --- a/dotnet8.0.spec +++ b/dotnet8.0.spec @@ -8,10 +8,10 @@ %global dotnetver 8.0 -%global host_version 8.0.1 -%global runtime_version 8.0.1 +%global host_version 8.0.2 +%global runtime_version 8.0.2 %global aspnetcore_runtime_version %{runtime_version} -%global sdk_version 8.0.101 +%global sdk_version 8.0.102 %global sdk_feature_band_version %(echo %{sdk_version} | cut -d '-' -f 1 | sed -e 's|[[:digit:]][[:digit:]]$|00|') %global templates_version %{runtime_version} #%%global templates_version %%(echo %%{runtime_version} | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+1 }') 
@@ -53,7 +53,7 @@ Name: dotnet%{dotnetver} Version: %{sdk_rpm_version} -Release: 3%{?dist} +Release: 2%{?dist} Summary: .NET Runtime and SDK License: 0BSD AND Apache-2.0 AND (Apache-2.0 WITH LLVM-exception) AND APSL-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSL-1.0 AND bzip2-1.0.6 AND CC0-1.0 AND CC-BY-3.0 AND CC-BY-4.0 AND CC-PDDC AND CNRI-Python AND EPL-1.0 AND GPL-2.0-only AND (GPL-2.0-only WITH GCC-exception-2.0) AND GPL-2.0-or-later AND GPL-3.0-only AND ICU AND ISC AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-Fedora-Public-Domain AND LicenseRef-ISO-8879 AND MIT AND MIT-Wu AND MS-PL AND MS-RL AND NCSA AND OFL-1.1 AND OpenSSL AND Unicode-DFS-2015 AND Unicode-DFS-2016 AND W3C-19980720 AND X11 AND Zlib @@ -89,6 +89,8 @@ Source21: dotnet.sh.in Patch1: roslyn-analyzers-ppc64le-apphost.patch # https://github.com/dotnet/source-build/discussions/3481 Patch2: vstest-intent-net8.0.patch +# https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314 +Patch3: runtime-re-enable-implicit-rejection.patch ExclusiveArch: aarch64 ppc64le s390x x86_64 @@ -405,7 +407,7 @@ if [[ ${release_json_tag} != %{upstream_tag} ]]; then fi %if %{without bootstrap} -%setup -q -n dotnet-%{upstream_tag_without_v} +%setup -q -c -n dotnet-%{upstream_tag_without_v} # Remove all prebuilts find -iname '*.dll' -type f -delete @@ -704,6 +706,10 @@ export COMPlus_LTTng=0 %changelog +* Wed Feb 14 2024 Omair Majid - 8.0.102-2 +- Update to .NET SDK 8.0.102 and Runtime 8.0.2 +- Resolves: RHEL-23804 + * Mon Jan 29 2024 Omair Majid - 8.0.101-3 - Add -dbg subpackages for symbol files - Resolves: RHEL-23070 diff --git a/release.json b/release.json index 4463ecb..de0aaf9 100644 --- a/release.json +++ b/release.json 
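Review bot: The new `Patch3: runtime-re-enable-implicit-rejection.patch` line carries only a PR-discussion URL as explanation, yet unlike the two patches above it this one alters cryptographic behavior of the shipped runtime, and a maintainer auditing the spec should not have to follow a link to learn that. Suggest a comment directly above it: `# Revert upstream's disabling of OpenSSL RSA PKCS#1 v1.5 implicit rejection (Marvin / Bleichenbacher timing-oracle mitigation); rationale in the patch header and the linked discussion`. The hunk shows only the declaration; whether a matching `%patch3` or `%autopatch` actually applies it, and with which `-p` level given the `src/runtime/...` paths inside the patch, is outside this view and worth confirming before merge.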
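Review bot: The added `-c` in `%setup -q -c -n dotnet-%{upstream_tag_without_v}` changes how the source archive is unpacked (the named directory is created first and the archive extracted inside it), but neither a spec comment nor the 8.0.102-2 changelog entry says why. If the reason is that the v8.0.2 tarball no longer has a top-level directory, record that next to the line, e.g. `# the v8.0.2 source tarball has no top-level directory; -c creates one`, so that a future tarball that does carry one is not silently unpacked a level deeper than the relative paths used later in the build expect. As written the reader has to diff the two tarball layouts to recover the intent.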
@@ -1,9 +1,9 @@
 {
- "release": "8.0.1",
+ "release": "8.0.2",
 "channel": "8.0",
- "tag": "v8.0.1",
- "sdkVersion": "8.0.101",
- "runtimeVersion": "8.0.1",
+ "tag": "v8.0.2",
+ "sdkVersion": "8.0.102",
+ "runtimeVersion": "8.0.2",
 "sourceRepository": "https://github.com/dotnet/dotnet",
- "sourceVersion": "b27976e5a6850466ee5b4ce24f91ee93bef645f7"
+ "sourceVersion": "d396b0c4d3e51c2d8d679b2f7233912bc5bfc2fa"
 }
diff --git a/runtime-re-enable-implicit-rejection.patch b/runtime-re-enable-implicit-rejection.patch
new file mode 100644
index 0000000..5276e79
--- /dev/null
+++ b/runtime-re-enable-implicit-rejection.patch
@@ -0,0 +1,169 @@ +From 5fdc289903bd3a77d455583650b00297da0cae8f Mon Sep 17 00:00:00 2001 +From: Omair Majid +Date: Fri, 2 Feb 2024 15:51:23 -0500 +Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95216)" + +This reverts commit a5fc8ff9b03ffb2fdb81dad524ad1a20a0714995. + +To quote Clemens Lang: + +> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle +> attack against PKCS#1v1.5 decryption. See +> https://people.redhat.com/~hkario/marvin/ for details and +> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a +> comment by the researcher who published the vulnerability and proposed the +> change in OpenSSL. + +For more details, see: +https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314 +--- + .../RSA/EncryptDecrypt.cs | 49 ++++--------------- + .../opensslshim.h | 6 --- + .../pal_evp_pkey_rsa.c | 13 ----- + 3 files changed, 10 insertions(+), 58 deletions(-) + +diff --git a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs +index 39f3ebc82ec..5b97f468a42 100644 +--- a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs ++++ b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs +@@ -353,10 +353,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc + Assert.Equal(TestData.HelloBytes, output); + } + +- [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))] ++ [ConditionalFact] + [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)] + public void RoundtripEmptyArray() + { ++ if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6)) ++ { ++ throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption 
of empty data."); ++ } ++ if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0)) ++ { ++ throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data."); ++ } ++ + using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params)) + { + void RoundtripEmpty(RSAEncryptionPadding paddingMode) +@@ -716,26 +725,6 @@ public void NotSupportedValueMethods() + } + } + +- [ConditionalTheory] +- [InlineData(new byte[] { 1, 2, 3, 4 })] +- [InlineData(new byte[0])] +- public void Decrypt_Pkcs1_ErrorsForInvalidPadding(byte[] data) +- { +- if (data.Length == 0 && !PlatformSupportsEmptyRSAEncryption) +- { +- throw new SkipTestException("Platform does not support RSA encryption of empty data."); +- } +- +- using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params)) +- { +- byte[] encrypted = Encrypt(rsa, data, RSAEncryptionPadding.Pkcs1); +- encrypted[1] ^= 0xFF; +- +- // PKCS#1, the data, and the key are all deterministic so this should always throw an exception. 
+- Assert.ThrowsAny(() => Decrypt(rsa, encrypted, RSAEncryptionPadding.Pkcs1)); +- } +- } +- + public static IEnumerable OaepPaddingModes + { + get +@@ -757,23 +746,5 @@ public static IEnumerable OaepPaddingModes + } + } + } +- +- public static bool PlatformSupportsEmptyRSAEncryption +- { +- get +- { +- if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6)) +- { +- return false; +- } +- +- if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0)) +- { +- return false; +- } +- +- return true; +- } +- } + } + } +diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h +index 0748e305d5c..cf10d2f7949 100644 +--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h ++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h +@@ -296,10 +296,8 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len); + REQUIRED_FUNCTION(ERR_peek_error) \ + REQUIRED_FUNCTION(ERR_peek_error_line) \ + REQUIRED_FUNCTION(ERR_peek_last_error) \ +- REQUIRED_FUNCTION(ERR_pop_to_mark) \ + FALLBACK_FUNCTION(ERR_put_error) \ + REQUIRED_FUNCTION(ERR_reason_error_string) \ +- REQUIRED_FUNCTION(ERR_set_mark) \ + LIGHTUP_FUNCTION(ERR_set_debug) \ + LIGHTUP_FUNCTION(ERR_set_error) \ + REQUIRED_FUNCTION(EVP_aes_128_cbc) \ +@@ -355,7 +353,6 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len); + REQUIRED_FUNCTION(EVP_PKCS82PKEY) \ + REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \ + REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \ +- REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \ + REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \ + REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \ + REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \ +@@ -797,10 +794,8 @@ FOR_ALL_OPENSSL_FUNCTIONS + #define ERR_peek_error_line ERR_peek_error_line_ptr + #define ERR_peek_last_error ERR_peek_last_error_ptr + #define ERR_put_error 
ERR_put_error_ptr +-#define ERR_pop_to_mark ERR_pop_to_mark_ptr + #define ERR_reason_error_string ERR_reason_error_string_ptr + #define ERR_set_debug ERR_set_debug_ptr +-#define ERR_set_mark ERR_set_mark_ptr + #define ERR_set_error ERR_set_error_ptr + #define EVP_aes_128_cbc EVP_aes_128_cbc_ptr + #define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr +@@ -855,7 +850,6 @@ FOR_ALL_OPENSSL_FUNCTIONS + #define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr + #define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr + #define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr +-#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr + #define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr + #define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr + #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr +diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c +index 043bf9f9d1e..c9ccdf33e3a 100644 +--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c ++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c +@@ -67,19 +67,6 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const + { + return false; + } +- +- // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding. +- // If the padding is invalid, the decryption operation returns random data. +- // See https://github.com/openssl/openssl/pull/13817 for background. +- // Some Linux distributions backported this change to previous versions of OpenSSL. +- // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid. +- ERR_set_mark(); +- +- EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0"); +- +- // Undo any changes to the error queue that may have occured while configuring implicit rejection if the +- // current version does not support implicit rejection. 
+- ERR_pop_to_mark(); + } + else + { +-- +2.43.0 + diff --git a/sources b/sources index 3180100..89c40d8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (dotnet-v8.0.1.tar.gz) = 8867133406eb79f906f3b7aeccf4aa72f8bd3d5af831d11bec304dc3a1b87c2eccb8176c36b404a81c34c9157a7e620eba22abaa1000226ba027d1c5f4efbe04 +SHA512 (dotnet-v8.0.2.tar.gz) = a3deea4728a09825e4db7c979f6f1c4441d5a8011accee073f46ea0457f0e2ea84ddca7396681c6b333990ea6a8b549f3736d98b2d0be0602cf7c2f1e4e11a95
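Review bot: Deleting `Decrypt_Pkcs1_ErrorsForInvalidPadding` outright leaves the behavior this revert reinstates with no test: once the `rsa_pkcs1_implicit_rejection` override is gone from `ConfigureEncryption`, a tampered PKCS#1 ciphertext passed to `Decrypt(rsa, encrypted, RSAEncryptionPadding.Pkcs1)` no longer throws on an implicit-rejection OpenSSL but returns random data, as the removed C comment itself notes, and that is exactly the property a distribution carrying this patch should be asserting. Rather than removing the theory, keep it and assert the contract that holds on both code paths — wrap `Decrypt` in a `try`/`catch (CryptographicException)` and, when nothing is thrown, assert `Assert.False(decrypted.AsSpan().SequenceEqual(data));` (the tampered ciphertext must never decrypt to the original plaintext, which holds with overwhelming probability). The observable change for applications also deserves a line in the package changelog, not only in this embedded patch header: code that relied on the bad-padding exception as an integrity signal will now receive garbage plaintext without error, which is the correct trade-off against the timing oracle but a behavioral difference from upstream .NET on other platforms. Both the C# test class and the C `ConfigureEncryption` function start and end outside this hunk.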