From 9731efbadc7335c9fc92a84483179d4ae95f7631 Mon Sep 17 00:00:00 2001
From: Sandeep Karambelkar
Date: Mon, 10 Nov 2025 05:06:44 +0000
Subject: [PATCH 01/43] Fix podman install issue and add required dependent packages
---
 .../criu/001-upstream-pr-2653.patch | 134 ++++++++++
 SPECS-EXTENDED/criu/criu.signatures.json | 4 +-
 SPECS-EXTENDED/criu/criu.spec | 239 +++++++++---------
 SPECS-EXTENDED/crun/crun.signatures.json | 5 +
 SPECS-EXTENDED/crun/crun.spec | 186 ++++++++++++++
 SPECS-EXTENDED/podman/podman.spec | 6 +-
 SPECS/util-linux/util-linux.spec | 20 +-
 7 files changed, 470 insertions(+), 124 deletions(-)
 create mode 100644 SPECS-EXTENDED/criu/001-upstream-pr-2653.patch
 create mode 100644 SPECS-EXTENDED/crun/crun.signatures.json
 create mode 100644 SPECS-EXTENDED/crun/crun.spec
diff --git a/SPECS-EXTENDED/criu/001-upstream-pr-2653.patch b/SPECS-EXTENDED/criu/001-upstream-pr-2653.patch
new file mode 100644
index 00000000000..bcb96fd1df3
--- /dev/null
+++ b/SPECS-EXTENDED/criu/001-upstream-pr-2653.patch
@@ -0,0 +1,134 @@ +From 22fdffbdde9476b27988b3ee0a4013a4453784c9 Mon Sep 17 00:00:00 2001 +From: Andrei Vagin +Date: Mon, 21 Apr 2025 06:33:41 +0000 +Subject: [PATCH] net: nftables: avoid restore failure if the CRIU nft table + already exist + +CRIU locks the network during restore in an "empty" network namespace. +However, "empty" in this context means CRIU isn't restoring the +namespace. This network namespace can be the same namespace where +processes have been dumped and so the network is already locked in it. + +Fixes #2650 + +Signed-off-by: Andrei Vagin +--- + criu/cr-restore.c | 2 +- + criu/include/net.h | 2 +- + criu/net.c | 30 +++++++++++++++++------------- + 3 files changed, 19 insertions(+), 15 deletions(-) + +diff --git a/criu/cr-restore.c b/criu/cr-restore.c +index 583b446e0b..30932f60a2 100644 +--- a/criu/cr-restore.c ++++ b/criu/cr-restore.c +@@ -2119,7 +2119,7 @@ static int restore_root_task(struct pstree_item *init) + * the '--empty-ns net' mode no iptables C/R is done and we + * need to return these rules by hands. 
+ */ +- ret = network_lock_internal(); ++ ret = network_lock_internal(/* restore = */ true); + if (ret) + goto out_kill; + } +diff --git a/criu/include/net.h b/criu/include/net.h +index 5e8a848620..7c5ede21e1 100644 +--- a/criu/include/net.h ++++ b/criu/include/net.h +@@ -31,7 +31,7 @@ extern int collect_net_namespaces(bool for_dump); + + extern int network_lock(void); + extern void network_unlock(void); +-extern int network_lock_internal(void); ++extern int network_lock_internal(bool restore); + + extern struct ns_desc net_ns_desc; + +diff --git a/criu/net.c b/criu/net.c +index ee46f1c495..300df480b0 100644 +--- a/criu/net.c ++++ b/criu/net.c +@@ -3206,12 +3206,12 @@ static inline FILE *redirect_nftables_output(struct nft_ctx *nft) + } + #endif + +-static inline int nftables_lock_network_internal(void) ++static inline int nftables_lock_network_internal(bool restore) + { + #if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1) + cleanup_file FILE *fp = NULL; + struct nft_ctx *nft; +- int ret = 0; ++ int ret = 0, exit_code = -1; + char table[32]; + char buf[128]; + +@@ -3224,11 +3224,16 @@ static inline int nftables_lock_network_internal(void) + + fp = redirect_nftables_output(nft); + if (!fp) +- goto out; ++ goto err2; + + snprintf(buf, sizeof(buf), "create table %s", table); +- if (NFT_RUN_CMD(nft, buf)) ++ ret = NFT_RUN_CMD(nft, buf); ++ if (ret) { ++ /* The network has been locked on dump. 
*/ ++ if (restore && errno == EEXIST) ++ return 0; + goto err2; ++ } + + snprintf(buf, sizeof(buf), "add chain %s output { type filter hook output priority 0; policy drop; }", table); + if (NFT_RUN_CMD(nft, buf)) +@@ -3246,17 +3251,16 @@ static inline int nftables_lock_network_internal(void) + if (NFT_RUN_CMD(nft, buf)) + goto err1; + +- goto out; +- ++ exit_code = 0; ++out: ++ nft_ctx_free(nft); ++ return exit_code; + err1: + snprintf(buf, sizeof(buf), "delete table %s", table); + NFT_RUN_CMD(nft, buf); + err2: +- ret = -1; + pr_err("Locking network failed using nftables\n"); +-out: +- nft_ctx_free(nft); +- return ret; ++ goto out; + #else + pr_err("CRIU was built without libnftables support\n"); + return -1; +@@ -3288,7 +3292,7 @@ static int iptables_network_lock_internal(void) + return ret; + } + +-int network_lock_internal(void) ++int network_lock_internal(bool restore) + { + int ret = 0, nsret; + +@@ -3301,7 +3305,7 @@ int network_lock_internal(void) + if (opts.network_lock_method == NETWORK_LOCK_IPTABLES) + ret = iptables_network_lock_internal(); + else if (opts.network_lock_method == NETWORK_LOCK_NFTABLES) +- ret = nftables_lock_network_internal(); ++ ret = nftables_lock_network_internal(restore); + + if (restore_ns(nsret, &net_ns_desc)) + ret = -1; +@@ -3427,7 +3431,7 @@ int network_lock(void) + if (run_scripts(ACT_NET_LOCK)) + return -1; + +- return network_lock_internal(); ++ return network_lock_internal(false); + } + + void network_unlock(void) diff --git a/SPECS-EXTENDED/criu/criu.signatures.json b/SPECS-EXTENDED/criu/criu.signatures.json index 31dcbf81e54..1068f5f56b3 100644 --- a/SPECS-EXTENDED/criu/criu.signatures.json +++ b/SPECS-EXTENDED/criu/criu.signatures.json 
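Review bot: In the `nftables_lock_network_internal` part of the imported patch, the new `return 0;` taken on `restore && errno == EEXIST` leaves the function without going through `out:`, so `nft_ctx_free(nft)` is skipped on that path while the other exits visible in the hunk now all reach it. Routing it through the shared exit keeps the cleanup in one place: `if (restore && errno == EEXIST) { exit_code = 0; goto out; }`. The same branch treats the mere existence of the table as proof that the network is locked; nothing visible checks that the existing table still carries the drop-policy chains, so a table of that name without the rules would let restore continue with traffic flowing, and a comment stating that assumption (or a check) would help. The branch also depends on `NFT_RUN_CMD` leaving `errno` set on failure, which the hunk does not show. The function begins before the hunk and the allocation of `nft` is outside it.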
@@ -1,6 +1,6 @@ { "Signatures": { - "criu-3.15.tar.bz2": "447cc1f350da94d190bcfda753695bf34ce91eee969df8263fcc33d08990a025", + "criu-4.1.1.tar.gz": "a5338fe696395843543e6e09c85ccaf36614bf172c26fe8506191b7b930d2dae", "criu-tmpfiles.conf": "d40c7153756d170c4d68ac57598236a011c177ac41a1125813f8b2e16dc15c1a" } -} +} \ No newline at end of file diff --git a/SPECS-EXTENDED/criu/criu.spec b/SPECS-EXTENDED/criu/criu.spec index adfa656e4e7..dd6526fc746 100644 --- a/SPECS-EXTENDED/criu/criu.spec +++ b/SPECS-EXTENDED/criu/criu.spec 
@@ -4,54 +4,45 @@ Distribution: Azure Linux %global py_prefix python3 %global py_binary %{py_prefix} - - - - # With annobin enabled, CRIU does not work anymore. It seems CRIU's # parasite code breaks if annobin is enabled. %undefine _annotated_build -Name: criu -Version: 3.15 -Release: 3%{?dist} -Provides: crtools = %{version}-%{release} -Obsoletes: crtools <= 1.0-2 -Summary: Tool for Checkpoint/Restore in User-space -License: GPLv2 -URL: http://criu.org/ -Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2 - -Patch0: unifying_struct_names.patch - -%if 0%{?rhel} && 0%{?rhel} <= 7 -BuildRequires: perl -# RHEL has no asciidoc; take man-page from Fedora 26 -# zcat /usr/share/man/man8/criu.8.gz > criu.8 -Source1: criu.8 -Source2: crit.1 -Source3: compel.1 -# The patch aio-fix.patch is needed as RHEL7 -# doesn't do "nr_events *= 2" in ioctx_alloc(). -Patch100: aio-fix.patch -%endif - -Source4: criu-tmpfiles.conf - -BuildRequires: gcc -BuildRequires: systemd -BuildRequires: libnet-devel -BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel libcap-devel - -BuildRequires: asciidoc xmlto -BuildRequires: perl-interpreter -BuildRequires: libselinux-devel -BuildRequires: gnutls-devel -BuildRequires: nftables-devel -BuildRequires: git +Name: criu +Version: 4.1.1 +Release: 1%{?dist} +Provides: crtools = %{version}-%{release} +Obsoletes: crtools <= 1.0-2 +Summary: Tool for Checkpoint/Restore in User-space +License: GPLv2 +URL: http://criu.org/ +Source0: https://github.com/checkpoint-restore/criu/archive/v%{version}/criu-%{version}.tar.gz + +Patch0: 001-upstream-pr-2653.patch + +Source5: criu-tmpfiles.conf + +BuildRequires: gcc +BuildRequires: systemd +BuildRequires: libnet-devel +BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel libcap-devel +BuildRequires: %{py_prefix}-pip +BuildRequires: %{py_prefix}-setuptools +BuildRequires: %{py_prefix}-wheel +BuildRequires: %{py_prefix}-protobuf +BuildRequires: asciidoc 
+BuildRequires: perl-interpreter +BuildRequires: libselinux-devel +BuildRequires: gnutls-devel +BuildRequires: libdrm-devel +BuildRequires: libuuid-devel +BuildRequires: libbsd-devel +BuildRequires: nftables-devel +BuildRequires: make +BuildRequires: git +BuildRequires: xmlto # Checkpointing containers with a tmpfs requires tar -Recommends: tar -BuildRequires: libbsd-devel +Recommends: tar # user-space and kernel changes are only available for x86_64, arm, 
@@ -65,102 +56,99 @@ criu is the user-space part of Checkpoint/Restore in User-space Linux in user-space. -%package devel -Summary: Header files and libraries for %{name} -Requires: %{name} = %{version}-%{release} +%package devel +Summary: Header files and libraries for %{name} +Requires: %{name} = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} -%description devel +%description devel This package contains header files and libraries for %{name}. -%package libs -Summary: Libraries for %{name} -Requires: %{name} = %{version}-%{release} +%package libs +Summary: Libraries for %{name} +Requires: %{name} = %{version}-%{release} -%description libs +%description libs This package contains the libraries for %{name} - -%package -n %{py_prefix}-%{name} +%package amdgpu-plugin +Summary: AMD GPU plugin for %{name} +Requires: %{name} = %{version}-%{release} + +%description amdgpu-plugin +This package contains the AMD GPU plugin for %{name} + +%package cuda-plugin +Summary: CUDA plugin for %{name} +Requires: %{name} = %{version}-%{release} + +%description cuda-plugin +This package contains the CUDA plugin for %{name} + +%package -n %{py_prefix}-%{name} %{?python_provide:%python_provide %{py_prefix}-%{name}} -Summary: Python bindings for %{name} -%if 0%{?rhel} && 0%{?rhel} <= 7 -Requires: protobuf-python -Requires: %{name} = %{version}-%{release} %{py_prefix}-ipaddr -%else -Requires: protobuf-%{py_prefix} -Obsoletes: python2-criu < 3.10-1 -%endif - +Summary: Python bindings for %{name} +Requires: %{py_prefix}-protobuf + %description -n %{py_prefix}-%{name} %{py_prefix}-%{name} contains Python bindings for %{name}. - -%package -n crit -Summary: CRIU image tool -Requires: %{py_prefix}-%{name} = %{version}-%{release} - + +%package -n crit +Summary: CRIU image tool +Requires: %{py_prefix}-%{name} = %{version}-%{release} + %description -n crit crit is a tool designed to decode CRIU binary dump files and show their content in human-readable form. 
- + +%package -n criu-ns +Summary: Tool to run CRIU in different namespaces +Requires: %{name} = %{version}-%{release} + +%description -n criu-ns +The purpose of the criu-ns wrapper script is to enable restoring a process +tree that might require a specific PID that is already used on the system. +This script can help to workaround the so called "PID mismatch" problem. %prep -%setup -q -%patch 0 -p1 - -%if 0%{?rhel} && 0%{?rhel} <= 7 -%patch 100 -p1 -%endif +%autosetup -p1 %build -# A small part of the build makes direct calls to "ld" instead of GCC and "LDFLAGS-MASK" -# is used to cut out parts of "LDFLAGS", which "ld" doesn't understand. -# "LDFLAGS-MASK" didn't expect the "-specs" argument Mariner contains -# in the hardening flags and all direct calls to "ld" were crashing. -sed -i -E "s/(LDFLAGS-MASK.*:= -Wl,%)/\1 -specs=%/" scripts/nmk/scripts/build.mk -CFLAGS=`echo "$CFLAGS" | sed -e 's,-fstack-protector\S*,,g'` %make_build V=1 WERROR=0 RUNDIR=/run/criu PYTHON=%{py_binary} - +# This package calls LD directly without specifying the LTO plugins. Until +# that is fixed, disable LTO. 
+%define _lto_cflags %{nil} + +# %{?_smp_mflags} does not work +# -fstack-protector breaks build +LDFLAGS='-Wl,-z,relro -Wl,--as-needed -Wl,-z,now ' +export LDFLAGS +make V=1 WERROR=0 PREFIX=%{_prefix} RUNDIR=/run/criu PYTHON=%{py_binary} PLUGINDIR=%{_libdir}/criu NETWORK_LOCK_DEFAULT=NETWORK_LOCK_NFTABLES +make V=1 WERROR=0 PREFIX=%{_prefix} PLUGINDIR=%{_libdir}/criu amdgpu_plugin make docs V=1 - %install -make install-criu DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} -make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary} - -# only install documentation on Fedora as it requires asciidoc, -# which is not available on RHEL7 +sed -e "s,--upgrade --ignore-installed,--no-index --no-deps -v --no-build-isolation,g" -i lib/Makefile -i crit/Makefile +make install-criu DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} BINDIR=%{_bindir} SBINDIR=%{_sbindir} +make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary} PIPFLAGS="--no-build-isolation --no-index --no-deps --progress-bar off --upgrade --ignore-installed" +make install-amdgpu_plugin DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PLUGINDIR=%{_libdir}/criu +make install-cuda_plugin DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PLUGINDIR=%{_libdir}/criu +make install-crit DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} BINDIR=%{_bindir} SBINDIR=%{_sbindir} PYTHON=%{py_binary} PIPFLAGS="--no-build-isolation --no-index --no-deps --progress-bar off --upgrade --ignore-installed" make install-man DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} - - - - - - +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/compel.1 + mkdir -p %{buildroot}%{_tmpfilesdir} -install -m 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf +install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf install -d -m 0755 %{buildroot}/run/%{name}/ -%if 0%{?rhel} -# remove devel and libs packages 
-rm -rf $RPM_BUILD_ROOT%{_includedir}/criu -rm $RPM_BUILD_ROOT%{_libdir}/*.so* -rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig -rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name} -%endif - -# remove static lib -rm -f $RPM_BUILD_ROOT%{_libdir}/libcriu.a - %files +%license COPYING +%doc README.md %{_sbindir}/%{name} %doc %{_mandir}/man8/criu.8* -%doc %{_mandir}/man1/compel.1* - %{_libexecdir}/%{name} - %dir /run/%{name} %{_tmpfilesdir}/%{name}.conf -%doc README.md COPYING %files devel @@ -170,23 +158,36 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libcriu.a %files libs %{_libdir}/*.so.* - - +%{_libdir}/*.a + +%files amdgpu-plugin +%{_libdir}/%{name}/amdgpu_plugin.so +%doc %{_mandir}/man1/criu-amdgpu-plugin.1* + +%files cuda-plugin +%{_libdir}/%{name}/cuda_plugin.so +%doc plugins/cuda/README.md + %files -n %{py_prefix}-%{name} -%if 0%{?rhel} && 0%{?rhel} <= 7 -%{python2_sitelib}/pycriu/* -%{python2_sitelib}/*egg-info -%else -%{python3_sitelib}/pycriu/* -%{python3_sitelib}/*egg-info -%endif - +%{python3_sitelib}/pycriu* + %files -n crit %{_bindir}/crit +%{python3_sitelib}/crit-%{version}.dist-info/ +%{python3_sitelib}/crit %doc %{_mandir}/man1/crit.1* + +%files -n criu-ns +%{_sbindir}/criu-ns +%doc %{_mandir}/man1/criu-ns.1* +%post +%tmpfiles_create %{name}.conf %changelog +* Fri Nov 07 2025 Sandeep Karambelkar - 4.1.1-1 +- Upgrade to 4.1.1 ref from Fedora 42 + * Tue Sep 21 2021 Pawel Winogrodzki - 3.15-3 - Added a patch to fix build errors by unifying struct names across the source code. - Removed the "-fstack-protector" flag breaking the build. diff --git a/SPECS-EXTENDED/crun/crun.signatures.json b/SPECS-EXTENDED/crun/crun.signatures.json new file mode 100644 index 00000000000..a3a523b62ed --- /dev/null +++ b/SPECS-EXTENDED/crun/crun.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "crun-1.24.tar.gz": "90b6e33a6400ba5355eed6efc46a4c890e48e6c96d99d2bbc7fe92803bdfce52" + } +} \ No newline at end of file 
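Review bot: In the new `%build` section of criu.spec it is no longer clear which hardening flags the resulting binaries are built with. `LDFLAGS` is replaced by a hand-written `-Wl,-z,relro -Wl,--as-needed -Wl,-z,now`, `%_lto_cflags` is cleared, and plain `make` replaces `%make_build`, while the comment `# -fstack-protector breaks build` is not followed by any line that removes the flag (the old `sed` on `CFLAGS` is deleted). The comment should say what is dropped and why, for example `# Distro LDFLAGS are replaced because the build calls ld directly; -fstack-protector handling: TODO confirm`. criu normally runs with elevated privileges, so a check of the installed binary for RELRO, BIND_NOW and PIE in a `%check` section would make a hardening regression visible.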
diff --git a/SPECS-EXTENDED/crun/crun.spec b/SPECS-EXTENDED/crun/crun.spec new file mode 100644 index 00000000000..be0dd99d3bb --- /dev/null +++ b/SPECS-EXTENDED/crun/crun.spec 
@@ -0,0 +1,186 @@ +%global krun_opts %{nil} +%global wasmedge_opts %{nil} +%global yajl_opts %{nil} + +%if %{defined copr_username} +%define copr_build 1 +%endif + +# krun and wasm support not yet provided in azurelinux +%global yajl_opts --enable-embedded-yajl + +Summary: OCI runtime written in C +Name: crun +Version: 1.24 +Release: 1 +Vendor: Microsoft Corporation +Distribution: Azure Linux +URL: https://github.com/containers/%{name} +Source0: %{url}/releases/download/%{version}/%{name}-%{version}.tar.gz +License: GPL-2.0-only +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: gcc +BuildRequires: git-core +BuildRequires: gperf +BuildRequires: libcap-devel + +%if %{defined krun_support} +BuildRequires: libkrun-devel +%endif + +BuildRequires: systemd-devel + +%if %{defined system_yajl} +BuildRequires: yajl-devel +%endif + +BuildRequires: libseccomp-devel +BuildRequires: python3-libmount +BuildRequires: libtool +BuildRequires: protobuf-c-devel +BuildRequires: criu-devel >= 3.17.1-2 +Recommends: criu >= 3.17.1 +Recommends: criu-libs + +%if %{defined wasmedge_support} +BuildRequires: wasmedge-devel +%endif + +BuildRequires: python +BuildRequires: glibc-static +Provides: oci-runtime + +%description +%{name} is a OCI runtime + +%if %{defined krun_support} +%package krun +Summary: %{name} with libkrun support +Requires: libkrun +Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release} +Provides: krun = %{?epoch:%{epoch}:}%{version}-%{release} + +%description krun +krun is a symlink to the %{name} binary, with libkrun as an additional dependency. 
+%endif + +%if %{defined wasm_support} +%package wasm +Summary: %{name} with wasm support +Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release} +# wasm packages are not present on RHEL yet and are currently a PITA to test +# Best to only include wasmedge as weak dep on rhel +%if %{defined fedora} +Requires: wasm-library +%endif +Recommends: wasmedge + +%description wasm +%{name}-wasm is a symlink to the %{name} binary, with wasm as an additional dependency. +%endif + +%prep +%autosetup -p1 -n %{name}-%{version} + +%build +./autogen.sh +./configure --disable-silent-rules %{krun_opts} %{wasmedge_opts} %{yajl_opts} +%make_build + +%install +%make_install prefix=%{_prefix} +rm -rf %{buildroot}%{_prefix}/lib* + +# Placeholder check to silence rpmlint +%check + +%files +%license COPYING +%{_bindir}/%{name} +%{_mandir}/man1/%{name}.1.gz + +%if %{defined krun_support} +%files krun +%license COPYING +%{_bindir}/krun +%{_mandir}/man1/krun.1.gz +%endif + +%if %{defined wasm_support} +%files wasm +%license COPYING +%{_bindir}/%{name}-wasm +%endif + +%changelog +* Fri Nov 07 2025 Sandeep Karambelkar - 1.24-1 +- Initial Azure Linux import from Fedora 42 (license: MIT). 
+- Modified for building in azurelinux +- License verified + +* Thu Jul 31 2025 Packit - 1.23.1-1 +- Update to 1.23.1 upstream release + +* Thu Jul 24 2025 Packit - 1.23-1 +- Update to 1.23 upstream release + +* Fri Jun 27 2025 Packit - 1.22-1 +- Update to 1.22 upstream release + +* Fri Mar 28 2025 Packit - 1.21-1 +- Update to 1.21 upstream release + +* Mon Feb 10 2025 Lokesh Mandvekar - 1.20-2 +- fix gating config + +* Wed Feb 05 2025 Packit - 1.20-1 +- Update to 1.20 upstream release + +* Thu Jan 16 2025 Fedora Release Engineering - 1.19.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Wed Jan 15 2025 Lokesh Mandvekar - 1.19.1-3 +- TMT: use prepare conditionals + +* Thu Dec 26 2024 Lokesh Mandvekar - 1.19.1-2 +- TMT: sync tests from upstream + +* Tue Dec 17 2024 Packit - 1.19.1-1 +- Update to 1.19.1 upstream release + +* Fri Dec 06 2024 Packit - 1.19-1 +- Update to 1.19 upstream release + +* Thu Oct 31 2024 Packit - 1.18.2-1 +- Update to 1.18.2 upstream release + +* Wed Oct 30 2024 Packit - 1.18.1-1 +- Update to 1.18.1 upstream release + +* Tue Oct 22 2024 Packit - 1.18-1 +- Update to 1.18 upstream release + +* Mon Oct 21 2024 Yaakov Selkowitz - 1.17-3 +- Use embedded yajl in RHEL builds + +* Thu Sep 26 2024 David Abdurachmanov - 1.17-2 +- Disable criu support on riscv64 + +* Tue Sep 10 2024 Lokesh Mandvekar - 1.17-1 +- bump to 1.17 + +* Wed Jul 17 2024 Fedora Release Engineering - 1.15-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Thu May 02 2024 Packit - 1.15-1 +- Update to 1.15 upstream release + +* Wed Mar 27 2024 Lokesh Mandvekar - 1.14.4-5 +- wasmedge should stay enabled for official fedora + +* Wed Mar 27 2024 Lokesh Mandvekar - 1.14.4-4 +- remove eln macro + +* Tue Mar 05 2024 Giuseppe Scrivano - 1.14.4-3 +- Revert "Add riscv64 support." diff --git a/SPECS-EXTENDED/podman/podman.spec b/SPECS-EXTENDED/podman/podman.spec index 51e8b5459cc..6409ae265b8 100644 --- a/SPECS-EXTENDED/podman/podman.spec 
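Review bot: `%global yajl_opts --enable-embedded-yajl` makes crun build against the yajl copy shipped in its own tarball, but the spec declares nothing about that bundled copy. yajl is the JSON parser, so fixes applied to the distribution's yajl package will not reach this binary and package-level vulnerability scanners cannot see the copy; adding `Provides: bundled(yajl)` (with the bundled version if it is known) records it. Separately, `Release: 1` lacks the `%{?dist}` suffix that criu.spec in this same patch uses, and `%check` is an empty placeholder, so nothing exercises the built runtime.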
+++ b/SPECS-EXTENDED/podman/podman.spec @@ -48,7 +48,7 @@ BuildRequires: btrfs-progs-devel BuildRequires: gcc BuildRequires: glib2-devel BuildRequires: glibc-devel -BuildRequires: glibc-static >= 2.38-15%{?dist} +BuildRequires: glibc-static >= 2.38-14%{?dist} BuildRequires: golang BuildRequires: git-core @@ -68,7 +68,7 @@ BuildRequires: ostree-devel BuildRequires: systemd BuildRequires: systemd-devel Requires: catatonit -Requires: conmon >= 2:2.1.7-2 +Requires: conmon >= 2.1.7-2 Requires: libcontainers-common Provides: %{name}-quadlet = %{epoch}:%{version}-%{release} @@ -114,6 +114,8 @@ Requires: slirp4netns Requires: buildah Requires: gnupg Requires: xfsprogs +Requires: crun +Requires: netavark %description tests %{summary} diff --git a/SPECS/util-linux/util-linux.spec b/SPECS/util-linux/util-linux.spec index 349c9d6263a..9ea7fd1c173 100644 --- a/SPECS/util-linux/util-linux.spec +++ b/SPECS/util-linux/util-linux.spec @@ -1,3 +1,6 @@ +%global pypkg python3 +%global pyver 3 + %define majminorver %(echo %{version} | cut -d. -f1-2) Summary: Utilities for file systems, consoles, partitions, and messages Name: util-linux @@ -63,6 +66,17 @@ Group: Development/Libraries %description libs These are library files of util-linux. +%package -n %{pypkg}-libmount +Summary: Python bindings for the libmount library +Requires: %{name}-libs = %{version}-%{release} +License: LGPL-2.1-or-later + +%description -n %{pypkg}-libmount +The libmount-python package contains a module that permits applications +written in the Python programming language to use the interface +supplied by the libmount library to work with mount tables (fstab, +mountinfo, etc) and mount filesystems. + %prep %autosetup -p1 sed -i -e 's@etc/adjtime@var/lib/hwclock/adjtime@g' $(grep -rl '%{_sysconfdir}/adjtime' .) @@ -78,7 +92,7 @@ autoreconf -fi --disable-static \ --disable-use-tty-group \ --disable-liblastlog2 \ - --without-python \ + --with-python=%{pyver} \ --with-selinux \ --with-audit make %{?_smp_mflags} 
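Review bot: The `BuildRequires: glibc-static` floor in the first podman.spec hunk is lowered from `2.38-15%{?dist}` to `2.38-14%{?dist}`, which lets podman be built against an older glibc-static release than before. Code from glibc-static is linked into the resulting binaries, so if release 15 carried a fix, a build satisfied by release 14 would ship without it; the commit message does not state why the floor is lowered. If the intent is only to match what the build environment currently provides, record that above the line, e.g. `# glibc-static 2.38-15 not yet available in <build repo>; restore the -15 floor once published`. No `Release` bump or `%changelog` entry for podman.spec is visible in this diff either.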
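Review bot: Dropping the epoch in `Requires: conmon >= 2.1.7-2` (second podman.spec hunk) changes what the constraint means. rpm treats a missing epoch as 0, so if the conmon package in this distribution carries any non-zero `Epoch`, every build of it satisfies the requirement and the version floor no longer constrains anything. If conmon here has no epoch the new line is correct, and a comment recording that, such as `# conmon has no Epoch in this distribution; the imported spec used 2:`, would keep a later sync from reintroducing the mismatch. The context line `Provides: %{name}-quadlet = %{epoch}:%{version}-%{release}` just below still relies on an epoch for podman itself.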
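Review bot: Switching `--without-python` to `--with-python=%{pyver}` and adding the `%{pypkg}-libmount` subpackage changes what util-linux.spec produces, but none of the four hunks for this file bumps `Release` or adds a `%changelog` entry. No `BuildRequires` for the Python development headers is added either, though one may already exist outside the hunks. crun.spec in this same patch has `BuildRequires: python3-libmount`, so a util-linux build with the unchanged release number that predates this change would not provide it. Consider bumping `Release`, adding the changelog line, and confirming `BuildRequires: python3-devel` is present.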
@@ -143,6 +157,10 @@ rm -rf %{buildroot}/lib/systemd/system /lib/libsmartcols.so.* /lib/libfdisk.so.* +%files -n %{pypkg}-libmount +%license Documentation/licenses/COPYING.LGPL-2.1-or-later +%{_libdir}/python*/site-packages/libmount/ + %files devel %defattr(-,root,root) %license Documentation/licenses/COPYING.LGPL-2.1-or-later libsmartcols/COPYING From 22840c474006b9a1e3e739eee5083d7482184f15 Mon Sep 17 00:00:00 2001 From: Sandeep Karambelkar Date: Mon, 10 Nov 2025 05:49:42 +0000 Subject: [PATCH 02/43] Update cgmanifest and license maps --- LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md | 2 +- LICENSES-AND-NOTICES/SPECS/data/licenses.json | 1 + SPECS-EXTENDED/criu/criu.spec | 1 + cgmanifest.json | 14 ++++++++++++-- 4 files changed, 15 insertions(+), 3 deletions(-) diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md index a232b67d6b8..6c974d87399 100644 --- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md +++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md @@ -5,7 +5,7 @@ The Azure Linux SPEC files originated from a variety of sources with varying lic | CentOS | [MIT](https://www.centos.org/legal/#licensing-policy) | crash-ptdump-command
delve
fstrm
nodejs-nodemon
rhnlib
rt-setup
rt-tests
rtctl
tuned | | Ceph source | [LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1) | ceph | | Debian | [MIT](https://opensource.org/licenses/MIT) | prometheus-process-exporter | -| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | 389-ds-base
a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capnproto
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
ck
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpufrequtils
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dhcpcd
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
erofs-utils
evemu
execstack
exempi
exiv2
expected
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fdupes
fence-virt
fetchmail
fftw
filebench
fio
firewalld
flac
flashrom
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fwupd
fwupd-efi
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
gi-docgen
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kernel-srpm-macros
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcbor
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libcxx
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbusmenu
libdc1394
libdecor
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libei
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjaylink
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmamba
libmd
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusb1
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libxcvt
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunitx
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-parent
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip-ng
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mosh
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
passim
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Refcount
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-TreeCreate
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Match-Simple
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Infix
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Type-Tiny
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-apcu
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-pom
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-archspec
python-argcomplete
python-argparse-manpage
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-backoff
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-boltons
python-breathe
python-cached_property
python-cbor2
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-libmamba-solver
python-conda-package-handling
python-conda-package-streaming
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flaky
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-iniconfig
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-junit_xml
python-junitxml
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-menuinst
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-prometheus_client
python-ptyprocess
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyproject-api
python-pyproject-metadata
python-pyroute2
python-pyrsistent
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmautospec-core
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-smartypants
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jquery
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sphinxygen
python-spnego
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-typogrify
python-uamqp
python-uritemplate
python-urwid
python-uswid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xlsxwriter
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstandard
python-zstd
python3-mallard-ducktype
python3-pycares
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
reproc
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rr
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-scanf
rubygem-sys-filesystem
rubygem-thread_order
rusers
rust-cbindgen
s-nail
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
sdl12-compat
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
shim-unsigned-aarch64
shim-unsigned-x64
simdjson
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
spdlog
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stress-ng
strongswan
stunnel
subscription-manager
subunit
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
umockdev
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-server-Xwayland
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xpp3
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
yq
z3
zenity
zerofree
zfs-fuse
zipper
zix
zopfli
zziplib |
+| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | 389-ds-base
a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capnproto
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
ck
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpufrequtils
cpuid
criu
crun
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dhcpcd
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
erofs-utils
evemu
execstack
exempi
exiv2
expected
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fdupes
fence-virt
fetchmail
fftw
filebench
fio
firewalld
flac
flashrom
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fwupd
fwupd-efi
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
gi-docgen
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kernel-srpm-macros
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcbor
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libcxx
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbusmenu
libdc1394
libdecor
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libei
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjaylink
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmamba
libmd
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusb1
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libxcvt
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunitx
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-parent
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip-ng
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mosh
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
passim
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Refcount
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-TreeCreate
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Match-Simple
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Infix
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Type-Tiny
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-apcu
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-pom
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-archspec
python-argcomplete
python-argparse-manpage
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-backoff
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-boltons
python-breathe
python-cached_property
python-cbor2
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-libmamba-solver
python-conda-package-handling
python-conda-package-streaming
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flaky
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-iniconfig
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-junit_xml
python-junitxml
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-menuinst
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-prometheus_client
python-ptyprocess
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyproject-api
python-pyproject-metadata
python-pyroute2
python-pyrsistent
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmautospec-core
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-smartypants
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jquery
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sphinxygen
python-spnego
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-typogrify
python-uamqp
python-uritemplate
python-urwid
python-uswid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xlsxwriter
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstandard
python-zstd
python3-mallard-ducktype
python3-pycares
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
reproc
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rr
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-scanf
rubygem-sys-filesystem
rubygem-thread_order
rusers
rust-cbindgen
s-nail
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
sdl12-compat
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
shim-unsigned-aarch64
shim-unsigned-x64
simdjson
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
spdlog
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stress-ng
strongswan
stunnel
subscription-manager
subunit
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
umockdev
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-server-Xwayland
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xpp3
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
yq
z3
zenity
zerofree
zfs-fuse
zipper
zix
zopfli
zziplib | | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq | | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json index fd3cf942361..9a5381a1366 100644 --- a/LICENSES-AND-NOTICES/SPECS/data/licenses.json +++ b/LICENSES-AND-NOTICES/SPECS/data/licenses.json @@ -147,6 +147,7 @@ "cpufrequtils", "cpuid", "criu", + "crun", "crypto-policies", "cryptsetup", "cscope", diff --git a/SPECS-EXTENDED/criu/criu.spec b/SPECS-EXTENDED/criu/criu.spec index dd6526fc746..287c4d965ea 100644 --- a/SPECS-EXTENDED/criu/criu.spec +++ b/SPECS-EXTENDED/criu/criu.spec @@ -187,6 +187,7 @@ install -d -m 0755 %{buildroot}/run/%{name}/ %changelog * Fri Nov 07 2025 Sandeep Karambelkar - 4.1.1-1 - Upgrade to 4.1.1 ref from Fedora 42 +- License verified * Tue Sep 21 2021 Pawel Winogrodzki - 3.15-3 - Added a patch to fix build errors by unifying struct names across the source code. diff --git a/cgmanifest.json b/cgmanifest.json index 8e1b66ec89a..97873c5f0fa 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -2297,8 +2297,18 @@ "type": "other", "other": { "name": "criu", - "version": "3.15", - "downloadUrl": "http://download.openvz.org/criu/criu-3.15.tar.bz2" + "version": "4.1.1", + "downloadUrl": "https://github.com/checkpoint-restore/criu/archive/v4.1.1/criu-4.1.1.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "crun", + "version": "1.24", + "downloadUrl": "https://github.com/containers/crun/releases/download/1.24/crun-1.24.tar.gz" } } }, From 84d6e54cce7d48441d980ee689c8484f357a65ab Mon Sep 17 00:00:00 2001 
From: Sandeep Karambelkar Date: Mon, 10 Nov 2025 05:52:20 +0000 Subject: [PATCH 03/43] Revert glibc-static version changed for local building --- SPECS-EXTENDED/podman/podman.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SPECS-EXTENDED/podman/podman.spec b/SPECS-EXTENDED/podman/podman.spec index 6409ae265b8..6d17a56f1b7 100644 --- a/SPECS-EXTENDED/podman/podman.spec +++ b/SPECS-EXTENDED/podman/podman.spec @@ -48,7 +48,7 @@ BuildRequires: btrfs-progs-devel BuildRequires: gcc BuildRequires: glib2-devel BuildRequires: glibc-devel -BuildRequires: glibc-static >= 2.38-14%{?dist} +BuildRequires: glibc-static >= 2.38-15%{?dist} BuildRequires: golang BuildRequires: git-core From 4a01ea995aafb65390158fe70b8eefbc06e8ffd2 Mon Sep 17 00:00:00 2001 From: Sandeep Karambelkar Date: Mon, 10 Nov 2025 05:55:04 +0000 Subject: [PATCH 04/43] Update glibc-static check in crun spec --- SPECS-EXTENDED/crun/crun.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SPECS-EXTENDED/crun/crun.spec b/SPECS-EXTENDED/crun/crun.spec index be0dd99d3bb..bac6ce4e2ce 100644 --- a/SPECS-EXTENDED/crun/crun.spec +++ b/SPECS-EXTENDED/crun/crun.spec @@ -48,7 +48,7 @@ BuildRequires: wasmedge-devel %endif BuildRequires: python -BuildRequires: glibc-static +BuildRequires: glibc-static >= 2.38-15%{?dist} Provides: oci-runtime %description From a996200bd50049bf05e55281fda5ee5b6cd1e162 Mon Sep 17 00:00:00 2001 From: Sandeep Karambelkar Date: Mon, 10 Nov 2025 06:02:38 +0000 Subject: [PATCH 05/43] Update release --- SPECS-EXTENDED/crun/crun.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SPECS-EXTENDED/crun/crun.spec b/SPECS-EXTENDED/crun/crun.spec index bac6ce4e2ce..39db4f39896 100644 --- a/SPECS-EXTENDED/crun/crun.spec +++ b/SPECS-EXTENDED/crun/crun.spec 
@@ -12,7 +12,7 @@ Summary: OCI runtime written in C Name: crun Version: 1.24 -Release: 1 +Release: 1%{?dist} Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://github.com/containers/%{name} From 2bf6795b372e92203ede78567978db820b02423e Mon Sep 17 00:00:00 2001 From: Sandeep Karambelkar Date: Mon, 10 Nov 2025 08:05:51 +0000 Subject: [PATCH 06/43] Updated release, added changelog and changed the toolchain version --- SPECS/util-linux/util-linux.spec | 6 +++++- .../resources/manifests/package/pkggen_core_x86_64.txt | 6 +++--- .../resources/manifests/package/toolchain_x86_64.txt | 10 +++++----- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/SPECS/util-linux/util-linux.spec b/SPECS/util-linux/util-linux.spec index 9ea7fd1c173..c0810c07685 100644 --- a/SPECS/util-linux/util-linux.spec +++ b/SPECS/util-linux/util-linux.spec @@ -5,7 +5,7 @@ Summary: Utilities for file systems, consoles, partitions, and messages Name: util-linux Version: 2.40.2 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -170,6 +170,10 @@ rm -rf %{buildroot}/lib/systemd/system %{_mandir}/man3/* %changelog +* Mon Nov 10 2025 Sandeep Karambelkar - 2.40.2-1 +- Compiled with python +- Added the package python3-libmount + * Wed Sep 18 2024 Vince Perri - 2.40.2-1 - Upgrade to 2.40.2: - Added --disable-liblastlog2 to avoid building new liblastlog2 libraries diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 5fc3c4bf477..b84d2326ba6 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
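Review bot: The added %changelog entry in the `@@ -170,6 +170,10 @@` hunk is stamped `2.40.2-1`, the same version-release as the Sep 18 2024 entry beneath it, while the first hunk of this file bumps the package to `Release: 2%{?dist}` and the manifests later in this patch list 2.40.2-2. The entry header should carry the release actually being built, `* Mon Nov 10 2025 Sandeep Karambelkar - 2.40.2-2`, so that the changelog of an installed RPM identifies which build introduced python3-libmount. If python3-libmount is also produced when util-linux is built as part of the toolchain, the toolchain manifests would presumably need an entry for it; the manifest hunks in this patch only bump the existing util-linux entries. The %changelog section continues past the end of the hunk.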
@@ -70,9 +70,9 @@ make-4.4.1-2.azl3.x86_64.rpm patch-2.7.6-9.azl3.x86_64.rpm libcap-ng-0.8.4-1.azl3.x86_64.rpm libcap-ng-devel-0.8.4-1.azl3.x86_64.rpm -util-linux-2.40.2-1.azl3.x86_64.rpm -util-linux-devel-2.40.2-1.azl3.x86_64.rpm -util-linux-libs-2.40.2-1.azl3.x86_64.rpm +util-linux-2.40.2-2.azl3.x86_64.rpm +util-linux-devel-2.40.2-2.azl3.x86_64.rpm +util-linux-libs-2.40.2-2.azl3.x86_64.rpm tar-1.35-2.azl3.x86_64.rpm xz-5.4.4-2.azl3.x86_64.rpm xz-devel-5.4.4-2.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 533c11430e9..d0213d6b471 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -606,11 +606,11 @@ texinfo-7.0.3-1.azl3.x86_64.rpm texinfo-debuginfo-7.0.3-1.azl3.x86_64.rpm unzip-6.0-22.azl3.x86_64.rpm unzip-debuginfo-6.0-22.azl3.x86_64.rpm -util-linux-2.40.2-1.azl3.x86_64.rpm -util-linux-debuginfo-2.40.2-1.azl3.x86_64.rpm -util-linux-devel-2.40.2-1.azl3.x86_64.rpm -util-linux-lang-2.40.2-1.azl3.x86_64.rpm -util-linux-libs-2.40.2-1.azl3.x86_64.rpm +util-linux-2.40.2-2.azl3.x86_64.rpm +util-linux-debuginfo-2.40.2-2.azl3.x86_64.rpm +util-linux-devel-2.40.2-2.azl3.x86_64.rpm +util-linux-lang-2.40.2-2.azl3.x86_64.rpm +util-linux-libs-2.40.2-2.azl3.x86_64.rpm which-2.21-8.azl3.x86_64.rpm which-debuginfo-2.21-8.azl3.x86_64.rpm xz-5.4.4-2.azl3.x86_64.rpm From a2a9db346acac7cc3e84740d59a225580d090594 Mon Sep 17 00:00:00 2001 From: Sandeep Karambelkar Date: Mon, 10 Nov 2025 10:06:38 +0000 Subject: [PATCH 07/43] Update aarch toolchain manifests --- .../manifests/package/pkggen_core_aarch64.txt | 6 +++--- .../resources/manifests/package/toolchain_aarch64.txt | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 320976db752..39daae0102a 100644 
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -70,9 +70,9 @@ make-4.4.1-2.azl3.aarch64.rpm patch-2.7.6-9.azl3.aarch64.rpm libcap-ng-0.8.4-1.azl3.aarch64.rpm libcap-ng-devel-0.8.4-1.azl3.aarch64.rpm -util-linux-2.40.2-1.azl3.aarch64.rpm -util-linux-devel-2.40.2-1.azl3.aarch64.rpm -util-linux-libs-2.40.2-1.azl3.aarch64.rpm +util-linux-2.40.2-2.azl3.aarch64.rpm +util-linux-devel-2.40.2-2.azl3.aarch64.rpm +util-linux-libs-2.40.2-2.azl3.aarch64.rpm tar-1.35-2.azl3.aarch64.rpm xz-5.4.4-2.azl3.aarch64.rpm xz-devel-5.4.4-2.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index a403bc48e37..bcb9bd0feae 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -598,11 +598,11 @@ texinfo-7.0.3-1.azl3.aarch64.rpm texinfo-debuginfo-7.0.3-1.azl3.aarch64.rpm unzip-6.0-22.azl3.aarch64.rpm unzip-debuginfo-6.0-22.azl3.aarch64.rpm -util-linux-2.40.2-1.azl3.aarch64.rpm -util-linux-debuginfo-2.40.2-1.azl3.aarch64.rpm -util-linux-devel-2.40.2-1.azl3.aarch64.rpm -util-linux-lang-2.40.2-1.azl3.aarch64.rpm -util-linux-libs-2.40.2-1.azl3.aarch64.rpm +util-linux-2.40.2-2.azl3.aarch64.rpm +util-linux-debuginfo-2.40.2-2.azl3.aarch64.rpm +util-linux-devel-2.40.2-2.azl3.aarch64.rpm +util-linux-lang-2.40.2-2.azl3.aarch64.rpm +util-linux-libs-2.40.2-2.azl3.aarch64.rpm which-2.21-8.azl3.aarch64.rpm which-debuginfo-2.21-8.azl3.aarch64.rpm xz-5.4.4-2.azl3.aarch64.rpm From c57e22cb7ff9a6d33e2953cd65552c8a3c3b7b6c Mon Sep 17 00:00:00 2001 From: Sandeep Karambelkar Date: Tue, 25 Nov 2025 08:26:55 +0000 Subject: [PATCH 08/43] Update License Map --- LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md index 783c5e3d056..b3bbdeb529d 100644 --- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md +++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md @@ -5,7 +5,7 @@ The Azure Linux SPEC files originated from a variety of sources with varying lic | CentOS | [MIT](https://www.centos.org/legal/#licensing-policy) | crash-ptdump-command
delve
fstrm
nodejs-nodemon
rhnlib
rt-setup
rt-tests
rtctl
tuned | | Ceph source | [LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1) | ceph | | Debian | [MIT](https://opensource.org/licenses/MIT) | prometheus-process-exporter | -| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | 389-ds-base
a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capnproto
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
ck
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpufrequtils
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dhcpcd
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
erofs-utils
evemu
execstack
exempi
exiv2
expected
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fdupes
fence-virt
fetchmail
fftw
filebench
fio
firewalld
flac
flashrom
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fwupd
fwupd-efi
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
gi-docgen
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kernel-srpm-macros
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcbor
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libcxx
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbusmenu
libdc1394
libdecor
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libei
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjaylink
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmamba
libmd
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusb1
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libxcvt
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunitx
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-parent
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip-ng
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mosh
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
passim
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Refcount
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-TreeCreate
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Match-Simple
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Infix
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Type-Tiny
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-apcu
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-pom
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-archspec
python-argcomplete
python-argparse-manpage
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-backoff
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-boltons
python-breathe
python-cached_property
python-cbor2
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-libmamba-solver
python-conda-package-handling
python-conda-package-streaming
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flaky
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-iniconfig
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-junit_xml
python-junitxml
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-menuinst
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-prometheus_client
python-ptyprocess
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyproject-api
python-pyproject-metadata
python-pyroute2
python-pyrsistent
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmautospec-core
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-smartypants
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jquery
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sphinxygen
python-spnego
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-typogrify
python-uamqp
python-uritemplate
python-urwid
python-uswid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xlsxwriter
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstandard
python-zstd
python3-mallard-ducktype
python3-pycares
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
reproc
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rr
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-scanf
rubygem-sys-filesystem
rubygem-thread_order
rusers
rust-cbindgen
s-nail
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
sdl12-compat
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
shim-unsigned-aarch64
shim-unsigned-x64
simdjson
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
spdlog
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stress-ng
strongswan
stunnel
subscription-manager
subunit
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
umockdev
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-server-Xwayland
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xpp3
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
yq
z3
zenity
zerofree
zfs-fuse
zipper
zix
zopfli
zziplib | +| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | 389-ds-base
a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capnproto
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
ck
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpufrequtils
cpuid
criu
crun
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dhcpcd
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
erofs-utils
evemu
execstack
exempi
exiv2
expected
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fdupes
fence-virt
fetchmail
fftw
filebench
fio
firewalld
flac
flashrom
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fwupd
fwupd-efi
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
gi-docgen
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kernel-srpm-macros
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcbor
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libcxx
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbusmenu
libdc1394
libdecor
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libei
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjaylink
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmamba
libmd
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusb1
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libxcvt
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunitx
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-parent
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip-ng
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mosh
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
passim
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Refcount
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-TreeCreate
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Match-Simple
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Infix
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Type-Tiny
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-apcu
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-pom
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-archspec
python-argcomplete
python-argparse-manpage
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-backoff
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-boltons
python-breathe
python-cached_property
python-cbor2
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-libmamba-solver
python-conda-package-handling
python-conda-package-streaming
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flaky
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-iniconfig
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-junit_xml
python-junitxml
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-menuinst
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-prometheus_client
python-ptyprocess
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyproject-api
python-pyproject-metadata
python-pyroute2
python-pyrsistent
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmautospec-core
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-smartypants
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jquery
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sphinxygen
python-spnego
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-typogrify
python-uamqp
python-uritemplate
python-urwid
python-uswid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xlsxwriter
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstandard
python-zstd
python3-mallard-ducktype
python3-pycares
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
reproc
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rr
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-scanf
rubygem-sys-filesystem
rubygem-thread_order
rusers
rust-cbindgen
s-nail
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
sdl12-compat
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
shim-unsigned-aarch64
shim-unsigned-x64
simdjson
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
spdlog
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stress-ng
strongswan
stunnel
subscription-manager
subunit
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
umockdev
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-server-Xwayland
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xpp3
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
yq
z3
zenity
zerofree
zfs-fuse
zipper
zix
zopfli
zziplib | | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq | | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | From 212f2218f7effd27a1fca9d349ab75be09419445 Mon Sep 17 00:00:00 2001 From: Sandeep Karambelkar Date: Tue, 25 Nov 2025 09:04:45 +0000 Subject: [PATCH 09/43] Remove core spec changes and try the build and install --- SPECS-EXTENDED/crun/crun.spec | 2 +- SPECS/util-linux/util-linux.spec | 26 ++----------------- .../manifests/package/pkggen_core_aarch64.txt | 6 ++--- .../manifests/package/pkggen_core_x86_64.txt | 6 ++--- .../manifests/package/toolchain_aarch64.txt | 10 +++---- .../manifests/package/toolchain_x86_64.txt | 10 +++---- 6 files changed, 19 insertions(+), 41 deletions(-) diff --git a/SPECS-EXTENDED/crun/crun.spec b/SPECS-EXTENDED/crun/crun.spec index 39db4f39896..fee08cbed99 100644 --- a/SPECS-EXTENDED/crun/crun.spec +++ b/SPECS-EXTENDED/crun/crun.spec @@ -36,7 +36,7 @@ BuildRequires: yajl-devel %endif BuildRequires: libseccomp-devel -BuildRequires: python3-libmount +#BuildRequires: python3-libmount BuildRequires: libtool BuildRequires: protobuf-c-devel BuildRequires: criu-devel >= 3.17.1-2 diff --git a/SPECS/util-linux/util-linux.spec b/SPECS/util-linux/util-linux.spec index c0810c07685..349c9d6263a 100644 --- a/SPECS/util-linux/util-linux.spec +++ b/SPECS/util-linux/util-linux.spec @@ -1,11 +1,8 @@ -%global pypkg python3 -%global pyver 3 - %define majminorver %(echo %{version} | cut -d. -f1-2) Summary: Utilities for file systems, consoles, partitions, and messages Name: util-linux Version: 2.40.2 -Release: 2%{?dist} +Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux 
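Review bot: In the crun.spec hunk (`@@ -36,7 +36,7 @@`) the build dependency is switched off by commenting it out, `#BuildRequires: python3-libmount`, which leaves a dead line whose reason is recorded only in the commit subject. The same commit moves util-linux to `--without-python` and drops the `python3-libmount` subpackage, so the spec should either delete the line or say so next to it, for example `# python3-libmount is not built while util-linux uses --without-python; restore together with it`. A declared build input that is silently disabled is easy to miss when the package is later rebuilt or audited.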
@@ -66,17 +63,6 @@ Group: Development/Libraries %description libs These are library files of util-linux. -%package -n %{pypkg}-libmount -Summary: Python bindings for the libmount library -Requires: %{name}-libs = %{version}-%{release} -License: LGPL-2.1-or-later - -%description -n %{pypkg}-libmount -The libmount-python package contains a module that permits applications -written in the Python programming language to use the interface -supplied by the libmount library to work with mount tables (fstab, -mountinfo, etc) and mount filesystems. - %prep %autosetup -p1 sed -i -e 's@etc/adjtime@var/lib/hwclock/adjtime@g' $(grep -rl '%{_sysconfdir}/adjtime' .) @@ -92,7 +78,7 @@ autoreconf -fi --disable-static \ --disable-use-tty-group \ --disable-liblastlog2 \ - --with-python=%{pyver} \ + --without-python \ --with-selinux \ --with-audit make %{?_smp_mflags} @@ -157,10 +143,6 @@ rm -rf %{buildroot}/lib/systemd/system /lib/libsmartcols.so.* /lib/libfdisk.so.* -%files -n %{pypkg}-libmount -%license Documentation/licenses/COPYING.LGPL-2.1-or-later -%{_libdir}/python*/site-packages/libmount/ - %files devel %defattr(-,root,root) %license Documentation/licenses/COPYING.LGPL-2.1-or-later libsmartcols/COPYING @@ -170,10 +152,6 @@ rm -rf %{buildroot}/lib/systemd/system %{_mandir}/man3/* %changelog -* Mon Nov 10 2025 Sandeep Karambelkar - 2.40.2-1 -- Compiled with python -- Added the package python3-libmount - * Wed Sep 18 2024 Vince Perri - 2.40.2-1 - Upgrade to 2.40.2: - Added --disable-liblastlog2 to avoid building new liblastlog2 libraries diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index eba28e50ecf..33b2d0abe95 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
@@ -70,9 +70,9 @@ make-4.4.1-2.azl3.aarch64.rpm
 patch-2.7.6-9.azl3.aarch64.rpm
 libcap-ng-0.8.4-1.azl3.aarch64.rpm
 libcap-ng-devel-0.8.4-1.azl3.aarch64.rpm
-util-linux-2.40.2-2.azl3.aarch64.rpm
-util-linux-devel-2.40.2-2.azl3.aarch64.rpm
-util-linux-libs-2.40.2-2.azl3.aarch64.rpm
+util-linux-2.40.2-1.azl3.aarch64.rpm
+util-linux-devel-2.40.2-1.azl3.aarch64.rpm
+util-linux-libs-2.40.2-1.azl3.aarch64.rpm
 tar-1.35-2.azl3.aarch64.rpm
 xz-5.4.4-2.azl3.aarch64.rpm
 xz-devel-5.4.4-2.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 067c568ee8e..e34823fd306 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -70,9 +70,9 @@ make-4.4.1-2.azl3.x86_64.rpm
 patch-2.7.6-9.azl3.x86_64.rpm
 libcap-ng-0.8.4-1.azl3.x86_64.rpm
 libcap-ng-devel-0.8.4-1.azl3.x86_64.rpm
-util-linux-2.40.2-2.azl3.x86_64.rpm
-util-linux-devel-2.40.2-2.azl3.x86_64.rpm
-util-linux-libs-2.40.2-2.azl3.x86_64.rpm
+util-linux-2.40.2-1.azl3.x86_64.rpm
+util-linux-devel-2.40.2-1.azl3.x86_64.rpm
+util-linux-libs-2.40.2-1.azl3.x86_64.rpm
 tar-1.35-2.azl3.x86_64.rpm
 xz-5.4.4-2.azl3.x86_64.rpm
 xz-devel-5.4.4-2.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index df7978bfca7..ae1e996a7de 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -598,11 +598,11 @@ texinfo-7.0.3-1.azl3.aarch64.rpm texinfo-debuginfo-7.0.3-1.azl3.aarch64.rpm unzip-6.0-22.azl3.aarch64.rpm unzip-debuginfo-6.0-22.azl3.aarch64.rpm -util-linux-2.40.2-2.azl3.aarch64.rpm -util-linux-debuginfo-2.40.2-2.azl3.aarch64.rpm -util-linux-devel-2.40.2-2.azl3.aarch64.rpm -util-linux-lang-2.40.2-2.azl3.aarch64.rpm -util-linux-libs-2.40.2-2.azl3.aarch64.rpm +util-linux-2.40.2-1.azl3.aarch64.rpm +util-linux-debuginfo-2.40.2-1.azl3.aarch64.rpm +util-linux-devel-2.40.2-1.azl3.aarch64.rpm +util-linux-lang-2.40.2-1.azl3.aarch64.rpm +util-linux-libs-2.40.2-1.azl3.aarch64.rpm which-2.21-8.azl3.aarch64.rpm which-debuginfo-2.21-8.azl3.aarch64.rpm xz-5.4.4-2.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 3dfcd3ed3a9..ee4d13df226 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -606,11 +606,11 @@ texinfo-7.0.3-1.azl3.x86_64.rpm texinfo-debuginfo-7.0.3-1.azl3.x86_64.rpm unzip-6.0-22.azl3.x86_64.rpm unzip-debuginfo-6.0-22.azl3.x86_64.rpm -util-linux-2.40.2-2.azl3.x86_64.rpm -util-linux-debuginfo-2.40.2-2.azl3.x86_64.rpm -util-linux-devel-2.40.2-2.azl3.x86_64.rpm -util-linux-lang-2.40.2-2.azl3.x86_64.rpm -util-linux-libs-2.40.2-2.azl3.x86_64.rpm +util-linux-2.40.2-1.azl3.x86_64.rpm +util-linux-debuginfo-2.40.2-1.azl3.x86_64.rpm +util-linux-devel-2.40.2-1.azl3.x86_64.rpm +util-linux-lang-2.40.2-1.azl3.x86_64.rpm +util-linux-libs-2.40.2-1.azl3.x86_64.rpm which-2.21-8.azl3.x86_64.rpm which-debuginfo-2.21-8.azl3.x86_64.rpm xz-5.4.4-2.azl3.x86_64.rpm From 47d8928334645b5dc1e865d39227571b9775143f Mon Sep 17 00:00:00 2001 From: Sandeep Karambelkar Date: Tue, 25 Nov 2025 09:07:56 +0000 Subject: [PATCH 10/43] Update glibc-static version constraint --- SPECS-EXTENDED/crun/crun.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/SPECS-EXTENDED/crun/crun.spec b/SPECS-EXTENDED/crun/crun.spec index fee08cbed99..a39ba637862 100644 --- a/SPECS-EXTENDED/crun/crun.spec +++ b/SPECS-EXTENDED/crun/crun.spec @@ -48,7 +48,7 @@ BuildRequires: wasmedge-devel %endif BuildRequires: python -BuildRequires: glibc-static >= 2.38-15%{?dist} +BuildRequires: glibc-static >= 2.38-16%{?dist} Provides: oci-runtime %description From a3d44f7ffee7db559e1c85e02e672713a7d1c0af Mon Sep 17 00:00:00 2001 From: Sandeep Karambelkar Date: Tue, 25 Nov 2025 11:35:27 +0000 Subject: [PATCH 11/43] Add docker cli conflict for podman-docker --- SPECS-EXTENDED/podman/podman.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/SPECS-EXTENDED/podman/podman.spec b/SPECS-EXTENDED/podman/podman.spec index 7ae7f5bd8f3..32e407c9e79 100644 --- a/SPECS-EXTENDED/podman/podman.spec +++ b/SPECS-EXTENDED/podman/podman.spec @@ -89,6 +89,7 @@ Summary: Emulate Docker CLI using %{name} BuildArch: noarch Requires: %{name} = %{epoch}:%{version}-%{release} Conflicts: docker +Conflicts: docker-cli Conflicts: docker-latest Conflicts: docker-ce Conflicts: docker-ee From 7471dbeebd14d204cf1d6262432f53600b6ee0a7 Mon Sep 17 00:00:00 2001 From: Sandeep Karambelkar Date: Thu, 27 Nov 2025 01:22:11 +0000 Subject: [PATCH 12/43] Add python3-libmount --- SPECS/util-linux/util-linux.spec | 26 +++++++++++++++++-- .../manifests/package/pkggen_core_aarch64.txt | 6 ++--- .../manifests/package/pkggen_core_x86_64.txt | 6 ++--- .../manifests/package/toolchain_aarch64.txt | 10 +++---- .../manifests/package/toolchain_x86_64.txt | 10 +++---- 5 files changed, 40 insertions(+), 18 deletions(-) diff --git a/SPECS/util-linux/util-linux.spec b/SPECS/util-linux/util-linux.spec index 349c9d6263a..f24f57c5ba4 100644 --- a/SPECS/util-linux/util-linux.spec +++ b/SPECS/util-linux/util-linux.spec 
@@ -1,8 +1,11 @@ +%global pypkg python3 +%global pyver 3 + %define majminorver %(echo %{version} | cut -d. -f1-2) Summary: Utilities for file systems, consoles, partitions, and messages Name: util-linux Version: 2.40.2 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -63,6 +66,17 @@ Group: Development/Libraries %description libs These are library files of util-linux. +%package -n %{pypkg}-libmount +Summary: Python bindings for the libmount library +Requires: %{name}-libs = %{version}-%{release} +License: LGPL-2.1-or-later + +%description -n %{pypkg}-libmount +The libmount-python package contains a module that permits applications +written in the Python programming language to use the interface +supplied by the libmount library to work with mount tables (fstab, +mountinfo, etc) and mount filesystems. + %prep %autosetup -p1 sed -i -e 's@etc/adjtime@var/lib/hwclock/adjtime@g' $(grep -rl '%{_sysconfdir}/adjtime' .) @@ -78,7 +92,7 @@ autoreconf -fi --disable-static \ --disable-use-tty-group \ --disable-liblastlog2 \ - --without-python \ + --with-python=%{pyver} \ --with-selinux \ --with-audit make %{?_smp_mflags} @@ -143,6 +157,10 @@ rm -rf %{buildroot}/lib/systemd/system /lib/libsmartcols.so.* /lib/libfdisk.so.* +%files -n %{pypkg}-libmount +%license Documentation/licenses/COPYING.LGPL-2.1-or-later +%{_libdir}/python*/site-packages/libmount/ + %files devel %defattr(-,root,root) %license Documentation/licenses/COPYING.LGPL-2.1-or-later libsmartcols/COPYING @@ -152,6 +170,10 @@ rm -rf %{buildroot}/lib/systemd/system %{_mandir}/man3/* %changelog +* Mon Nov 10 2025 Sandeep Karambelkar - 2.40.2-2 +- Compiled with python +- Added the package python3-libmount + * Wed Sep 18 2024 Vince Perri - 2.40.2-1 - Upgrade to 2.40.2: - Added --disable-liblastlog2 to avoid building new liblastlog2 libraries 
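Review bot: The configure hunk (`@@ -78,7 +92,7 @@`) switches `--without-python` to `--with-python=%{pyver}`, but none of the hunks in this spec declares a build dependency on the Python headers, so the binding only builds if the build root already happens to contain them. Unless the spec declares it outside these hunks, add `BuildRequires: python3-devel`; util-linux is listed in the pkggen_core and toolchain manifests, so an implicit dependency here affects the bootstrap set. The new subpackage writes its license as SPDX `LGPL-2.1-or-later` while the main package keeps `GPLv2+`, and its description calls it "libmount-python" although it is named `%{pypkg}-libmount`. The changelog entry is dated Nov 10 while the commit is dated Nov 27.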
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 33b2d0abe95..eba28e50ecf 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -70,9 +70,9 @@ make-4.4.1-2.azl3.aarch64.rpm patch-2.7.6-9.azl3.aarch64.rpm libcap-ng-0.8.4-1.azl3.aarch64.rpm libcap-ng-devel-0.8.4-1.azl3.aarch64.rpm -util-linux-2.40.2-1.azl3.aarch64.rpm -util-linux-devel-2.40.2-1.azl3.aarch64.rpm -util-linux-libs-2.40.2-1.azl3.aarch64.rpm +util-linux-2.40.2-2.azl3.aarch64.rpm +util-linux-devel-2.40.2-2.azl3.aarch64.rpm +util-linux-libs-2.40.2-2.azl3.aarch64.rpm tar-1.35-2.azl3.aarch64.rpm xz-5.4.4-2.azl3.aarch64.rpm xz-devel-5.4.4-2.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index e34823fd306..067c568ee8e 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -70,9 +70,9 @@ make-4.4.1-2.azl3.x86_64.rpm patch-2.7.6-9.azl3.x86_64.rpm libcap-ng-0.8.4-1.azl3.x86_64.rpm libcap-ng-devel-0.8.4-1.azl3.x86_64.rpm -util-linux-2.40.2-1.azl3.x86_64.rpm -util-linux-devel-2.40.2-1.azl3.x86_64.rpm -util-linux-libs-2.40.2-1.azl3.x86_64.rpm +util-linux-2.40.2-2.azl3.x86_64.rpm +util-linux-devel-2.40.2-2.azl3.x86_64.rpm +util-linux-libs-2.40.2-2.azl3.x86_64.rpm tar-1.35-2.azl3.x86_64.rpm xz-5.4.4-2.azl3.x86_64.rpm xz-devel-5.4.4-2.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index ae1e996a7de..df7978bfca7 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -598,11 +598,11 @@ texinfo-7.0.3-1.azl3.aarch64.rpm texinfo-debuginfo-7.0.3-1.azl3.aarch64.rpm unzip-6.0-22.azl3.aarch64.rpm unzip-debuginfo-6.0-22.azl3.aarch64.rpm -util-linux-2.40.2-1.azl3.aarch64.rpm -util-linux-debuginfo-2.40.2-1.azl3.aarch64.rpm -util-linux-devel-2.40.2-1.azl3.aarch64.rpm -util-linux-lang-2.40.2-1.azl3.aarch64.rpm -util-linux-libs-2.40.2-1.azl3.aarch64.rpm +util-linux-2.40.2-2.azl3.aarch64.rpm +util-linux-debuginfo-2.40.2-2.azl3.aarch64.rpm +util-linux-devel-2.40.2-2.azl3.aarch64.rpm +util-linux-lang-2.40.2-2.azl3.aarch64.rpm +util-linux-libs-2.40.2-2.azl3.aarch64.rpm which-2.21-8.azl3.aarch64.rpm which-debuginfo-2.21-8.azl3.aarch64.rpm xz-5.4.4-2.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index ee4d13df226..3dfcd3ed3a9 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -606,11 +606,11 @@ texinfo-7.0.3-1.azl3.x86_64.rpm texinfo-debuginfo-7.0.3-1.azl3.x86_64.rpm unzip-6.0-22.azl3.x86_64.rpm unzip-debuginfo-6.0-22.azl3.x86_64.rpm -util-linux-2.40.2-1.azl3.x86_64.rpm -util-linux-debuginfo-2.40.2-1.azl3.x86_64.rpm -util-linux-devel-2.40.2-1.azl3.x86_64.rpm -util-linux-lang-2.40.2-1.azl3.x86_64.rpm -util-linux-libs-2.40.2-1.azl3.x86_64.rpm +util-linux-2.40.2-2.azl3.x86_64.rpm +util-linux-debuginfo-2.40.2-2.azl3.x86_64.rpm +util-linux-devel-2.40.2-2.azl3.x86_64.rpm +util-linux-lang-2.40.2-2.azl3.x86_64.rpm +util-linux-libs-2.40.2-2.azl3.x86_64.rpm which-2.21-8.azl3.x86_64.rpm which-debuginfo-2.21-8.azl3.x86_64.rpm xz-5.4.4-2.azl3.x86_64.rpm From 30e0696370754000a705749def82eeb9dcd583a7 Mon Sep 17 00:00:00 2001 
From: Sandeep Karambelkar Date: Fri, 28 Nov 2025 04:29:32 +0000 Subject: [PATCH 13/43] Update toolchain with python3 --- toolkit/resources/manifests/package/toolchain_aarch64.txt | 1 + toolkit/resources/manifests/package/toolchain_x86_64.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index df7978bfca7..09e8dddb2d3 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -542,6 +542,7 @@ python3-flit-core-3.9.0-1.azl3.noarch.rpm python3-gpg-1.23.2-2.azl3.aarch64.rpm python3-jinja2-3.1.2-3.azl3.noarch.rpm python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm +python3-libmount-2.40.2-2.azl3.aarch64.rpm python3-libs-3.12.9-6.azl3.aarch64.rpm python3-libxml2-2.11.5-7.azl3.aarch64.rpm python3-lxml-4.9.3-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 3dfcd3ed3a9..e92d1d28b33 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -550,6 +550,7 @@ python3-flit-core-3.9.0-1.azl3.noarch.rpm python3-gpg-1.23.2-2.azl3.x86_64.rpm python3-jinja2-3.1.2-3.azl3.noarch.rpm python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm +python3-libmount-2.40.2-2.azl3.x86_64.rpm python3-libs-3.12.9-6.azl3.x86_64.rpm python3-libxml2-2.11.5-7.azl3.x86_64.rpm python3-lxml-4.9.3-1.azl3.x86_64.rpm From e3a7a681bee7196a2a814ddc0ef2cc928b32c7e4 Mon Sep 17 00:00:00 2001 
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 25 Nov 2025 07:59:50 -0800 Subject: [PATCH 14/43] [AUTO-CHERRYPICK] [AutoPR- Security] Patch kubevirt for CVE-2025-47913 [HIGH] - branch 3.0-dev (#15134) Co-authored-by: Azure Linux Security Servicing Account Co-authored-by: jslobodzian --- SPECS/kubevirt/CVE-2025-47913.patch | 50 +++++++++++++++++++++++++++++ SPECS/kubevirt/kubevirt.spec | 10 +++--- 2 files changed, 56 insertions(+), 4 deletions(-) create mode 100644 SPECS/kubevirt/CVE-2025-47913.patch diff --git a/SPECS/kubevirt/CVE-2025-47913.patch b/SPECS/kubevirt/CVE-2025-47913.patch new file mode 100644 index 00000000000..65d524aab8b --- /dev/null +++ b/SPECS/kubevirt/CVE-2025-47913.patch 
@@ -0,0 +1,50 @@
+From 7d6da779448c01f323cf73e38a18850660c95d2d Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Tue, 18 Nov 2025 16:23:38 +0000
+Subject: [PATCH] ssh/agent: return an error for unexpected message types
+
+Previously, receiving an unexpected message type in response to a key
+listing or a signing request could cause a panic due to a failed type
+assertion.
+
+This change adds a default case to the type switch in order to detect
+and explicitly handle unknown or invalid message types, returning a
+descriptive error instead of crashing.
+
+Fixes golang/go#75178
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/golang/crypto/commit/559e062ce8bfd6a39925294620b50906ca2a6f95.patch
+---
+ vendor/golang.org/x/crypto/ssh/agent/client.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
+index 106708d..410e21b 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
+@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
+ return keys, nil
+ case *failureAgentMsg:
+ return nil, errors.New("agent: failed to list keys")
++ default:
++ return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ }
+- panic("unreachable")
+ }
+
+ // Sign has the agent sign the data using a protocol 2 key as defined
+@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
+ return &sig, nil
+ case *failureAgentMsg:
+ return nil, errors.New("agent: failed to sign challenge")
++ default:
++ return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
+ }
+- panic("unreachable")
+ }
+
+ // unmarshal parses an agent message in packet, returning the parsed
+--
+2.45.4
+
diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec index 20d35656aba..b553e356be3 100644 --- a/SPECS/kubevirt/kubevirt.spec +++ b/SPECS/kubevirt/kubevirt.spec @@ -30,8 +30,7 @@ Source0: https://github.com/kubevirt/kubevirt/archive/refs/tags/v%{versio # The containers_meta packages and associated files are not required for the Mariner build # Nexus team needs these to-be-upstreamed patches for the operator Edge to work # correctly. - -Patch0: CVE-2025-22872.patch +Patch0: CVE-2025-47913.patch %global debug_package %{nil} BuildRequires: swtpm-tools @@ -269,12 +268,15 @@ install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt %{_bindir}/virt-tests %changelog -* Tue Nov 11 2025 Andrew Phelps - 1.5.3-2 +* Mon Nov 24 2025 Andrew Phelps - 1.5.3-2 - Bump to rebuild with updated glibc -* Mon Nov 10 2025 CBL-Mariner Servicing Account - 1.5.3-1 +* Mon Nov 24 2025 CBL-Mariner Servicing Account - 1.5.3-1 - Auto-upgrade to 1.5.3 - for CVE-2025-64437, CVE-2025-64433, CVE-2025-64434, CVE-2025-64432 +* Tue Nov 18 2025 Azure Linux Security Servicing Account - 1.5.0-6 +- Patch for CVE-2025-47913 + * Thu Oct 23 2025 Kanishk Bansal - 1.5.0-5 - Bump to rebuild with updated glibc From c29f13645ea0dbe0ed3004fe2502210f09e41cbd Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 25 Nov 2025 10:56:43 -0800 Subject: [PATCH 15/43] [AUTO-CHERRYPICK] [AutoPR- Security] Patch containerd2 for CVE-2024-25621 [HIGH] - branch 3.0-dev (#15125) Co-authored-by: Azure Linux Security Servicing Account Co-authored-by: jslobodzian Co-authored-by: aaruag Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> --- SPECS/containerd2/CVE-2024-25621.patch | 111 +++++++++++++++++++++++++ SPECS/containerd2/containerd2.spec | 10 ++- 2 files changed, 118 insertions(+), 3 deletions(-) create mode 100644 SPECS/containerd2/CVE-2024-25621.patch 
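Review bot: Neither hunk of kubevirt.spec bumps `Release`, and the new changelog entry for CVE-2025-47913 is filed as `1.5.0-6` underneath the existing `1.5.3-1` and `1.5.3-2` entries, so a build carrying this fix has the same NVR as one without it and the changelog does not say which 1.5.3 release contains the patch. Bump the release and put the entry on top, e.g. `* <date> Azure Linux Security Servicing Account - 1.5.3-3` followed by `- Patch for CVE-2025-47913`. The first hunk also replaces `Patch0: CVE-2025-22872.patch` rather than adding a `Patch1`; if 1.5.3 does not already contain that fix upstream (not visible here), this silently drops it, so the removal should be confirmed and recorded in the changelog. The dates of the two existing 1.5.3 entries are rewritten to Nov 24 as well, which alters history that was presumably already published.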
diff --git a/SPECS/containerd2/CVE-2024-25621.patch b/SPECS/containerd2/CVE-2024-25621.patch new file mode 100644 index 00000000000..d07a78a1297 --- /dev/null +++ b/SPECS/containerd2/CVE-2024-25621.patch 
@@ -0,0 +1,111 @@ +From 46223b256bfb3f42e193d947d1b1ef551260749f Mon Sep 17 00:00:00 2001 +From: Akihiro Suda +Date: Mon, 27 Oct 2025 16:42:59 +0900 +Subject: [PATCH] Fix directory permissions + +- Create /var/lib/containerd with 0o700 (was: 0o711). +- Create config.TempDir with 0o700 (was: 0o711). +- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755). +- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711). +- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711, + as required by userns-remapped containers. + /run/containerd/io.containerd.runtime.v2.task// is created with: + - 0o700 for non-userns-remapped containers + - 0o710 for userns-remapped containers with the remapped root group as the owner group. + +Signed-off-by: Akihiro Suda +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5.patch +--- + cmd/containerd/server/server.go | 14 ++++++++++++-- + core/runtime/v2/task_manager.go | 2 ++ + plugins/cri/runtime/plugin.go | 7 +++++++ + plugins/sandbox/controller.go | 6 +++++- + 4 files changed, 26 insertions(+), 3 deletions(-) + +diff --git a/cmd/containerd/server/server.go b/cmd/containerd/server/server.go +index 9f38cb3..c9e3698 100644 +--- a/cmd/containerd/server/server.go ++++ b/cmd/containerd/server/server.go +@@ -81,10 +81,16 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error { + return errors.New("root and state must be different paths") + } + +- if err := sys.MkdirAllWithACL(config.Root, 0o711); err != nil { ++ if err := sys.MkdirAllWithACL(config.Root, 0o700); err != nil { ++ return err ++ } ++ // chmod is needed for upgrading from an older release that created the dir with 0o711 ++ if err := os.Chmod(config.Root, 0o700); err != nil { + return err + } + ++ // For supporting userns-remapped containers, the state dir cannot be just 
mkdired with 0o700. ++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits. + if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil { + return err + } +@@ -99,7 +105,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error { + } + + if config.TempDir != "" { +- if err := sys.MkdirAllWithACL(config.TempDir, 0o711); err != nil { ++ if err := sys.MkdirAllWithACL(config.TempDir, 0o700); err != nil { ++ return err ++ } ++ // chmod is needed for upgrading from an older release that created the dir with 0o711 ++ if err := os.Chmod(config.Root, 0o700); err != nil { + return err + } + if runtime.GOOS == "windows" { +diff --git a/core/runtime/v2/task_manager.go b/core/runtime/v2/task_manager.go +index f396ced..024763a 100644 +--- a/core/runtime/v2/task_manager.go ++++ b/core/runtime/v2/task_manager.go +@@ -74,6 +74,8 @@ func init() { + shimManager := shimManagerI.(*ShimManager) + root, state := ic.Properties[plugins.PropertyRootDir], ic.Properties[plugins.PropertyStateDir] + for _, d := range []string{root, state} { ++ // root: the parent of this directory is created as 0o700, not 0o711. ++ // state: the parent of this directory is created as 0o711 too, so as to support userns-remapped containers. 
+ if err := os.MkdirAll(d, 0711); err != nil { + return nil, err + } +diff --git a/plugins/cri/runtime/plugin.go b/plugins/cri/runtime/plugin.go +index adc64d9..07f64a1 100644 +--- a/plugins/cri/runtime/plugin.go ++++ b/plugins/cri/runtime/plugin.go +@@ -91,6 +91,13 @@ func initCRIRuntime(ic *plugin.InitContext) (interface{}, error) { + rootDir := filepath.Join(containerdRootDir, "io.containerd.grpc.v1.cri") + containerdStateDir := filepath.Dir(ic.Properties[plugins.PropertyStateDir]) + stateDir := filepath.Join(containerdStateDir, "io.containerd.grpc.v1.cri") ++ if err := os.MkdirAll(stateDir, 0o700); err != nil { ++ return nil, err ++ } ++ // chmod is needed for upgrading from an older release that created the dir with 0o755 ++ if err := os.Chmod(stateDir, 0o700); err != nil { ++ return nil, err ++ } + c := criconfig.Config{ + RuntimeConfig: *pluginConfig, + ContainerdRootDir: containerdRootDir, +diff --git a/plugins/sandbox/controller.go b/plugins/sandbox/controller.go +index aec9cc3..165f2e8 100644 +--- a/plugins/sandbox/controller.go ++++ b/plugins/sandbox/controller.go +@@ -68,7 +68,11 @@ func init() { + state := ic.Properties[plugins.PropertyStateDir] + root := ic.Properties[plugins.PropertyRootDir] + for _, d := range []string{root, state} { +- if err := os.MkdirAll(d, 0711); err != nil { ++ if err := os.MkdirAll(d, 0700); err != nil { ++ return nil, err ++ } ++ // chmod is needed for upgrading from an older release that created the dir with 0o711 ++ if err := os.Chmod(d, 0o700); err != nil { + return nil, err + } + } +-- +2.45.4 + diff --git a/SPECS/containerd2/containerd2.spec b/SPECS/containerd2/containerd2.spec index d93d18d4535..0c16c306eee 100644 --- a/SPECS/containerd2/containerd2.spec +++ b/SPECS/containerd2/containerd2.spec @@ -5,7 +5,7 @@ Summary: Industry-standard container runtime Name: %{upstream_name}2 Version: 2.0.0 -Release: 15%{?dist} +Release: 16%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://www.containerd.io 
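Review bot: In the `config.TempDir` block of the server.go hunk, the added upgrade chmod targets the wrong directory: after `sys.MkdirAllWithACL(config.TempDir, 0o700)` the patch calls `os.Chmod(config.Root, 0o700)`, so a temp directory that an older release created with 0o711 keeps that mode after the upgrade. The line should read `if err := os.Chmod(config.TempDir, 0o700); err != nil {`. Since the patch is labelled as a copy of an upstream commit, the correction would need to be carried as a local fix-up or taken from a later upstream change if one exists (not visible here). The sandbox controller hunk writes `0700` where the rest of the patch uses `0o700`, which is cosmetic only.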
@@ -23,7 +23,8 @@ Patch3: CVE-2025-22872.patch Patch4: CVE-2025-47291.patch Patch5: multi-snapshotters-support.patch Patch6: tardev-support.patch -Patch7: CVE-2025-64329.patch +Patch7: CVE-2024-25621.patch +Patch8: CVE-2025-64329.patch %{?systemd_requires} BuildRequires: golang < 1.25 @@ -99,9 +100,12 @@ fi %dir /opt/containerd/lib %changelog -* Sat Nov 08 2025 Azure Linux Security Servicing Account - 2.0.0-15 +* Mon Nov 24 2025 Azure Linux Security Servicing Account - 2.0.0-16 - Patch for CVE-2025-64329 +* Tue Nov 11 2025 Azure Linux Security Servicing Account - 2.0.0-15 +- Patch for CVE-2024-25621 + * Sun Aug 31 2025 Andrew Phelps - 2.0.0-14 - Set BR for golang to < 1.25 From 6f0d52d901c268c0f8bb9f1daf14504f9123219e Mon Sep 17 00:00:00 2001 From: Akhila Guruju Date: Wed, 26 Nov 2025 10:10:41 +0530 Subject: [PATCH 16/43] Build fix for uw-imap (#15000) --- SPECS-EXTENDED/uw-imap/uw-imap.spec | 13 ++++++++----- cgmanifest.json | 2 +- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/SPECS-EXTENDED/uw-imap/uw-imap.spec b/SPECS-EXTENDED/uw-imap/uw-imap.spec index ff0b247a0d8..25f0f827099 100644 --- a/SPECS-EXTENDED/uw-imap/uw-imap.spec +++ b/SPECS-EXTENDED/uw-imap/uw-imap.spec @@ -24,13 +24,12 @@ Distribution: Azure Linux Summary: UW Server daemons for IMAP and POP network mail protocols Name: uw-imap Version: 2007f -Release: 26%{?dist} +Release: 27%{?dist} # See LICENSE.txt, http://www.apache.org/licenses/LICENSE-2.0 License: ASL 2.0 URL: https://github.com/uw-imap/imap -# Source0: https://github.com/uw-imap/imap/archive/refs/tags/imap-2007f_upstream.tar.gz -Source0: https://github.com/uw-imap/imap/archive/refs/tags/imap-%{version}%{?beta}%{?dev}%{?snap}.tar.gz +Source0: https://github.com/uw-imap/imap/archive/refs/tags/imap-%{version}_upstream.tar.gz#/imap-%{version}.tar.gz %global soname c-client %global shlibname lib%{soname}.so.%{somajor} 
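Review bot: The containerd2.spec changelog hunk relabels the existing entry instead of adding one: `2.0.0-15 - Patch for CVE-2025-64329` (Nov 08) becomes `2.0.0-16 - Patch for CVE-2025-64329` (Nov 24), and a new `2.0.0-15 - Patch for CVE-2024-25621` entry is inserted below it. Anyone auditing which release fixed which CVE will now read that -15 carried CVE-2024-25621 and that -16 introduced CVE-2025-64329, which contradicts the line this hunk removes. Unless -15 was never published from this branch, keep the original -15 entry untouched and add `- Patch for CVE-2024-25621` under a new 2.0.0-16 entry on top.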
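Review bot: `Source0` in uw-imap.spec now downloads `imap-%{version}_upstream.tar.gz` and stores it as `imap-%{version}.tar.gz`, but the diffstat lists only the spec and cgmanifest.json, so the hash recorded in the package's signatures file is not touched by this commit. Confirm that the recorded SHA-256 is that of the archive served from the new URL, so the verified tarball and the `downloadUrl` now declared in cgmanifest.json describe the same artifact. The files hunk in the same spec moves `NOTICE` and `SUPPORT` under `%license`; `SUPPORT` is, going by its name, a support document and would more naturally stay in `%doc`. The switch to `make -j1` deserves a one-line comment stating why the parallel build was turned off.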
@@ -202,7 +201,7 @@ export EXTRACFLAGS="$EXTRACFLAGS -Wno-pointer-sign" echo -e "y\ny" | \ -make %{?_smp_mflags} lnp \ +make -j1 lnp \ IP=6 \ EXTRACFLAGS="$EXTRACFLAGS" \ EXTRALDFLAGS="$EXTRALDFLAGS $RPM_LD_FLAGS" \ @@ -328,7 +327,7 @@ done %ldconfig_scriptlets -n %{imap_libs} %files -n %{imap_libs} -%doc LICENSE.txt NOTICE SUPPORT +%license LICENSE.txt NOTICE SUPPORT %doc docs/RELNOTES docs/*.txt %ghost %config(missingok,noreplace) %{_sysconfdir}/c-client.cf %{_libdir}/lib%{soname}.so.* @@ -348,6 +347,10 @@ done %changelog +* Thu Nov 20 2025 Akhila Guruju - 2007f-27 +- Fix build +- License verified + * Fri Oct 15 2021 Pawel Winogrodzki - 2007f-26 - Initial CBL-Mariner import from Fedora 32 (license: MIT). diff --git a/cgmanifest.json b/cgmanifest.json index f2bcb80d1e7..b0178a60557 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -29757,7 +29757,7 @@ "other": { "name": "uw-imap", "version": "2007f", - "downloadUrl": "https://github.com/uw-imap/imap/archive/refs/tags/imap-2007f.tar.gz" + "downloadUrl": "https://github.com/uw-imap/imap/archive/refs/tags/imap-2007f_upstream.tar.gz" } } }, From eb729e5e41832ae07eefa37ace487a94afb2132e Mon Sep 17 00:00:00 2001 From: AkarshHCL Date: Wed, 26 Nov 2025 10:11:03 +0530 Subject: [PATCH 17/43] Upgrading jdepend to Version-2.10 (#15110) --- SPECS-EXTENDED/jdepend/jdepend-2.9.1.pom | 6 -- SPECS-EXTENDED/jdepend/jdepend-target16.patch | 29 ------- .../jdepend/jdepend.signatures.json | 3 +- SPECS-EXTENDED/jdepend/jdepend.spec | 79 +++++++------------ cgmanifest.json | 4 +- 5 files changed, 31 insertions(+), 90 deletions(-) delete mode 100644 SPECS-EXTENDED/jdepend/jdepend-2.9.1.pom delete mode 100644 SPECS-EXTENDED/jdepend/jdepend-target16.patch diff --git a/SPECS-EXTENDED/jdepend/jdepend-2.9.1.pom b/SPECS-EXTENDED/jdepend/jdepend-2.9.1.pom deleted file mode 100644 index 8813cce6f00..00000000000 --- a/SPECS-EXTENDED/jdepend/jdepend-2.9.1.pom +++ /dev/null 
@@ -1,6 +0,0 @@ - - 4.0.0 - jdepend - jdepend - 2.9.1 - \ No newline at end of file diff --git a/SPECS-EXTENDED/jdepend/jdepend-target16.patch b/SPECS-EXTENDED/jdepend/jdepend-target16.patch deleted file mode 100644 index 5b1bedfce3d..00000000000 --- a/SPECS-EXTENDED/jdepend/jdepend-target16.patch +++ /dev/null @@ -1,29 +0,0 @@ ---- build.xml -+++ build.xml -@@ -38,7 +38,7 @@ - - -- - -@@ -47,7 +47,7 @@ - - -- - -@@ -57,7 +57,7 @@ - -- - diff --git a/SPECS-EXTENDED/jdepend/jdepend.signatures.json b/SPECS-EXTENDED/jdepend/jdepend.signatures.json index 188e2f63617..fc25eee46b7 100644 --- a/SPECS-EXTENDED/jdepend/jdepend.signatures.json +++ b/SPECS-EXTENDED/jdepend/jdepend.signatures.json @@ -1,6 +1,5 @@ { "Signatures": { - "jdepend-2.9.1.pom": "dff3f46da3fda5de23a0d84b941ab7a105979df07064c6ba0d1817310c2633e4", - "jdepend-2.9.1.tar.bz2": "1381c76064f8e96a7b29b04ba3cb0a6f7ee27b700fd08e358e043bfdd82be1e6" + "jdepend-2.10.tar.gz": "8c19f5d62127c11c20976ae130d1914a64f0115e5113810c38fe53bf8715378b" } } diff --git a/SPECS-EXTENDED/jdepend/jdepend.spec b/SPECS-EXTENDED/jdepend/jdepend.spec index 4143634c0f8..b0cd2458ea6 100644 --- a/SPECS-EXTENDED/jdepend/jdepend.spec +++ b/SPECS-EXTENDED/jdepend/jdepend.spec 
@@ -1,40 +1,22 @@ Vendor: Microsoft Corporation Distribution: Azure Linux -# -# spec file for package jdepend -# -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. -# -# All modifications and additions to the file contributed by third parties -# remain the property of their copyright owners, unless otherwise agreed -# upon. The license for this file, and modifications and additions to the -# file, is the same license as for the pristine package itself (unless the -# license for the pristine package is not an Open Source License, in which -# case the license is the MIT License). An "Open Source License" is a -# license that conforms to the Open Source Definition (Version 1.9) -# published by the Open Source Initiative. - -# Please submit bugfixes or comments via https://bugs.opensuse.org/ -# - - -%define section free Name: jdepend -Version: 2.9.1 -Release: 96%{?dist} +Version: 2.10 +Release: 1%{?dist} Summary: Java Design Quality Metrics -License: BSD-3-Clause -Group: Development/Libraries/Java -URL: http://www.clarkware.com/ -Source0: %{url}software/%{name}-%{version}.tar.bz2 -Source1: https://repo1.maven.org/maven2/jdepend/%{name}/%{version}/%{name}-%{version}.pom -Patch0: jdepend-target16.patch -BuildRequires: ant -BuildRequires: java-devel +License: MIT +URL: https://github.com/clarkware/jdepend +#BuildArch: noarch +#ExclusiveArch: %{java_arches} noarch + +Source0: https://github.com/clarkware/jdepend/archive/refs/tags/2.10.tar.gz#/jdepend-2.10.tar.gz + BuildRequires: javapackages-local-bootstrap -Obsoletes: %{name}-javadoc BuildArch: noarch +BuildRequires: ant +# TODO Remove in Fedora 46 + %description JDepend traverses a set of Java class and source file directories and generates design quality metrics for each Java package. JDepend allows 
@@ -55,49 +37,44 @@ extensibility, reusability, and maintainability to effectively manage and control package dependencies. This package contains demonstration and sample files for JDepend. - + %prep -%setup -q +%autosetup -p1 # remove all binary libs -find . -name "*.jar" -exec rm -f {} \; +find . -name "*.jar" -delete # fix strange permissions find . -type d -exec chmod 755 {} \; -%patch 0 -b .target15 - +find . -type f -exec chmod 644 {} \; + %build ant jar - + %install # jars install -d -m 755 %{buildroot}%{_javadir} install -m 644 dist/%{name}-%{version}.jar \ %{buildroot}%{_javadir}/%{name}-%{version}.jar -(cd %{buildroot}%{_javadir} && for jar in *-%{version}*; do ln -sf ${jar} ${jar/-%{version}/}; done) -# pom -install -d -m 755 %{buildroot}%{_mavenpomdir} -install -m 655 %{SOURCE1} %{buildroot}%{_mavenpomdir}/%{name}-%{version}.pom -%add_maven_depmap %{name}-%{version}.pom %{name}-%{version}.jar +# provide unversioned symlink for convenience +(cd %{buildroot}%{_javadir} && ln -sf %{name}-%{version}.jar %{name}.jar) -# demo +# demo files install -d -m 755 %{buildroot}%{_datadir}/%{name} cp -pr sample %{buildroot}%{_datadir}/%{name} + %files -%license LICENSE -%doc CHANGES README -%{_javadir}/* -%{_mavenpomdir}/* -%if %{defined _maven_repository} -%{_mavendepmapfragdir}/%{name} -%else -%{_datadir}/maven-metadata/%{name}.xml* -%endif +%license LICENSE.md +%doc README.md CHANGELOG.md docs +%{_javadir}/jdepend*.jar %files demo %{_datadir}/%{name} %changelog +* Mon Nov 17 2025 Akarsh Chaudhary - 2.10-1 +- Upgrade to version 2.10 (license: MIT). +- License verified * Thu Oct 14 2021 Pawel Winogrodzki - 2.9.1-96 - Converting the 'Release' tag to the '[number].[distribution]' format. diff --git a/cgmanifest.json b/cgmanifest.json index b0178a60557..eda032c2ad2 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
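Review bot: The install hunk drops the POM installation and `%add_maven_depmap`, so the package no longer ships Maven metadata; any spec that resolves jdepend through its Maven coordinates would stop building, which should be checked before merging (dependents are not visible here). In the header hunk `Source0` hard-codes `2.10` twice; write it as `https://github.com/clarkware/jdepend/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz` so the next version bump cannot keep fetching the old tag. The commented line `#ExclusiveArch: %{java_arches} noarch` still contains a macro, which rpm expands inside comments; escape it as `%%{java_arches}` or delete the line together with the orphaned `# TODO Remove in Fedora 46`.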
@@ -7891,8 +7891,8 @@ "type": "other", "other": { "name": "jdepend", - "version": "2.9.1", - "downloadUrl": "http://www.clarkware.com/software/jdepend-2.9.1.tar.bz2" + "version": "2.10", + "downloadUrl": "https://github.com/clarkware/jdepend/archive/refs/tags/2.10.tar.gz" } } }, From 46ebc4120da8e9be61f1a22b7d35612ebf4db9a9 Mon Sep 17 00:00:00 2001 From: Archana Shettigar Date: Fri, 28 Nov 2025 09:03:13 +0530 Subject: [PATCH 18/43] Upgrade: perl-IO-Socket-INET6 version to 2.73 (#13319) --- ...2.72-bz1207174-fix_random_test_error.patch | 11 +++++++ ...IO-Socket-INET6-2.72-fix_die_in_test.patch | 12 +++++++ .../perl-IO-Socket-INET6.signatures.json | 2 +- .../perl-IO-Socket-INET6.spec | 33 ++++++++++++------- cgmanifest.json | 4 +-- 5 files changed, 48 insertions(+), 14 deletions(-) create mode 100644 SPECS-EXTENDED/perl-IO-Socket-INET6/IO-Socket-INET6-2.72-bz1207174-fix_random_test_error.patch create mode 100644 SPECS-EXTENDED/perl-IO-Socket-INET6/IO-Socket-INET6-2.72-fix_die_in_test.patch diff --git a/SPECS-EXTENDED/perl-IO-Socket-INET6/IO-Socket-INET6-2.72-bz1207174-fix_random_test_error.patch b/SPECS-EXTENDED/perl-IO-Socket-INET6/IO-Socket-INET6-2.72-bz1207174-fix_random_test_error.patch new file mode 100644 index 00000000000..233b88f2d83 --- /dev/null +++ b/SPECS-EXTENDED/perl-IO-Socket-INET6/IO-Socket-INET6-2.72-bz1207174-fix_random_test_error.patch @@ -0,0 +1,11 @@ +diff -ru IO-Socket-INET6-2.72.orig/t/io_multihomed6.t IO-Socket-INET6-2.72/t/io_multihomed6.t +--- IO-Socket-INET6-2.72.orig/t/io_multihomed6.t 2021-05-19 13:13:17.967244890 +0200 ++++ IO-Socket-INET6-2.72/t/io_multihomed6.t 2021-05-19 13:14:36.633223816 +0200 +@@ -103,6 +103,7 @@ + push @srv, + IO::Socket::INET6->new( + Listen => 2, ++ ReuseAddr => 1, + LocalAddr => $addr, + LocalPort => $port, + ) || die "listen on $addr port $port: $!"; 
diff --git a/SPECS-EXTENDED/perl-IO-Socket-INET6/IO-Socket-INET6-2.72-fix_die_in_test.patch b/SPECS-EXTENDED/perl-IO-Socket-INET6/IO-Socket-INET6-2.72-fix_die_in_test.patch new file mode 100644 index 00000000000..dcaa4efe30c --- /dev/null +++ b/SPECS-EXTENDED/perl-IO-Socket-INET6/IO-Socket-INET6-2.72-fix_die_in_test.patch @@ -0,0 +1,12 @@ +diff -ru IO-Socket-INET6-2.72.orig/t/io_multihomed6.t IO-Socket-INET6-2.72/t/io_multihomed6.t +--- IO-Socket-INET6-2.72.orig/t/io_multihomed6.t 2014-01-31 11:18:01.000000000 +0100 ++++ IO-Socket-INET6-2.72/t/io_multihomed6.t 2021-05-18 16:56:02.337243627 +0200 +@@ -105,7 +105,7 @@ + Listen => 2, + LocalAddr => $addr, + LocalPort => $port, +- ) or die "listen on $addr port $port: $!"; ++ ) || die "listen on $addr port $port: $!"; + $port ||= $srv[-1]->sockport; + } + diff --git a/SPECS-EXTENDED/perl-IO-Socket-INET6/perl-IO-Socket-INET6.signatures.json b/SPECS-EXTENDED/perl-IO-Socket-INET6/perl-IO-Socket-INET6.signatures.json index 3607068fb01..11abe0abcfd 100644 --- a/SPECS-EXTENDED/perl-IO-Socket-INET6/perl-IO-Socket-INET6.signatures.json +++ b/SPECS-EXTENDED/perl-IO-Socket-INET6/perl-IO-Socket-INET6.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "perl-IO-Socket-INET6-2.72.tar.gz": "85e020fa179284125fc1d08e60a9022af3ec1271077fe14b133c1785cdbf1ebb" + "perl-IO-Socket-INET6-2.73.tar.gz": "b6da746853253d5b4ac43191b4f69a4719595ee13a7ca676a8054cf36e6d16bb" } } diff --git a/SPECS-EXTENDED/perl-IO-Socket-INET6/perl-IO-Socket-INET6.spec b/SPECS-EXTENDED/perl-IO-Socket-INET6/perl-IO-Socket-INET6.spec index dd2be5ed6f2..70ee4dfce47 100644 --- a/SPECS-EXTENDED/perl-IO-Socket-INET6/perl-IO-Socket-INET6.spec +++ b/SPECS-EXTENDED/perl-IO-Socket-INET6/perl-IO-Socket-INET6.spec 
@@ -1,22 +1,29 @@ -Vendor: Microsoft Corporation -Distribution: Azure Linux %if ! (0%{?rhel}) %{bcond_without perl_IO_Socket_INET6_enables_optional_test} %else %{bcond_with perl_IO_Socket_INET6_enables_optional_test} %endif +Vendor: Microsoft Corporation +Distribution: Azure Linux Name: perl-IO-Socket-INET6 -Version: 2.72 -Release: 19%{?dist} +Version: 2.73 +Release: 1%{?dist} Summary: Perl Object interface for AF_INET|AF_INET6 domain sockets -License: GPL+ or Artistic +License: GPL-1.0-or-later OR Artistic-1.0-Perl URL: https://metacpan.org/release/IO-Socket-INET6 -Source0: https://cpan.metacpan.org/authors/id/S/SH/SHLOMIF/IO-Socket-INET6-%{version}.tar.gz#/perl-IO-Socket-INET6-%{version}.tar.gz +Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-INET6-%{version}.tar.gz#/%{name}-%{version}.tar.gz +# Fix bad code in test. Original code hides error, related to BZ#1207174 +Patch0: IO-Socket-INET6-2.72-fix_die_in_test.patch +# Fix random test error in binding to socket BZ#1207174 +Patch1: IO-Socket-INET6-2.72-bz1207174-fix_random_test_error.patch BuildArch: noarch # Module Build -BuildRequires: perl-interpreter +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: make BuildRequires: perl-generators +BuildRequires: perl-interpreter BuildRequires: perl(ExtUtils::MakeMaker) # Module Runtime BuildRequires: perl(Carp) @@ -37,14 +44,14 @@ BuildRequires: perl(Test::Pod) >= 1.14 BuildRequires: perl(Test::Pod::Coverage) >= 1.04 BuildRequires: perl(Test::TrailingSpace) %endif +BuildRequires: iana-etc # Runtime -Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) %description Perl Object interface for AF_INET|AF_INET6 domain sockets. %prep -%setup -q -n IO-Socket-INET6-%{version} +%autosetup -n IO-Socket-INET6-%{version} -p1 %build perl Makefile.PL INSTALLDIRS=vendor 
@@ -52,8 +59,8 @@ make %{?_smp_mflags} %install make pure_install DESTDIR=%{buildroot} -find %{buildroot} -type f -name .packlist -exec rm -f {} ';' -%{_fixperms} %{buildroot} +find %{buildroot} -type f -name .packlist -delete +%{_fixperms} -c %{buildroot} %check make test @@ -65,6 +72,10 @@ make test %{_mandir}/man3/IO::Socket::INET6.3* %changelog +* Wed Apr 09 2025 Archana Shettigar - 2.73-1 +- Upgrade to 2.73 as per Fedora 41 (license: MIT). +- License verified + * Fri Oct 15 2021 Pawel Winogrodzki - 2.72-19 - Initial CBL-Mariner import from Fedora 32 (license: MIT). diff --git a/cgmanifest.json b/cgmanifest.json index eda032c2ad2..4936750d4eb 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -18203,8 +18203,8 @@ "type": "other", "other": { "name": "perl-IO-Socket-INET6", - "version": "2.72", - "downloadUrl": "https://cpan.metacpan.org/authors/id/S/SH/SHLOMIF/IO-Socket-INET6-2.72.tar.gz" + "version": "2.73", + "downloadUrl": "https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-INET6-2.73.tar.gz" } } }, From 4e6a171d01e72741278e515113a8acb1e1322b8f Mon Sep 17 00:00:00 2001 From: AkarshHCL Date: Fri, 28 Nov 2025 09:08:49 +0530 Subject: [PATCH 19/43] Upgrade:perl-Test2-Plugin-NoWarnings to version 0.10 (#15141) --- ...rl-Test2-Plugin-NoWarnings.signatures.json | 2 +- .../perl-Test2-Plugin-NoWarnings.spec | 24 +++++++++++-------- cgmanifest.json | 4 ++-- 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/SPECS-EXTENDED/perl-Test2-Plugin-NoWarnings/perl-Test2-Plugin-NoWarnings.signatures.json b/SPECS-EXTENDED/perl-Test2-Plugin-NoWarnings/perl-Test2-Plugin-NoWarnings.signatures.json index 8338a3f2b29..1ab42584a04 100644 --- a/SPECS-EXTENDED/perl-Test2-Plugin-NoWarnings/perl-Test2-Plugin-NoWarnings.signatures.json +++ b/SPECS-EXTENDED/perl-Test2-Plugin-NoWarnings/perl-Test2-Plugin-NoWarnings.signatures.json 
@@ -1,5 +1,5 @@ { "Signatures": { - "perl-Test2-Plugin-NoWarnings-0.08.tar.gz": "9e914cbd54008f49f9c115539914667d3b30f7acf7a6ab5272e06162f5645988" + "perl-Test2-Plugin-NoWarnings-0.10.tar.gz": "c97cb1122cc6e3e4a079059da71e12f65760bfb0671d19d25a7ec7c5f1f240fb" } } diff --git a/SPECS-EXTENDED/perl-Test2-Plugin-NoWarnings/perl-Test2-Plugin-NoWarnings.spec b/SPECS-EXTENDED/perl-Test2-Plugin-NoWarnings/perl-Test2-Plugin-NoWarnings.spec index a853feb0fa6..cccacb9f09d 100644 --- a/SPECS-EXTENDED/perl-Test2-Plugin-NoWarnings/perl-Test2-Plugin-NoWarnings.spec +++ b/SPECS-EXTENDED/perl-Test2-Plugin-NoWarnings/perl-Test2-Plugin-NoWarnings.spec @@ -1,13 +1,13 @@ -Name: perl-Test2-Plugin-NoWarnings -Version: 0.08 -Release: 3%{?dist} -Summary: Fail if tests warn -License: Artistic 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux -URL: https://metacpan.org/release/Test2-Plugin-NoWarnings -Source0: https://cpan.metacpan.org/authors/id/D/DR/DROLSKY/Test2-Plugin-NoWarnings-%{version}.tar.gz#/perl-Test2-Plugin-NoWarnings-%{version}.tar.gz -BuildArch: noarch +Name: perl-Test2-Plugin-NoWarnings +Version: 0.10 +Release: 1%{?dist} +Summary: Fail if tests warn +License: Artistic-2.0 +URL: https://metacpan.org/release/Test2-Plugin-NoWarnings +Source0: https://cpan.metacpan.org/authors/id/D/DR/DROLSKY/Test2-Plugin-NoWarnings-%{version}.tar.gz#/perl-Test2-Plugin-NoWarnings-%{version}.tar.gz +BuildArch: noarch # Build BuildRequires: coreutils BuildRequires: make @@ -18,7 +18,7 @@ BuildRequires: perl(ExtUtils::MakeMaker) > 6.75 BuildRequires: perl(Carp) BuildRequires: perl(parent) BuildRequires: perl(strict) -BuildRequires: perl(Test2) >= 1.302096 +BuildRequires: perl(Test2) >= 1.302167 BuildRequires: perl(Test2::API) BuildRequires: perl(Test2::Event) BuildRequires: perl(Test2::Util::HashBase) 
@@ -26,6 +26,7 @@ BuildRequires: perl(warnings) # Test Suite BuildRequires: perl(File::Spec) BuildRequires: perl(IPC::Run3) +BuildRequires: perl(Module::Pluggable) BuildRequires: perl(Test2::Require::Module) BuildRequires: perl(Test2::V0) BuildRequires: perl(Test::More) >= 0.96 @@ -33,7 +34,6 @@ BuildRequires: perl(Test::More) >= 0.96 BuildRequires: perl(CPAN::Meta) >= 2.120900 BuildRequires: perl(CPAN::Meta::Prereqs) # Dependencies -Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) %description Loading this plugin causes your tests to fail if there are any warnings while @@ -65,6 +65,10 @@ make test %{_mandir}/man3/Test2::Plugin::NoWarnings.3* %changelog +* Thu Nov 20 2025 Akarsh Chaudhary - 0.10-1 +- Upgrade to version 0.10 (license: MIT). +- License verified + * Fri Oct 15 2021 Pawel Winogrodzki - 0.08-3 - Initial CBL-Mariner import from Fedora 32 (license: MIT). diff --git a/cgmanifest.json b/cgmanifest.json index 4936750d4eb..84db7a2efee 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -20533,8 +20533,8 @@ "type": "other", "other": { "name": "perl-Test2-Plugin-NoWarnings", - "version": "0.08", - "downloadUrl": "https://cpan.metacpan.org/authors/id/D/DR/DROLSKY/Test2-Plugin-NoWarnings-0.08.tar.gz" + "version": "0.10", + "downloadUrl": "https://cpan.metacpan.org/authors/id/D/DR/DROLSKY/Test2-Plugin-NoWarnings-0.10.tar.gz" } } }, From e7bd053fde1a53744ed09a3cc6b29d14c416b5bc Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Fri, 28 Nov 2025 17:12:00 +0530 Subject: [PATCH 20/43] [AutoPR- Security] Patch libtiff for CVE-2025-8961 [LOW] (#15176) --- SPECS/libtiff/CVE-2025-8961.patch | 75 +++++++++++++++++++++++++++++++ SPECS/libtiff/libtiff.spec | 6 ++- 2 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 SPECS/libtiff/CVE-2025-8961.patch diff --git a/SPECS/libtiff/CVE-2025-8961.patch b/SPECS/libtiff/CVE-2025-8961.patch new file mode 100644 index 00000000000..2a9ce9dc3ed --- /dev/null 
+++ b/SPECS/libtiff/CVE-2025-8961.patch 
@@ -0,0 +1,75 @@
+From 6c5b21599783ee9baab4a3ec0b90d215df9987b3 Mon Sep 17 00:00:00 2001
+From: Lee Howard
+Date: Fri, 5 Sep 2025 21:42:35 +0000
+Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue
+ #721
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5.patch
+---
+ archive/tools/tiffcrop.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/archive/tools/tiffcrop.c b/archive/tools/tiffcrop.c
+index 93f0779..adfd0d2 100644
+--- a/archive/tools/tiffcrop.c
++++ b/archive/tools/tiffcrop.c
+@@ -1072,6 +1072,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+ "Unable to extract row %" PRIu32
+ " from tile %" PRIu32,
+ row, TIFFCurrentTile(in));
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ break;
+@@ -1086,6 +1087,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+ "Unable to extract row %" PRIu32
+ " from tile %" PRIu32,
+ row, TIFFCurrentTile(in));
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ break;
+@@ -1098,6 +1100,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+ "Unable to extract row %" PRIu32
+ " from tile %" PRIu32,
+ row, TIFFCurrentTile(in));
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ break;
+@@ -1110,6 +1113,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+ "Unable to extract row %" PRIu32
+ " from tile %" PRIu32,
+ row, TIFFCurrentTile(in));
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ break;
+@@ -1124,12 +1128,14 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+ "Unable to extract row %" PRIu32
+ " from tile %" PRIu32,
+ row, TIFFCurrentTile(in));
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ break;
+ default:
+ TIFFError("readContigTilesIntoBuffer",
+ "Unsupported bit depth %" PRIu16, bps);
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ }
+@@ -2898,7 +2904,7 @@ int main(int argc, char *argv[])
+ }
+
+ /* If we did not use the read buffer
as the crop buffer */ +- if (read_buff) ++ if (read_buff && read_buff != crop_buff) + _TIFFfree(read_buff); + + if (crop_buff) +-- +2.45.4 + diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec index c65e1f0c71d..97fb63b6bf6 100644 --- a/SPECS/libtiff/libtiff.spec +++ b/SPECS/libtiff/libtiff.spec @@ -1,7 +1,7 @@ Summary: TIFF libraries and associated utilities. Name: libtiff Version: 4.6.0 -Release: 10%{?dist} +Release: 11%{?dist} License: libtiff Vendor: Microsoft Corporation Distribution: Azure Linux @@ -20,6 +20,7 @@ Patch8: CVE-2025-8851.patch Patch9: CVE-2025-9165.patch Patch10: CVE-2025-9900.patch Patch11: CVE-2024-13978.patch +Patch12: CVE-2025-8961.patch BuildRequires: autoconf BuildRequires: automake @@ -76,6 +77,9 @@ make %{?_smp_mflags} -k check %exclude %{_docdir}/tiff-%{version}/LICENSE.md %changelog +* Thu Nov 27 2025 Azure Linux Security Servicing Account - 4.6.0-11 +- Patch for CVE-2025-8961 + * Mon Sep 29 2025 Azure Linux Security Servicing Account - 4.6.0-10 - Patch for CVE-2024-13978 From 3461d1ae4bee7af379540796a68fea28213f247a Mon Sep 17 00:00:00 2001 From: Aditya Singh Date: Sun, 30 Nov 2025 13:23:39 +0530 Subject: [PATCH 21/43] [Low] Patch atop for CVE-2025-31160 (#15029) --- SPECS/atop/CVE-2025-31160.patch | 627 ++++++++++++++++++++++++++++++++ SPECS/atop/atop.spec | 7 +- 2 files changed, 633 insertions(+), 1 deletion(-) create mode 100644 SPECS/atop/CVE-2025-31160.patch diff --git a/SPECS/atop/CVE-2025-31160.patch b/SPECS/atop/CVE-2025-31160.patch new file mode 100644 index 00000000000..b52922c2e76 --- /dev/null +++ b/SPECS/atop/CVE-2025-31160.patch 
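Review bot: The patch body only touches `archive/tools/tiffcrop.c`, and nothing visible in this commit shows that the spec builds or ships the archived tools, so it is worth confirming in `%build`/`%files` (outside these hunks) that a fixed `tiffcrop` binary actually results; if it is not built, the changelog line `Patch for CVE-2025-8961` should say so. In `main`, the new guard `if (read_buff && read_buff != crop_buff)` relies on the following `if (crop_buff)` branch to release the shared buffer, and that branch's body is cut off by the inner hunk, so the single-free property cannot be checked from this patch alone. A one-line comment in the spec next to `Patch12` naming the affected tool would help the next person triaging scanner results.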
@@ -0,0 +1,627 @@
+From ec8f3038497fcf493c6ff9c9f98f7a7c6216a1cb Mon Sep 17 00:00:00 2001
+From: Gerlof Langeveld
+Date: Sat, 29 Mar 2025 18:56:44 +0100
+Subject: [PATCH] Fix security vulnerability CVE-2025-31160 (#334)
+
+Atop will not connect to the TCP port of 'atopgpud' daemon any more
+by default. The flag -k can be used explicitly when 'atopgpud' is
+active. Also the code to parse the received strings is improved to
+avoid future issues with heap corruption.
+
+The flag -K has been implemented to connect to netatop/netatop-bpf.
+
+Upstream Patch reference: https://github.com/Atoptool/atop/commit/ec8f3038497fcf493c6ff9c9f98f7a7c6216a1cb.patch
+---
+ atop.c | 60 +++++++-------
+ atop.h | 1 +
+ gpucom.c | 228 +++++++++++++++++++++++++++++++++++++---------------
+ photoproc.c | 3 +-
+ 4 files changed, 198 insertions(+), 94 deletions(-)
+
+diff --git a/atop.c b/atop.c
+index 735c7ab..109ce00 100644
+--- a/atop.c
++++ b/atop.c
+@@ -169,6 +169,8 @@ char calcpss = 0; /* boolean: read/calculate process PSS */
+ char getwchan = 0; /* boolean: obtain wchan string */
+ char rmspaces = 0; /* boolean: remove spaces from command */
+ /* name in case of parsable output */
++char connectgpud = 0; /* boolean: connect to atopgpud */
++char connectnetatop = 0; /* boolean: connect to netatop(bpf) */
+
+ char displaymode = 'T'; /* 'T' = text, 'D' = draw */
+ char barmono = 0; /* boolean: bar without categories?
*/
+@@ -430,6 +432,14 @@ main(int argc, char *argv[])
+ rmspaces = 1;
+ break;
+
++ case 'k': /* try to open TCP connection to atopgpud */
++ connectgpud = 1;
++ break;
++
++ case 'K': /* try to open connection to netatop/netatop-bpf */
++ connectnetatop = 1;
++ break;
++
+ default: /* gather other flags */
+ flaglist[i++] = c;
+ }
+@@ -547,7 +557,8 @@ main(int argc, char *argv[])
+ /*
+ ** open socket to the IP layer to issue getsockopt() calls later on
+ */
+- netatop_ipopen();
++ if (connectnetatop)
++ netatop_ipopen();
+
+ /*
+ ** since privileged activities are finished now, there is no
+@@ -649,11 +660,15 @@ engine(void)
+
+ /*
+ ** open socket to the atopgpud daemon for GPU statistics
++ ** if explicitly required
+ */
+- nrgpus = gpud_init();
++ if (connectgpud)
++ {
++ nrgpus = gpud_init();
+
+- if (nrgpus)
+- supportflags |= GPUSTAT;
++ if (nrgpus)
++ supportflags |= GPUSTAT;
++ }
+
+ /*
+ ** MAIN-LOOP:
+@@ -700,7 +715,10 @@ engine(void)
+ ** send request for statistics to atopgpud
+ */
+ if (nrgpus)
+- gpupending = gpud_statrequest();
++ {
++ if ((gpupending = gpud_statrequest()) == 0)
++ nrgpus = 0;
++ }
+
+ /*
+ ** take a snapshot of the current system-level statistics
+@@ -725,28 +743,8 @@ engine(void)
+ // connection lost or timeout on receive?
+ if (nrgpuproc == -1)
+ {
+- int ng;
+-
+- // try to reconnect
+- ng = gpud_init();
+-
+- if (ng != nrgpus) // no success
+- nrgpus = 0;
+-
+- if (nrgpus)
+- {
+- // request for stats again
+- if (gpud_statrequest())
+- {
+- // receive stats response
+- nrgpuproc = gpud_statresponse(nrgpus,
+- cursstat->gpu.gpu, &gp);
+-
+- // persistent failure?
+- if (nrgpuproc == -1)
+- nrgpus = 0;
+- }
+- }
++ nrgpus = 0;
++ supportflags &= ~GPUSTAT;
+ }
+
+ cursstat->gpu.nrgpus = nrgpus;
+@@ -835,7 +833,7 @@ engine(void)
+ /*
+ ** merge GPU per-process stats with other per-process stats
+ */
+- if (nrgpus && nrgpuproc)
++ if (nrgpus && nrgpuproc > 0)
+ gpumergeproc(curtpres, ntaskpres,
+ curpexit, nprocexit,
+ gp, nrgpuproc);
+@@ -866,8 +864,8 @@ engine(void)
+ if (nprocexitnet > 0)
+ netatop_exiterase();
+
+- if (gp)
+- free(gp);
++ free(gp);
++ gp = NULL; // avoid double free
+
+ if (lastcmd == 'r') /* reset requested ? */
+ {
+@@ -914,6 +912,8 @@ prusage(char *myname)
+ MRMSPACES);
+ printf("\t -L alternate line length (default 80) in case of "
+ "non-screen output\n");
++ printf("\t -k try to connect to external atopgpud daemon (default: do not connect)\n");
++ printf("\t -K try to connect to netatop/netatop-bpf interface (default: do not connect)\n");
+
+ if (vis.show_usage)
+ (*vis.show_usage)();
+diff --git a/atop.h b/atop.h
+index 116919f..effd272 100644
+--- a/atop.h
++++ b/atop.h
+@@ -92,6 +92,7 @@ extern char calcpss;
+ extern char getwchan;
+ extern char rawname[];
+ extern char rawreadflag;
++extern char connectnetatop;
+ extern char rmspaces;
+ extern time_t begintime, endtime, cursortime; // epoch or time in day
+ extern char flaglist[];
+diff --git a/gpucom.c b/gpucom.c
+index 1ff3818..d6eb5ec 100644
+--- a/gpucom.c
++++ b/gpucom.c
+@@ -43,12 +43,12 @@
+
+ #define GPUDPORT 59123
+
+-static void gputype_parse(char *);
++static int gputype_parse(char *);
+
+-static void gpustat_parse(int, char *, int,
++static int gpustat_parse(int, char *, int,
+ struct pergpu *, struct gpupidstat *);
+-static void gpuparse(int, char *, struct pergpu *);
+-static void pidparse(int, char *, struct gpupidstat *);
++static int gpuparse(int, char *, struct pergpu *);
++static int pidparse(int, char *, struct gpupidstat *);
+ static int rcvuntil(int, char *, int);
+
+ static int actsock = -1;
+@@ -150,20 +150,24 @@
gpud_init(void)
+ if ( rcvuntil(actsock, buf, length) == -1)
+ {
+ perror("receive type request from atopgpud");
++ free(buf);
+ goto close_and_return;
+ }
+
+ buf[length] = '\0';
+
+- gputype_parse(buf);
+-
+- numgpus = numgpus <= MAXGPU ? numgpus : MAXGPU;
++ if (! gputype_parse(buf))
++ {
++ free(buf);
++ goto close_and_return;
++ }
+
+ return numgpus;
+
+ close_and_return:
+ close(actsock);
+ actsock = -1;
++ numgpus = 0;
+ return 0;
+ }
+
+@@ -176,7 +180,7 @@ gpud_init(void)
+ **
+ ** Return value:
+ ** 0 in case of failure
+-** 1 in case of success
++** 1 in case of success (request pending)
+ */
+ int
+ gpud_statrequest(void)
+@@ -190,6 +194,7 @@ gpud_statrequest(void)
+ {
+ close(actsock);
+ actsock = -1;
++ numgpus = 0;
+ return 0;
+ }
+
+@@ -216,7 +221,7 @@ gpud_statresponse(int maxgpu, struct pergpu *ggs, struct gpupidstat **gps)
+ uint32_t prelude;
+ char *buf = NULL, *p;
+ int version, length;
+- int pids = 0;
++ int maxprocs = 0, nrprocs;
+
+ if (actsock == -1)
+ return -1;
+@@ -269,22 +274,22 @@ gpud_statresponse(int maxgpu, struct pergpu *ggs, struct gpupidstat **gps)
+ *(buf+length) = '\0';
+
+ /*
+- ** determine number of per-process stats
+- ** and malloc space to parse these stats
++ ** determine number of per-process stats in string
++ ** and malloc space to store these stats
+ */
+ for (p=buf; *p; p++)
+ {
+ if (*p == PIDDELIM)
+- pids++;
++ maxprocs++;
+ }
+
+ if (gps)
+ {
+- if (pids)
++ if (maxprocs)
+ {
+- *gps = malloc(pids * sizeof(struct gpupidstat));
+- ptrverify(gps, "Malloc failed for gpu pidstats\n");
+- memset(*gps, 0, pids * sizeof(struct gpupidstat));
++ *gps = malloc(maxprocs * sizeof(struct gpupidstat));
++ ptrverify(*gps, "Malloc failed for gpu pidstats\n");
++ memset(*gps, 0, maxprocs * sizeof(struct gpupidstat));
+ }
+ else
+ {
+@@ -295,18 +300,27 @@ gpud_statresponse(int maxgpu, struct pergpu *ggs, struct gpupidstat **gps)
+ /*
+ ** parse stats string for per-gpu stats
+ */
+- gpustat_parse(version, buf, maxgpu, ggs, gps ?
*gps : NULL);
++ if ( (nrprocs = gpustat_parse(version, buf, maxgpu, ggs, gps ? *gps : NULL)) == -1)
++ {
++ if (gps)
++ {
++ free(*gps);
++ *gps = NULL; // avoid double free later on
++ }
++
++ goto close_and_return; // inconsistent data received from atopgpud
++ }
+
+ free(buf);
+
+- return pids;
++ return nrprocs;
+
+ close_and_return:
+- if (buf)
+- free(buf);
++ free(buf);
+
+ close(actsock);
+ actsock = -1;
++ numgpus = 0;
+ return -1;
+ }
+
+@@ -314,6 +328,9 @@ gpud_statresponse(int maxgpu, struct pergpu *ggs, struct gpupidstat **gps)
+ /*
+ ** Receive given number of bytes from given socket
+ ** into given buffer address
++**
++** Return value: number of bytes received
++** -1 - failed (including end-of-connection)
+ */
+ static int
+ rcvuntil(int sock, char *buf, int size)
+@@ -339,23 +356,27 @@ rcvuntil(int sock, char *buf, int size)
+ **
+ ** Store the type, busid and tasksupport of every GPU in
+ ** static pointer tables
++**
++** Return value: 1 - success
++** 0 - failed
+ */
+-static void
++static int
+ gputype_parse(char *buf)
+ {
+- char *p, *start, **bp, **tp, *cp;
++ char *p, *start, **bp, **tp, *cp, fails=0;
+
+ /*
+ ** determine number of GPUs
+ */
+ if ( sscanf(buf, "%d@", &numgpus) != 1)
+- {
+- close(actsock);
+- actsock = -1;
+- return;
+- }
++ return 0;
++
++ numgpus = numgpus <= MAXGPU ? numgpus : MAXGPU;
+
+- for (p=buf; *p; p++) // search for first delimiter
++ /*
++ ** search for first GPU delimiter (@)
++ */
++ for (p=buf; *p; p++)
+ {
+ if (*p == GPUDELIM)
+ {
+@@ -364,6 +385,9 @@ gputype_parse(char *buf)
+ }
+ }
+
++ if (*p == 0) // no delimiter or no data behind delimeter?
++ return 0;
++
+ /*
+ ** parse GPU info and build arrays of pointers to the
+ ** busid strings, type strings and tasksupport strings.
+@@ -380,27 +404,47 @@ gputype_parse(char *buf)
+ ptrverify(gputypes, "Malloc failed for gpu types\n");
+ ptrverify(gputasks, "Malloc failed for gpu tasksup\n");
+
+- for (field=0, start=p; ; p++)
++ for (field=0, start=p; fails == 0; p++)
+ {
+ if (*p == ' ' || *p == '\0' || *p == GPUDELIM)
+ {
+ switch(field)
+ {
+ case 0:
++ if (bp - gpubusid >= numgpus)
++ {
++ fails++;
++ break; // inconsistent with number of GPUs
++ }
++
+ if (p-start <= MAXGPUBUS)
+ *bp++ = start;
+ else
+ *bp++ = p - MAXGPUBUS;
+ break;
+ case 1:
++ if (tp - gputypes >= numgpus)
++ {
++ fails++;
++ break; // inconsistent with number of GPUs
++ }
++
+ if (p-start <= MAXGPUTYPE)
+ *tp++ = start;
+ else
+ *tp++ = p - MAXGPUTYPE;
+ break;
+ case 2:
++ if (cp - gputasks >= numgpus)
++ {
++ fails++;
++ break; // inconsistent with number of GPUs
++ }
++
+ *cp++ = *start;
+ break;
++ default:
++ fails++;
+ }
+
+ field++;
+@@ -418,7 +462,25 @@ gputype_parse(char *buf)
+
+ *bp = NULL;
+ *tp = NULL;
++
++ /*
++ ** verify if number of GPUs and supplied per-GPU information
++ ** appears to be inconsistent
++ */
++ if (fails || bp - gpubusid != numgpus || tp - gputypes != numgpus || cp - gputasks != numgpus)
++ {
++ free(gpubusid);
++ free(gputypes);
++ free(gputasks);
++ return 0;
++ }
+ }
++ else
++ {
++ return 0;
++ }
++
++ return 1;
+ }
+
+
+@@ -429,106 +491,146 @@ gputype_parse(char *buf)
+ ** with a '@' delimiter.
+ ** Every series with counters on process level is introduced
+ ** with a '#' delimiter (last part of the GPU level data).
++**
++** Return value: valid number of processes
++** -1 - failed
+ */
+-static void
++static int
+ gpustat_parse(int version, char *buf, int maxgpu,
+ struct pergpu *gg, struct gpupidstat *gp)
+ {
+- char *p, *start, delimlast;
+- int gpunum = 0;
++ char *p, *pp, *start;
++ int gpunum, nrprocs = 0;
+
+ /*
+ ** parse stats string
+ */
+- for (p=start=buf, delimlast=DUMMY; gpunum <= maxgpu; p++)
++ for (p=buf; *p && *p != GPUDELIM; p++) // find first GPU deimiter
++ ;
++
++ if (*p == 0) // string without GPU delimiter
++ return -1;
++
++ for (p++, start=p, gpunum=0; gpunum < maxgpu; p++)
+ {
+- char delimnow;
++ char delimnext;
+
+- if (*p != '\0' && *p != GPUDELIM && *p != PIDDELIM)
++ // search next GPU delimiter
++ //
++ if (*p && *p != GPUDELIM)
+ continue;
+
+ /*
+- ** next delimiter or end-of-string found
++ ** next GPU delimiter or end-of-string found
+ */
+- delimnow = *p;
+- *p = 0;
++ delimnext = *p;
++ *p = 0;
+
+- switch (delimlast)
+- {
+- case DUMMY:
+- break;
+-
+- case GPUDELIM:
+- gpuparse(version, start, gg);
+-
+- strcpy(gg->type, gputypes[gpunum]);
+- strcpy(gg->busid, gpubusid[gpunum]);
++ /*
++ ** parse GPU itself
++ */
++ if (! gpuparse(version, start, gg))
++ return -1;
+
+- gpunum++;
+- gg++;
+- break;
++ strncpy(gg->type, gputypes[gpunum], MAXGPUTYPE);
++ strncpy(gg->busid, gpubusid[gpunum], MAXGPUBUS);
+
+- case PIDDELIM:
+- if (gp)
++ /*
++ ** continue searching for per-process stats for this GPU
++ */
++ if (gp)
++ {
++ for (pp = start; pp < p; pp++)
+ {
+- pidparse(version, start, gp);
++ if (*pp != PIDDELIM)
++ continue;
++
++ // new PID delimiter (#) found
++ //
++ if (!
pidparse(version, pp+1, gp)) ++ return -1; + + gp->gpu.nrgpus++; +- gp->gpu.gpulist = 1<<(gpunum-1); ++ gp->gpu.gpulist = 1<nrprocs++; ++ gg->nrprocs++; // per GPU ++ nrprocs++; // total + } + } + +- if (delimnow == 0 || *(p+1) == 0) ++ gpunum++; ++ gg++; ++ ++ if (delimnext == 0 || *(p+1) == 0) + break; + +- start = p+1; +- delimlast = delimnow; ++ start = p+1; + } ++ ++ return nrprocs; + } + + + /* + ** Parse GPU statistics string ++** ++** Return value: 1 - success ++** 0 - failed + */ +-static void ++static int + gpuparse(int version, char *p, struct pergpu *gg) + { ++ int nr; ++ + switch (version) + { + case 1: +- (void) sscanf(p, "%d %d %lld %lld %lld %lld %lld %lld", ++ nr = sscanf(p, "%d %d %lld %lld %lld %lld %lld %lld", + &(gg->gpupercnow), &(gg->mempercnow), + &(gg->memtotnow), &(gg->memusenow), + &(gg->samples), &(gg->gpuperccum), + &(gg->memperccum), &(gg->memusecum)); + ++ if (nr < 8) // parse error: unexpected data ++ return 0; ++ + gg->nrprocs = 0; + + break; + } ++ ++ return 1; + } + + + /* + ** Parse PID statistics string ++** ++** Return value: 1 - success ++** 0 - failed + */ +-static void ++static int + pidparse(int version, char *p, struct gpupidstat *gp) + { ++ int nr; ++ + switch (version) + { + case 1: +- (void) sscanf(p, "%c %ld %d %d %lld %lld %lld %lld", ++ nr = sscanf(p, "%c %ld %d %d %lld %lld %lld %lld", + &(gp->gpu.state), &(gp->pid), + &(gp->gpu.gpubusy), &(gp->gpu.membusy), + &(gp->gpu.timems), + &(gp->gpu.memnow), &(gp->gpu.memcum), + &(gp->gpu.sample)); ++ ++ if (nr < 8) // parse error: unexpected data ++ return 0; + break; + } ++ ++ return 1; + } + + +diff --git a/photoproc.c b/photoproc.c +index 5219f80..519e6c0 100644 +--- a/photoproc.c ++++ b/photoproc.c +@@ -136,7 +136,8 @@ photoproc(struct tstat *tasklist, int maxtask) + */ + regainrootprivs(); + +- netatop_probe(); ++ if (connectnetatop) ++ netatop_probe(); + + if (supportflags & CGROUPV2) + wipecgroupv2(); +-- +2.45.4 + 
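Review bot: In `gpustat_parse` the switch from `strcpy` to `strncpy(gg->type, gputypes[gpunum], MAXGPUTYPE)` and `strncpy(gg->busid, gpubusid[gpunum], MAXGPUBUS)` bounds the copy but does not terminate it: `gputype_parse` appears to accept strings of exactly `MAXGPUTYPE`/`MAXGPUBUS` characters (`p-start <= MAXGPUTYPE`), and for those `strncpy` writes no NUL. Whether the result is terminated then depends on the size of the `struct pergpu` fields and on the caller having zeroed them, neither of which is visible in this patch. If the fields are one byte larger than the limit, `gg->type[MAXGPUTYPE] = '\0';` and `gg->busid[MAXGPUBUS] = '\0';` after the copies would make it explicit; worth checking against upstream before carrying a local delta. Separately, the failure path of `gputype_parse` frees `gpubusid`, `gputypes` and `gputasks` without resetting those pointers, which is only safe while nothing reads them once `numgpus` is 0.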
diff --git a/SPECS/atop/atop.spec b/SPECS/atop/atop.spec index 48423706186..7b78cf69a42 100644 --- a/SPECS/atop/atop.spec +++ b/SPECS/atop/atop.spec @@ -2,7 +2,7 @@ Summary: An advanced interactive monitor to view the load on system and process level Name: atop Version: 2.9.0 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,6 +12,7 @@ Source1: atop.d Patch0: atop-sysconfig.patch Patch1: format.patch +Patch2: CVE-2025-31160.patch BuildRequires: gcc BuildRequires: make @@ -43,6 +44,7 @@ http://www.atcomputing.nl/Tools/atop/kernpatch.html %setup -q %patch 0 -b .sysconfig %patch 1 -b .format +%patch 2 -p1 # Correct unit file path sed -i "s|%{_sysconfdir}/default/atop|%{_sysconfdir}/sysconfig/atop|g" atop.service @@ -91,6 +93,9 @@ install -Dp -m 0644 atop-rotate.* %{buildroot}%{_unitdir}/ %{_sbindir}/atopacctd %changelog +* Mon Nov 03 2025 Aditya Singh - 2.9.0-2 +- Added Patch for CVE-2025-31160 + * Fri Jan 05 2024 Muhammad Falak - 2.9.0-1 - Bump version to 2.9.0 - Drop un-needed patches From dc866480f3f0618a28b0b8cc38f7876315f9a605 Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Sun, 30 Nov 2025 16:32:43 +0530 Subject: [PATCH 22/43] [AutoPR- Security] Patch containerized-data-importer for CVE-2025-58183 [MEDIUM] (#15103) --- .../CVE-2025-58183.patch | 62 +++++++++++++++++++ .../containerized-data-importer.spec | 6 +- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 SPECS/containerized-data-importer/CVE-2025-58183.patch diff --git a/SPECS/containerized-data-importer/CVE-2025-58183.patch b/SPECS/containerized-data-importer/CVE-2025-58183.patch new file mode 100644 index 00000000000..497578c4c70 --- /dev/null +++ b/SPECS/containerized-data-importer/CVE-2025-58183.patch 
@@ -0,0 +1,62 @@
+From 58ad7f75f697cc3ec0a11be10f5e2fba24034bc5 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Sat, 15 Nov 2025 06:45:51 +0000
+Subject: [PATCH] archive/tar: set limit on GNU sparse 1.0 map size; cap tokens
+ at maxSpecialFileSize; add errSparseTooLong error
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/vbatts/tar-split/commit/55da7d6b43bd806ee785d783bdf66bcf302af118.patch
+---
+ .../github.com/vbatts/tar-split/archive/tar/common.go | 1 +
+ .../github.com/vbatts/tar-split/archive/tar/reader.go | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/common.go b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+index dee9e47..e687a08 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/common.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+@@ -34,6 +34,7 @@ var (
+ errMissData = errors.New("archive/tar: sparse file references non-existent data")
+ errUnrefData = errors.New("archive/tar: sparse file contains unreferenced data")
+ errWriteHole = errors.New("archive/tar: write non-NUL byte in sparse hole")
++ errSparseTooLong = errors.New("archive/tar: sparse map too long")
+ )
+
+ type headerError []string
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+index a7b5011..02090ac 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+@@ -575,12 +575,18 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ cntNewline int64
+ buf bytes.Buffer
+ blk block
++ totalSize int
+ )
+
+ // feedTokens copies data in blocks from r into buf until there are
+ // at least cnt newlines in buf. It will not read more blocks than needed.
+ feedTokens := func(n int64) error { ++ + for cntNewline < n { ++ totalSize += len(blk) ++ if totalSize > maxSpecialFileSize { ++ return errSparseTooLong ++ } + if _, err := mustReadFull(r, blk[:]); err != nil { + return err + } +@@ -613,8 +619,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) { + } + + // Parse for all member entries. +- // numEntries is trusted after this since a potential attacker must have +- // committed resources proportional to what this library used. ++ // numEntries is trusted after this since feedTokens limits the number of ++ // tokens based on maxSpecialFileSize. + if err := feedTokens(2 * numEntries); err != nil { + return nil, err + } +-- +2.45.4 + diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec index 61e85e9dd95..2e8a7697199 100644 --- a/SPECS/containerized-data-importer/containerized-data-importer.spec +++ b/SPECS/containerized-data-importer/containerized-data-importer.spec @@ -18,7 +18,7 @@ Summary: Container native virtualization Name: containerized-data-importer Version: 1.57.0 -Release: 16%{?dist} +Release: 17%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -38,6 +38,7 @@ Patch9: CVE-2025-27144.patch Patch10: CVE-2025-22868.patch Patch11: CVE-2025-22872.patch Patch12: CVE-2025-58058.patch +Patch13: CVE-2025-58183.patch BuildRequires: golang < 1.25 BuildRequires: golang-packaging BuildRequires: libnbd-devel @@ -232,6 +233,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m %{_datadir}/cdi/manifests %changelog +* Sat Nov 15 2025 Azure Linux Security Servicing Account - 1.57.0-17 +- Patch for CVE-2025-58183 + * Wed Sep 03 2025 Azure Linux Security Servicing Account - 1.57.0-16 - Patch for CVE-2025-58058 From ba1664eed8c2c10295a387d11c207e3d4949cf43 Mon Sep 17 00:00:00 2001 
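Review bot: This backport and the moby-engine `CVE-2025-58183.patch` later in the series change the same vendored `readGNUSparseMap1x0` from the same upstream commit but are not identical: here `feedTokens` gains a stray blank line at the top of the closure (diffstat `10 ++++++++--` against `9 +++++++--`), and both are labelled `AI Backport`. I would drop the blank line so the two vendored copies carry byte-identical changes that can be compared with the upstream commit in one step. Both patches also use `maxSpecialFileSize` without defining it, so the fix depends on the vendored tar-split already declaring that constant; the build will show whether it does, but the value that bounds `totalSize` is not visible in either patch and is worth stating in the patch description.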
From: Azure Linux Security Servicing Account Date: Sun, 30 Nov 2025 16:33:27 +0530 Subject: [PATCH 23/43] [AutoPR- Security] Patch moby-engine for CVE-2025-58183 [MEDIUM] (#15102) --- SPECS/moby-engine/CVE-2025-58183.patch | 62 ++++++++++++++++++++++++++ SPECS/moby-engine/moby-engine.spec | 6 ++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 SPECS/moby-engine/CVE-2025-58183.patch diff --git a/SPECS/moby-engine/CVE-2025-58183.patch b/SPECS/moby-engine/CVE-2025-58183.patch new file mode 100644 index 00000000000..e0a9843ff3d --- /dev/null +++ b/SPECS/moby-engine/CVE-2025-58183.patch 
@@ -0,0 +1,62 @@
+From 9d9605d279c66333caaf20b3f46a440d659c48c2 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Sat, 15 Nov 2025 06:37:02 +0000
+Subject: [PATCH] archive/tar: set a limit on the size of GNU sparse file 1.0
+ regions; cap to maxSpecialFileSize; add errSparseTooLong; update reader to
+ enforce limit
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/vbatts/tar-split/commit/55da7d6b43bd806ee785d783bdf66bcf302af118.patch
+---
+ vendor/github.com/vbatts/tar-split/archive/tar/common.go | 1 +
+ vendor/github.com/vbatts/tar-split/archive/tar/reader.go | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/common.go b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+index dee9e47..e687a08 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/common.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+@@ -34,6 +34,7 @@ var (
+ errMissData = errors.New("archive/tar: sparse file references non-existent data")
+ errUnrefData = errors.New("archive/tar: sparse file contains unreferenced data")
+ errWriteHole = errors.New("archive/tar: write non-NUL byte in sparse hole")
++ errSparseTooLong = errors.New("archive/tar: sparse map too long")
+ )
+
+ type headerError []string
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+index 40f6c86..7a56fa1 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+@@ -576,12 +576,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ cntNewline int64
+ buf bytes.Buffer
+ blk block
++ totalSize int
+ )
+
+ // feedTokens copies data in blocks from r into buf until there are
+ // at least cnt newlines in buf. It will not read more blocks than needed.
+ feedTokens := func(n int64) error { + for cntNewline < n { ++ totalSize += len(blk) ++ if totalSize > maxSpecialFileSize { ++ return errSparseTooLong ++ } + if _, err := mustReadFull(r, blk[:]); err != nil { + return err + } +@@ -614,8 +619,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) { + } + + // Parse for all member entries. +- // numEntries is trusted after this since a potential attacker must have +- // committed resources proportional to what this library used. ++ // numEntries is trusted after this since feedTokens limits the number of ++ // tokens based on maxSpecialFileSize. + if err := feedTokens(2 * numEntries); err != nil { + return nil, err + } +-- +2.45.4 + diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index f61a3838790..719a5e1d9d3 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine Name: moby-engine Version: 25.0.3 -Release: 13%{?dist} +Release: 14%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://mobyproject.org @@ -28,6 +28,7 @@ Patch10: CVE-2025-22868.patch Patch11: CVE-2025-22869.patch Patch12: CVE-2025-30204.patch Patch13: CVE-2024-51744.patch +Patch14: CVE-2025-58183.patch %{?systemd_requires} @@ -123,6 +124,9 @@ fi %{_unitdir}/* %changelog +* Sat Nov 15 2025 Azure Linux Security Servicing Account - 25.0.3-14 +- Patch for CVE-2025-58183 + * Fri May 23 2025 Akhila Guruju - 25.0.3-13 - Patch CVE-2024-51744 From ea4efb198ec6230fa129ef47a9caee3d994b22ae Mon Sep 17 00:00:00 2001 From: AkarshHCL Date: Mon, 1 Dec 2025 17:01:23 +0530 Subject: [PATCH 24/43] Build fix for jakarta-taglibs-standard (#15142) --- .../jakarta-taglibs-standard.spec | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
diff --git a/SPECS-EXTENDED/jakarta-taglibs-standard/jakarta-taglibs-standard.spec b/SPECS-EXTENDED/jakarta-taglibs-standard/jakarta-taglibs-standard.spec index df2bf091a1d..bc5e007fb98 100644 --- a/SPECS-EXTENDED/jakarta-taglibs-standard/jakarta-taglibs-standard.spec +++ b/SPECS-EXTENDED/jakarta-taglibs-standard/jakarta-taglibs-standard.spec @@ -21,7 +21,7 @@ Distribution: Azure Linux %define short_name taglibs-standard Name: jakarta-taglibs-standard Version: 1.1.1 -Release: 261%{?dist} +Release: 262%{?dist} Summary: Open Source Implementation of the JSP Standard Tag Library License: ASL 2.0 Group: Development/Libraries/Java @@ -74,7 +74,7 @@ EOBP %build ant \ - -Dant.build.javac.source=1.6 -Dant.build.javac.target=1.6 \ + -Dant.build.javac.source=1.8 -Dant.build.javac.target=1.8 \ -Dfinal.name=%{short_name} \ -Dj2se.javadoc=%{_javadocdir}/java \ -f standard/build.xml \ @@ -90,11 +90,15 @@ cp -p standard/dist/standard/lib/standard.jar %{buildroot}%{_javadir}/jakarta-ta # javadoc mkdir -p %{buildroot}%{_javadocdir}/%{name} cp -pr standard/dist/standard/javadoc/* %{buildroot}%{_javadocdir}/%{name} +mv %{buildroot}%{_javadocdir}/%{name}/legal/ADDITIONAL_LICENSE_INFO . +mv %{buildroot}%{_javadocdir}/%{name}/legal/LICENSE . %fdupes -s %{buildroot}%{_javadocdir}/%{name} %files %license LICENSE +%license ADDITIONAL_LICENSE_INFO %doc standard/README_src.txt standard/README_bin.txt standard/dist/doc/doc/standard-doc/*.html +%exclude %{_javadocdir}/%{name}/legal/LICENSE %{_javadir}/* %files javadoc @@ -102,6 +106,10 @@ cp -pr standard/dist/standard/javadoc/* %{buildroot}%{_javadocdir}/%{name} %doc %{_javadocdir}/%{name} %changelog +* Thu Nov 20 2025 Akarsh Chaudhary - 1.1.1-262 +- Setting compiler.source to value 1.8 to fix the Build. +- License verified + * Thu Feb 22 2024 Pawel Winogrodzki - 1.1.1-261 - Updating naming for 3.0 version of Azure Linux. From 14267c792b2c49df7fbffb7a7d64eb2fdcf3a813 Mon Sep 17 00:00:00 2001 
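Review bot: In `%install`, `mv %{buildroot}%{_javadocdir}/%{name}/legal/LICENSE .` moves the javadoc-generated legal file into the build directory under the name `LICENSE`, which `%license LICENSE` already referenced before this change; if a project `LICENSE` exists there, as the old `%files` line implies, it is silently overwritten and the package ships the javadoc notice in place of the project licence. Moving it to a distinct name, e.g. `mv %{buildroot}%{_javadocdir}/%{name}/legal/LICENSE LICENSE.javadoc` with a matching `%license LICENSE.javadoc`, keeps both. The added `%exclude %{_javadocdir}/%{name}/legal/LICENSE` then names a path that the `mv` has already removed from the buildroot, so it can be dropped.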
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 1 Dec 2025 07:51:56 -0800 Subject: [PATCH 25/43] Merge PR "[AUTO-CHERRYPICK] [AUTOPATCHER-CORE] Upgrade libpng to 1.6.51 for CVE-2025-64505, CVE-2025-64506, CVE-2025-65018, CVE-2025-64720 - branch 3.0-dev" #15193 Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> Co-authored-by: jslobodzian --- SPECS/libpng/libpng.signatures.json | 6 +++--- SPECS/libpng/libpng.spec | 5 ++++- cgmanifest.json | 4 ++-- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/SPECS/libpng/libpng.signatures.json b/SPECS/libpng/libpng.signatures.json index d8085300a70..9437c78bbf2 100644 --- a/SPECS/libpng/libpng.signatures.json +++ b/SPECS/libpng/libpng.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "libpng-1.6.40.tar.xz": "535b479b2467ff231a3ec6d92a525906fb8ef27978be4f66dbe05d3f3a01b3a1" - } + "Signatures": { + "libpng-1.6.51.tar.xz": "b1872484c1c5c70acc79cbb15fb366df954fa8d5dacbe7f729d858902d17933c" + } } diff --git a/SPECS/libpng/libpng.spec b/SPECS/libpng/libpng.spec index 38e41968f0b..f9474fc534e 100644 --- a/SPECS/libpng/libpng.spec +++ b/SPECS/libpng/libpng.spec @@ -1,6 +1,6 @@ Summary: contains libraries for reading and writing PNG files. Name: libpng -Version: 1.6.40 +Version: 1.6.51 Release: 1%{?dist} License: zlib Vendor: Microsoft Corporation @@ -57,6 +57,9 @@ make %{?_smp_mflags} -k check %{_mandir}/man3/* %changelog +* Thu Nov 27 2025 CBL-Mariner Servicing Account - 1.6.51-1 +- Auto-upgrade to 1.6.51 - for CVE-2025-64505, CVE-2025-64506, CVE-2025-65018, CVE-2025-64720 + * Fri Dec 15 2023 Neha Agarwal - 1.6.40-1 - Update to v1.6.40 diff --git a/cgmanifest.json b/cgmanifest.json index 84db7a2efee..bf1c76a6f8f 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
@@ -10831,8 +10831,8 @@ "type": "other", "other": { "name": "libpng", - "version": "1.6.40", - "downloadUrl": "https://downloads.sourceforge.net/libpng/libpng-1.6.40.tar.xz" + "version": "1.6.51", + "downloadUrl": "https://downloads.sourceforge.net/libpng/libpng-1.6.51.tar.xz" } } }, From d86501f46a4bedc2ceba57b3b315e1f6b38878a4 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 1 Dec 2025 11:28:35 -0800 Subject: [PATCH 26/43] [AUTO-CHERRYPICK] [High] Patch kubernetes for CVE-2025-31133 and CVE-2025-52565 - branch 3.0-dev (#15192) Co-authored-by: Aditya Singh Co-authored-by: jslobodzian --- SPECS/kubernetes/CVE-2025-31133.patch | 439 ++++ SPECS/kubernetes/CVE-2025-52565.patch | 3156 +++++++++++++++++++++++++ SPECS/kubernetes/kubernetes.spec | 12 +- 3 files changed, 3604 insertions(+), 3 deletions(-) create mode 100644 SPECS/kubernetes/CVE-2025-31133.patch create mode 100644 SPECS/kubernetes/CVE-2025-52565.patch diff --git a/SPECS/kubernetes/CVE-2025-31133.patch b/SPECS/kubernetes/CVE-2025-31133.patch new file mode 100644 index 00000000000..17b8f079e01 --- /dev/null +++ b/SPECS/kubernetes/CVE-2025-31133.patch 
@@ -0,0 +1,439 @@ +From 8476df83b534a2522b878c0507b3491def48db9f Mon Sep 17 00:00:00 2001 +From: Kir Kolyshkin +Date: Thu, 6 Mar 2025 08:19:45 -0800 +Subject: [PATCH] libct: add/use isDevNull, verifyDevNull + +The /dev/null in a container should not be trusted, because when /dev +is a bind mount, /dev/null is not created by runc itself. + +1. Add isDevNull which checks the fd minor/major and device type, + and verifyDevNull which does the stat and the check. + +2. Rewrite maskPath to open and check /dev/null, and use its fd to + perform mounts. Move the loop over the MaskPaths into the function, + and rename it to maskPaths. + +3. reOpenDevNull: use verifyDevNull and isDevNull. + +4. fixStdioPermissions: use isDevNull instead of stat. + +Fixes: GHSA-9493-h29p-rfm2 CVE-2025-31133 +Co-authored-by: Rodrigo Campos +Signed-off-by: Kir Kolyshkin +Signed-off-by: Aleksa Sarai + +Upstream Patch Reference: https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f.patch +--- + .../runc/internal/sys/verify_inode_unix.go | 30 +++++++ + .../runc/libcontainer/init_linux.go | 11 +-- + .../runc/libcontainer/mount_linux.go | 90 ++++++++++++++++++- + .../runc/libcontainer/rootfs_linux.go | 52 ++++++++--- + .../runc/libcontainer/standard_init_linux.go | 7 +- + .../runc/libcontainer/utils/utils_unix.go | 73 +++++++++++++++ + 6 files changed, 240 insertions(+), 23 deletions(-) + create mode 100644 vendor/github.com/opencontainers/runc/internal/sys/verify_inode_unix.go + +diff --git a/vendor/github.com/opencontainers/runc/internal/sys/verify_inode_unix.go b/vendor/github.com/opencontainers/runc/internal/sys/verify_inode_unix.go +new file mode 100644 +index 00000000..d5019db5 +--- /dev/null ++++ b/vendor/github.com/opencontainers/runc/internal/sys/verify_inode_unix.go +@@ -0,0 +1,30 @@ ++package sys ++ ++import ( ++ "fmt" ++ "os" ++ "runtime" ++ ++ "golang.org/x/sys/unix" ++) ++ ++// VerifyInodeFunc is the callback passed to [VerifyInode] to check if the ++// 
inode is the expected type (and on the correct filesystem type, in the case ++// of filesystem-specific inodes). ++type VerifyInodeFunc func(stat *unix.Stat_t, statfs *unix.Statfs_t) error ++ ++// VerifyInode verifies that the underlying inode for the given file matches an ++// expected inode type (possibly on a particular kind of filesystem). This is ++// mainly a wrapper around [VerifyInodeFunc]. ++func VerifyInode(file *os.File, checkFunc VerifyInodeFunc) error { ++ var stat unix.Stat_t ++ if err := unix.Fstat(int(file.Fd()), &stat); err != nil { ++ return fmt.Errorf("fstat %q: %w", file.Name(), err) ++ } ++ var statfs unix.Statfs_t ++ if err := unix.Fstatfs(int(file.Fd()), &statfs); err != nil { ++ return fmt.Errorf("fstatfs %q: %w", file.Name(), err) ++ } ++ runtime.KeepAlive(file) ++ return checkFunc(&stat, &statfs) ++} +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go +index d9f18139..50c7a129 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go +@@ -432,19 +432,16 @@ func setupUser(config *initConfig) error { + // The ownership needs to match because it is created outside of the container and needs to be + // localized. + func fixStdioPermissions(u *user.ExecUser) error { +- var null unix.Stat_t +- if err := unix.Stat("/dev/null", &null); err != nil { +- return &os.PathError{Op: "stat", Path: "/dev/null", Err: err} +- } + for _, file := range []*os.File{os.Stdin, os.Stdout, os.Stderr} { + var s unix.Stat_t + if err := unix.Fstat(int(file.Fd()), &s); err != nil { + return &os.PathError{Op: "fstat", Path: file.Name(), Err: err} + } + +- // Skip chown if uid is already the one we want or any of the STDIO descriptors +- // were redirected to /dev/null. 
+- if int(s.Uid) == u.Uid || s.Rdev == null.Rdev { ++ // Skip chown if: ++ // - uid is already the one we want, or ++ // - fd is opened to /dev/null. ++ if int(s.Uid) == u.Uid || isDevNull(&s) { + continue + } + +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/mount_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/mount_linux.go +index 948b6c0b..32e72782 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/mount_linux.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/mount_linux.go +@@ -2,15 +2,37 @@ package libcontainer + + import ( + "io/fs" ++ "os" + "strconv" + ++ "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" ++ "github.com/opencontainers/runc/libcontainer/utils" + ) + ++// mountSourceType indicates what type of file descriptor is being returned. It ++// is used to tell rootfs_linux.go whether or not to use move_mount(2) to ++// install the mount. ++type mountSourceType string ++ ++const ( ++ // An open_tree(2)-style file descriptor that needs to be installed using ++ // move_mount(2) to install. ++ mountSourceOpenTree mountSourceType = "open_tree" ++ // A plain file descriptor that can be mounted through /proc/thread-self/fd. ++ mountSourcePlain mountSourceType = "plain-open" ++) ++ ++type mountSource struct { ++ Type mountSourceType `json:"type"` ++ file *os.File `json:"-"` ++} ++ + // mountError holds an error from a failed mount or unmount operation. 
+ type mountError struct { + op string + source string ++ srcFile *mountSource + target string + procfd string + flags uintptr +@@ -59,6 +81,7 @@ func mount(source, target, procfd, fstype string, flags uintptr, data string) er + return &mountError{ + op: "mount", + source: source, ++ srcFile: nil, + target: target, + procfd: procfd, + flags: flags, +@@ -69,6 +92,71 @@ func mount(source, target, procfd, fstype string, flags uintptr, data string) er + return nil + } + ++// mountViaFds is a unix.Mount wrapper which uses srcFile instead of source, ++// and dstFd instead of target, unless those are empty. ++// ++// If srcFile is non-nil and flags does not contain MS_REMOUNT, mountViaFds ++// will mount it according to the mountSourceType of the file descriptor. ++// ++// The dstFd argument, if non-empty, is expected to be in the form of a path to ++// an opened file descriptor on procfs (i.e. "/proc/thread-self/fd/NN"). ++// ++// If a file descriptor is used instead of a source or a target path, the ++// corresponding path is only used to add context to an error in case the mount ++// operation has failed. ++func mountViaFds(source string, srcFile *mountSource, target, dstFd, fstype string, flags uintptr, data string) error { ++ // MS_REMOUNT and srcFile don't make sense together. ++ if srcFile != nil && flags&unix.MS_REMOUNT != 0 { ++ logrus.Debugf("mount source passed along with MS_REMOUNT -- ignoring srcFile") ++ srcFile = nil ++ } ++ dst := target ++ if dstFd != "" { ++ dst = dstFd ++ } ++ src := source ++ isMoveMount := srcFile != nil && srcFile.Type == mountSourceOpenTree ++ if srcFile != nil { ++ // If we're going to use the /proc/thread-self/... path for classic ++ // mount(2), we need to get a safe handle to /proc/thread-self. This ++ // isn't needed for move_mount(2) because in that case the path is just ++ // a dummy string used for error info. 
++ srcFileFd := srcFile.file.Fd() ++ if isMoveMount { ++ src = "/proc/self/fd/" + strconv.Itoa(int(srcFileFd)) ++ } else { ++ var closer utils.ProcThreadSelfCloser ++ src, closer = utils.ProcThreadSelfFd(srcFileFd) ++ defer closer() ++ } ++ } ++ ++ var op string ++ var err error ++ if isMoveMount { ++ op = "move_mount" ++ err = unix.MoveMount(int(srcFile.file.Fd()), "", ++ unix.AT_FDCWD, dstFd, ++ unix.MOVE_MOUNT_F_EMPTY_PATH|unix.MOVE_MOUNT_T_SYMLINKS) ++ } else { ++ op = "mount" ++ err = unix.Mount(src, dst, fstype, flags, data) ++ } ++ if err != nil { ++ return &mountError{ ++ op: op, ++ source: source, ++ srcFile: srcFile, ++ target: target, ++ procfd: dstFd, ++ flags: flags, ++ data: data, ++ err: err, ++ } ++ } ++ return nil ++} ++ + // unmount is a simple unix.Unmount wrapper. + func unmount(target string, flags int) error { + err := unix.Unmount(target, flags) +@@ -97,5 +185,5 @@ func syscallMode(i fs.FileMode) (o uint32) { + o |= unix.S_ISVTX + } + // No mapping for Go's ModeTemporary (plan9 only). 
+- return ++ return o + } +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +index c701d6a2..b48c387d 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +@@ -21,6 +21,7 @@ import ( + "github.com/opencontainers/runc/libcontainer/devices" + "github.com/opencontainers/runc/libcontainer/userns" + "github.com/opencontainers/runc/libcontainer/utils" ++ "github.com/opencontainers/runc/internal/sys" + "github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/selinux/go-selinux/label" + "github.com/sirupsen/logrus" +@@ -360,7 +361,7 @@ func mountCgroupV2(m *configs.Mount, c *mountConfig) error { + // Mask `/sys/fs/cgroup` to ensure it is read-only, even when `/sys` is mounted + // with `rbind,ro` (`runc spec --rootless` produces `rbind,ro` for `/sys`). + err = utils.WithProcfd(c.root, m.Destination, func(procfd string) error { +- return maskPath(procfd, c.label) ++ return maskPaths([]string{procfd}, c.label) + }) + } + return err +@@ -653,20 +654,20 @@ func setupDevSymlinks(rootfs string) error { + // needs to be called after we chroot/pivot into the container's rootfs so that any + // symlinks are resolved locally. 
+ func reOpenDevNull() error { +- var stat, devNullStat unix.Stat_t + file, err := os.OpenFile("/dev/null", os.O_RDWR, 0) + if err != nil { + return err + } + defer file.Close() //nolint: errcheck +- if err := unix.Fstat(int(file.Fd()), &devNullStat); err != nil { +- return &os.PathError{Op: "fstat", Path: file.Name(), Err: err} ++ if err := verifyDevNull(file); err != nil { ++ return fmt.Errorf("can't reopen /dev/null: %w", err) + } + for fd := 0; fd < 3; fd++ { ++ var stat unix.Stat_t + if err := unix.Fstat(fd, &stat); err != nil { + return &os.PathError{Op: "fstat", Path: "fd " + strconv.Itoa(fd), Err: err} + } +- if stat.Rdev == devNullStat.Rdev { ++ if isDevNull(&stat) { + // Close and re-open the fd. + if err := unix.Dup3(int(file.Fd()), fd, 0); err != nil { + return &os.PathError{ +@@ -1059,17 +1060,46 @@ func remountReadonly(m *configs.Mount) error { + return fmt.Errorf("unable to mount %s as readonly max retries reached", dest) + } + +-// maskPath masks the top of the specified path inside a container to avoid ++func isDevNull(st *unix.Stat_t) bool { ++ return st.Mode&unix.S_IFMT == unix.S_IFCHR && st.Rdev == unix.Mkdev(1, 3) ++} ++ ++func verifyDevNull(f *os.File) error { ++ return sys.VerifyInode(f, func(st *unix.Stat_t, _ *unix.Statfs_t) error { ++ if !isDevNull(st) { ++ return errors.New("container's /dev/null is invalid") ++ } ++ return nil ++ }) ++} ++ ++// maskPaths masks the top of the specified paths inside a container to avoid + // security issues from processes reading information from non-namespace aware + // mounts ( proc/kcore ). + // For files, maskPath bind mounts /dev/null over the top of the specified path. + // For directories, maskPath mounts read-only tmpfs over the top of the specified path. 
+-func maskPath(path string, mountLabel string) error { +- if err := mount("/dev/null", path, "", "", unix.MS_BIND, ""); err != nil && !errors.Is(err, os.ErrNotExist) { +- if errors.Is(err, unix.ENOTDIR) { +- return mount("tmpfs", path, "", "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("", mountLabel)) ++func maskPaths(paths []string, mountLabel string) error { ++ devNull, err := os.OpenFile("/dev/null", unix.O_PATH, 0) ++ if err != nil { ++ return fmt.Errorf("can't mask paths: %w", err) ++ } ++ defer devNull.Close() ++ if err := verifyDevNull(devNull); err != nil { ++ return fmt.Errorf("can't mask paths: %w", err) ++ } ++ devNullSrc := &mountSource{Type: mountSourcePlain, file: devNull} ++ ++ for _, path := range paths { ++ if err := mountViaFds("", devNullSrc, path, "", "", unix.MS_BIND, ""); err != nil && !errors.Is(err, os.ErrNotExist) { ++ if !errors.Is(err, unix.ENOTDIR) { ++ return fmt.Errorf("can't mask path %q: %w", path, err) ++ } ++ // Destination is a directory: bind mount a ro tmpfs over it. 
++ err := mount("tmpfs", path, "", "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("", mountLabel)) ++ if err != nil { ++ return fmt.Errorf("can't mask dir %q: %w", path, err) ++ } + } +- return err + } + return nil + } +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go +index d1d94352..809dad5d 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go +@@ -141,10 +141,9 @@ func (l *linuxStandardInit) Init() error { + return fmt.Errorf("can't make %q read-only: %w", path, err) + } + } +- for _, path := range l.config.Config.MaskPaths { +- if err := maskPath(path, l.config.Config.MountLabel); err != nil { +- return fmt.Errorf("can't mask path %s: %w", path, err) +- } ++ ++ if err := maskPaths(l.config.Config.MaskPaths, l.config.Config.MountLabel); err != nil { ++ return err + } + pdeath, err := system.GetParentDeathSignal() + if err != nil { +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go +index bf3237a2..2bc9c422 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go +@@ -6,9 +6,12 @@ package utils + import ( + "fmt" + "os" ++ "runtime" + "strconv" ++ "sync" + _ "unsafe" // for go:linkname + ++ "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" + ) + +@@ -115,3 +118,73 @@ func NewSockPair(name string) (parent *os.File, child *os.File, err error) { + } + return os.NewFile(uintptr(fds[1]), name+"-p"), os.NewFile(uintptr(fds[0]), name+"-c"), nil + } ++type ProcThreadSelfCloser func() ++ ++var ( ++ haveProcThreadSelf bool ++ haveProcThreadSelfOnce sync.Once ++) ++ ++// ProcThreadSelf returns a string that is equivalent to ++// 
/proc/thread-self/, with a graceful fallback on older kernels where ++// /proc/thread-self doesn't exist. This method DOES NOT use SecureJoin, ++// meaning that the passed string needs to be trusted. The caller _must_ call ++// the returned procThreadSelfCloser function (which is runtime.UnlockOSThread) ++// *only once* after it has finished using the returned path string. ++func ProcThreadSelf(subpath string) (string, ProcThreadSelfCloser) { ++ haveProcThreadSelfOnce.Do(func() { ++ if _, err := os.Stat("/proc/thread-self/"); err == nil { ++ haveProcThreadSelf = true ++ } else { ++ logrus.Debugf("cannot stat /proc/thread-self (%v), falling back to /proc/self/task/", err) ++ } ++ }) ++ ++ // We need to lock our thread until the caller is done with the path string ++ // because any non-atomic operation on the path (such as opening a file, ++ // then reading it) could be interrupted by the Go runtime where the ++ // underlying thread is swapped out and the original thread is killed, ++ // resulting in pull-your-hair-out-hard-to-debug issues in the caller. In ++ // addition, the pre-3.17 fallback makes everything non-atomic because the ++ // same thing could happen between unix.Gettid() and the path operations. ++ // ++ // In theory, we don't need to lock in the atomic user case when using ++ // /proc/thread-self/, but it's better to be safe than sorry (and there are ++ // only one or two truly atomic users of /proc/thread-self/). ++ runtime.LockOSThread() ++ ++ threadSelf := "/proc/thread-self/" ++ if !haveProcThreadSelf { ++ // Pre-3.17 kernels did not have /proc/thread-self, so do it manually. ++ threadSelf = "/proc/self/task/" + strconv.Itoa(unix.Gettid()) + "/" ++ if _, err := os.Stat(threadSelf); err != nil { ++ // Unfortunately, this code is called from rootfs_linux.go where we ++ // are running inside the pid namespace of the container but /proc ++ // is the host's procfs. 
Unfortunately there is no real way to get ++ // the correct tid to use here (the kernel age means we cannot do ++ // things like set up a private fsopen("proc") -- even scanning ++ // NSpid in all of the tasks in /proc/self/task/*/status requires ++ // Linux 4.1). ++ // ++ // So, we just have to assume that /proc/self is acceptable in this ++ // one specific case. ++ if os.Getpid() == 1 { ++ logrus.Debugf("/proc/thread-self (tid=%d) cannot be emulated inside the initial container setup -- using /proc/self instead: %v", unix.Gettid(), err) ++ } else { ++ // This should never happen, but the fallback should work in most cases... ++ logrus.Warnf("/proc/thread-self could not be emulated for pid=%d (tid=%d) -- using more buggy /proc/self fallback instead: %v", os.Getpid(), unix.Gettid(), err) ++ } ++ threadSelf = "/proc/self/" ++ } ++ } ++ return threadSelf + subpath, runtime.UnlockOSThread ++} ++ ++// ProcThreadSelfFd is small wrapper around ProcThreadSelf to make it easier to ++// create a /proc/thread-self handle for given file descriptor. ++// ++// It is basically equivalent to ProcThreadSelf(fmt.Sprintf("fd/%d", fd)), but ++// without using fmt.Sprintf to avoid unneeded overhead. ++func ProcThreadSelfFd(fd uintptr) (string, ProcThreadSelfCloser) { ++ return ProcThreadSelf("fd/" + strconv.FormatUint(uint64(fd), 10)) ++} +-- +2.45.4 + diff --git a/SPECS/kubernetes/CVE-2025-52565.patch b/SPECS/kubernetes/CVE-2025-52565.patch new file mode 100644 index 00000000000..48a160b258a --- /dev/null +++ b/SPECS/kubernetes/CVE-2025-52565.patch 
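Review bot: The header of CVE-2025-31133.patch does not record where `mountSource`, `mountViaFds`, `ProcThreadSelf` and `ProcThreadSelfFd` come from. It cites upstream commit 8476df83b534, whose message lists only isDevNull/verifyDevNull, maskPaths, reOpenDevNull and fixStdioPermissions, yet the mount_linux.go and utils/utils_unix.go hunks add these helpers as well. They were presumably pulled from a newer runc so the fix applies to the vendored copy. A line under "Upstream Patch Reference:" would let a later audit diff them against upstream, for example `Backport note: mountViaFds/mountSource/ProcThreadSelf* taken from <UPSTREAM_COMMIT_PLACEHOLDER>; not part of 8476df83`. It is also worth stating there that only `mountSourcePlain` is constructed in this patch (in `maskPaths`), so the `move_mount` branch of `mountViaFds` is not exercised by any caller visible here.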
@@ -0,0 +1,3156 @@
+From 01de9d65dc72f67b256ef03f9bfb795a2bf143b4 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Thu, 15 May 2025 21:38:32 +1000
+Subject: [PATCH] rootfs: avoid using os.Create for new device inodes
+
+If an attacker were to make the target of a device inode creation be a
+symlink to some host path, os.Create would happily truncate the target
+which could lead to all sorts of issues. This exploit is probably not as
+exploitable because device inodes are usually only bind-mounted for
+rootless containers, which cannot overwrite important host files (though
+user files would still be up for grabs).
+
+The regular inode creation logic could also theoretically be tricked
+into changing the access mode and ownership of host files if the
+newly-created device inode was swapped with a symlink to a host path.
+
+Signed-off-by: Aleksa Sarai
+
+Upstream Patch Reference: https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4.patch
+---
+ .../internal/consts/consts.go | 15 +
+ .../pathrs-lite/internal/assert/assert.go | 18 +
+ .../pathrs-lite/internal/errors_linux.go | 41 ++
+ .../pathrs-lite/internal/fd/at_linux.go | 148 +++++
+ .../pathrs-lite/internal/fd/fd.go | 55 ++
+ .../pathrs-lite/internal/fd/fd_linux.go | 78 +++
+ .../pathrs-lite/internal/fd/mount_linux.go | 54 ++
+ .../pathrs-lite/internal/fd/openat2_linux.go | 62 ++
+ .../gocompat/gocompat_errors_go120.go | 19 +
+ .../gocompat/gocompat_generics_go121.go | 53 ++
+ .../internal/kernelversion/kernel_linux.go | 123 ++++
+ .../pathrs-lite/internal/linux/mount_linux.go | 47 ++
+ .../internal/linux/openat2_linux.go | 31 +
+ .../internal/procfs/procfs_linux.go | 544 ++++++++++++++++++
+ .../internal/procfs/procfs_lookup_linux.go | 222 +++++++
+ .../pathrs-lite/lookup_linux.go | 399 +++++++++++++
+ .../pathrs-lite/mkdir_linux.go | 209 +++++++
+ .../pathrs-lite/open_linux.go | 35 ++
+ .../pathrs-lite/openat2_linux.go | 101 ++++
+ .../pathrs-lite/procfs/procfs_linux.go | 157
+++++
+ .../internal/pathrs/mkdirall_pathrslite.go | 99 ++++
+ .../runc/internal/pathrs/path.go | 34 ++
+ .../runc/internal/pathrs/procfs_pathrslite.go | 108 ++++
+ .../runc/internal/pathrs/retry.go | 66 +++
+ .../runc/internal/sys/opath_linux.go | 53 ++
+ .../runc/libcontainer/rootfs_linux.go | 79 ++-
+ .../runc/libcontainer/utils/utils_unix.go | 15 +
+ 27 files changed, 2845 insertions(+), 20 deletions(-)
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/internal/consts/consts.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert/assert.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/errors_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/at_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/mount_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_go120.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_go121.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion/kernel_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/mount_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go
+ create mode 100644
vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_lookup_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/lookup_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/openat2_linux.go
+ create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_linux.go
+ create mode 100644 vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall_pathrslite.go
+ create mode 100644 vendor/github.com/opencontainers/runc/internal/pathrs/path.go
+ create mode 100644 vendor/github.com/opencontainers/runc/internal/pathrs/procfs_pathrslite.go
+ create mode 100644 vendor/github.com/opencontainers/runc/internal/pathrs/retry.go
+ create mode 100644 vendor/github.com/opencontainers/runc/internal/sys/opath_linux.go
+
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/internal/consts/consts.go b/vendor/github.com/cyphar/filepath-securejoin/internal/consts/consts.go
+new file mode 100644
+index 00000000..c69c4da9
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/internal/consts/consts.go
+@@ -0,0 +1,15 @@
++// SPDX-License-Identifier: BSD-3-Clause
++
++// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
++// Copyright (C) 2017-2025 SUSE LLC. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++// Package consts contains the definitions of internal constants used
++// throughout filepath-securejoin.
++package consts
++
++// MaxSymlinkLimit is the maximum number of symlinks that can be encountered
++// during a single lookup before returning -ELOOP. At time of writing, Linux
++// has an internal limit of 40.
++const MaxSymlinkLimit = 255
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert/assert.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert/assert.go
+new file mode 100644
+index 00000000..b2e990ba
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert/assert.go
+@@ -0,0 +1,18 @@
++// SPDX-License-Identifier: MPL-2.0
++
++// Copyright (C) 2025 Aleksa Sarai
++// Copyright (C) 2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++// Package assert provides some basic assertion helpers for Go.
++package assert
++
++// Assert panics if the predicate is false with the provided argument.
++func Assert(predicate bool, msg any) {
++ if !predicate {
++ panic(msg)
++ }
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/errors_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/errors_linux.go
+new file mode 100644
+index 00000000..d0b200f4
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/errors_linux.go
+@@ -0,0 +1,41 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++// Package internal contains unexported common code for filepath-securejoin.
++package internal
++
++import (
++ "errors"
++
++ "golang.org/x/sys/unix"
++)
++
++type xdevErrorish struct {
++ description string
++}
++
++func (err xdevErrorish) Error() string { return err.description }
++func (err xdevErrorish) Is(target error) bool { return target == unix.EXDEV }
++
++var (
++ // ErrPossibleAttack indicates that some attack was detected.
++ ErrPossibleAttack error = xdevErrorish{"possible attack detected"}
++
++ // ErrPossibleBreakout indicates that during an operation we ended up in a
++ // state that could be a breakout but we detected it.
++ ErrPossibleBreakout error = xdevErrorish{"possible breakout detected"}
++
++ // ErrInvalidDirectory indicates an unlinked directory.
++ ErrInvalidDirectory = errors.New("wandered into deleted directory")
++
++ // ErrDeletedInode indicates an unlinked file (non-directory).
++ ErrDeletedInode = errors.New("cannot verify path of deleted inode")
++)
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/at_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/at_linux.go
+new file mode 100644
+index 00000000..09105491
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/at_linux.go
+@@ -0,0 +1,148 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++package fd
++
++import (
++ "fmt"
++ "os"
++ "path/filepath"
++ "runtime"
++
++ "golang.org/x/sys/unix"
++
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
++)
++
++// prepareAtWith returns -EBADF (an invalid fd) if dir is nil, otherwise using
++// the dir.Fd().
We use -EBADF because in filepath-securejoin we generally
++// don't want to allow relative-to-cwd paths. The returned path is an
++// *informational* string that describes a reasonable pathname for the given
++// *at(2) arguments. You must not use the full path for any actual filesystem
++// operations.
++func prepareAt(dir Fd, path string) (dirFd int, unsafeUnmaskedPath string) {
++ dirFd, dirPath := -int(unix.EBADF), "."
++ if dir != nil {
++ dirFd, dirPath = int(dir.Fd()), dir.Name()
++ }
++ if !filepath.IsAbs(path) {
++ // only prepend the dirfd path for relative paths
++ path = dirPath + "/" + path
++ }
++ // NOTE: If path is "." or "", the returned path won't be filepath.Clean,
++ // but that's okay since this path is either used for errors (in which case
++ // a trailing "/" or "/." is important information) or will be
++ // filepath.Clean'd later (in the case of fd.Openat).
++ return dirFd, path
++}
++
++// Openat is an [Fd]-based wrapper around unix.Openat.
++func Openat(dir Fd, path string, flags int, mode int) (*os.File, error) { //nolint:unparam // wrapper func
++ dirFd, fullPath := prepareAt(dir, path)
++ // Make sure we always set O_CLOEXEC.
++ flags |= unix.O_CLOEXEC
++ fd, err := unix.Openat(dirFd, path, flags, uint32(mode))
++ if err != nil {
++ return nil, &os.PathError{Op: "openat", Path: fullPath, Err: err}
++ }
++ runtime.KeepAlive(dir)
++ // openat is only used with lexically-safe paths so we can use
++ // filepath.Clean here, and also the path itself is not going to be used
++ // for actual path operations.
++ fullPath = filepath.Clean(fullPath)
++ return os.NewFile(uintptr(fd), fullPath), nil
++}
++
++// Fstatat is an [Fd]-based wrapper around unix.Fstatat.
++func Fstatat(dir Fd, path string, flags int) (unix.Stat_t, error) {
++ dirFd, fullPath := prepareAt(dir, path)
++ var stat unix.Stat_t
++ if err := unix.Fstatat(dirFd, path, &stat, flags); err != nil {
++ return stat, &os.PathError{Op: "fstatat", Path: fullPath, Err: err}
++ }
++ runtime.KeepAlive(dir)
++ return stat, nil
++}
++
++// Faccessat is an [Fd]-based wrapper around unix.Faccessat.
++func Faccessat(dir Fd, path string, mode uint32, flags int) error {
++ dirFd, fullPath := prepareAt(dir, path)
++ err := unix.Faccessat(dirFd, path, mode, flags)
++ if err != nil {
++ err = &os.PathError{Op: "faccessat", Path: fullPath, Err: err}
++ }
++ runtime.KeepAlive(dir)
++ return err
++}
++
++// Readlinkat is an [Fd]-based wrapper around unix.Readlinkat.
++func Readlinkat(dir Fd, path string) (string, error) {
++ dirFd, fullPath := prepareAt(dir, path)
++ size := 4096
++ for {
++ linkBuf := make([]byte, size)
++ n, err := unix.Readlinkat(dirFd, path, linkBuf)
++ if err != nil {
++ return "", &os.PathError{Op: "readlinkat", Path: fullPath, Err: err}
++ }
++ runtime.KeepAlive(dir)
++ if n != size {
++ return string(linkBuf[:n]), nil
++ }
++ // Possible truncation, resize the buffer.
++ size *= 2
++ }
++}
++
++const (
++ // STATX_MNT_ID_UNIQUE is provided in golang.org/x/sys@v0.20.0, but in order to
++ // avoid bumping the requirement for a single constant we can just define it
++ // ourselves.
++ _STATX_MNT_ID_UNIQUE = 0x4000 //nolint:revive // unix.* name
++
++ // We don't care which mount ID we get. The kernel will give us the unique
++ // one if it is supported. If the kernel doesn't support
++ // STATX_MNT_ID_UNIQUE, the bit is ignored and the returned request mask
++ // will only contain STATX_MNT_ID (if supported).
++ wantStatxMntMask = _STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID
++)
++
++var hasStatxMountID = gocompat.SyncOnceValue(func() bool {
++ var stx unix.Statx_t
++ err := unix.Statx(-int(unix.EBADF), "/", 0, wantStatxMntMask, &stx)
++ return err == nil && stx.Mask&wantStatxMntMask != 0
++})
++
++// GetMountID gets the mount identifier associated with the fd and path
++// combination. It is effectively a wrapper around fetching
++// STATX_MNT_ID{,_UNIQUE} with unix.Statx, but with a fallback to 0 if the
++// kernel doesn't support the feature.
++func GetMountID(dir Fd, path string) (uint64, error) {
++ // If we don't have statx(STATX_MNT_ID*) support, we can't do anything.
++ if !hasStatxMountID() {
++ return 0, nil
++ }
++
++ dirFd, fullPath := prepareAt(dir, path)
++
++ var stx unix.Statx_t
++ err := unix.Statx(dirFd, path, unix.AT_EMPTY_PATH|unix.AT_SYMLINK_NOFOLLOW, wantStatxMntMask, &stx)
++ if stx.Mask&wantStatxMntMask == 0 {
++ // It's not a kernel limitation, for some reason we couldn't get a
++ // mount ID. Assume it's some kind of attack.
++ err = fmt.Errorf("could not get mount id: %w", err)
++ }
++ if err != nil {
++ return 0, &os.PathError{Op: "statx(STATX_MNT_ID_...)", Path: fullPath, Err: err}
++ }
++ runtime.KeepAlive(dir)
++ return stx.Mnt_id, nil
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd.go
+new file mode 100644
+index 00000000..d2206a38
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd.go
+@@ -0,0 +1,55 @@
++// SPDX-License-Identifier: MPL-2.0
++
++// Copyright (C) 2025 Aleksa Sarai
++// Copyright (C) 2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++// Package fd provides a drop-in interface-based replacement of [*os.File] that
++// allows for things like noop-Close wrappers to be used.
++//
++// [*os.File]: https://pkg.go.dev/os#File
++package fd
++
++import (
++ "io"
++ "os"
++)
++
++// Fd is an interface that mirrors most of the API of [*os.File], allowing you
++// to create wrappers that can be used in place of [*os.File].
++//
++// [*os.File]: https://pkg.go.dev/os#File
++type Fd interface {
++ io.Closer
++ Name() string
++ Fd() uintptr
++}
++
++// Compile-time interface checks.
++var (
++ _ Fd = (*os.File)(nil)
++ _ Fd = noClose{}
++)
++
++type noClose struct{ inner Fd }
++
++func (f noClose) Name() string { return f.inner.Name() }
++func (f noClose) Fd() uintptr { return f.inner.Fd() }
++
++func (f noClose) Close() error { return nil }
++
++// NopCloser returns an [*os.File]-like object where the [Close] method is now
++// a no-op.
++//
++// Note that for [*os.File] and similar objects, the Go garbage collector will
++// still call [Close] on the underlying file unless you use
++// [runtime.SetFinalizer] to disable this behaviour. This is up to the caller
++// to do (if necessary).
++//
++// [*os.File]: https://pkg.go.dev/os#File
++// [Close]: https://pkg.go.dev/io#Closer
++// [runtime.SetFinalizer]: https://pkg.go.dev/runtime#SetFinalizer
++func NopCloser(f Fd) Fd { return noClose{inner: f} }
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd_linux.go
+new file mode 100644
+index 00000000..e1ec3c0b
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd_linux.go
+@@ -0,0 +1,78 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0.
If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++package fd
++
++import (
++ "fmt"
++ "os"
++ "runtime"
++
++ "golang.org/x/sys/unix"
++
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal"
++)
++
++// DupWithName creates a new file descriptor referencing the same underlying
++// file, but with the provided name instead of fd.Name().
++func DupWithName(fd Fd, name string) (*os.File, error) {
++ fd2, err := unix.FcntlInt(fd.Fd(), unix.F_DUPFD_CLOEXEC, 0)
++ if err != nil {
++ return nil, os.NewSyscallError("fcntl(F_DUPFD_CLOEXEC)", err)
++ }
++ runtime.KeepAlive(fd)
++ return os.NewFile(uintptr(fd2), name), nil
++}
++
++// Dup creates a new file description referencing the same underlying file.
++func Dup(fd Fd) (*os.File, error) {
++ return DupWithName(fd, fd.Name())
++}
++
++// Fstat is an [Fd]-based wrapper around unix.Fstat.
++func Fstat(fd Fd) (unix.Stat_t, error) {
++ var stat unix.Stat_t
++ if err := unix.Fstat(int(fd.Fd()), &stat); err != nil {
++ return stat, &os.PathError{Op: "fstat", Path: fd.Name(), Err: err}
++ }
++ runtime.KeepAlive(fd)
++ return stat, nil
++}
++
++// Fstatfs is an [Fd]-based wrapper around unix.Fstatfs.
++func Fstatfs(fd Fd) (unix.Statfs_t, error) {
++ var statfs unix.Statfs_t
++ if err := unix.Fstatfs(int(fd.Fd()), &statfs); err != nil {
++ return statfs, &os.PathError{Op: "fstatfs", Path: fd.Name(), Err: err}
++ }
++ runtime.KeepAlive(fd)
++ return statfs, nil
++}
++
++// IsDeadInode detects whether the file has been unlinked from a filesystem and
++// is thus a "dead inode" from the kernel's perspective.
++func IsDeadInode(file Fd) error {
++ // If the nlink of a file drops to 0, there is an attacker deleting
++ // directories during our walk, which could result in weird /proc values.
++ // It's better to error out in this case.
++ stat, err := Fstat(file)
++ if err != nil {
++ return fmt.Errorf("check for dead inode: %w", err)
++ }
++ if stat.Nlink == 0 {
++ err := internal.ErrDeletedInode
++ if stat.Mode&unix.S_IFMT == unix.S_IFDIR {
++ err = internal.ErrInvalidDirectory
++ }
++ return fmt.Errorf("%w %q", err, file.Name())
++ }
++ return nil
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/mount_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/mount_linux.go
+new file mode 100644
+index 00000000..77549c7a
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/mount_linux.go
+@@ -0,0 +1,54 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++package fd
++
++import (
++ "os"
++ "runtime"
++
++ "golang.org/x/sys/unix"
++)
++
++// Fsopen is an [Fd]-based wrapper around unix.Fsopen.
++func Fsopen(fsName string, flags int) (*os.File, error) {
++ // Make sure we always set O_CLOEXEC.
++ flags |= unix.FSOPEN_CLOEXEC
++ fd, err := unix.Fsopen(fsName, flags)
++ if err != nil {
++ return nil, os.NewSyscallError("fsopen "+fsName, err)
++ }
++ return os.NewFile(uintptr(fd), "fscontext:"+fsName), nil
++}
++
++// Fsmount is an [Fd]-based wrapper around unix.Fsmount.
++func Fsmount(ctx Fd, flags, mountAttrs int) (*os.File, error) {
++ // Make sure we always set O_CLOEXEC.
++ flags |= unix.FSMOUNT_CLOEXEC
++ fd, err := unix.Fsmount(int(ctx.Fd()), flags, mountAttrs)
++ if err != nil {
++ return nil, os.NewSyscallError("fsmount "+ctx.Name(), err)
++ }
++ return os.NewFile(uintptr(fd), "fsmount:"+ctx.Name()), nil
++}
++
++// OpenTree is an [Fd]-based wrapper around unix.OpenTree.
++func OpenTree(dir Fd, path string, flags uint) (*os.File, error) {
++ dirFd, fullPath := prepareAt(dir, path)
++ // Make sure we always set O_CLOEXEC.
++ flags |= unix.OPEN_TREE_CLOEXEC
++ fd, err := unix.OpenTree(dirFd, path, flags)
++ if err != nil {
++ return nil, &os.PathError{Op: "open_tree", Path: fullPath, Err: err}
++ }
++ runtime.KeepAlive(dir)
++ return os.NewFile(uintptr(fd), fullPath), nil
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go
+new file mode 100644
+index 00000000..3e937fe3
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go
+@@ -0,0 +1,62 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++package fd
++
++import (
++ "errors"
++ "os"
++ "runtime"
++
++ "golang.org/x/sys/unix"
++)
++
++func scopedLookupShouldRetry(how *unix.OpenHow, err error) bool {
++ // RESOLVE_IN_ROOT (and RESOLVE_BENEATH) can return -EAGAIN if we resolve
++ // ".." while a mount or rename occurs anywhere on the system. This could
++ // happen spuriously, or as the result of an attacker trying to mess with
++ // us during lookup.
++ //
++ // In addition, scoped lookups have a "safety check" at the end of
++ // complete_walk which will return -EXDEV if the final path is not in the
++ // root.
++ return how.Resolve&(unix.RESOLVE_IN_ROOT|unix.RESOLVE_BENEATH) != 0 &&
++ (errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EXDEV))
++}
++
++// This is a fairly arbitrary limit we have just to avoid an attacker being
++// able to make us spin in an infinite retry loop -- callers can choose to
++// retry on EAGAIN if they prefer.
++const scopedLookupMaxRetries = 128
++
++// Openat2 is an [Fd]-based wrapper around unix.Openat2, but with some retry
++// logic in case of EAGAIN errors.
++func Openat2(dir Fd, path string, how *unix.OpenHow) (*os.File, error) {
++ dirFd, fullPath := prepareAt(dir, path)
++ // Make sure we always set O_CLOEXEC.
++ how.Flags |= unix.O_CLOEXEC
++ var tries int
++ for {
++ fd, err := unix.Openat2(dirFd, path, how)
++ if err != nil {
++ if scopedLookupShouldRetry(how, err) && tries < scopedLookupMaxRetries {
++ // We retry a couple of times to avoid the spurious errors, and
++ // if we are being attacked then returning -EAGAIN is the best
++ // we can do.
++ tries++
++ continue
++ }
++ return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: err}
++ }
++ runtime.KeepAlive(dir)
++ return os.NewFile(uintptr(fd), fullPath), nil
++ }
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_go120.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_go120.go
+new file mode 100644
+index 00000000..4a114bd3
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_go120.go
+@@ -0,0 +1,19 @@
++// SPDX-License-Identifier: BSD-3-Clause
++//go:build linux && go1.20
++
++// Copyright (C) 2024 SUSE LLC. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package gocompat
++
++import (
++ "fmt"
++)
++
++// WrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except
++// that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap)
++// is only guaranteed to give you baseErr.
++func WrapBaseError(baseErr, extraErr error) error {
++ return fmt.Errorf("%w: %w", extraErr, baseErr)
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_go121.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_go121.go
+new file mode 100644
+index 00000000..d4a93818
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_go121.go
+@@ -0,0 +1,53 @@
++// SPDX-License-Identifier: BSD-3-Clause
++
++//go:build linux && go1.21
++
++// Copyright (C) 2024-2025 SUSE LLC. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package gocompat
++
++import (
++ "cmp"
++ "slices"
++ "sync"
++)
++
++// SlicesDeleteFunc is equivalent to Go 1.21's slices.DeleteFunc.
++func SlicesDeleteFunc[S ~[]E, E any](slice S, delFn func(E) bool) S {
++ return slices.DeleteFunc(slice, delFn)
++}
++
++// SlicesContains is equivalent to Go 1.21's slices.Contains.
++func SlicesContains[S ~[]E, E comparable](slice S, val E) bool {
++ return slices.Contains(slice, val)
++}
++
++// SlicesClone is equivalent to Go 1.21's slices.Clone.
++func SlicesClone[S ~[]E, E any](slice S) S {
++ return slices.Clone(slice)
++}
++
++// SyncOnceValue is equivalent to Go 1.21's sync.OnceValue.
++func SyncOnceValue[T any](f func() T) func() T {
++ return sync.OnceValue(f)
++}
++
++// SyncOnceValues is equivalent to Go 1.21's sync.OnceValues.
++func SyncOnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
++ return sync.OnceValues(f)
++}
++
++// CmpOrdered is equivalent to Go 1.21's cmp.Ordered generic type definition.
++type CmpOrdered = cmp.Ordered
++
++// CmpCompare is equivalent to Go 1.21's cmp.Compare.
++func CmpCompare[T CmpOrdered](x, y T) int {
++ return cmp.Compare(x, y)
++}
++
++// Max2 is equivalent to Go 1.21's max builtin (but only for two parameters).
++func Max2[T CmpOrdered](x, y T) T {
++ return max(x, y)
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion/kernel_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion/kernel_linux.go
+new file mode 100644
+index 00000000..cb6de418
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion/kernel_linux.go
+@@ -0,0 +1,123 @@
++// SPDX-License-Identifier: BSD-3-Clause
++
++// Copyright (C) 2022 The Go Authors. All rights reserved.
++// Copyright (C) 2025 SUSE LLC. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE.BSD file.
++
++// The parsing logic is very loosely based on the Go stdlib's
++// src/internal/syscall/unix/kernel_version_linux.go but with an API that looks
++// a bit like runc's libcontainer/system/kernelversion.
++//
++// TODO(cyphar): This API has been copied around to a lot of different projects
++// (Docker, containerd, runc, and now filepath-securejoin) -- maybe we should
++// put it in a separate project?
++
++// Package kernelversion provides a simple mechanism for checking whether the
++// running kernel is at least as new as some baseline kernel version. This is
++// often useful when checking for features that would be too complicated to
++// test support for (or in cases where we know that some kernel features in
++// backport-heavy kernels are broken and need to be avoided).
++package kernelversion
++
++import (
++ "bytes"
++ "errors"
++ "fmt"
++ "strconv"
++ "strings"
++
++ "golang.org/x/sys/unix"
++
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
++)
++
++// KernelVersion is a numeric representation of the key numerical elements of a
++// kernel version (for instance, "4.1.2-default-1" would be represented as
++// KernelVersion{4, 1, 2}).
++type KernelVersion []uint64
++
++func (kver KernelVersion) String() string {
++ var str strings.Builder
++ for idx, elem := range kver {
++ if idx != 0 {
++ _, _ = str.WriteRune('.')
++ }
++ _, _ = str.WriteString(strconv.FormatUint(elem, 10))
++ }
++ return str.String()
++}
++
++var errInvalidKernelVersion = errors.New("invalid kernel version")
++
++// parseKernelVersion parses a string and creates a KernelVersion based on it.
++func parseKernelVersion(kverStr string) (KernelVersion, error) {
++ kver := make(KernelVersion, 1, 3)
++ for idx, ch := range kverStr {
++ if '0' <= ch && ch <= '9' {
++ v := &kver[len(kver)-1]
++ *v = (*v * 10) + uint64(ch-'0')
++ } else {
++ if idx == 0 || kverStr[idx-1] < '0' || '9' < kverStr[idx-1] {
++ // "." must be preceded by a digit while in version section
++ return nil, fmt.Errorf("%w %q: kernel version has dot(s) followed by non-digit in version section", errInvalidKernelVersion, kverStr)
++ }
++ if ch != '.' {
++ break
++ }
++ kver = append(kver, 0)
++ }
++ }
++ if len(kver) < 2 {
++ return nil, fmt.Errorf("%w %q: kernel versions must contain at least two components", errInvalidKernelVersion, kverStr)
++ }
++ return kver, nil
++}
++
++// getKernelVersion gets the current kernel version.
++var getKernelVersion = gocompat.SyncOnceValues(func() (KernelVersion, error) {
++ var uts unix.Utsname
++ if err := unix.Uname(&uts); err != nil {
++ return nil, err
++ }
++ // Remove the \x00 from the release.
++ release := uts.Release[:]
++ return parseKernelVersion(string(release[:bytes.IndexByte(release, 0)]))
++})
++
++// GreaterEqualThan returns true if the the host kernel version is greater than
++// or equal to the provided [KernelVersion]. When doing this comparison, any
++// non-numerical suffixes of the host kernel version are ignored.
++//
++// If the number of components provided is not equal to the number of numerical
++// components of the host kernel version, any missing components are treated as
++// 0. This means that GreaterEqualThan(KernelVersion{4}) will be treated the
++// same as GreaterEqualThan(KernelVersion{4, 0, 0, ..., 0, 0}), and that if the
++// host kernel version is "4" then GreaterEqualThan(KernelVersion{4, 1}) will
++// return false (because the host version will be treated as "4.0").
++func GreaterEqualThan(wantKver KernelVersion) (bool, error) {
++ hostKver, err := getKernelVersion()
++ if err != nil {
++ return false, err
++ }
++
++ // Pad out the kernel version lengths to match one another.
++ cmpLen := gocompat.Max2(len(hostKver), len(wantKver))
++ hostKver = append(hostKver, make(KernelVersion, cmpLen-len(hostKver))...)
++ wantKver = append(wantKver, make(KernelVersion, cmpLen-len(wantKver))...)
++
++ for i := 0; i < cmpLen; i++ {
++ switch gocompat.CmpCompare(hostKver[i], wantKver[i]) {
++ case -1:
++ // host < want
++ return false, nil
++ case +1:
++ // host > want
++ return true, nil
++ case 0:
++ continue
++ }
++ }
++ // equal version values
++ return true, nil
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/mount_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/mount_linux.go
+new file mode 100644
+index 00000000..b29905bf
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/mount_linux.go
+@@ -0,0 +1,47 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++package linux
++
++import (
++ "golang.org/x/sys/unix"
++
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion"
++)
++
++// HasNewMountAPI returns whether the new fsopen(2) mount API is supported on
++// the running kernel.
++var HasNewMountAPI = gocompat.SyncOnceValue(func() bool {
++ // All of the pieces of the new mount API we use (fsopen, fsconfig,
++ // fsmount, open_tree) were added together in Linux 5.2[1,2], so we can
++ // just check for one of the syscalls and the others should also be
++ // available.
++ //
++ // Just try to use open_tree(2) to open a file without OPEN_TREE_CLONE.
++ // This is equivalent to openat(2), but tells us if open_tree is
++ // available (and thus all of the other basic new mount API syscalls).
++ // open_tree(2) is most light-weight syscall to test here.
++ //
++ // [1]: merge commit 400913252d09
++ // [2]:
++ fd, err := unix.OpenTree(-int(unix.EBADF), "/", unix.OPEN_TREE_CLOEXEC)
++ if err != nil {
++ return false
++ }
++ _ = unix.Close(fd)
++
++ // RHEL 8 has a backport of fsopen(2) that appears to have some very
++ // difficult to debug performance pathology. As such, it seems prudent to
++ // simply reject pre-5.2 kernels.
++ isNotBackport, _ := kernelversion.GreaterEqualThan(kernelversion.KernelVersion{5, 2})
++ return isNotBackport
++})
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go
+new file mode 100644
+index 00000000..399609dc
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go
+@@ -0,0 +1,31 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++package linux
++
++import (
++ "golang.org/x/sys/unix"
++
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
++)
++
++// HasOpenat2 returns whether openat2(2) is supported on the running kernel.
++var HasOpenat2 = gocompat.SyncOnceValue(func() bool {
++ fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{
++ Flags: unix.O_PATH | unix.O_CLOEXEC,
++ Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT,
++ })
++ if err != nil {
++ return false
++ }
++ _ = unix.Close(fd)
++ return true
++})
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go
+new file mode 100644
+index 00000000..21e0a62e
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go
+@@ -0,0 +1,544 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++// Package procfs provides a safe API for operating on /proc on Linux. Note
++// that this is the *internal* procfs API, mainy needed due to Go's
++// restrictions on cyclic dependencies and its incredibly minimal visibility
++// system without making a separate internal/ package.
++package procfs
++
++import (
++ "errors"
++ "fmt"
++ "io"
++ "os"
++ "runtime"
++ "strconv"
++
++ "golang.org/x/sys/unix"
++
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
++)
++
++// The kernel guarantees that the root inode of a procfs mount has an
++// f_type of PROC_SUPER_MAGIC and st_ino of PROC_ROOT_INO.
++const (
++ procSuperMagic = 0x9fa0 // PROC_SUPER_MAGIC
++ procRootIno = 1 // PROC_ROOT_INO
++)
++
++// verifyProcHandle checks that the handle is from a procfs filesystem.
++// Contrast this to [verifyProcRoot], which also verifies that the handle is
++// the root of a procfs mount.
++func verifyProcHandle(procHandle fd.Fd) error {
++ if statfs, err := fd.Fstatfs(procHandle); err != nil {
++ return err
++ } else if statfs.Type != procSuperMagic {
++ return fmt.Errorf("%w: incorrect procfs root filesystem type 0x%x", errUnsafeProcfs, statfs.Type)
++ }
++ return nil
++}
++
++// verifyProcRoot verifies that the handle is the root of a procfs filesystem.
++// Contrast this to [verifyProcHandle], which only verifies if the handle is
++// some file on procfs (regardless of what file it is).
++func verifyProcRoot(procRoot fd.Fd) error {
++ if err := verifyProcHandle(procRoot); err != nil {
++ return err
++ }
++ if stat, err := fd.Fstat(procRoot); err != nil {
++ return err
++ } else if stat.Ino != procRootIno {
++ return fmt.Errorf("%w: incorrect procfs root inode number %d", errUnsafeProcfs, stat.Ino)
++ }
++ return nil
++}
++
++type procfsFeatures struct {
++ // hasSubsetPid was added in Linux 5.8, along with hidepid=ptraceable (and
++ // string-based hidepid= values). Before this patchset, it was not really
++ // safe to try to modify procfs superblock flags because the superblock was
++ // shared -- so if this feature is not available, **you should not set any
++ // superblock flags**.
++ //
++ // 6814ef2d992a ("proc: add option to mount only a pids subset")
++ // fa10fed30f25 ("proc: allow to mount many instances of proc in one pid namespace")
++ // 24a71ce5c47f ("proc: instantiate only pids that we can ptrace on 'hidepid=4' mount option")
++ // 1c6c4d112e81 ("proc: use human-readable values for hidepid")
++ // 9ff7258575d5 ("Merge branch 'proc-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace")
++ hasSubsetPid bool
++}
++
++var getProcfsFeatures = gocompat.SyncOnceValue(func() procfsFeatures {
++ if !linux.HasNewMountAPI() {
++ return procfsFeatures{}
++ }
++ procfsCtx, err := fd.Fsopen("proc", unix.FSOPEN_CLOEXEC)
++ if err != nil {
++ return procfsFeatures{}
++ }
++ defer procfsCtx.Close() //nolint:errcheck // close failures aren't critical here
++
++ return procfsFeatures{
++ hasSubsetPid: unix.FsconfigSetString(int(procfsCtx.Fd()), "subset", "pid") == nil,
++ }
++})
++
++func newPrivateProcMount(subset bool) (_ *Handle, Err error) {
++ procfsCtx, err := fd.Fsopen("proc", unix.FSOPEN_CLOEXEC)
++ if err != nil {
++ return nil, err
++ }
++ defer procfsCtx.Close() //nolint:errcheck // close failures aren't critical here
++
++ if subset && getProcfsFeatures().hasSubsetPid {
++ // Try to configure hidepid=ptraceable,subset=pid if possible, but
++ // ignore errors.
++ _ = unix.FsconfigSetString(int(procfsCtx.Fd()), "hidepid", "ptraceable")
++ _ = unix.FsconfigSetString(int(procfsCtx.Fd()), "subset", "pid")
++ }
++
++ // Get an actual handle.
++ if err := unix.FsconfigCreate(int(procfsCtx.Fd())); err != nil {
++ return nil, os.NewSyscallError("fsconfig create procfs", err)
++ }
++ // TODO: Output any information from the fscontext log to debug logs.
++ procRoot, err := fd.Fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID)
++ if err != nil {
++ return nil, err
++ }
++ defer func() {
++ if Err != nil {
++ _ = procRoot.Close()
++ }
++ }()
++ return newHandle(procRoot)
++}
++
++func clonePrivateProcMount() (_ *Handle, Err error) {
++ // Try to make a clone without using AT_RECURSIVE if we can. If this works,
++ // we can be sure there are no over-mounts and so if the root is valid then
++ // we're golden. Otherwise, we have to deal with over-mounts.
++ procRoot, err := fd.OpenTree(nil, "/proc", unix.OPEN_TREE_CLONE)
++ if err != nil || hookForcePrivateProcRootOpenTreeAtRecursive(procRoot) {
++ procRoot, err = fd.OpenTree(nil, "/proc", unix.OPEN_TREE_CLONE|unix.AT_RECURSIVE)
++ }
++ if err != nil {
++ return nil, fmt.Errorf("creating a detached procfs clone: %w", err)
++ }
++ defer func() {
++ if Err != nil {
++ _ = procRoot.Close()
++ }
++ }()
++ return newHandle(procRoot)
++}
++
++func privateProcRoot(subset bool) (*Handle, error) {
++ if !linux.HasNewMountAPI() || hookForceGetProcRootUnsafe() {
++ return nil, fmt.Errorf("new mount api: %w", unix.ENOTSUP)
++ }
++ // Try to create a new procfs mount from scratch if we can. This ensures we
++ // can get a procfs mount even if /proc is fake (for whatever reason).
++ procRoot, err := newPrivateProcMount(subset)
++ if err != nil || hookForcePrivateProcRootOpenTree(procRoot) {
++ // Try to clone /proc then...
++ procRoot, err = clonePrivateProcMount()
++ }
++ return procRoot, err
++}
++
++func unsafeHostProcRoot() (_ *Handle, Err error) {
++ procRoot, err := os.OpenFile("/proc", unix.O_PATH|unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
++ if err != nil {
++ return nil, err
++ }
++ defer func() {
++ if Err != nil {
++ _ = procRoot.Close()
++ }
++ }()
++ return newHandle(procRoot)
++}
++
++// Handle is a wrapper around an *os.File handle to "/proc", which can be used
++// to do further procfs-related operations in a safe way.
++type Handle struct {
++ Inner fd.Fd
++ // Does this handle have subset=pid set?
++ isSubset bool
++}
++
++func newHandle(procRoot fd.Fd) (*Handle, error) {
++ if err := verifyProcRoot(procRoot); err != nil {
++ // This is only used in methods that
++ _ = procRoot.Close()
++ return nil, err
++ }
++ proc := &Handle{Inner: procRoot}
++ // With subset=pid we can be sure that /proc/uptime will not exist.
++ if err := fd.Faccessat(proc.Inner, "uptime", unix.F_OK, unix.AT_SYMLINK_NOFOLLOW); err != nil {
++ proc.isSubset = errors.Is(err, os.ErrNotExist)
++ }
++ return proc, nil
++}
++
++// Close closes the underlying file for the Handle.
++func (proc *Handle) Close() error { return proc.Inner.Close() }
++
++var getCachedProcRoot = gocompat.SyncOnceValue(func() *Handle {
++ procRoot, err := getProcRoot(true)
++ if err != nil {
++ return nil // just don't cache if we see an error
++ }
++ if !procRoot.isSubset {
++ return nil // we only cache verified subset=pid handles
++ }
++
++ // Disarm (*Handle).Close() to stop someone from accidentally closing
++ // the global handle.
++ procRoot.Inner = fd.NopCloser(procRoot.Inner)
++ return procRoot
++})
++
++// OpenProcRoot tries to open a "safer" handle to "/proc".
++func OpenProcRoot() (*Handle, error) {
++ if proc := getCachedProcRoot(); proc != nil {
++ return proc, nil
++ }
++ return getProcRoot(true)
++}
++
++// OpenUnsafeProcRoot opens a handle to "/proc" without any overmounts or
++// masked paths (but also without "subset=pid").
++func OpenUnsafeProcRoot() (*Handle, error) { return getProcRoot(false) }
++
++func getProcRoot(subset bool) (*Handle, error) {
++ proc, err := privateProcRoot(subset)
++ if err != nil {
++ // Fall back to using a /proc handle if making a private mount failed.
++ // If we have openat2, at least we can avoid some kinds of over-mount
++ // attacks, but without openat2 there's not much we can do.
++ proc, err = unsafeHostProcRoot()
++ }
++ return proc, err
++}
++
++var hasProcThreadSelf = gocompat.SyncOnceValue(func() bool {
++ return unix.Access("/proc/thread-self/", unix.F_OK) == nil
++})
++
++var errUnsafeProcfs = errors.New("unsafe procfs detected")
++
++// lookup is a very minimal wrapper around [procfsLookupInRoot] which is
++// intended to be called from the external API.
++func (proc *Handle) lookup(subpath string) (*os.File, error) {
++ handle, err := procfsLookupInRoot(proc.Inner, subpath)
++ if err != nil {
++ return nil, err
++ }
++ return handle, nil
++}
++
++// procfsBase is an enum indicating the prefix of a subpath in operations
++// involving [Handle]s.
++type procfsBase string
++
++const (
++ // ProcRoot refers to the root of the procfs (i.e., "/proc/").
++ ProcRoot procfsBase = "/proc"
++ // ProcSelf refers to the current process' subdirectory (i.e.,
++ // "/proc/self/").
++ ProcSelf procfsBase = "/proc/self"
++ // ProcThreadSelf refers to the current thread's subdirectory (i.e.,
++ // "/proc/thread-self/"). In multi-threaded programs (i.e., all Go
++ // programs) where one thread has a different CLONE_FS, it is possible for
++ // "/proc/self" to point the wrong thread and so "/proc/thread-self" may be
++ // necessary. Note that on pre-3.17 kernels, "/proc/thread-self" doesn't
++ // exist and so a fallback will be used in that case.
++ ProcThreadSelf procfsBase = "/proc/thread-self"
++ // TODO: Switch to an interface setup so we can have a more type-safe
++ // version of ProcPid and remove the need to worry about invalid string
++ // values.
++)
++
++// prefix returns a prefix that can be used with the given [Handle].
++func (base procfsBase) prefix(proc *Handle) (string, error) {
++ switch base {
++ case ProcRoot:
++ return ".", nil
++ case ProcSelf:
++ return "self", nil
++ case ProcThreadSelf:
++ threadSelf := "thread-self"
++ if !hasProcThreadSelf() || hookForceProcSelfTask() {
++ // Pre-3.17 kernels don't have /proc/thread-self, so do it
++ // manually.
++ threadSelf = "self/task/" + strconv.Itoa(unix.Gettid())
++ if err := fd.Faccessat(proc.Inner, threadSelf, unix.F_OK, unix.AT_SYMLINK_NOFOLLOW); err != nil || hookForceProcSelf() {
++ // In this case, we running in a pid namespace that doesn't
++ // match the /proc mount we have. This can happen inside runc.
++ //
++ // Unfortunately, there is no nice way to get the correct TID
++ // to use here because of the age of the kernel, so we have to
++ // just use /proc/self and hope that it works.
++ threadSelf = "self"
++ }
++ }
++ return threadSelf, nil
++ }
++ return "", fmt.Errorf("invalid procfs base %q", base)
++}
++
++// ProcThreadSelfCloser is a callback that needs to be called when you are done
++// operating on an [os.File] fetched using [ProcThreadSelf].
++//
++// [os.File]: https://pkg.go.dev/os#File
++type ProcThreadSelfCloser func()
++
++// open is the core lookup operation for [Handle]. It returns a handle to
++// "/proc//". If the returned [ProcThreadSelfCloser] is non-nil,
++// you should call it after you are done interacting with the returned handle.
++//
++// In general you should use prefer to use the other helpers, as they remove
++// the need to interact with [procfsBase] and do not return a nil
++// [ProcThreadSelfCloser] for [procfsBase] values other than [ProcThreadSelf]
++// where it is necessary.
++func (proc *Handle) open(base procfsBase, subpath string) (_ *os.File, closer ProcThreadSelfCloser, Err error) {
++ prefix, err := base.prefix(proc)
++ if err != nil {
++ return nil, nil, err
++ }
++ subpath = prefix + "/" + subpath
++
++ switch base {
++ case ProcRoot:
++ file, err := proc.lookup(subpath)
++ if errors.Is(err, os.ErrNotExist) {
++ // The Handle handle in use might be a subset=pid one, which will
++ // result in spurious errors. In this case, just open a temporary
++ // unmasked procfs handle for this operation.
++ proc, err2 := OpenUnsafeProcRoot() // !subset=pid
++ if err2 != nil {
++ return nil, nil, err
++ }
++ defer proc.Close() //nolint:errcheck // close failures aren't critical here
++
++ file, err = proc.lookup(subpath)
++ }
++ return file, nil, err
++
++ case ProcSelf:
++ file, err := proc.lookup(subpath)
++ return file, nil, err
++
++ case ProcThreadSelf:
++ // We need to lock our thread until the caller is done with the handle
++ // because between getting the handle and using it we could get
++ // interrupted by the Go runtime and hit the case where the underlying
++ // thread is swapped out and the original thread is killed, resulting
++ // in pull-your-hair-out-hard-to-debug issues in the caller.
++ runtime.LockOSThread()
++ defer func() {
++ if Err != nil {
++ runtime.UnlockOSThread()
++ closer = nil
++ }
++ }()
++
++ file, err := proc.lookup(subpath)
++ return file, runtime.UnlockOSThread, err
++ }
++ // should never be reached
++ return nil, nil, fmt.Errorf("[internal error] invalid procfs base %q", base)
++}
++
++// OpenThreadSelf returns a handle to "/proc/thread-self/" (or an
++// equivalent handle on older kernels where "/proc/thread-self" doesn't exist).
++// Once finished with the handle, you must call the returned closer function
++// (runtime.UnlockOSThread). You must not pass the returned *os.File to other
++// Go threads or use the handle after calling the closer.
++func (proc *Handle) OpenThreadSelf(subpath string) (_ *os.File, _ ProcThreadSelfCloser, Err error) {
++ return proc.open(ProcThreadSelf, subpath)
++}
++
++// OpenSelf returns a handle to /proc/self/.
++func (proc *Handle) OpenSelf(subpath string) (*os.File, error) {
++ file, closer, err := proc.open(ProcSelf, subpath)
++ assert.Assert(closer == nil, "closer for ProcSelf must be nil")
++ return file, err
++}
++
++// OpenRoot returns a handle to /proc/.
++func (proc *Handle) OpenRoot(subpath string) (*os.File, error) {
++ file, closer, err := proc.open(ProcRoot, subpath)
++ assert.Assert(closer == nil, "closer for ProcRoot must be nil")
++ return file, err
++}
++
++// OpenPid returns a handle to /proc/$pid/ (pid can be a pid or tid).
++// This is mainly intended for usage when operating on other processes.
++func (proc *Handle) OpenPid(pid int, subpath string) (*os.File, error) {
++ return proc.OpenRoot(strconv.Itoa(pid) + "/" + subpath)
++}
++
++// checkSubpathOvermount checks if the dirfd and path combination is on the
++// same mount as the given root.
++func checkSubpathOvermount(root, dir fd.Fd, path string) error {
++ // Get the mntID of our procfs handle.
++ expectedMountID, err := fd.GetMountID(root, "")
++ if err != nil {
++ return fmt.Errorf("get root mount id: %w", err)
++ }
++ // Get the mntID of the target magic-link.
++ gotMountID, err := fd.GetMountID(dir, path)
++ if err != nil {
++ return fmt.Errorf("get subpath mount id: %w", err)
++ }
++ // As long as the directory mount is alive, even with wrapping mount IDs,
++ // we would expect to see a different mount ID here. (Of course, if we're
++ // using unsafeHostProcRoot() then an attaker could change this after we
++ // did this check.)
++ if expectedMountID != gotMountID {
++ return fmt.Errorf("%w: subpath %s/%s has an overmount obscuring the real path (mount ids do not match %d != %d)",
++ errUnsafeProcfs, dir.Name(), path, expectedMountID, gotMountID)
++ }
++ return nil
++}
++
++// Readlink performs a readlink operation on "/proc//" in a way
++// that should be free from race attacks. This is most commonly used to get the
++// real path of a file by looking at "/proc/self/fd/$n", with the same safety
++// protections as [Open] (as well as some additional checks against
++// overmounts).
++func (proc *Handle) Readlink(base procfsBase, subpath string) (string, error) {
++ link, closer, err := proc.open(base, subpath)
++ if closer != nil {
++ defer closer()
++ }
++ if err != nil {
++ return "", fmt.Errorf("get safe %s/%s handle: %w", base, subpath, err)
++ }
++ defer link.Close() //nolint:errcheck // close failures aren't critical here
++
++ // Try to detect if there is a mount on top of the magic-link. This should
++ // be safe in general (a mount on top of the path afterwards would not
++ // affect the handle itself) and will definitely be safe if we are using
++ // privateProcRoot() (at least since Linux 5.12[1], when anonymous mount
++ // namespaces were completely isolated from external mounts including mount
++ // propagation events).
++ //
++ // [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
++ // onto targets that reside on shared mounts").
++ if err := checkSubpathOvermount(proc.Inner, link, ""); err != nil {
++ return "", fmt.Errorf("check safety of %s/%s magiclink: %w", base, subpath, err)
++ }
++
++ // readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See Linux commit
++ // 65cfc6722361 ("readlinkat(), fchownat() and fstatat() with empty
++ // relative pathnames").
++ return fd.Readlinkat(link, "")
++}
++
++// ProcSelfFdReadlink gets the real path of the given file by looking at
++// readlink(/proc/thread-self/fd/$n).
++//
++// This is just a wrapper around [Handle.Readlink].
++func ProcSelfFdReadlink(fd fd.Fd) (string, error) {
++ procRoot, err := OpenProcRoot() // subset=pid
++ if err != nil {
++ return "", err
++ }
++ defer procRoot.Close() //nolint:errcheck // close failures aren't critical here
++
++ fdPath := "fd/" + strconv.Itoa(int(fd.Fd()))
++ return procRoot.Readlink(ProcThreadSelf, fdPath)
++}
++
++// CheckProcSelfFdPath returns whether the given file handle matches the
++// expected path. (This is inherently racy.)
++func CheckProcSelfFdPath(path string, file fd.Fd) error {
++ if err := fd.IsDeadInode(file); err != nil {
++ return err
++ }
++ actualPath, err := ProcSelfFdReadlink(file)
++ if err != nil {
++ return fmt.Errorf("get path of handle: %w", err)
++ }
++ if actualPath != path {
++ return fmt.Errorf("%w: handle path %q doesn't match expected path %q", internal.ErrPossibleBreakout, actualPath, path)
++ }
++ return nil
++}
++
++// ReopenFd takes an existing file descriptor and "re-opens" it through
++// /proc/thread-self/fd/. This allows for O_PATH file descriptors to be
++// upgraded to regular file descriptors, as well as changing the open mode of a
++// regular file descriptor. Some filesystems have unique handling of open(2)
++// which make this incredibly useful (such as /dev/ptmx).
++func ReopenFd(handle fd.Fd, flags int) (*os.File, error) {
++ procRoot, err := OpenProcRoot() // subset=pid
++ if err != nil {
++ return nil, err
++ }
++ defer procRoot.Close() //nolint:errcheck // close failures aren't critical here
++
++ // We can't operate on /proc/thread-self/fd/$n directly when doing a
++ // re-open, so we need to open /proc/thread-self/fd and then open a single
++ // final component.
++ procFdDir, closer, err := procRoot.OpenThreadSelf("fd/")
++ if err != nil {
++ return nil, fmt.Errorf("get safe /proc/thread-self/fd handle: %w", err)
++ }
++ defer procFdDir.Close() //nolint:errcheck // close failures aren't critical here
++ defer closer()
++
++ // Try to detect if there is a mount on top of the magic-link we are about
++ // to open. If we are using unsafeHostProcRoot(), this could change after
++ // we check it (and there's nothing we can do about that) but for
++ // privateProcRoot() this should be guaranteed to be safe (at least since
++ // Linux 5.12[1], when anonymous mount namespaces were completely isolated
++ // from external mounts including mount propagation events).
++ //
++ // [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
++ // onto targets that reside on shared mounts").
++ fdStr := strconv.Itoa(int(handle.Fd()))
++ if err := checkSubpathOvermount(procRoot.Inner, procFdDir, fdStr); err != nil {
++ return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)
++ }
++
++ flags |= unix.O_CLOEXEC
++ // Rather than just wrapping fd.Openat, open-code it so we can copy
++ // handle.Name().
++ reopenFd, err := unix.Openat(int(procFdDir.Fd()), fdStr, flags, 0)
++ if err != nil {
++ return nil, fmt.Errorf("reopen fd %d: %w", handle.Fd(), err)
++ }
++ return os.NewFile(uintptr(reopenFd), handle.Name()), nil
++}
++
++// Test hooks used in the procfs tests to verify that the fallback logic works.
++// See testing_mocks_linux_test.go and procfs_linux_test.go for more details.
++var (
++ hookForcePrivateProcRootOpenTree = hookDummyFile
++ hookForcePrivateProcRootOpenTreeAtRecursive = hookDummyFile
++ hookForceGetProcRootUnsafe = hookDummy
++
++ hookForceProcSelfTask = hookDummy
++ hookForceProcSelf = hookDummy
++)
++
++func hookDummy() bool { return false }
++func hookDummyFile(_ io.Closer) bool { return false }
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_lookup_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_lookup_linux.go
+new file mode 100644
+index 00000000..1ad1f18e
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_lookup_linux.go
+@@ -0,0 +1,222 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++// This code is adapted to be a minimal version of the libpathrs proc resolver
++// .
++// As we only need O_PATH|O_NOFOLLOW support, this is not too much to port.
++
++package procfs
++
++import (
++ "fmt"
++ "os"
++ "path"
++ "path/filepath"
++ "strings"
++
++ "golang.org/x/sys/unix"
++
++ "github.com/cyphar/filepath-securejoin/internal/consts"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
++)
++
++// procfsLookupInRoot is a stripped down version of completeLookupInRoot,
++// entirely designed to support the very small set of features necessary to
++// make procfs handling work. Unlike completeLookupInRoot, we always have
++// O_PATH|O_NOFOLLOW behaviour for trailing symlinks.
++//
++// The main restrictions are:
++//
++// - ".." is not supported (as it requires either os.Root-style replays,
++// which is more bug-prone; or procfs verification, which is not possible
++// due to re-entrancy issues).
++// - Absolute symlinks for the same reason (and all absolute symlinks in
++// procfs are magic-links, which we want to skip anyway).
++// - If statx is supported (checkSymlinkOvermount), any mount-point crossings
++// (which is the main attack of concern against /proc).
++// - Partial lookups are not supported, so the symlink stack is not needed.
++// - Trailing slash special handling is not necessary in most cases (if we
++// operating on procfs, it's usually with programmer-controlled strings
++// that will then be re-opened), so we skip it since whatever re-opens it
++// can deal with it. It's a creature comfort anyway.
++//
++// If the system supports openat2(), this is implemented using equivalent flags
++// (RESOLVE_BENEATH | RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS).
++func procfsLookupInRoot(procRoot fd.Fd, unsafePath string) (Handle *os.File, _ error) {
++ unsafePath = filepath.ToSlash(unsafePath) // noop
++
++ // Make sure that an empty unsafe path still returns something sane, even
++ // with openat2 (which doesn't have AT_EMPTY_PATH semantics yet).
++ if unsafePath == "" {
++ unsafePath = "."
++ }
++
++ // This is already checked by getProcRoot, but make sure here since the
++ // core security of this lookup is based on this assumption.
++ if err := verifyProcRoot(procRoot); err != nil {
++ return nil, err
++ }
++
++ if linux.HasOpenat2() {
++ // We prefer being able to use RESOLVE_NO_XDEV if we can, to be
++ // absolutely sure we are operating on a clean /proc handle that
++ // doesn't have any cheeky overmounts that could trick us (including
++ // symlink mounts on top of /proc/thread-self). RESOLVE_BENEATH isn't
++ // strictly needed, but just use it since we have it.
++ //
++ // NOTE: /proc/self is technically a magic-link (the contents of the
++ // symlink are generated dynamically), but it doesn't use
++ // nd_jump_link() so RESOLVE_NO_MAGICLINKS allows it.
++ //
++ // TODO: It would be nice to have RESOLVE_NO_DOTDOT, purely for
++ // self-consistency with the backup O_PATH resolver.
++ handle, err := fd.Openat2(procRoot, unsafePath, &unix.OpenHow{
++ Flags: unix.O_PATH | unix.O_NOFOLLOW | unix.O_CLOEXEC,
++ Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_XDEV | unix.RESOLVE_NO_MAGICLINKS,
++ })
++ if err != nil {
++ // TODO: Once we bump the minimum Go version to 1.20, we can use
++ // multiple %w verbs for this wrapping. For now we need to use a
++ // compatibility shim for older Go versions.
++ // err = fmt.Errorf("%w: %w", errUnsafeProcfs, err)
++ return nil, gocompat.WrapBaseError(err, errUnsafeProcfs)
++ }
++ return handle, nil
++ }
++
++ // To mirror openat2(RESOLVE_BENEATH), we need to return an error if the
++ // path is absolute.
++ if path.IsAbs(unsafePath) {
++ return nil, fmt.Errorf("%w: cannot resolve absolute paths in procfs resolver", internal.ErrPossibleBreakout)
++ }
++
++ currentDir, err := fd.Dup(procRoot)
++ if err != nil {
++ return nil, fmt.Errorf("clone root fd: %w", err)
++ }
++ defer func() {
++ // If a handle is not returned, close the internal handle.
++ if Handle == nil {
++ _ = currentDir.Close()
++ }
++ }()
++
++ var (
++ linksWalked int
++ currentPath string
++ remainingPath = unsafePath
++ )
++ for remainingPath != "" {
++ // Get the next path component.
++ var part string
++ if i := strings.IndexByte(remainingPath, '/'); i == -1 {
++ part, remainingPath = remainingPath, ""
++ } else {
++ part, remainingPath = remainingPath[:i], remainingPath[i+1:]
++ }
++ if part == "" {
++ // no-op component, but treat it the same as "."
++ part = "."
++ }
++ if part == ".." {
++ // not permitted
++ return nil, fmt.Errorf("%w: cannot walk into '..' in procfs resolver", internal.ErrPossibleBreakout)
++ }
++
++ // Apply the component lexically to the path we are building.
++ // currentPath does not contain any symlinks, and we are lexically
++ // dealing with a single component, so it's okay to do a filepath.Clean
++ // here. (Not to mention that ".." isn't allowed.)
++ nextPath := path.Join("/", currentPath, part)
++ // If we logically hit the root, just clone the root rather than
++ // opening the part and doing all of the other checks.
++ if nextPath == "/" {
++ // Jump to root.
++ rootClone, err := fd.Dup(procRoot)
++ if err != nil {
++ return nil, fmt.Errorf("clone root fd: %w", err)
++ }
++ _ = currentDir.Close()
++ currentDir = rootClone
++ currentPath = nextPath
++ continue
++ }
++
++ // Try to open the next component.
++ nextDir, err := fd.Openat(currentDir, part, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
++ if err != nil {
++ return nil, err
++ }
++
++ // Make sure we are still on procfs and haven't crossed mounts.
++ if err := verifyProcHandle(nextDir); err != nil {
++ _ = nextDir.Close()
++ return nil, fmt.Errorf("check %q component is on procfs: %w", part, err)
++ }
++ if err := checkSubpathOvermount(procRoot, nextDir, ""); err != nil {
++ _ = nextDir.Close()
++ return nil, fmt.Errorf("check %q component is not overmounted: %w", part, err)
++ }
++
++ // We are emulating O_PATH|O_NOFOLLOW, so we only need to traverse into
++ // trailing symlinks if we are not the final component. Otherwise we
++ // can just return the currentDir.
++ if remainingPath != "" {
++ st, err := nextDir.Stat()
++ if err != nil {
++ _ = nextDir.Close()
++ return nil, fmt.Errorf("stat component %q: %w", part, err)
++ }
++
++ if st.Mode()&os.ModeType == os.ModeSymlink {
++ // readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See
++ // Linux commit 65cfc6722361 ("readlinkat(), fchownat() and
++ // fstatat() with empty relative pathnames").
++ linkDest, err := fd.Readlinkat(nextDir, "")
++ // We don't need the handle anymore.
++ _ = nextDir.Close()
++ if err != nil {
++ return nil, err
++ }
++
++ linksWalked++
++ if linksWalked > consts.MaxSymlinkLimit {
++ return nil, &os.PathError{Op: "securejoin.procfsLookupInRoot", Path: "/proc/" + unsafePath, Err: unix.ELOOP}
++ }
++
++ // Update our logical remaining path.
++ remainingPath = linkDest + "/" + remainingPath
++ // Absolute symlinks are probably magiclinks, we reject them.
++ if path.IsAbs(linkDest) {
++ return nil, fmt.Errorf("%w: cannot jump to / in procfs resolver -- possible magiclink", internal.ErrPossibleBreakout)
++ }
++ continue
++ }
++ }
++
++ // Walk into the next component.
++ _ = currentDir.Close()
++ currentDir = nextDir
++ currentPath = nextPath
++ }
++
++ // One final sanity-check.
++ if err := verifyProcHandle(currentDir); err != nil {
++ return nil, fmt.Errorf("check final handle is on procfs: %w", err)
++ }
++ if err := checkSubpathOvermount(procRoot, currentDir, ""); err != nil {
++ return nil, fmt.Errorf("check final handle is not overmounted: %w", err)
++ }
++ return currentDir, nil
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/lookup_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/lookup_linux.go
+new file mode 100644
+index 00000000..f47504e6
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/lookup_linux.go
+@@ -0,0 +1,399 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++package pathrs
++
++import (
++ "errors"
++ "fmt"
++ "os"
++ "path"
++ "path/filepath"
++ "strings"
++
++ "golang.org/x/sys/unix"
++
++ "github.com/cyphar/filepath-securejoin/internal/consts"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs"
++)
++
++type symlinkStackEntry struct {
++ // (dir, remainingPath) is what we would've returned if the link didn't
++ // exist. This matches what openat2(RESOLVE_IN_ROOT) would return in
++ // this case.
++ dir *os.File
++ remainingPath string
++ // linkUnwalked is the remaining path components from the original
++ // Readlink which we have yet to walk. When this slice is empty, we
++ // drop the link from the stack.
++ linkUnwalked []string
++}
++
++func (se symlinkStackEntry) String() string {
++ return fmt.Sprintf("<%s>/%s [->%s]", se.dir.Name(), se.remainingPath, strings.Join(se.linkUnwalked, "/"))
++}
++
++func (se symlinkStackEntry) Close() {
++ _ = se.dir.Close()
++}
++
++type symlinkStack []*symlinkStackEntry
++
++func (s *symlinkStack) IsEmpty() bool {
++ return s == nil || len(*s) == 0
++}
++
++func (s *symlinkStack) Close() {
++ if s != nil {
++ for _, link := range *s {
++ link.Close()
++ }
++ // TODO: Switch to clear once we switch to Go 1.21.
++ *s = nil
++ }
++}
++
++var (
++ errEmptyStack = errors.New("[internal] stack is empty")
++ errBrokenSymlinkStack = errors.New("[internal error] broken symlink stack")
++)
++
++func (s *symlinkStack) popPart(part string) error {
++ if s == nil || s.IsEmpty() {
++ // If there is nothing in the symlink stack, then the part was from the
++ // real path provided by the user, and this is a no-op.
++ return errEmptyStack
++ }
++ if part == "." {
++ // "." components are no-ops -- we drop them when doing SwapLink.
++ return nil
++ }
++
++ tailEntry := (*s)[len(*s)-1]
++
++ // Double-check that we are popping the component we expect.
++ if len(tailEntry.linkUnwalked) == 0 {
++ return fmt.Errorf("%w: trying to pop component %q of empty stack entry %s", errBrokenSymlinkStack, part, tailEntry)
++ }
++ headPart := tailEntry.linkUnwalked[0]
++ if headPart != part {
++ return fmt.Errorf("%w: trying to pop component %q but the last stack entry is %s (%q)", errBrokenSymlinkStack, part, tailEntry, headPart)
++ }
++
++ // Drop the component, but keep the entry around in case we are dealing
++ // with a "tail-chained" symlink.
++ tailEntry.linkUnwalked = tailEntry.linkUnwalked[1:]
++ return nil
++}
++
++func (s *symlinkStack) PopPart(part string) error {
++ if err := s.popPart(part); err != nil {
++ if errors.Is(err, errEmptyStack) {
++ // Skip empty stacks.
++ err = nil
++ }
++ return err
++ }
++
++ // Clean up any of the trailing stack entries that are empty.
++ for lastGood := len(*s) - 1; lastGood >= 0; lastGood-- {
++ entry := (*s)[lastGood]
++ if len(entry.linkUnwalked) > 0 {
++ break
++ }
++ entry.Close()
++ (*s) = (*s)[:lastGood]
++ }
++ return nil
++}
++
++func (s *symlinkStack) push(dir *os.File, remainingPath, linkTarget string) error {
++ if s == nil {
++ return nil
++ }
++ // Split the link target and clean up any "" parts.
++ linkTargetParts := gocompat.SlicesDeleteFunc(
++ strings.Split(linkTarget, "/"),
++ func(part string) bool { return part == "" || part == "." })
++
++ // Copy the directory so the caller doesn't close our copy.
++ dirCopy, err := fd.Dup(dir)
++ if err != nil {
++ return err
++ }
++
++ // Add to the stack.
++ *s = append(*s, &symlinkStackEntry{
++ dir: dirCopy,
++ remainingPath: remainingPath,
++ linkUnwalked: linkTargetParts,
++ })
++ return nil
++}
++
++func (s *symlinkStack) SwapLink(linkPart string, dir *os.File, remainingPath, linkTarget string) error {
++ // If we are currently inside a symlink resolution, remove the symlink
++ // component from the last symlink entry, but don't remove the entry even
++ // if it's empty. If we are a "tail-chained" symlink (a trailing symlink we
++ // hit during a symlink resolution) we need to keep the old symlink until
++ // we finish the resolution.
++ if err := s.popPart(linkPart); err != nil {
++ if !errors.Is(err, errEmptyStack) {
++ return err
++ }
++ // Push the component regardless of whether the stack was empty.
++ }
++ return s.push(dir, remainingPath, linkTarget)
++}
++
++func (s *symlinkStack) PopTopSymlink() (*os.File, string, bool) {
++ if s == nil || s.IsEmpty() {
++ return nil, "", false
++ }
++ tailEntry := (*s)[0]
++ *s = (*s)[1:]
++ return tailEntry.dir, tailEntry.remainingPath, true
++}
++
++// partialLookupInRoot tries to lookup as much of the request path as possible
++// within the provided root (a-la RESOLVE_IN_ROOT) and opens the final existing
++// component of the requested path, returning a file handle to the final
++// existing component and a string containing the remaining path components.
++func partialLookupInRoot(root fd.Fd, unsafePath string) (*os.File, string, error) {
++ return lookupInRoot(root, unsafePath, true)
++}
++
++func completeLookupInRoot(root fd.Fd, unsafePath string) (*os.File, error) {
++ handle, remainingPath, err := lookupInRoot(root, unsafePath, false)
++ if remainingPath != "" && err == nil {
++ // should never happen
++ err = fmt.Errorf("[bug] non-empty remaining path when doing a non-partial lookup: %q", remainingPath)
++ }
++ // lookupInRoot(partial=false) will always close the handle if an error is
++ // returned, so no need to double-check here.
++ return handle, err
++}
++
++func lookupInRoot(root fd.Fd, unsafePath string, partial bool) (Handle *os.File, _ string, _ error) {
++ unsafePath = filepath.ToSlash(unsafePath) // noop
++
++ // This is very similar to SecureJoin, except that we operate on the
++ // components using file descriptors. We then return the last component we
++ // managed open, along with the remaining path components not opened.
++
++ // Try to use openat2 if possible.
++ if linux.HasOpenat2() {
++ return lookupOpenat2(root, unsafePath, partial)
++ }
++
++ // Get the "actual" root path from /proc/self/fd. This is necessary if the
++ // root is some magic-link like /proc/$pid/root, in which case we want to
++ // make sure when we do procfs.CheckProcSelfFdPath that we are using the
++ // correct root path.
++ logicalRootPath, err := procfs.ProcSelfFdReadlink(root)
++ if err != nil {
++ return nil, "", fmt.Errorf("get real root path: %w", err)
++ }
++
++ currentDir, err := fd.Dup(root)
++ if err != nil {
++ return nil, "", fmt.Errorf("clone root fd: %w", err)
++ }
++ defer func() {
++ // If a handle is not returned, close the internal handle.
++ if Handle == nil {
++ _ = currentDir.Close()
++ }
++ }()
++
++ // symlinkStack is used to emulate how openat2(RESOLVE_IN_ROOT) treats
++ // dangling symlinks. If we hit a non-existent path while resolving a
++ // symlink, we need to return the (dir, remainingPath) that we had when we
++ // hit the symlink (treating the symlink as though it were a regular file).
++ // The set of (dir, remainingPath) sets is stored within the symlinkStack
++ // and we add and remove parts when we hit symlink and non-symlink
++ // components respectively. We need a stack because of recursive symlinks
++ // (symlinks that contain symlink components in their target).
++ //
++ // Note that the stack is ONLY used for book-keeping. All of the actual
++ // path walking logic is still based on currentPath/remainingPath and
++ // currentDir (as in SecureJoin).
++ var symStack *symlinkStack
++ if partial {
++ symStack = new(symlinkStack)
++ defer symStack.Close()
++ }
++
++ var (
++ linksWalked int
++ currentPath string
++ remainingPath = unsafePath
++ )
++ for remainingPath != "" {
++ // Save the current remaining path so if the part is not real we can
++ // return the path including the component.
++ oldRemainingPath := remainingPath
++
++ // Get the next path component.
++ var part string
++ if i := strings.IndexByte(remainingPath, '/'); i == -1 {
++ part, remainingPath = remainingPath, ""
++ } else {
++ part, remainingPath = remainingPath[:i], remainingPath[i+1:]
++ }
++ // If we hit an empty component, we need to treat it as though it is
++ // "." so that trailing "/" and "//" components on a non-directory
++ // correctly return the right error code.
++ if part == "" {
++ part = "."
++ }
++
++ // Apply the component lexically to the path we are building.
++ // currentPath does not contain any symlinks, and we are lexically
++ // dealing with a single component, so it's okay to do a filepath.Clean
++ // here.
++ nextPath := path.Join("/", currentPath, part)
++ // If we logically hit the root, just clone the root rather than
++ // opening the part and doing all of the other checks.
++ if nextPath == "/" {
++ if err := symStack.PopPart(part); err != nil {
++ return nil, "", fmt.Errorf("walking into root with part %q failed: %w", part, err)
++ }
++ // Jump to root.
++ rootClone, err := fd.Dup(root)
++ if err != nil {
++ return nil, "", fmt.Errorf("clone root fd: %w", err)
++ }
++ _ = currentDir.Close()
++ currentDir = rootClone
++ currentPath = nextPath
++ continue
++ }
++
++ // Try to open the next component.
++ nextDir, err := fd.Openat(currentDir, part, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
++ switch err {
++ case nil:
++ st, err := nextDir.Stat()
++ if err != nil {
++ _ = nextDir.Close()
++ return nil, "", fmt.Errorf("stat component %q: %w", part, err)
++ }
++
++ switch st.Mode() & os.ModeType { //nolint:exhaustive // just a glorified if statement
++ case os.ModeSymlink:
++ // readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See
++ // Linux commit 65cfc6722361 ("readlinkat(), fchownat() and
++ // fstatat() with empty relative pathnames").
++ linkDest, err := fd.Readlinkat(nextDir, "")
++ // We don't need the handle anymore.
++ _ = nextDir.Close()
++ if err != nil {
++ return nil, "", err
++ }
++
++ linksWalked++
++ if linksWalked > consts.MaxSymlinkLimit {
++ return nil, "", &os.PathError{Op: "securejoin.lookupInRoot", Path: logicalRootPath + "/" + unsafePath, Err: unix.ELOOP}
++ }
++
++ // Swap out the symlink's component for the link entry itself.
++ if err := symStack.SwapLink(part, currentDir, oldRemainingPath, linkDest); err != nil {
++ return nil, "", fmt.Errorf("walking into symlink %q failed: push symlink: %w", part, err)
++ }
++
++ // Update our logical remaining path.
++ remainingPath = linkDest + "/" + remainingPath
++ // Absolute symlinks reset any work we've already done.
++ if path.IsAbs(linkDest) {
++ // Jump to root.
++ rootClone, err := fd.Dup(root)
++ if err != nil {
++ return nil, "", fmt.Errorf("clone root fd: %w", err)
++ }
++ _ = currentDir.Close()
++ currentDir = rootClone
++ currentPath = "/"
++ }
++
++ default:
++ // If we are dealing with a directory, simply walk into it.
++ _ = currentDir.Close()
++ currentDir = nextDir
++ currentPath = nextPath
++
++ // The part was real, so drop it from the symlink stack.
++ if err := symStack.PopPart(part); err != nil {
++ return nil, "", fmt.Errorf("walking into directory %q failed: %w", part, err)
++ }
++
++ // If we are operating on a .., make sure we haven't escaped.
++ // We only have to check for ".." here because walking down
++ // into a regular component component cannot cause you to
++ // escape. This mirrors the logic in RESOLVE_IN_ROOT, except we
++ // have to check every ".." rather than only checking after a
++ // rename or mount on the system.
++ if part == ".." {
++ // Make sure the root hasn't moved.
++ if err := procfs.CheckProcSelfFdPath(logicalRootPath, root); err != nil {
++ return nil, "", fmt.Errorf("root path moved during lookup: %w", err)
++ }
++ // Make sure the path is what we expect.
++ fullPath := logicalRootPath + nextPath
++ if err := procfs.CheckProcSelfFdPath(fullPath, currentDir); err != nil {
++ return nil, "", fmt.Errorf("walking into %q had unexpected result: %w", part, err)
++ }
++ }
++ }
++
++ default:
++ if !partial {
++ return nil, "", err
++ }
++ // If there are any remaining components in the symlink stack, we
++ // are still within a symlink resolution and thus we hit a dangling
++ // symlink. So pretend that the first symlink in the stack we hit
++ // was an ENOENT (to match openat2).
++ if oldDir, remainingPath, ok := symStack.PopTopSymlink(); ok {
++ _ = currentDir.Close()
++ return oldDir, remainingPath, err
++ }
++ // We have hit a final component that doesn't exist, so we have our
++ // partial open result. Note that we have to use the OLD remaining
++ // path, since the lookup failed.
++ return currentDir, oldRemainingPath, err
++ }
++ }
++
++ // If the unsafePath had a trailing slash, we need to make sure we try to
++ // do a relative "." open so that we will correctly return an error when
++ // the final component is a non-directory (to match openat2). In the
++ // context of openat2, a trailing slash and a trailing "/." are completely
++ // equivalent.
++ if strings.HasSuffix(unsafePath, "/") {
++ nextDir, err := fd.Openat(currentDir, ".", unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
++ if err != nil {
++ if !partial {
++ _ = currentDir.Close()
++ currentDir = nil
++ }
++ return currentDir, "", err
++ }
++ _ = currentDir.Close()
++ currentDir = nextDir
++ }
++
++ // All of the components existed!
++ return currentDir, "", nil
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_linux.go
+new file mode 100644
+index 00000000..c3122a61
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_linux.go
+@@ -0,0 +1,209 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++package pathrs
++
++import (
++ "errors"
++ "fmt"
++ "os"
++ "path/filepath"
++ "strings"
++
++ "golang.org/x/sys/unix"
++
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
++)
++
++var errInvalidMode = errors.New("invalid permission mode")
++
++// modePermExt is like os.ModePerm except that it also includes the set[ug]id
++// and sticky bits.
++const modePermExt = os.ModePerm | os.ModeSetuid | os.ModeSetgid | os.ModeSticky
++
++//nolint:cyclop // this function needs to handle a lot of cases
++func toUnixMode(mode os.FileMode) (uint32, error) {
++ sysMode := uint32(mode.Perm())
++ if mode&os.ModeSetuid != 0 {
++ sysMode |= unix.S_ISUID
++ }
++ if mode&os.ModeSetgid != 0 {
++ sysMode |= unix.S_ISGID
++ }
++ if mode&os.ModeSticky != 0 {
++ sysMode |= unix.S_ISVTX
++ }
++ // We don't allow file type bits.
++ if mode&os.ModeType != 0 {
++ return 0, fmt.Errorf("%w %+.3o (%s): type bits not permitted", errInvalidMode, mode, mode)
++ }
++ // We don't allow other unknown modes.
++ if mode&^modePermExt != 0 || sysMode&unix.S_IFMT != 0 {
++ return 0, fmt.Errorf("%w %+.3o (%s): unknown mode bits", errInvalidMode, mode, mode)
++ }
++ return sysMode, nil
++}
++
++// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use
++// in two respects:
++//
++// - The caller provides the root directory as an *[os.File] (preferably O_PATH)
++// handle. This means that the caller can be sure which root directory is
++// being used. Note that this can be emulated by using /proc/self/fd/... as
++// the root path with [os.MkdirAll].
++//
++// - Once all of the directories have been created, an *[os.File] O_PATH handle
++// to the directory at unsafePath is returned to the caller. This is done in
++// an effectively-race-free way (an attacker would only be able to swap the
++// final directory component), which is not possible to emulate with
++// [MkdirAll].
++//
++// In addition, the returned handle is obtained far more efficiently than doing
++// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after
++// doing [MkdirAll]. If you intend to open the directory after creating it, you
++// should use MkdirAllHandle.
++//
++// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
++func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (_ *os.File, Err error) {
++ unixMode, err := toUnixMode(mode)
++ if err != nil {
++ return nil, err
++ }
++ // On Linux, mkdirat(2) (and os.Mkdir) silently ignore the suid and sgid
++ // bits. We could also silently ignore them but since we have very few
++ // users it seems more prudent to return an error so users notice that
++ // these bits will not be set.
++ if unixMode&^0o1777 != 0 {
++ return nil, fmt.Errorf("%w for mkdir %+.3o: suid and sgid are ignored by mkdir", errInvalidMode, mode)
++ }
++
++ // Try to open as much of the path as possible.
++ currentDir, remainingPath, err := partialLookupInRoot(root, unsafePath)
++ defer func() {
++ if Err != nil {
++ _ = currentDir.Close()
++ }
++ }()
++ if err != nil && !errors.Is(err, unix.ENOENT) {
++ return nil, fmt.Errorf("find existing subpath of %q: %w", unsafePath, err)
++ }
++
++ // If there is an attacker deleting directories as we walk into them,
++ // detect this proactively. Note this is guaranteed to detect if the
++ // attacker deleted any part of the tree up to currentDir.
++ //
++ // Once we walk into a dead directory, partialLookupInRoot would not be
++ // able to walk further down the tree (directories must be empty before
++ // they are deleted), and if the attacker has removed the entire tree we
++ // can be sure that anything that was originally inside a dead directory
++ // must also be deleted and thus is a dead directory in its own right.
++ //
++ // This is mostly a quality-of-life check, because mkdir will simply fail
++ // later if the attacker deletes the tree after this check.
++ if err := fd.IsDeadInode(currentDir); err != nil {
++ return nil, fmt.Errorf("finding existing subpath of %q: %w", unsafePath, err)
++ }
++
++ // Re-open the path to match the O_DIRECTORY reopen loop later (so that we
++ // always return a non-O_PATH handle). We also check that we actually got a
++ // directory.
++ if reopenDir, err := Reopen(currentDir, unix.O_DIRECTORY|unix.O_CLOEXEC); errors.Is(err, unix.ENOTDIR) {
++ return nil, fmt.Errorf("cannot create subdirectories in %q: %w", currentDir.Name(), unix.ENOTDIR)
++ } else if err != nil {
++ return nil, fmt.Errorf("re-opening handle to %q: %w", currentDir.Name(), err)
++ } else { //nolint:revive // indent-error-flow lint doesn't make sense here
++ _ = currentDir.Close()
++ currentDir = reopenDir
++ }
++
++ remainingParts := strings.Split(remainingPath, string(filepath.Separator))
++ if gocompat.SlicesContains(remainingParts, "..") {
++ // The path contained ".." components after the end of the "real"
++ // components. We could try to safely resolve ".." here but that would
++ // add a bunch of extra logic for something that it's not clear even
++ // needs to be supported. So just return an error.
++ //
++ // If we do filepath.Clean(remainingPath) then we end up with the
++ // problem that ".." can erase a trailing dangling symlink and produce
++ // a path that doesn't quite match what the user asked for.
++ return nil, fmt.Errorf("%w: yet-to-be-created path %q contains '..' components", unix.ENOENT, remainingPath)
++ }
++
++ // Create the remaining components.
++ for _, part := range remainingParts {
++ switch part {
++ case "", ".":
++ // Skip over no-op paths.
++ continue
++ }
++
++ // NOTE: mkdir(2) will not follow trailing symlinks, so we can safely
++ // create the final component without worrying about symlink-exchange
++ // attacks.
++ //
++ // If we get -EEXIST, it's possible that another program created the
++ // directory at the same time as us.
In that case, just continue on as
++ // if we created it (if the created inode is not a directory, the
++ // following open call will fail).
++ if err := unix.Mkdirat(int(currentDir.Fd()), part, unixMode); err != nil && !errors.Is(err, unix.EEXIST) {
++ err = &os.PathError{Op: "mkdirat", Path: currentDir.Name() + "/" + part, Err: err}
++ // Make the error a bit nicer if the directory is dead.
++ if deadErr := fd.IsDeadInode(currentDir); deadErr != nil {
++ // TODO: Once we bump the minimum Go version to 1.20, we can use
++ // multiple %w verbs for this wrapping. For now we need to use a
++ // compatibility shim for older Go versions.
++ // err = fmt.Errorf("%w (%w)", err, deadErr)
++ err = gocompat.WrapBaseError(err, deadErr)
++ }
++ return nil, err
++ }
++
++ // Get a handle to the next component. O_DIRECTORY means we don't need
++ // to use O_PATH.
++ var nextDir *os.File
++ if linux.HasOpenat2() {
++ nextDir, err = openat2(currentDir, part, &unix.OpenHow{
++ Flags: unix.O_NOFOLLOW | unix.O_DIRECTORY | unix.O_CLOEXEC,
++ Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_NO_XDEV,
++ })
++ } else {
++ nextDir, err = fd.Openat(currentDir, part, unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
++ }
++ if err != nil {
++ return nil, err
++ }
++ _ = currentDir.Close()
++ currentDir = nextDir
++
++ // It's possible that the directory we just opened was swapped by an
++ // attacker. Unfortunately there isn't much we can do to protect
++ // against this, and MkdirAll's behaviour is that we will reuse
++ // existing directories anyway so the need to protect against this is
++ // incredibly limited (and arguably doesn't even deserve mention here).
++ //
++ // Ideally we might want to check that the owner and mode match what we
++ // would've created -- unfortunately, it is non-trivial to verify that
++ // the owner and mode of the created directory match.
While plain Unix
++ // DAC rules seem simple enough to emulate, there are a bunch of other
++ // factors that can change the mode or owner of created directories
++ // (default POSIX ACLs, mount options like uid=1,gid=2,umask=0 on
++ // filesystems like vfat, etc etc). We used to try to verify this but
++ // it just lead to a series of spurious errors.
++ //
++ // We could also check that the directory is non-empty, but
++ // unfortunately some pseduofilesystems (like cgroupfs) create
++ // non-empty directories, which would result in different spurious
++ // errors.
++ }
++ return currentDir, nil
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_linux.go
+new file mode 100644
+index 00000000..5f58807e
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_linux.go
+@@ -0,0 +1,35 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++package pathrs
++
++import (
++ "os"
++
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs"
++)
++
++// Reopen takes an *[os.File] handle and re-opens it through /proc/self/fd.
++// Reopen(file, flags) is effectively equivalent to
++//
++// fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
++// os.OpenFile(fdPath, flags|unix.O_CLOEXEC)
++//
++// But with some extra hardenings to ensure that we are not tricked by a
++// maliciously-configured /proc mount. While this attack scenario is not
++// common, in container runtimes it is possible for higher-level runtimes to be
++// tricked into configuring an unsafe /proc that can be used to attack file
++// operations.
See [CVE-2019-19921] for more details.
++//
++// [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
++func Reopen(handle *os.File, flags int) (*os.File, error) {
++ return procfs.ReopenFd(handle, flags)
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/openat2_linux.go
+new file mode 100644
+index 00000000..937bc435
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/openat2_linux.go
+@@ -0,0 +1,101 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++package pathrs
++
++import (
++ "errors"
++ "fmt"
++ "os"
++ "path/filepath"
++ "strings"
++
++ "golang.org/x/sys/unix"
++
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
++)
++
++func openat2(dir fd.Fd, path string, how *unix.OpenHow) (*os.File, error) {
++ file, err := fd.Openat2(dir, path, how)
++ if err != nil {
++ return nil, err
++ }
++ // If we are using RESOLVE_IN_ROOT, the name we generated may be wrong.
++ if how.Resolve&unix.RESOLVE_IN_ROOT == unix.RESOLVE_IN_ROOT {
++ if actualPath, err := procfs.ProcSelfFdReadlink(file); err == nil {
++ // TODO: Ideally we would not need to dup the fd, but you cannot
++ // easily just swap an *os.File with one from the same fd
++ // (the GC will close the old one, and you cannot clear the
++ // finaliser easily because it is associated with an internal
++ // field of *os.File not *os.File itself).
++ newFile, err := fd.DupWithName(file, actualPath)
++ if err != nil {
++ return nil, err
++ }
++ file = newFile
++ }
++ }
++ return file, nil
++}
++
++func lookupOpenat2(root fd.Fd, unsafePath string, partial bool) (*os.File, string, error) {
++ if !partial {
++ file, err := openat2(root, unsafePath, &unix.OpenHow{
++ Flags: unix.O_PATH | unix.O_CLOEXEC,
++ Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
++ })
++ return file, "", err
++ }
++ return partialLookupOpenat2(root, unsafePath)
++}
++
++// partialLookupOpenat2 is an alternative implementation of
++// partialLookupInRoot, using openat2(RESOLVE_IN_ROOT) to more safely get a
++// handle to the deepest existing child of the requested path within the root.
++func partialLookupOpenat2(root fd.Fd, unsafePath string) (*os.File, string, error) {
++ // TODO: Implement this as a git-bisect-like binary search.
++
++ unsafePath = filepath.ToSlash(unsafePath) // noop
++ endIdx := len(unsafePath)
++ var lastError error
++ for endIdx > 0 {
++ subpath := unsafePath[:endIdx]
++
++ handle, err := openat2(root, subpath, &unix.OpenHow{
++ Flags: unix.O_PATH | unix.O_CLOEXEC,
++ Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
++ })
++ if err == nil {
++ // Jump over the slash if we have a non-"" remainingPath.
++ if endIdx < len(unsafePath) {
++ endIdx++
++ }
++ // We found a subpath!
++ return handle, unsafePath[endIdx:], lastError
++ }
++ if errors.Is(err, unix.ENOENT) || errors.Is(err, unix.ENOTDIR) {
++ // That path doesn't exist, let's try the next directory up.
++ endIdx = strings.LastIndexByte(subpath, '/')
++ lastError = err
++ continue
++ }
++ return nil, "", fmt.Errorf("open subpath: %w", err)
++ }
++ // If we couldn't open anything, the whole subpath is missing. Return a
++ // copy of the root fd so that the caller doesn't close this one by
++ // accident.
++ rootClone, err := fd.Dup(root)
++ if err != nil {
++ return nil, "", err
++ }
++ return rootClone, unsafePath, lastError
++}
+diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_linux.go
+new file mode 100644
+index 00000000..ec187a41
+--- /dev/null
++++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_linux.go
+@@ -0,0 +1,157 @@
++// SPDX-License-Identifier: MPL-2.0
++
++//go:build linux
++
++// Copyright (C) 2024-2025 Aleksa Sarai
++// Copyright (C) 2024-2025 SUSE LLC
++//
++// This Source Code Form is subject to the terms of the Mozilla Public
++// License, v. 2.0. If a copy of the MPL was not distributed with this
++// file, You can obtain one at https://mozilla.org/MPL/2.0/.
++
++// Package procfs provides a safe API for operating on /proc on Linux.
++package procfs
++
++import (
++ "os"
++
++ "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs"
++)
++
++// This package mostly just wraps internal/procfs APIs. This is necessary
++// because we are forced to export some things from internal/procfs in order to
++// avoid some dependency cycle issues, but we don't want users to see or use
++// them.
++
++// ProcThreadSelfCloser is a callback that needs to be called when you are done
++// operating on an [os.File] fetched using [Handle.OpenThreadSelf].
++//
++// [os.File]: https://pkg.go.dev/os#File
++type ProcThreadSelfCloser = procfs.ProcThreadSelfCloser
++
++// Handle is a wrapper around an *os.File handle to "/proc", which can be used
++// to do further procfs-related operations in a safe way.
++type Handle struct {
++ inner *procfs.Handle
++}
++
++// Close close the resources associated with this [Handle]. Note that if this
++// [Handle] was created with [OpenProcRoot], on some kernels the underlying
++// procfs handle is cached and so this Close operation may be a no-op.
However,
++// you should always call Close on [Handle]s once you are done with them.
++func (proc *Handle) Close() error { return proc.inner.Close() }
++
++// OpenProcRoot tries to open a "safer" handle to "/proc" (i.e., one with the
++// "subset=pid" mount option applied, available from Linux 5.8). Unless you
++// plan to do many [Handle.OpenRoot] operations, users should prefer to use
++// this over [OpenUnsafeProcRoot] which is far more dangerous to keep open.
++//
++// If a safe handle cannot be opened, OpenProcRoot will fall back to opening a
++// regular "/proc" handle.
++//
++// Note that using [Handle.OpenRoot] will still work with handles returned by
++// this function. If a subpath cannot be operated on with a safe "/proc"
++// handle, then [OpenUnsafeProcRoot] will be called internally and a temporary
++// unsafe handle will be used.
++func OpenProcRoot() (*Handle, error) {
++ proc, err := procfs.OpenProcRoot()
++ if err != nil {
++ return nil, err
++ }
++ return &Handle{inner: proc}, nil
++}
++
++// OpenUnsafeProcRoot opens a handle to "/proc" without any overmounts or
++// masked paths. You must be extremely careful to make sure this handle is
++// never leaked to a container and that you program cannot be tricked into
++// writing to arbitrary paths within it.
++//
++// This is not necessary if you just wish to use [Handle.OpenRoot], as handles
++// returned by [OpenProcRoot] will fall back to using a *temporary* unsafe
++// handle in that case. You should only really use this if you need to do many
++// operations with [Handle.OpenRoot] and the performance overhead of making
++// many procfs handles is an issue. If you do use OpenUnsafeProcRoot, you
++// should make sure to close the handle as soon as possible to avoid
++// known-fd-number attacks.
++func OpenUnsafeProcRoot() (*Handle, error) {
++ proc, err := procfs.OpenUnsafeProcRoot()
++ if err != nil {
++ return nil, err
++ }
++ return &Handle{inner: proc}, nil
++}
++
++// OpenThreadSelf returns a handle to "/proc/thread-self/" (or an
++// equivalent handle on older kernels where "/proc/thread-self" doesn't exist).
++// Once finished with the handle, you must call the returned closer function
++// ([runtime.UnlockOSThread]). You must not pass the returned *os.File to other
++// Go threads or use the handle after calling the closer.
++//
++// [runtime.UnlockOSThread]: https://pkg.go.dev/runtime#UnlockOSThread
++func (proc *Handle) OpenThreadSelf(subpath string) (*os.File, ProcThreadSelfCloser, error) {
++ return proc.inner.OpenThreadSelf(subpath)
++}
++
++// OpenSelf returns a handle to /proc/self/.
++//
++// Note that in Go programs with non-homogenous threads, this may result in
++// spurious errors. If you are monkeying around with APIs that are
++// thread-specific, you probably want to use [Handle.OpenThreadSelf] instead
++// which will guarantee that the handle refers to the same thread as the caller
++// is executing on.
++func (proc *Handle) OpenSelf(subpath string) (*os.File, error) {
++ return proc.inner.OpenSelf(subpath)
++}
++
++// OpenRoot returns a handle to /proc/.
++//
++// You should only use this when you need to operate on global procfs files
++// (such as sysctls in /proc/sys). Unlike [Handle.OpenThreadSelf],
++// [Handle.OpenSelf], and [Handle.OpenPid], the procfs handle used internally
++// for this operation will never use "subset=pid", which makes it a more juicy
++// target for [CVE-2024-21626]-style attacks (and doing something like opening
++// a directory with OpenRoot effectively leaks [OpenUnsafeProcRoot] as long as
++// the file descriptor is open).
++// ++// [CVE-2024-21626]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv ++func (proc *Handle) OpenRoot(subpath string) (*os.File, error) { ++ return proc.inner.OpenRoot(subpath) ++} ++ ++// OpenPid returns a handle to /proc/$pid/ (pid can be a pid or tid). ++// This is mainly intended for usage when operating on other processes. ++// ++// You should not use this for the current thread, as special handling is ++// needed for /proc/thread-self (or /proc/self/task/) when dealing with ++// goroutine scheduling -- use [Handle.OpenThreadSelf] instead. ++// ++// To refer to the current thread-group, you should use prefer ++// [Handle.OpenSelf] to passing os.Getpid as the pid argument. ++func (proc *Handle) OpenPid(pid int, subpath string) (*os.File, error) { ++ return proc.inner.OpenPid(pid, subpath) ++} ++ ++// ProcSelfFdReadlink gets the real path of the given file by looking at ++// /proc/self/fd/ with [readlink]. It is effectively just shorthand for ++// something along the lines of: ++// ++// proc, err := procfs.OpenProcRoot() ++// if err != nil { ++// return err ++// } ++// link, err := proc.OpenThreadSelf(fmt.Sprintf("fd/%d", f.Fd())) ++// if err != nil { ++// return err ++// } ++// defer link.Close() ++// var buf [4096]byte ++// n, err := unix.Readlinkat(int(link.Fd()), "", buf[:]) ++// if err != nil { ++// return err ++// } ++// pathname := buf[:n] ++// ++// [readlink]: https://pkg.go.dev/golang.org/x/sys/unix#Readlinkat ++func ProcSelfFdReadlink(f *os.File) (string, error) { ++ return procfs.ProcSelfFdReadlink(f) ++} +diff --git a/vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall_pathrslite.go b/vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall_pathrslite.go +new file mode 100644 +index 00000000..a9a0157c +--- /dev/null ++++ b/vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall_pathrslite.go +@@ -0,0 +1,99 @@ ++// SPDX-License-Identifier: Apache-2.0 ++/* ++ * Copyright (C) 2024-2025 Aleksa 
Sarai ++ * Copyright (C) 2024-2025 SUSE LLC ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++package pathrs ++ ++import ( ++ "fmt" ++ "os" ++ "path/filepath" ++ ++ "github.com/cyphar/filepath-securejoin/pathrs-lite" ++ "github.com/sirupsen/logrus" ++ "golang.org/x/sys/unix" ++) ++ ++// MkdirAllInRootOpen attempts to make ++// ++// path, _ := securejoin.SecureJoin(root, unsafePath) ++// os.MkdirAll(path, mode) ++// os.Open(path) ++// ++// safer against attacks where components in the path are changed between ++// SecureJoin returning and MkdirAll (or Open) being called. In particular, we ++// try to detect any symlink components in the path while we are doing the ++// MkdirAll. ++// ++// NOTE: If unsafePath is a subpath of root, we assume that you have already ++// called SecureJoin and so we use the provided path verbatim without resolving ++// any symlinks (this is done in a way that avoids symlink-exchange races). ++// This means that the path also must not contain ".." elements, otherwise an ++// error will occur. ++// ++// This uses (pathrs-lite).MkdirAllHandle under the hood, but it has special ++// handling if unsafePath has already been scoped within the rootfs (this is ++// needed for a lot of runc callers and fixing this would require reworking a ++// lot of path logic). 
++func MkdirAllInRootOpen(root, unsafePath string, mode os.FileMode) (*os.File, error) { ++ // If the path is already "within" the root, get the path relative to the ++ // root and use that as the unsafe path. This is necessary because a lot of ++ // MkdirAllInRootOpen callers have already done SecureJoin, and refactoring ++ // all of them to stop using these SecureJoin'd paths would require a fair ++ // amount of work. ++ // TODO(cyphar): Do the refactor to libpathrs once it's ready. ++ if IsLexicallyInRoot(root, unsafePath) { ++ subPath, err := filepath.Rel(root, unsafePath) ++ if err != nil { ++ return nil, err ++ } ++ unsafePath = subPath ++ } ++ ++ // Check for any silly mode bits. ++ if mode&^0o7777 != 0 { ++ return nil, fmt.Errorf("tried to include non-mode bits in MkdirAll mode: 0o%.3o", mode) ++ } ++ // Linux (and thus os.MkdirAll) silently ignores the suid and sgid bits if ++ // passed. While it would make sense to return an error in that case (since ++ // the user has asked for a mode that won't be applied), for compatibility ++ // reasons we have to ignore these bits. ++ if ignoredBits := mode &^ 0o1777; ignoredBits != 0 { ++ logrus.Warnf("MkdirAll called with no-op mode bits that are ignored by Linux: 0o%.3o", ignoredBits) ++ mode &= 0o1777 ++ } ++ ++ rootDir, err := os.OpenFile(root, unix.O_DIRECTORY|unix.O_CLOEXEC, 0) ++ if err != nil { ++ return nil, fmt.Errorf("open root handle: %w", err) ++ } ++ defer rootDir.Close() ++ ++ return retryEAGAIN(func() (*os.File, error) { ++ return pathrs.MkdirAllHandle(rootDir, unsafePath, mode) ++ }) ++} ++ ++// MkdirAllInRoot is a wrapper around MkdirAllInRootOpen which closes the ++// returned handle, for callers that don't need to use it. 
++func MkdirAllInRoot(root, unsafePath string, mode os.FileMode) error { ++ f, err := MkdirAllInRootOpen(root, unsafePath, mode) ++ if err == nil { ++ _ = f.Close() ++ } ++ return err ++} +diff --git a/vendor/github.com/opencontainers/runc/internal/pathrs/path.go b/vendor/github.com/opencontainers/runc/internal/pathrs/path.go +new file mode 100644 +index 00000000..1ee7c795 +--- /dev/null ++++ b/vendor/github.com/opencontainers/runc/internal/pathrs/path.go +@@ -0,0 +1,34 @@ ++// SPDX-License-Identifier: Apache-2.0 ++/* ++ * Copyright (C) 2024-2025 Aleksa Sarai ++ * Copyright (C) 2024-2025 SUSE LLC ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++package pathrs ++ ++import ( ++ "strings" ++) ++ ++// IsLexicallyInRoot is shorthand for strings.HasPrefix(path+"/", root+"/"), ++// but properly handling the case where path or root have a "/" suffix. ++// ++// NOTE: The return value only make sense if the path is already mostly cleaned ++// (i.e., doesn't contain "..", ".", nor unneeded "/"s). 
++func IsLexicallyInRoot(root, path string) bool { ++ root = strings.TrimRight(root, "/") ++ path = strings.TrimRight(path, "/") ++ return strings.HasPrefix(path+"/", root+"/") ++} +diff --git a/vendor/github.com/opencontainers/runc/internal/pathrs/procfs_pathrslite.go b/vendor/github.com/opencontainers/runc/internal/pathrs/procfs_pathrslite.go +new file mode 100644 +index 00000000..37450a0e +--- /dev/null ++++ b/vendor/github.com/opencontainers/runc/internal/pathrs/procfs_pathrslite.go +@@ -0,0 +1,108 @@ ++// SPDX-License-Identifier: Apache-2.0 ++/* ++ * Copyright (C) 2025 Aleksa Sarai ++ * Copyright (C) 2025 SUSE LLC ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++package pathrs ++ ++import ( ++ "fmt" ++ "os" ++ ++ "github.com/cyphar/filepath-securejoin/pathrs-lite" ++ "github.com/cyphar/filepath-securejoin/pathrs-lite/procfs" ++) ++ ++func procOpenReopen(openFn func(subpath string) (*os.File, error), subpath string, flags int) (*os.File, error) { ++ handle, err := retryEAGAIN(func() (*os.File, error) { ++ return openFn(subpath) ++ }) ++ if err != nil { ++ return nil, err ++ } ++ defer handle.Close() ++ ++ f, err := Reopen(handle, flags) ++ if err != nil { ++ return nil, fmt.Errorf("reopen %s: %w", handle.Name(), err) ++ } ++ return f, nil ++} ++ ++// ProcSelfOpen is a wrapper around [procfs.Handle.OpenSelf] and ++// [pathrs.Reopen], to let you one-shot open a procfs file with the given ++// flags. 
++func ProcSelfOpen(subpath string, flags int) (*os.File, error) { ++ proc, err := retryEAGAIN(procfs.OpenProcRoot) ++ if err != nil { ++ return nil, err ++ } ++ defer proc.Close() ++ return procOpenReopen(proc.OpenSelf, subpath, flags) ++} ++ ++// ProcPidOpen is a wrapper around [procfs.Handle.OpenPid] and [pathrs.Reopen], ++// to let you one-shot open a procfs file with the given flags. ++func ProcPidOpen(pid int, subpath string, flags int) (*os.File, error) { ++ proc, err := retryEAGAIN(procfs.OpenProcRoot) ++ if err != nil { ++ return nil, err ++ } ++ defer proc.Close() ++ return procOpenReopen(func(subpath string) (*os.File, error) { ++ return proc.OpenPid(pid, subpath) ++ }, subpath, flags) ++} ++ ++// ProcThreadSelfOpen is a wrapper around [procfs.Handle.OpenThreadSelf] and ++// [pathrs.Reopen], to let you one-shot open a procfs file with the given ++// flags. The returned [procfs.ProcThreadSelfCloser] needs the same handling as ++// when using pathrs-lite. ++func ProcThreadSelfOpen(subpath string, flags int) (_ *os.File, _ procfs.ProcThreadSelfCloser, Err error) { ++ proc, err := retryEAGAIN(procfs.OpenProcRoot) ++ if err != nil { ++ return nil, nil, err ++ } ++ defer proc.Close() ++ ++ handle, closer, err := retryEAGAIN2(func() (*os.File, procfs.ProcThreadSelfCloser, error) { ++ return proc.OpenThreadSelf(subpath) ++ }) ++ if err != nil { ++ return nil, nil, err ++ } ++ if closer != nil { ++ defer func() { ++ if Err != nil { ++ closer() ++ } ++ }() ++ } ++ defer handle.Close() ++ ++ f, err := Reopen(handle, flags) ++ if err != nil { ++ return nil, nil, fmt.Errorf("reopen %s: %w", handle.Name(), err) ++ } ++ return f, closer, nil ++} ++ ++// Reopen is a wrapper around pathrs.Reopen. 
++func Reopen(file *os.File, flags int) (*os.File, error) { ++ return retryEAGAIN(func() (*os.File, error) { ++ return pathrs.Reopen(file, flags) ++ }) ++} +diff --git a/vendor/github.com/opencontainers/runc/internal/pathrs/retry.go b/vendor/github.com/opencontainers/runc/internal/pathrs/retry.go +new file mode 100644 +index 00000000..a51d335c +--- /dev/null ++++ b/vendor/github.com/opencontainers/runc/internal/pathrs/retry.go +@@ -0,0 +1,66 @@ ++// SPDX-License-Identifier: Apache-2.0 ++/* ++ * Copyright (C) 2024-2025 Aleksa Sarai ++ * Copyright (C) 2024-2025 SUSE LLC ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++package pathrs ++ ++import ( ++ "errors" ++ "fmt" ++ "time" ++ ++ "golang.org/x/sys/unix" ++) ++ ++// Based on >50k tests running "runc run" on a 16-core system with very heavy ++// rename(2) load, the single longest latency caused by -EAGAIN retries was ++// ~800us (with the vast majority being closer to 400us). So, a 2ms limit ++// should give more than enough headroom for any real system in practice. ++const retryDeadline = 2 * time.Millisecond ++ ++// retryEAGAIN is a top-level retry loop for pathrs to try to returning ++// spurious errors in most normal user cases when using openat2 (libpathrs ++// itself does up to 128 retries already, but this method takes a ++// wallclock-deadline approach to simply retry until a timer elapses). 
++func retryEAGAIN[T any](fn func() (T, error)) (T, error) { ++ deadline := time.After(retryDeadline) ++ for { ++ v, err := fn() ++ if !errors.Is(err, unix.EAGAIN) { ++ return v, err ++ } ++ select { ++ case <-deadline: ++ return *new(T), fmt.Errorf("%v retry deadline exceeded: %w", retryDeadline, err) ++ default: ++ // retry ++ } ++ } ++} ++ ++// retryEAGAIN2 is like retryEAGAIN except it returns two values. ++func retryEAGAIN2[T1, T2 any](fn func() (T1, T2, error)) (T1, T2, error) { ++ type ret struct { ++ v1 T1 ++ v2 T2 ++ } ++ v, err := retryEAGAIN(func() (ret, error) { ++ v1, v2, err := fn() ++ return ret{v1: v1, v2: v2}, err ++ }) ++ return v.v1, v.v2, err ++} +diff --git a/vendor/github.com/opencontainers/runc/internal/sys/opath_linux.go b/vendor/github.com/opencontainers/runc/internal/sys/opath_linux.go +new file mode 100644 +index 00000000..17a216bc +--- /dev/null ++++ b/vendor/github.com/opencontainers/runc/internal/sys/opath_linux.go +@@ -0,0 +1,53 @@ ++package sys ++ ++import ( ++ "fmt" ++ "os" ++ "runtime" ++ "strconv" ++ ++ "golang.org/x/sys/unix" ++ ++ "github.com/opencontainers/runc/internal/pathrs" ++) ++ ++// FchmodFile is a wrapper around fchmodat2(AT_EMPTY_PATH) with fallbacks for ++// older kernels. This is distinct from [File.Chmod] and [unix.Fchmod] in that ++// it works on O_PATH file descriptors. ++func FchmodFile(f *os.File, mode uint32) error { ++ err := unix.Fchmodat(int(f.Fd()), "", mode, unix.AT_EMPTY_PATH) ++ // If fchmodat2(2) is not available at all, golang.org/x/unix (probably ++ // in order to mirror glibc) returns EOPNOTSUPP rather than EINVAL ++ // (what the kernel actually returns for invalid flags, which is being ++ // emulated) or ENOSYS (which is what glibc actually sees). 
++ if err != unix.EINVAL && err != unix.EOPNOTSUPP { //nolint:errorlint // unix errors are bare ++ // err == nil is implicitly handled ++ return os.NewSyscallError("fchmodat2 AT_EMPTY_PATH", err) ++ } ++ ++ // AT_EMPTY_PATH support was added to fchmodat2 in Linux 6.6 ++ // (5daeb41a6fc9d0d81cb2291884b7410e062d8fa1). The alternative for ++ // older kernels is to go through /proc. ++ fdDir, closer, err2 := pathrs.ProcThreadSelfOpen("fd/", unix.O_DIRECTORY) ++ if err2 != nil { ++ return fmt.Errorf("fchmodat2 AT_EMPTY_PATH fallback: %w", err2) ++ } ++ defer closer() ++ defer fdDir.Close() ++ ++ err = unix.Fchmodat(int(fdDir.Fd()), strconv.Itoa(int(f.Fd())), mode, 0) ++ if err != nil { ++ err = fmt.Errorf("fchmodat /proc/self/fd/%d: %w", f.Fd(), err) ++ } ++ runtime.KeepAlive(f) ++ return err ++} ++ ++// FchownFile is a wrapper around fchownat(AT_EMPTY_PATH). This is distinct ++// from [File.Chown] and [unix.Fchown] in that it works on O_PATH file ++// descriptors. ++func FchownFile(f *os.File, uid, gid int) error { ++ err := unix.Fchownat(int(f.Fd()), "", uid, gid, unix.AT_EMPTY_PATH) ++ runtime.KeepAlive(f) ++ return os.NewSyscallError("fchownat AT_EMPTY_PATH", err) ++} +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +index b48c387d..70ef9e60 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +@@ -8,6 +8,7 @@ import ( + "os/exec" + "path" + "path/filepath" ++ "runtime" + "strconv" + "strings" + "time" +@@ -22,6 +23,7 @@ import ( + "github.com/opencontainers/runc/libcontainer/userns" + "github.com/opencontainers/runc/libcontainer/utils" + "github.com/opencontainers/runc/internal/sys" ++ "github.com/opencontainers/runc/internal/pathrs" + "github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/selinux/go-selinux/label" + 
"github.com/sirupsen/logrus" +@@ -703,17 +705,18 @@ func createDevices(config *configs.Config) error { + return nil + } + +-func bindMountDeviceNode(rootfs, dest string, node *devices.Device) error { +- f, err := os.Create(dest) +- if err != nil && !os.IsExist(err) { +- return err +- } +- if f != nil { +- _ = f.Close() ++func bindMountDeviceNode(destDir *os.File, destName string, node *devices.Device) error { ++ dstFile, err := utils.Openat(destDir, destName, unix.O_CREAT|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0o000) ++ if err != nil { ++ return fmt.Errorf("create device inode %s: %w", node.Path, err) + } +- return utils.WithProcfd(rootfs, dest, func(procfd string) error { +- return mount(node.Path, dest, procfd, "bind", unix.MS_BIND, "") +- }) ++ defer dstFile.Close() ++ ++ dstFd, closer := utils.ProcThreadSelfFd(dstFile.Fd()) ++ defer closer() ++ ++ dstPath := filepath.Join(destDir.Name(), destName) ++ return mountViaFds(node.Path, nil, dstPath, dstFd, "bind", unix.MS_BIND, "") + } + + // Creates the device node in the rootfs of the container. +@@ -722,28 +725,30 @@ func createDeviceNode(rootfs string, node *devices.Device, bind bool) error { + // The node only exists for cgroup reasons, ignore it here. 
+ return nil + } +- dest, err := securejoin.SecureJoin(rootfs, node.Path) ++ destPath, err := securejoin.SecureJoin(rootfs, node.Path) + if err != nil { + return err + } +- if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil { +- return err ++ destDirPath, destName := filepath.Split(destPath) ++ destDir, err := pathrs.MkdirAllInRootOpen(rootfs, destDirPath, 0o755) ++ if err != nil { ++ return fmt.Errorf("mkdir parent of device inode %q: %w", node.Path, err) + } + if bind { +- return bindMountDeviceNode(rootfs, dest, node) ++ return bindMountDeviceNode(destDir, destName, node) + } +- if err := mknodDevice(dest, node); err != nil { ++ if err := mknodDevice(destDir, destName, node); err != nil { + if errors.Is(err, os.ErrExist) { + return nil + } else if errors.Is(err, os.ErrPermission) { +- return bindMountDeviceNode(rootfs, dest, node) ++ return bindMountDeviceNode(destDir, destName, node) + } + return err + } + return nil + } + +-func mknodDevice(dest string, node *devices.Device) error { ++func mknodDevice(destDir *os.File, destName string, node *devices.Device) error { + fileMode := node.FileMode + switch node.Type { + case devices.BlockDevice: +@@ -759,10 +764,44 @@ func mknodDevice(dest string, node *devices.Device) error { + if err != nil { + return err + } +- if err := unix.Mknod(dest, uint32(fileMode), int(dev)); err != nil { +- return &os.PathError{Op: "mknod", Path: dest, Err: err} ++ if err := unix.Mknodat(int(destDir.Fd()), destName, uint32(fileMode), int(dev)); err != nil { ++ return &os.PathError{Op: "mknodat", Path: filepath.Join(destDir.Name(), destName), Err: err} ++ } ++ ++ // Get a handle and verify that it matches the expected inode type and ++ // major:minor before we operate on it. 
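Review bot: In createDeviceNode the directory handle returned by `pathrs.MkdirAllInRootOpen` is never closed on the new side: no return path after the `destDir` assignment releases it. Each device node therefore leaves a descriptor into the container rootfs open until the garbage collector finalizes the `*os.File`. Adding `defer destDir.Close()` directly after the `mkdir parent of device inode` error check would release it on every path, including the bind-mount fallback. The function's opening lines are outside this hunk, so this is based on the visible body only.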
++ devFile, err := utils.Openat(destDir, destName, unix.O_NOFOLLOW|unix.O_PATH, 0) ++ if err != nil { ++ return fmt.Errorf("open new %c device inode %s: %w", node.Type, node.Path, err) ++ } ++ defer devFile.Close() ++ ++ if err := sys.VerifyInode(devFile, func(stat *unix.Stat_t, _ *unix.Statfs_t) error { ++ if stat.Mode&unix.S_IFMT != uint32(fileMode)&unix.S_IFMT { ++ return fmt.Errorf("new %c device inode %s has incorrect ftype: %#x doesn't match expected %#v", ++ node.Type, node.Path, ++ stat.Mode&unix.S_IFMT, fileMode&unix.S_IFMT) ++ } ++ if stat.Rdev != dev { ++ return fmt.Errorf("new %c device inode %s has incorrect major:minor: %d:%d doesn't match expected %d:%d", ++ node.Type, node.Path, ++ unix.Major(stat.Rdev), unix.Minor(stat.Rdev), ++ unix.Major(dev), unix.Minor(dev)) ++ } ++ return nil ++ }); err != nil { ++ return err ++ } ++ ++ // Ensure permission bits (can be different because of umask). ++ if err := sys.FchmodFile(devFile, uint32(fileMode)); err != nil { ++ return fmt.Errorf("update new %c device inode %s file mode: %w", node.Type, node.Path, err) + } +- return os.Chown(dest, int(node.Uid), int(node.Gid)) ++ if err := sys.FchownFile(devFile, int(node.Uid), int(node.Gid)); err != nil { ++ return fmt.Errorf("update new %c device inode %s owner: %w", node.Type, node.Path, err) ++ } ++ runtime.KeepAlive(devFile) ++ return nil + } + + // Get the parent mount point of directory passed in as argument. 
Also return +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go +index 2bc9c422..e163af51 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go +@@ -188,3 +188,18 @@ func ProcThreadSelf(subpath string) (string, ProcThreadSelfCloser) { + func ProcThreadSelfFd(fd uintptr) (string, ProcThreadSelfCloser) { + return ProcThreadSelf("fd/" + strconv.FormatUint(uint64(fd), 10)) + } ++ ++// Openat is a Go-friendly openat(2) wrapper. ++func Openat(dir *os.File, path string, flags int, mode uint32) (*os.File, error) { ++ dirFd := unix.AT_FDCWD ++ if dir != nil { ++ dirFd = int(dir.Fd()) ++ } ++ flags |= unix.O_CLOEXEC ++ ++ fd, err := unix.Openat(dirFd, path, flags, mode) ++ if err != nil { ++ return nil, &os.PathError{Op: "openat", Path: path, Err: err} ++ } ++ return os.NewFile(uintptr(fd), dir.Name()+"/"+path), nil ++} +-- +2.45.4 + diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec index 949bf3c3f84..2af25d7cd75 100644 --- a/SPECS/kubernetes/kubernetes.spec +++ b/SPECS/kubernetes/kubernetes.spec @@ -10,7 +10,7 @@ Summary: Microsoft Kubernetes Name: kubernetes Version: 1.30.10 -Release: 15%{?dist} +Release: 16%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -27,6 +27,8 @@ Patch5: CVE-2024-51744.patch Patch6: CVE-2025-30204.patch Patch7: CVE-2025-22872.patch Patch8: CVE-2025-4563.patch +Patch9: CVE-2025-31133.patch +Patch10: CVE-2025-52565.patch BuildRequires: flex-devel BuildRequires: glibc-static >= 2.38-16%{?dist} BuildRequires: golang < 1.25 
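Review bot: `Openat` allows a nil `dir` when choosing `dirFd` (it falls back to `unix.AT_FDCWD`) but then calls `dir.Name()` unconditionally to build the returned file's name. A nil `dir` would panic there, after the descriptor has already been opened. The callers visible in this patch (bindMountDeviceNode and mknodDevice) pass a non-nil directory, so this looks latent rather than reachable here. Either drop the nil branch or build the name conditionally, e.g. `name := path` then `if dir != nil { name = dir.Name() + "/" + path }`, and pass `name` to `os.NewFile`.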
@@ -278,16 +280,20 @@ fi %{_exec_prefix}/local/bin/pause %changelog -* Mon Nov 10 2025 Andrew Phelps - 1.30.10-15 + +* Mon Dec 1 2025 Andrew Phelps - 1.30.10-16 - Bump to rebuild with updated glibc +* Mon Nov 24 2025 Aditya Singh - 1.30.10-15 +- Address CVE-2025-31133, CVE-2025-52565 + * Thu Oct 23 2025 Kanishk Bansal - 1.30.10-14 - Bump to rebuild with updated glibc * Wed Oct 08 2025 Andrew Phelps - 1.30.10-13 - Bump to rebuild with updated glibc -* Fri Sep 17 2025 Kanishk Bansal - 1.30.10-12 +* Wed Sep 17 2025 Kanishk Bansal - 1.30.10-12 - Bump to rebuild with updated glibc * Fri Sep 05 2025 Andrew Phelps - 1.30.10-11 From 05e26b5a2cac79fd7eba9579a0091e3343ef4c76 Mon Sep 17 00:00:00 2001 
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 1 Dec 2025 17:25:16 -0800 Subject: [PATCH 27/43] [AUTOPATCHER-kernel] Kernel upgrade to version 6.6.117.1 - branch 3.0-dev (#15169) --- SPECS-EXTENDED/kernel-ipe/config | 2 +- SPECS-EXTENDED/kernel-ipe/config_aarch64 | 2 +- .../kernel-ipe/kernel-ipe.signatures.json | 6 +++--- SPECS-EXTENDED/kernel-ipe/kernel-ipe.spec | 7 +++++-- .../kernel-64k-signed/kernel-64k-signed.spec | 7 +++++-- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 7 +++++-- .../kernel-uki-signed/kernel-uki-signed.spec | 7 +++++-- .../hyperv-daemons.signatures.json | 2 +- SPECS/hyperv-daemons/hyperv-daemons.spec | 5 ++++- SPECS/kernel-64k/config_aarch64 | 2 +- SPECS/kernel-64k/kernel-64k.signatures.json | 4 ++-- SPECS/kernel-64k/kernel-64k.spec | 7 +++++-- .../kernel-headers.signatures.json | 2 +- SPECS/kernel-headers/kernel-headers.spec | 7 +++++-- SPECS/kernel/config | 2 +- SPECS/kernel/config_aarch64 | 2 +- SPECS/kernel/kernel-uki.spec | 7 +++++-- SPECS/kernel/kernel.signatures.json | 6 +++--- SPECS/kernel/kernel.spec | 7 +++++-- cgmanifest.json | 20 +++++++++---------- .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 2 +- .../manifests/package/toolchain_x86_64.txt | 4 ++-- .../toolchain/container/toolchain-sha256sums | 2 +- .../container/toolchain_build_temp_tools.sh | 2 +- 26 files changed, 76 insertions(+), 49 deletions(-) diff --git a/SPECS-EXTENDED/kernel-ipe/config b/SPECS-EXTENDED/kernel-ipe/config index eaecd4c9d11..ac2579594bf 100644 --- a/SPECS-EXTENDED/kernel-ipe/config +++ b/SPECS-EXTENDED/kernel-ipe/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 6.6.116.1 Kernel Configuration +# Linux/x86_64 6.6.117.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y 
diff --git a/SPECS-EXTENDED/kernel-ipe/config_aarch64 b/SPECS-EXTENDED/kernel-ipe/config_aarch64 index bf33c3c916a..57521d161aa 100644 --- a/SPECS-EXTENDED/kernel-ipe/config_aarch64 +++ b/SPECS-EXTENDED/kernel-ipe/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 6.6.116.1 Kernel Configuration +# Linux/arm64 6.6.117.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS-EXTENDED/kernel-ipe/kernel-ipe.signatures.json b/SPECS-EXTENDED/kernel-ipe/kernel-ipe.signatures.json index d60810cd840..b136a0efd60 100644 --- a/SPECS-EXTENDED/kernel-ipe/kernel-ipe.signatures.json +++ b/SPECS-EXTENDED/kernel-ipe/kernel-ipe.signatures.json @@ -1,14 +1,14 @@ { "Signatures": { "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", - "config": "016870d1d2950ca92b2d0e27e58c686cf1568cf273547688c224f11da9f34533", - "config_aarch64": "b19c332d4d504021738f1a9b2177297fa5c73f4f748740c9044c7849a79d897f", + "config": "f9b4a11f5f16da83111766e1af913b77103a6dc872b848bb25d41a5be68cb032", + "config_aarch64": "d4207f14d92b0b873856ed4d26ee7c340ed8fe77e0beea9e5047d632c48189b3", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", "azl-ipe-boot-policy.pol": "f2b7941bd3b721aadc8e937d0472c36fe5e140221f7bb54af6ef905884e0372c", "Makefile": "1c2e740407215ed9b9cbbc09f9102bc99c08b370bbe2cbb0490aefdc9eb70455", "tarfs.c": "066084e1ca2c1e7ba83e76a6696cf17928e7efb46a2b1670a7a1f597c2d9bc51", - "kernel-6.6.116.1.tar.gz": "068b9bca1d25ed7b7bd856b68287f7a30ad46f72f6653fefbebb4110e3863bf3" + "kernel-6.6.117.1.tar.gz": "bfbbeba626396e2bab9bd520a46943e68d228a91e8f11cd662bf4fb3996443d3" } } 
diff --git a/SPECS-EXTENDED/kernel-ipe/kernel-ipe.spec b/SPECS-EXTENDED/kernel-ipe/kernel-ipe.spec index 76ae0b7ec17..7a527d3cd7f 100644 --- a/SPECS-EXTENDED/kernel-ipe/kernel-ipe.spec +++ b/SPECS-EXTENDED/kernel-ipe/kernel-ipe.spec @@ -32,8 +32,8 @@ Summary: Linux Kernel Name: kernel-ipe -Version: 6.6.116.1 -Release: 2%{?dist} +Version: 6.6.117.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -460,6 +460,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed Nov 26 2025 CBL-Mariner Servicing Account - 6.6.117.1-1 +- Auto-upgrade to 6.6.117.1 + * Tue Nov 18 2025 Rachel Menge - 6.6.116.1-2 - Enable dm-cache diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec index 547ca82f9c3..453924f74b0 100644 --- a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec +++ b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec @@ -6,8 +6,8 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-64k-signed-%{buildarch} -Version: 6.6.116.1 -Release: 2%{?dist} +Version: 6.6.117.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -105,6 +105,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Wed Nov 26 2025 CBL-Mariner Servicing Account - 6.6.117.1-1 +- Auto-upgrade to 6.6.117.1 + * Tue Nov 18 2025 Rachel Menge - 6.6.116.1-2 - Bump release to match kernel,kernel-ipe,kernel-64k diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 32de8d14778..03ed23b5519 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec 
@@ -9,8 +9,8 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 6.6.116.1 -Release: 2%{?dist} +Version: 6.6.117.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Wed Nov 26 2025 CBL-Mariner Servicing Account - 6.6.117.1-1 +- Auto-upgrade to 6.6.117.1 + * Tue Nov 18 2025 Rachel Menge - 6.6.116.1-2 - Bump release to match kernel,kernel-ipe,kernel-64k diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec index f6f79f7ab67..18dc4a88a70 100644 --- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec +++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec @@ -5,8 +5,8 @@ %define kernelver %{version}-%{release} Summary: Signed Unified Kernel Image for %{buildarch} systems Name: kernel-uki-signed-%{buildarch} -Version: 6.6.116.1 -Release: 2%{?dist} +Version: 6.6.117.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -68,6 +68,9 @@ popd /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Wed Nov 26 2025 CBL-Mariner Servicing Account - 6.6.117.1-1 +- Auto-upgrade to 6.6.117.1 + * Tue Nov 18 2025 Rachel Menge - 6.6.116.1-2 - Bump release to match kernel,kernel-ipe,kernel-64k diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index 95b69791982..5defa2a862a 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json 
@@ -7,6 +7,6 @@ "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-6.6.116.1.tar.gz": "068b9bca1d25ed7b7bd856b68287f7a30ad46f72f6653fefbebb4110e3863bf3" + "kernel-6.6.117.1.tar.gz": "bfbbeba626396e2bab9bd520a46943e68d228a91e8f11cd662bf4fb3996443d3" } } diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index 87fb4847b7a..7f43ccbd750 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -10,7 +10,7 @@ Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 6.6.116.1 +Version: 6.6.117.1 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation @@ -221,6 +221,9 @@ fi %{_sbindir}/lsvmbus %changelog +* Wed Nov 26 2025 CBL-Mariner Servicing Account - 6.6.117.1-1 +- Auto-upgrade to 6.6.117.1 + * Mon Nov 10 2025 CBL-Mariner Servicing Account - 6.6.116.1-1 - Auto-upgrade to 6.6.116.1 diff --git a/SPECS/kernel-64k/config_aarch64 b/SPECS/kernel-64k/config_aarch64 index 648c563e4fd..f059d47405e 100644 --- a/SPECS/kernel-64k/config_aarch64 +++ b/SPECS/kernel-64k/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 6.6.116.1 Kernel Configuration +# Linux/arm64 6.6.117.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-64k/kernel-64k.signatures.json b/SPECS/kernel-64k/kernel-64k.signatures.json index 7a7b7521dde..e32e6266779 100644 --- a/SPECS/kernel-64k/kernel-64k.signatures.json +++ b/SPECS/kernel-64k/kernel-64k.signatures.json 
@@ -1,10 +1,10 @@ { "Signatures": { "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", - "config_aarch64": "2fc2d677906ae356257f7e2e246fd98752c9c953d75f40e815e141718b568467", + "config_aarch64": "8bd37170ab5799efa800cf3207492f1d413b1fa148f5a6e8bd1baa8a979d7fc5", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-6.6.116.1.tar.gz": "068b9bca1d25ed7b7bd856b68287f7a30ad46f72f6653fefbebb4110e3863bf3" + "kernel-6.6.117.1.tar.gz": "bfbbeba626396e2bab9bd520a46943e68d228a91e8f11cd662bf4fb3996443d3" } } diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec index 25771a308c1..0fab00ce160 100644 --- a/SPECS/kernel-64k/kernel-64k.spec +++ b/SPECS/kernel-64k/kernel-64k.spec @@ -26,8 +26,8 @@ Summary: Linux Kernel Name: kernel-64k -Version: 6.6.116.1 -Release: 2%{?dist} +Version: 6.6.117.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -380,6 +380,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed Nov 26 2025 CBL-Mariner Servicing Account - 6.6.117.1-1 +- Auto-upgrade to 6.6.117.1 + * Tue Nov 18 2025 Rachel Menge - 6.6.116.1-2 - Enable dm-cache diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 4d55761b9fa..69b3cd22497 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "kernel-6.6.116.1.tar.gz": "068b9bca1d25ed7b7bd856b68287f7a30ad46f72f6653fefbebb4110e3863bf3" + "kernel-6.6.117.1.tar.gz": "bfbbeba626396e2bab9bd520a46943e68d228a91e8f11cd662bf4fb3996443d3" } } 
diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 9eca8bdef2e..6dccedd0b47 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -13,8 +13,8 @@ Summary: Linux API header files Name: kernel-headers -Version: 6.6.116.1 -Release: 2%{?dist} +Version: 6.6.117.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -75,6 +75,9 @@ done %endif %changelog +* Wed Nov 26 2025 CBL-Mariner Servicing Account - 6.6.117.1-1 +- Auto-upgrade to 6.6.117.1 + * Tue Nov 18 2025 Rachel Menge - 6.6.116.1-2 - Bump release to match kernel,kernel-ipe,kernel-64k diff --git a/SPECS/kernel/config b/SPECS/kernel/config index eaecd4c9d11..ac2579594bf 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 6.6.116.1 Kernel Configuration +# Linux/x86_64 6.6.117.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index bf33c3c916a..57521d161aa 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 6.6.116.1 Kernel Configuration +# Linux/arm64 6.6.117.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index 2a83e38a0c0..533d14f4780 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -12,8 +12,8 @@ Summary: Unified Kernel Image Name: kernel-uki -Version: 6.6.116.1 -Release: 2%{?dist} +Version: 6.6.117.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -70,6 +70,9 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Wed Nov 26 2025 CBL-Mariner Servicing Account - 6.6.117.1-1 +- Auto-upgrade to 6.6.117.1 + * Tue Nov 18 2025 Rachel Menge - 6.6.116.1-2 - Bump release to match kernel,kernel-ipe,kernel-64k diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 0658cfbd41b..3ba93ebd51e 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,11 +1,11 @@ { "Signatures": { "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", - "config": "016870d1d2950ca92b2d0e27e58c686cf1568cf273547688c224f11da9f34533", - "config_aarch64": "b19c332d4d504021738f1a9b2177297fa5c73f4f748740c9044c7849a79d897f", + "config": "f9b4a11f5f16da83111766e1af913b77103a6dc872b848bb25d41a5be68cb032", + "config_aarch64": "d4207f14d92b0b873856ed4d26ee7c340ed8fe77e0beea9e5047d632c48189b3", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-6.6.116.1.tar.gz": "068b9bca1d25ed7b7bd856b68287f7a30ad46f72f6653fefbebb4110e3863bf3" + "kernel-6.6.117.1.tar.gz": "bfbbeba626396e2bab9bd520a46943e68d228a91e8f11cd662bf4fb3996443d3" } } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 690107469bc..81e138427c3 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -31,8 +31,8 @@ Summary: Linux Kernel Name: kernel -Version: 6.6.116.1 -Release: 2%{?dist} +Version: 6.6.117.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -440,6 +440,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed Nov 26 2025 CBL-Mariner Servicing Account - 6.6.117.1-1 +- Auto-upgrade to 6.6.117.1 + * Tue Nov 18 2025 Rachel Menge - 6.6.116.1-2 - Enable dm-cache diff --git a/cgmanifest.json b/cgmanifest.json index bf1c76a6f8f..3696f0ae65f 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -6610,8 +6610,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "6.6.116.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.116.1.tar.gz" + "version": "6.6.117.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.117.1.tar.gz" } } }, @@ -8261,8 +8261,8 @@ "type": "other", "other": { "name": "kernel", - "version": "6.6.116.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.116.1.tar.gz" + "version": "6.6.117.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.117.1.tar.gz" } } }, @@ -8271,8 +8271,8 @@ "type": "other", "other": { "name": "kernel-64k", - "version": "6.6.116.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.116.1.tar.gz" + "version": "6.6.117.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.117.1.tar.gz" } } }, @@ -8291,8 +8291,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "6.6.116.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.116.1.tar.gz" + "version": "6.6.117.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.117.1.tar.gz" } } }, 
@@ -8311,8 +8311,8 @@ "type": "other", "other": { "name": "kernel-ipe", - "version": "6.6.116.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.116.1.tar.gz" + "version": "6.6.117.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.117.1.tar.gz" } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index eba28e50ecf..f0105d540bf 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.aarch64.rpm -kernel-headers-6.6.116.1-2.azl3.noarch.rpm +kernel-headers-6.6.117.1-1.azl3.noarch.rpm glibc-2.38-16.azl3.aarch64.rpm glibc-devel-2.38-16.azl3.aarch64.rpm glibc-i18n-2.38-16.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 067c568ee8e..295e631618c 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.x86_64.rpm -kernel-headers-6.6.116.1-2.azl3.noarch.rpm +kernel-headers-6.6.117.1-1.azl3.noarch.rpm glibc-2.38-16.azl3.x86_64.rpm glibc-devel-2.38-16.azl3.x86_64.rpm glibc-i18n-2.38-16.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 09e8dddb2d3..640e4ac4800 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -158,7 +158,7 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.aarch64.rpm kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm -kernel-headers-6.6.116.1-2.azl3.noarch.rpm +kernel-headers-6.6.117.1-1.azl3.noarch.rpm kmod-30-1.azl3.aarch64.rpm kmod-debuginfo-30-1.azl3.aarch64.rpm kmod-devel-30-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index e92d1d28b33..25a4b8dd6d2 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -165,8 +165,8 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.x86_64.rpm kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm -kernel-cross-headers-6.6.116.1-2.azl3.noarch.rpm -kernel-headers-6.6.116.1-2.azl3.noarch.rpm +kernel-cross-headers-6.6.117.1-1.azl3.noarch.rpm +kernel-headers-6.6.117.1-1.azl3.noarch.rpm kmod-30-1.azl3.x86_64.rpm kmod-debuginfo-30-1.azl3.x86_64.rpm kmod-devel-30-1.azl3.x86_64.rpm diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums index 61a8e14b83f..1ce65592377 100644 --- a/toolkit/scripts/toolchain/container/toolchain-sha256sums +++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums 
@@ -28,7 +28,7 @@ a3c2b80201b89e68616f4ad30bc66aee4927c3ce50e33929ca819d5c43538898 gmp-6.3.0.tar. 1db2aedde89d0dea42b16d9528f894c8d15dae4e190b59aecc78f5a951276eab grep-3.11.tar.xz 6b9757f592b7518b4902eb6af7e54570bdccba37a871fddb2d30ae3863511c13 groff-1.23.0.tar.gz 7454eb6935db17c6655576c2e1b0fabefd38b4d0936e0f87f48cd062ce91a057 gzip-1.13.tar.xz -068b9bca1d25ed7b7bd856b68287f7a30ad46f72f6653fefbebb4110e3863bf3 kernel-6.6.116.1.tar.gz +bfbbeba626396e2bab9bd520a46943e68d228a91e8f11cd662bf4fb3996443d3 kernel-6.6.117.1.tar.gz 5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0 libarchive-3.7.1.tar.gz f311f8f3dad84699d0566d1d6f7ec943a9298b28f714cae3c931dfd57492d7eb libcap-2.69.tar.xz b8b45194989022a79ec1317f64a2a75b1551b2a55bea06f67704cb2a2e4690b0 libpipeline-1.5.7.tar.gz diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh index 30fd9c8ffeb..a54ef9acf92 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh @@ -86,7 +86,7 @@ rm -rf gcc-13.2.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete -KERNEL_VERSION="6.6.116.1" +KERNEL_VERSION="6.6.117.1" echo Linux-${KERNEL_VERSION} API Headers tar xf kernel-${KERNEL_VERSION}.tar.gz pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-3-${KERNEL_VERSION} From a29b32dfb97bf1dc38e17af0ee53527b8096ad5d Mon Sep 17 00:00:00 2001 
From: Archana Shettigar Date: Tue, 2 Dec 2025 10:24:33 +0530 Subject: [PATCH 28/43] Removal of xpp2 version 2.1.10 from SPECS_EXTENDED (#15031) --- LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md | 2 +- LICENSES-AND-NOTICES/SPECS/data/licenses.json | 1 - SPECS-EXTENDED/jlex/jlex.spec | 4 + SPECS-EXTENDED/regexp/regexp.spec | 2 +- SPECS-EXTENDED/servletapi4/servletapi4.spec | 4 + SPECS-EXTENDED/xalan-j2/xalan-j2.spec | 6 +- SPECS-EXTENDED/xerces-j2/xerces-j2.spec | 16 +- SPECS-EXTENDED/xpp2/xpp2-build_xml.patch | 199 ------------------ SPECS-EXTENDED/xpp2/xpp2-enum.patch | 76 ------- SPECS-EXTENDED/xpp2/xpp2.signatures.json | 5 - SPECS-EXTENDED/xpp2/xpp2.spec | 168 --------------- cgmanifest.json | 10 - 12 files changed, 27 insertions(+), 466 deletions(-) delete mode 100644 SPECS-EXTENDED/xpp2/xpp2-build_xml.patch delete mode 100644 SPECS-EXTENDED/xpp2/xpp2-enum.patch delete mode 100644 SPECS-EXTENDED/xpp2/xpp2.signatures.json delete mode 100644 SPECS-EXTENDED/xpp2/xpp2.spec diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md index b3bbdeb529d..840d57465d4 100644 --- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md +++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md @@ -16,7 +16,7 @@ The Azure Linux SPEC files originated from a variety of sources with varying lic | NVIDIA (BSD) | [BSD](https://github.com/Mellanox/sockperf/blob/sockperf_v2/copying) | sockperf | | OpenEuler | [BSD-3 License](https://github.com/pytorch/pytorch/blob/master/LICENSE) | pytorch | | OpenMamba | [Openmamba GPLv2 License](https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt) | bash-completion | -| OpenSUSE | Following [openSUSE guidelines](https://en.opensuse.org/openSUSE:Specfile_guidelines#Specfile_Licensing) | ant
ant-junit
antlr
aopalliance
apache-commons-beanutils
apache-commons-cli
apache-commons-codec
apache-commons-collections
apache-commons-collections4
apache-commons-compress
apache-commons-daemon
apache-commons-dbcp
apache-commons-digester
apache-commons-httpclient
apache-commons-io
apache-commons-jexl
apache-commons-lang3
apache-commons-logging
apache-commons-net
apache-commons-pool
apache-commons-pool2
apache-commons-validator
apache-commons-vfs2
apache-parent
args4j
atinject
base64coder
bcel
bea-stax
beust-jcommander
bsf
byaccj
cal10n
cdparanoia
cglib
cni
containerized-data-importer
cpulimit
cri-o
ecj
fillup
flux
gd
geronimo-specs
glassfish-annotation-api
gnu-getopt
gnu-regexp
golang-packaging
guava
hamcrest
hawtjni-runtime
httpcomponents-core
influx-cli
influxdb
jakarta-taglibs-standard
jansi
jarjar
java-cup
java-cup-bootstrap
javacc
javacc-bootstrap
javassist
jboss-interceptors-1.2-api
jdepend
jflex
jflex-bootstrap
jlex
jline
jna
jsch
jsoup
jsr-305
jtidy
junit
junitperf
jzlib
kubevirt
kured
libcontainers-common
libtheora
libva
libvdpau
lynx
multus
objectweb-anttask
objectweb-asm
objenesis
oro
osgi-annotation
osgi-compendium
osgi-core
patterns-ceph-containers
plexus-classworlds
plexus-interpolation
plexus-utils
proj
psl-make-dafsa
publicsuffix
qdox
regexp
relaxngDatatype
rhino
ripgrep
servletapi4
servletapi5
shapelib
slf4j
trilead-ssh2
virtiofsd
xalan-j2
xbean
xcursor-themes
xerces-j2
xml-commons-apis
xml-commons-resolver
xmldb-api
xmlrpc-c
xmlunit
xpp2
xz-java | +| OpenSUSE | Following [openSUSE guidelines](https://en.opensuse.org/openSUSE:Specfile_guidelines#Specfile_Licensing) | ant
ant-junit
antlr
aopalliance
apache-commons-beanutils
apache-commons-cli
apache-commons-codec
apache-commons-collections
apache-commons-collections4
apache-commons-compress
apache-commons-daemon
apache-commons-dbcp
apache-commons-digester
apache-commons-httpclient
apache-commons-io
apache-commons-jexl
apache-commons-lang3
apache-commons-logging
apache-commons-net
apache-commons-pool
apache-commons-pool2
apache-commons-validator
apache-commons-vfs2
apache-parent
args4j
atinject
base64coder
bcel
bea-stax
beust-jcommander
bsf
byaccj
cal10n
cdparanoia
cglib
cni
containerized-data-importer
cpulimit
cri-o
ecj
fillup
flux
gd
geronimo-specs
glassfish-annotation-api
gnu-getopt
gnu-regexp
golang-packaging
guava
hamcrest
hawtjni-runtime
httpcomponents-core
influx-cli
influxdb
jakarta-taglibs-standard
jansi
jarjar
java-cup
java-cup-bootstrap
javacc
javacc-bootstrap
javassist
jboss-interceptors-1.2-api
jdepend
jflex
jflex-bootstrap
jlex
jline
jna
jsch
jsoup
jsr-305
jtidy
junit
junitperf
jzlib
kubevirt
kured
libcontainers-common
libtheora
libva
libvdpau
lynx
multus
objectweb-anttask
objectweb-asm
objenesis
oro
osgi-annotation
osgi-compendium
osgi-core
patterns-ceph-containers
plexus-classworlds
plexus-interpolation
plexus-utils
proj
psl-make-dafsa
publicsuffix
qdox
regexp
relaxngDatatype
rhino
ripgrep
servletapi4
servletapi5
shapelib
slf4j
trilead-ssh2
virtiofsd
xalan-j2
xbean
xcursor-themes
xerces-j2
xml-commons-apis
xml-commons-resolver
xmldb-api
xmlrpc-c
xmlunit
xz-java | | Photon | [Photon License](LICENSE-PHOTON.md) and [Photon Notice](NOTICE.APACHE2).
Also see [LICENSE-EXCEPTIONS.PHOTON](LICENSE-EXCEPTIONS.PHOTON). | acl
alsa-lib
alsa-utils
ansible
apparmor
apr
apr-util
asciidoc
atftp
audit
autoconf
autoconf-archive
autofs
autogen
automake
babel
bash
bc
bcc
bind
binutils
bison
blktrace
boost
btrfs-progs
bubblewrap
build-essential
bzip2
c-ares
cairo
cassandra
cassandra-driver
cdrkit
check
chkconfig
chrpath
cifs-utils
clang
cloud-init
cloud-utils-growpart
cmake
cni-plugins
core-packages
coreutils
cpio
cppunit
cqlsh
cracklib
crash
crash-gcore-command
createrepo_c
cri-tools
cronie
curl
cyrus-sasl
cyrus-sasl-bootstrap
dbus
dbus-glib
dejagnu
device-mapper-multipath
dialog
diffutils
dkms
dmidecode
dnsmasq
docbook-dtd-xml
docbook-style-xsl
dosfstools
dracut
dstat
e2fsprogs
ed
efibootmgr
efivar
elfutils
emacs
erlang
etcd
ethtool
expat
expect
fcgi
file
filesystem
findutils
flex
fontconfig
fping
freetype
fuse
gawk
gc
gcc
gdb
gdbm
gettext
git
git-lfs
glib
glib-networking
glibc
glibmm
gmp
gnome-common
gnupg2
gnuplot
gnutls
gobject-introspection
golang
golang-1.23
golang-1.24
gperf
gperftools
gpgme
gptfdisk
grep
groff
grub2
gtest
gtk-doc
guile
gzip
haproxy
harfbuzz
haveged
hdparm
http-parser
httpd
i2c-tools
iana-etc
icu
initramfs
initscripts
inotify-tools
intltool
iotop
iperf3
iproute
ipset
iptables
iputils
ipvsadm
ipxe
irqbalance
itstool
jansson
jq
json-c
json-glib
kbd
keepalived
kernel
kernel-64k
kernel-headers
kernel-hwe
kernel-hwe-headers
kernel-ipe
kernel-lpg-innovate
kernel-mshv
kernel-rt
kernel-uvm
keyutils
kmod
krb5
less
libaio
libarchive
libassuan
libatomic_ops
libcap
libcap-ng
libconfig
libdb
libdnet
libedit
libestr
libevent
libfastjson
libffi
libgcrypt
libgpg-error
libgssglue
libgudev
libjpeg-turbo
libksba
liblogging
libmbim
libmnl
libmodulemd
libmpc
libmspack
libndp
libnetfilter_conntrack
libnetfilter_cthelper
libnetfilter_cttimeout
libnetfilter_queue
libnfnetlink
libnftnl
libnl3
libnsl2
libpcap
libpipeline
libpng
libpsl
libqmi
librelp
librepo
librsync
libseccomp
libselinux
libsepol
libserf
libsigc++30
libsolv
libsoup
libssh2
libtalloc
libtar
libtasn1
libtiff
libtirpc
libtool
libunistring
libunwind
libusb
libvirt
libwebp
libxml2
libxslt
libyaml
linux-firmware
lldb
lldpad
llvm
lm-sensors
lmdb
log4cpp
logrotate
lshw
lsof
lsscsi
ltrace
lttng-tools
lttng-ust
lvm2
lz4
lzo
m2crypto
m4
make
man-db
man-pages
maven
mc
mercurial
meson
mlocate
ModemManager
mpfr
msr-tools
mysql
nano
nasm
ncurses
ndctl
net-snmp
net-tools
nettle
newt
nfs-utils
nghttp2
nginx
ninja-build
nodejs
npth
nspr
nss
nss-altfiles
ntp
numactl
nvme-cli
oniguruma
OpenIPMI
openldap
openscap
openssh
openvswitch
ostree
pam
pango
parted
patch
pciutils
perl-Canary-Stability
perl-CGI
perl-common-sense
perl-Crypt-SSLeay
perl-DBD-SQLite
perl-DBI
perl-DBIx-Simple
perl-Exporter-Tiny
perl-File-HomeDir
perl-File-Which
perl-IO-Socket-SSL
perl-JSON-Any
perl-JSON-XS
perl-libintl-perl
perl-List-MoreUtils
perl-Module-Build
perl-Module-Install
perl-Module-ScanDeps
perl-Net-SSLeay
perl-NetAddr-IP
perl-Object-Accessor
perl-Path-Class
perl-Try-Tiny
perl-Types-Serialiser
perl-WWW-Curl
perl-XML-Parser
perl-YAML
perl-YAML-Tiny
pgbouncer
pinentry
polkit
popt
postgresql
procps-ng
protobuf
protobuf-c
psmisc
pth
pyasn1-modules
pyOpenSSL
pyparsing
pytest
python-appdirs
python-asn1crypto
python-atomicwrites
python-attrs
python-bcrypt
python-certifi
python-cffi
python-chardet
python-configobj
python-constantly
python-coverage
python-cryptography
python-daemon
python-dateutil
python-defusedxml
python-distro
python-docopt
python-docutils
python-ecdsa
python-geomet
python-gevent
python-hyperlink
python-hypothesis
python-idna
python-imagesize
python-incremental
python-iniparse
python-ipaddr
python-jinja2
python-jmespath
python-jsonpatch
python-jsonpointer
python-jsonschema
python-lockfile
python-lxml
python-mako
python-markupsafe
python-mistune
python-msgpack
python-netaddr
python-netifaces
python-ntplib
python-oauthlib
python-packaging
python-pam
python-pbr
python-ply
python-prettytable
python-psutil
python-psycopg2
python-py
python-pyasn1
python-pycodestyle
python-pycparser
python-pycurl
python-pygments
python-pynacl
python-requests
python-setuptools_scm
python-simplejson
python-six
python-snowballstemmer
python-sphinx-theme-alabaster
python-twisted
python-urllib3
python-vcversioner
python-virtualenv
python-wcwidth
python-webob
python-websocket-client
python-werkzeug
python-zope-event
python-zope-interface
python3
pytz
PyYAML
rapidjson
readline
rng-tools
rpcbind
rpcsvc-proto
rpm
rpm-ostree
rrdtool
rsync
rsyslog
ruby
rust
rust-1.75
scons
sed
sg3_utils
shadow-utils
slang
snappy
socat
sqlite
sshpass
strace
subversion
sudo
swig
syslinux
syslog-ng
sysstat
systemd-bootstrap
systemtap
tar
tboot
tcl
tcpdump
tcsh
tdnf
telegraf
texinfo
tmux
tpm2-abrmd
tpm2-pkcs11
tpm2-pytss
tpm2-tools
tpm2-tss
traceroute
tree
tzdata
unbound
unixODBC
unzip
usbutils
userspace-rcu
utf8proc
util-linux
valgrind
vim
vsftpd
WALinuxAgent
which
wpa_supplicant
xfsprogs
xinetd
xmlsec1
xmlto
xz
zchunk
zeromq
zip
zlib
zsh | | RPM software management source | [GPLv2+ License](https://github.com/rpm-software-management/dnf5/blob/main/COPYING.md) | dnf5 | | Source project | Same as the source project. | python-nocaselist | diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json index bc9738eeaba..47c9763382b 100644 --- a/LICENSES-AND-NOTICES/SPECS/data/licenses.json +++ b/LICENSES-AND-NOTICES/SPECS/data/licenses.json @@ -2667,7 +2667,6 @@ "xmldb-api", "xmlrpc-c", "xmlunit", - "xpp2", "xz-java" ] }, diff --git a/SPECS-EXTENDED/jlex/jlex.spec b/SPECS-EXTENDED/jlex/jlex.spec index 3a8243c0440..9b2d6e990b9 100644 --- a/SPECS-EXTENDED/jlex/jlex.spec +++ b/SPECS-EXTENDED/jlex/jlex.spec @@ -82,6 +82,8 @@ install -pD -T dist/lib/%{name}.jar \ # javadoc install -d -m 755 %{buildroot}%{_javadocdir}/%{name} cp -pr dist/docs/api/* %{buildroot}%{_javadocdir}/%{name} +mv %{buildroot}%{_javadocdir}/%{name}/legal/ADDITIONAL_LICENSE_INFO . +mv %{buildroot}%{_javadocdir}/%{name}/legal/LICENSE . %pre javadoc # workaround for rpm bug, can be removed in F-17 @@ -96,6 +98,8 @@ rm -rf $(readlink -f %{_javadocdir}/%{name}) %{_javadocdir}/%{name} || : %files javadoc %defattr(-,root,root,-) %{_javadocdir}/%{name} +%license ADDITIONAL_LICENSE_INFO +%license LICENSE %changelog * Mon Feb 24 2025 Sumit Jena - 1.2.6-286 diff --git a/SPECS-EXTENDED/regexp/regexp.spec b/SPECS-EXTENDED/regexp/regexp.spec index 3107b196ff0..826c52eb2c8 100644 --- a/SPECS-EXTENDED/regexp/regexp.spec +++ b/SPECS-EXTENDED/regexp/regexp.spec @@ -73,7 +73,7 @@ install -p -m 0644 %{SOURCE1} %{buildroot}%{_mavenpomdir}/JPP-%{name}.pom %files %defattr(0644,root,root,0755) -%doc LICENSE +%license LICENSE %{_javadir}/*.jar %{_mavenpomdir}/* %{_datadir}/maven-metadata/%{name}.xml* diff --git a/SPECS-EXTENDED/servletapi4/servletapi4.spec b/SPECS-EXTENDED/servletapi4/servletapi4.spec index 779f531b8df..4125891a078 100644 --- a/SPECS-EXTENDED/servletapi4/servletapi4.spec 
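Review bot: The two added `mv %{buildroot}%{_javadocdir}/%{name}/legal/… .` lines in `%install` of jlex.spec drop the javadoc tool's `legal/LICENSE` into the build directory under the bare name `LICENSE`, so a top-level `LICENSE` already present in the unpacked source would be overwritten without any error, and `%license LICENSE` under `%files javadoc` would then ship whichever text happens to be there. Moving the files into their own directory avoids the collision: `mkdir -p javadoc-legal` followed by `mv %{buildroot}%{_javadocdir}/%{name}/legal/LICENSE javadoc-legal/` (likewise for `ADDITIONAL_LICENSE_INFO`), with `%license javadoc-legal/LICENSE javadoc-legal/ADDITIONAL_LICENSE_INFO` in the file list. The same pattern is added in servletapi4.spec and xerces-j2.spec; in xerces-j2 the main `%files` also lists `%license NOTICE LICENSE …`, so, assuming `%install` runs in the source root, the main package would pick up the javadoc notice instead of the project's own licence. Whether a `legal/` directory is generated at all presumably depends on the javadoc version in the build root, which these hunks do not pin.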
+++ b/SPECS-EXTENDED/servletapi4/servletapi4.spec @@ -70,6 +70,8 @@ install -m 644 dist/lib/servlet.jar %{buildroot}%{_javadir}/%{name}-%{version}.j # javadoc install -d -m 755 %{buildroot}%{_javadocdir}/%{name} cp -pr build/docs/api/* %{buildroot}%{_javadocdir}/%{name} +mv %{buildroot}%{_javadocdir}/%{name}/legal/ADDITIONAL_LICENSE_INFO . +mv %{buildroot}%{_javadocdir}/%{name}/legal/LICENSE . # alternatives mkdir -p %{buildroot}%{_sysconfdir}/alternatives/ ln -sf %{_sysconfdir}/alternatives/servlet.jar %{buildroot}%{_javadir}/servlet.jar @@ -93,6 +95,8 @@ fi %files javadoc %defattr(-,root,root) %{_javadocdir}/%{name} +%license ADDITIONAL_LICENSE_INFO +%license LICENSE %changelog * Thu Feb 22 2024 Pawel Winogrodzki - 4.0.4-302 diff --git a/SPECS-EXTENDED/xalan-j2/xalan-j2.spec b/SPECS-EXTENDED/xalan-j2/xalan-j2.spec index 86bf73cd49c..2b44421e51e 100644 --- a/SPECS-EXTENDED/xalan-j2/xalan-j2.spec +++ b/SPECS-EXTENDED/xalan-j2/xalan-j2.spec @@ -228,7 +228,8 @@ update-alternatives --install %{_javadir}/jaxp_transform_impl.jar \ %files %defattr(0644,root,root,0755) -%doc KEYS LICENSE.txt NOTICE.txt +%doc KEYS +%license LICENSE.txt NOTICE.txt %{_javadir}/%{name}-%{version}.jar %{_javadir}/%{name}.jar %{_javadir}/%{name}-serializer-%{version}.jar @@ -245,7 +246,8 @@ update-alternatives --install %{_javadir}/jaxp_transform_impl.jar \ %files bootstrap %defattr(0644,root,root,0755) -%doc KEYS LICENSE.txt NOTICE.txt +%doc KEYS +%license LICENSE.txt NOTICE.txt %{_javadir}/%{name}-%{version}.jar %{_javadir}/%{name}.jar %{_javadir}/%{name}-serializer-%{version}.jar diff --git a/SPECS-EXTENDED/xerces-j2/xerces-j2.spec b/SPECS-EXTENDED/xerces-j2/xerces-j2.spec index a3e58a804a1..6411c3b22d3 100644 --- a/SPECS-EXTENDED/xerces-j2/xerces-j2.spec +++ b/SPECS-EXTENDED/xerces-j2/xerces-j2.spec 
@@ -143,6 +143,8 @@ install -pD -m755 -T %{SOURCE2} %{buildroot}%{_bindir}/%{name}-constants install -d -m 755 %{buildroot}%{_mandir}/man1 install -p -m 644 %{SOURCE3} %{buildroot}%{_mandir}/man1 install -p -m 644 %{SOURCE4} %{buildroot}%{_mandir}/man1 +mv %{buildroot}%{_javadocdir}/%{name}/other/legal/ADDITIONAL_LICENSE_INFO . +mv %{buildroot}%{_javadocdir}/%{name}/other/legal/LICENSE . # demo install -pD -T build/xercesSamples.jar %{buildroot}%{_datadir}/%{name}/%{name}-samples.jar @@ -154,8 +156,8 @@ update-alternatives --remove jaxp_parser_impl %{_javadir}/%{name}.jar >/dev/null ln -sf %{name}.jar %{_javadir}/jaxp_parser_impl.jar %files -%license LICENSE LICENSE.DOM-documentation.html LICENSE.DOM-software.html LICENSE.resolver.txt LICENSE-SAX.html LICENSE.DOM-documentation.html LICENSE.serializer.txt -%doc NOTICE README +%license NOTICE LICENSE LICENSE.DOM-software.html LICENSE.resolver.txt LICENSE-SAX.html LICENSE.DOM-documentation.html LICENSE.serializer.txt +%doc README %{_bindir}/* %{_javadir}/* %{_mandir}/*/* @@ -167,7 +169,15 @@ ln -sf %{name}.jar %{_javadir}/jaxp_parser_impl.jar %endif %files javadoc -%{_javadocdir}/%{name} +%license LICENSE +%license ADDITIONAL_LICENSE_INFO +%exclude /usr/share/javadoc/xerces-j2/xni/legal/ADDITIONAL_LICENSE_INFO +%exclude /usr/share/javadoc/xerces-j2/xni/legal/LICENSE +%exclude /usr/share/javadoc/xerces-j2/xs/legal/ADDITIONAL_LICENSE_INFO +%exclude /usr/share/javadoc/xerces-j2/xs/legal/LICENSE + +# Other javadoc files +%{_javadocdir}/%{name}/* %files demo %{_datadir}/%{name} diff --git a/SPECS-EXTENDED/xpp2/xpp2-build_xml.patch b/SPECS-EXTENDED/xpp2/xpp2-build_xml.patch deleted file mode 100644 index 94749b9673e..00000000000 --- a/SPECS-EXTENDED/xpp2/xpp2-build_xml.patch +++ /dev/null 
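Review bot: In `%files javadoc` of xerces-j2.spec, replacing `%{_javadocdir}/%{name}` with `%{_javadocdir}/%{name}/*` means the package no longer owns the `%{_javadocdir}/%{name}` directory itself, so the directory would be left behind when the package is removed; a `%dir %{_javadocdir}/%{name}` entry ahead of the glob restores ownership. The four `%exclude` lines hard-code `/usr/share/javadoc/xerces-j2/…` while the rest of the section uses macros, and `%exclude %{_javadocdir}/%{name}/xni/legal/LICENSE` (and the same form for the other three) would keep them correct if the javadoc directory or package name ever changes. Only `other/legal` is moved and only `xni/legal` and `xs/legal` are excluded, so any further javadoc subtree that carries a `legal/` directory would still ship duplicate copies; the generated tree is not visible in this hunk, so that needs checking against a build.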
@@ -1,199 +0,0 @@ ---- build.xml.sav 2003-11-15 06:42:11.000000000 +0100 -+++ build.xml 2005-08-10 11:58:48.000000000 +0200 -@@ -9,7 +9,8 @@ - - - -- -+ -+ - - - -@@ -165,7 +166,7 @@ - - - -- -+ - - - -@@ -175,7 +176,7 @@ - - - -- - -@@ -185,7 +186,7 @@ - - - -- - -@@ -195,7 +196,7 @@ - - - -- - -@@ -205,7 +206,7 @@ - - - -- - -@@ -215,7 +216,7 @@ - - - -- - -@@ -247,7 +248,7 @@ - - - -- - -@@ -271,7 +272,7 @@ - - - -- - -@@ -279,7 +280,7 @@ - - - -- -@@ -304,7 +305,7 @@ - - - -- -@@ -319,7 +320,7 @@ - - - -- - -@@ -327,7 +328,7 @@ - - - -- -@@ -336,7 +337,7 @@ - - - -- -@@ -350,7 +351,7 @@ - -- -@@ -385,7 +386,7 @@ - - - -- - - -- -@@ -443,7 +444,7 @@ - - - -- - -- - - -@@ -537,7 +538,7 @@ - - - -- - - -@@ -580,6 +581,7 @@ - 0) { -- Enumeration enum = children.elements(); -- while (enum.hasMoreElements()) { -- Object child = enum.nextElement(); -+ Enumeration emun = children.elements(); -+ while (emun.hasMoreElements()) { -+ Object child = emun.nextElement(); - if(child instanceof XmlNode) { - ((XmlNode)child).setParentNode(null); - } -@@ -373,11 +373,11 @@ - if(declaredNs != null) { - System.arraycopy(declaredNs, 0, uris, off, len); - } -- // Enumeration enum = prefix2Ns.keys(); -+ // Enumeration emun = prefix2Ns.keys(); - // int i = off; -- // while (enum.hasMoreElements() && i < off + len) -+ // while (emun.hasMoreElements() && i < off + len) - // { -- // uris[i++] = (String) prefix2Ns.get( enum.nextElement() ); -+ // uris[i++] = (String) prefix2Ns.get( emun.nextElement() ); - // } - } - -@@ -512,10 +512,10 @@ - buf.append(declaredNs[i]); - buf.append("'"); - } -- // Enumeration enum = prefix2Ns.keys(); -- // while (enum.hasMoreElements()) -+ // Enumeration emun = prefix2Ns.keys(); -+ // while (emun.hasMoreElements()) - // { -- // Object key = enum.nextElement(); -+ // Object key = emun.nextElement(); - // buf.append("xmlns:"); - // buf.append(key); - // buf.append("='"); ---- PullParser2.1.10/src/java/tests/node/NodeTest.java 2017-09-11 18:39:27.109544537 
+0200 -+++ PullParser2.1.10/src/java/tests/node/NodeTest.java 2017-09-11 18:43:53.211362957 +0200 -@@ -386,20 +386,20 @@ - assertEquals("", t1.getDefaultNamespaceUri()); - - // check enumeration stuff... -- Enumeration enum = t1.children(); -+ Enumeration emun = t1.children(); - assertEquals(0, t1.getChildrenCountSoFar()); - //child1, child2... -- assertTrue(enum.hasMoreElements()); -- child1 = (XmlPullNode) enum.nextElement(); -+ assertTrue(emun.hasMoreElements()); -+ child1 = (XmlPullNode) emun.nextElement(); - assertEquals("child1", child1.getLocalName()); -- assertNotNull(enum.nextElement()); -- child3 = (XmlPullNode) enum.nextElement(); -+ assertNotNull(emun.nextElement()); -+ child3 = (XmlPullNode) emun.nextElement(); - assertEquals("child3", child3.getLocalName()); -- assertNotNull(enum.nextElement()); -+ assertNotNull(emun.nextElement()); - assertEquals(4, t1.getChildrenCountSoFar()); -- assertEquals(true, enum.hasMoreElements()); -- assertNotNull(enum.nextElement()); -- assertEquals(false, enum.hasMoreElements()); -+ assertEquals(true, emun.hasMoreElements()); -+ assertNotNull(emun.nextElement()); -+ assertEquals(false, emun.hasMoreElements()); - - XmlPullNode t2 = (XmlPullNode) node.getChildAt(1); - assertEquals("t2", t2.getLocalName()); diff --git a/SPECS-EXTENDED/xpp2/xpp2.signatures.json b/SPECS-EXTENDED/xpp2/xpp2.signatures.json deleted file mode 100644 index 840151ddbd3..00000000000 --- a/SPECS-EXTENDED/xpp2/xpp2.signatures.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "Signatures": { - "PullParser2.1.10.tar.bz2": "8490c4c729362130a610d1b07c749a53160fec1422f2123ce65b43ca49f5067f" - } -} diff --git a/SPECS-EXTENDED/xpp2/xpp2.spec b/SPECS-EXTENDED/xpp2/xpp2.spec deleted file mode 100644 index 613cfe98d1e..00000000000 --- a/SPECS-EXTENDED/xpp2/xpp2.spec +++ /dev/null 
@@ -1,168 +0,0 @@ -Vendor: Microsoft Corporation -Distribution: Azure Linux -# -# spec file for package xpp2 -# -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. -# -# All modifications and additions to the file contributed by third parties -# remain the property of their copyright owners, unless otherwise agreed -# upon. The license for this file, and modifications and additions to the -# file, is the same license as for the pristine package itself (unless the -# license for the pristine package is not an Open Source License, in which -# case the license is the MIT License). An "Open Source License" is a -# license that conforms to the Open Source Definition (Version 1.9) -# published by the Open Source Initiative. - -# Please submit bugfixes or comments via https://bugs.opensuse.org/ -# - - -%define originalname PullParser -Name: xpp2 -Version: 2.1.10 -Release: 29%{?dist} -Summary: XML Pull Parser -License: Apache-1.1 -Group: Development/Libraries/Java -Url: http://www.extreme.indiana.edu/xgws/xsoap/xpp/ -Source0: http://www.extreme.indiana.edu/xgws/xsoap/xpp/download/PullParser2/PullParser2.1.10.tar.bz2 -Patch0: xpp2-build_xml.patch -Patch1: xpp2-enum.patch -BuildRequires: ant >= 1.6 -BuildRequires: ant-junit >= 1.6 -BuildRequires: fdupes -BuildRequires: javapackages-tools -BuildRequires: junit -BuildRequires: xerces-j2 -BuildRequires: xml-commons-apis -Requires: xml-commons-apis -BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildArch: noarch - -%description -XML Pull Parser 2 (XPP2) is a simple and fast incremental XML parser. -NOTE: XPP2 is no longer developed and is on maintenance mode. All -active development concentrates on its successor XPP3/MXP1 - -%package javadoc -Summary: XML Pull Parser -Group: Development/Libraries/Java - -%description javadoc -XML Pull Parser 2 (XPP2) is a simple and fast incremental XML parser. -NOTE: XPP2 is no longer developed and is on maintenance mode. 
All -active development concentrates on its successor XPP3/MXP1 - -%package manual -Summary: XML Pull Parser -Group: Development/Libraries/Java - -%description manual -XML Pull Parser 2 (XPP2) is a simple and fast incremental XML parser. -NOTE: XPP2 is no longer developed and is on maintenance mode. All -active development concentrates on its successor XPP3/MXP1 - -%package demo -Summary: XML Pull Parser -Group: Development/Libraries/Java -Requires: %{name} = %{version} - -%description demo -XML Pull Parser 2 (XPP2) is a simple and fast incremental XML parser. -NOTE: XPP2 is no longer developed and is on maintenance mode. All -active development concentrates on its successor XPP3/MXP1 - -%prep -%setup -q -n %{originalname}%{version} -# remove all binary libs -find . -name "*.jar" -exec rm -f {} \; -%patch 0 -b .sav -%patch 1 -p1 - -%build -export OPT_JAR_LIST="ant/ant-junit junit" -export CLASSPATH=$(build-classpath xml-commons-apis xerces-j2) -ant all api api.impl -CLASSPATH=$CLASSPATH:$(build-classpath junit):build/tests:build/lib/PullParser-2.1.10.jar -java AllTests - -%install -# jars -mkdir -p %{buildroot}%{_javadir} -cp -p build/lib/%{originalname}-intf-%{version}.jar \ - %{buildroot}%{_javadir}/%{name}-intf-%{version}.jar -cp -p build/lib/%{originalname}-standard-%{version}.jar \ - %{buildroot}%{_javadir}/%{name}-standard-%{version}.jar -cp -p build/lib/%{originalname}-%{version}.jar \ - %{buildroot}%{_javadir}/%{name}-%{version}.jar -cp -p build/lib/%{originalname}-x2-%{version}.jar \ - %{buildroot}%{_javadir}/%{name}-x2-%{version}.jar -(cd %{buildroot}%{_javadir} && for jar in *-%{version}.jar; do ln -sf ${jar} `echo $jar| sed "s|-%{version}||g"`; done) -# javadoc -mkdir -p %{buildroot}%{_javadocdir}/%{name}/api -mkdir -p %{buildroot}%{_javadocdir}/%{name}/api_impl -cp -pr doc/api/* %{buildroot}%{_javadocdir}/%{name}/api -cp -pr doc/api_impl/* %{buildroot}%{_javadocdir}/%{name}/api_impl -rm -rf doc/{build.txt,api,api_impl} -# manual -mkdir -p 
%{buildroot}%{_datadir}/doc/%{name} -cp -pr doc/* %{buildroot}%{_datadir}/doc/%{name} -cp -p README.html %{buildroot}%{_datadir}/doc/%{name} -# demo -mkdir -p %{buildroot}%{_datadir}/%{name} -cp -pr src/java/samples/* %{buildroot}%{_datadir}/%{name} -%fdupes -s %{buildroot}/%{_javadocdir}/%{name} - -%files -%defattr(0644,root,root,0755) -%license LICENSE.txt -%{_datadir}/doc/%{name}/README.html -%{_javadir}/%{name}.jar -%{_javadir}/%{name}-%{version}.jar -%{_javadir}/%{name}-intf.jar -%{_javadir}/%{name}-intf-%{version}.jar -%{_javadir}/%{name}-standard.jar -%{_javadir}/%{name}-standard-%{version}.jar -%{_javadir}/%{name}-x2.jar -%{_javadir}/%{name}-x2-%{version}.jar - -%files javadoc -%defattr(0644,root,root,0755) -%license LICENSE.txt -%{_javadocdir}/%{name} - -%files manual -%defattr(0644,root,root,0755) -%license LICENSE.txt -%{_datadir}/doc/%{name} -%exclude %{_datadir}/doc/%{name}/README.html - -%files demo -%defattr(0644,root,root,0755) -%{_datadir}/%{name} - -%changelog -* Thu Oct 14 2021 Pawel Winogrodzki - 2.1.10-29 -- Initial CBL-Mariner import from openSUSE Tumbleweed (license: same as "License" tag). -- Converting the 'Release' tag to the '[number].[distribution]' format. - -* Fri Nov 8 2019 Fridrich Strba -- BuildRequire xerces-j2, because it is not automatically pulled - by ant anymore -* Mon Sep 11 2017 fstrba@suse.com -- Modified patch: - * xpp2-build_xml.patch - + Specify java source and target level 1.6 in order to allow - building with jdk9 - * xpp2-enum.patch - + Rename variables "enum" to "emun" in order to avoid clash - with a reserved word in java >= 1.5 -* Fri Jul 11 2014 tchvatal@suse.com -- Cleanup with spec-cleaner and do not version javadoc dir. -* Mon Sep 9 2013 tchvatal@suse.com -- Move from jpackage-utils to javapackage-tools -* Tue Jan 31 2012 mvyskocil@suse.cz -- remove file conflict between xpp2 and xpp2-manual -* Tue May 12 2009 mvyskocil@suse.cz -- Initial packaging of xpp2 2.1.10 (from jpackage.org) 
diff --git a/cgmanifest.json b/cgmanifest.json
index 3696f0ae65f..014e5ac6ea3 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -30953,16 +30953,6 @@
 }
 }
 },
- {
- "component": {
- "type": "other",
- "other": {
- "name": "xpp2",
- "version": "2.1.10",
- "downloadUrl": "http://www.extreme.indiana.edu/xgws/xsoap/xpp/download/PullParser2/PullParser2.1.10.tar.bz2"
- }
- }
- },
 {
 "component": {
 "type": "other",
From 7707c0984e09eafe770d0c883b049136222b1104 Mon Sep 17 00:00:00 2001
From: Archana Shettigar
Date: Tue, 2 Dec 2025 15:33:21 +0530
Subject: [PATCH 29/43] Upgrade: xmlunit version to 1.6 (#15158)
---
 .../{xmlunit-1.5.pom => xmlunit-1.6.pom} | 12 ++++-----
 .../xmlunit/xmlunit.signatures.json | 4 +--
 SPECS-EXTENDED/xmlunit/xmlunit.spec | 25 ++++++++++++-------
 cgmanifest.json | 4 +--
 4 files changed, 26 insertions(+), 19 deletions(-)
 rename SPECS-EXTENDED/xmlunit/{xmlunit-1.5.pom => xmlunit-1.6.pom} (86%)
diff --git a/SPECS-EXTENDED/xmlunit/xmlunit-1.5.pom b/SPECS-EXTENDED/xmlunit/xmlunit-1.6.pom
similarity index 86%
rename from SPECS-EXTENDED/xmlunit/xmlunit-1.5.pom
rename to SPECS-EXTENDED/xmlunit/xmlunit-1.6.pom
index bbd6adc5313..e0ccca76f18 100644
--- a/SPECS-EXTENDED/xmlunit/xmlunit-1.5.pom
+++ b/SPECS-EXTENDED/xmlunit/xmlunit-1.6.pom
@@ -1,6 +1,6 @@