Rebase 3.0 3.0.20260304

.github/workflows/check-static-glibc.yml

@@ -34,5 +34,13 @@ jobs:
       - name: Get Python dependencies
         run: python3 -m pip install -r toolkit/scripts/requirements.txt
 
+      - name: Copy Azure Linux rpm
+        run: |
+          echo ##########
+          echo "Copy Azure Linux rpm"
+          echo ##########
+          toolkit/scripts/toolchain/toolchain_update_git_submodule.sh
+        shell: bash
+
       - name: Verify .spec files
         run: python3 toolkit/scripts/check_static_glibc.py SPECS/**/*.spec SPECS-EXTENDED/**/*.spec SPECS-SIGNED/**/*.spec

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -22,9 +22,7 @@
         },
         "Ceph source": {
             "license": "[LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1)",
-            "specs": [
-                "ceph"
-            ]
+            "specs": []
         },
         "Debian": {
             "license": "[MIT](https://opensource.org/licenses/MIT)",
@@ -817,7 +815,6 @@
                 "libvirt-dbus",
                 "libvirt-glib",
                 "libvirt-java",
-                "libvirt-python",
                 "libvisio",
                 "libvisual",
                 "libvoikko",
@@ -2098,7 +2095,6 @@
                 "startup-notification",
                 "stress-ng",
                 "strongswan",
-                "stunnel",
                 "subscription-manager",
                 "subunit",
                 "suitesparse",
@@ -2334,7 +2330,6 @@
                 "cloud-hypervisor",
                 "cmake-fedora",
                 "containerd2",
-                "coredns",
                 "dasel",
                 "debugedit",
                 "dejavu-fonts",
@@ -2349,6 +2344,7 @@
                 "elixir",
                 "espeak-ng",
                 "espeakup",
+                "expat",
                 "flannel",
                 "fluent-bit",
                 "freefont",
@@ -2390,6 +2386,7 @@
                 "libutempter",
                 "libuv",
                 "libvirt",
+                "libvirt-python",
                 "libxml++",
                 "linuxptp",
                 "lld",
@@ -2523,6 +2520,7 @@
                 "skopeo",
                 "span-lite",
                 "sriov-network-device-plugin",
+                "stunnel",
                 "SymCrypt",
                 "SymCrypt-OpenSSL",
                 "systemd-boot-signed",
@@ -2531,6 +2529,7 @@
                 "tinyxml2",
                 "toml11",
                 "tracelogging",
+                "trident",
                 "umoci",
                 "usrsctp",
                 "vala",
@@ -2562,8 +2561,8 @@
                 "isert-signed",
                 "knem-modules-signed",
                 "libnvidia-container",
+                "libvma",
                 "mlnx-nfsrdma-signed",
-                "mlx-steering-dump",
                 "multiperf",
                 "nvidia-container-toolkit",
                 "ofed-docs",
@@ -2685,7 +2684,6 @@
                 "osgi-annotation",
                 "osgi-compendium",
                 "osgi-core",
-                "patterns-ceph-containers",
                 "plexus-classworlds",
                 "plexus-interpolation",
                 "plexus-utils",
@@ -2795,7 +2793,6 @@
                 "erlang",
                 "etcd",
                 "ethtool",
-                "expat",
                 "expect",
                 "fcgi",
                 "file",
@@ -2825,8 +2822,10 @@
                 "gnutls",
                 "gobject-introspection",
                 "golang",
+                "golang-1.22",
                 "golang-1.23",
                 "golang-1.24",
+                "golang-1.25",
                 "gperf",
                 "gperftools",
                 "gpgme",
@@ -2869,8 +2868,6 @@
                 "kernel",
                 "kernel-64k",
                 "kernel-headers",
-                "kernel-hwe",
-                "kernel-hwe-headers",
                 "kernel-ipe",
                 "kernel-lpg-innovate",
                 "kernel-uvm",
@@ -3011,6 +3008,7 @@
                 "perl-Crypt-SSLeay",
                 "perl-DBD-SQLite",
                 "perl-DBI",
+                "perl-DBIx-Simple",
                 "perl-Exporter-Tiny",
                 "perl-File-HomeDir",
                 "perl-File-Which",

SPECS/.gitignore

@@ -83,6 +83,7 @@ ccache
 cdrkit
 ceph
 cereal
+cert-manager
 check
 check-restart
 checkpolicy
@@ -98,6 +99,8 @@ cloud-hypervisor
 cloud-utils-growpart
 cmake
 cmocka
+cni
+cni-plugins
 collectd
 colm
 color-filesystem
@@ -106,7 +109,7 @@ compiler-rt
 conda
 conmon
 conntrack-tools
-coredns
+containerized-data-importer
 coreutils
 cpio
 cpprest
@@ -152,6 +155,7 @@ docbook-dtds
 docbook-style-xsl
 docbook5-schemas
 docker-buildx
+docker-compose
 dos2unix
 doxygen
 dpdk
@@ -163,6 +167,7 @@ dwz
 e2fsprogs
 ebtables
 ed
+edk2
 efivar
 egl-wayland
 eglexternalplatform
@@ -175,7 +180,6 @@ erofs-utils
 espeak-ng
 espeakup
 execstack
-expat
 expect
 expected
 extra-cmake-modules
@@ -220,10 +224,12 @@ geos
 gettext
 gflags
 gfs2-utils
+gh
 giflib
 git
 glib
 glib-networking
+glibc
 glibmm
 glslang
 glusterfs
@@ -331,13 +337,13 @@ kata-packages-uvm
 kbd
 kde-settings
 keepalived
+keda
 keras
 kernel-64k
 kernel-hwe
 kernel-hwe-headers
 kernel-srpm-macros
 kernel-uvm
-kexec-tools
 keyutils
 kf
 kf-kconfig
@@ -516,10 +522,10 @@ liburing
 libusb
 libuser
 libuv
+libvma
 libvirt-dbus
 libvirt-glib
 libvirt-java
-libvirt-python
 libvoikko
 libwacom
 libwebp
@@ -630,6 +636,7 @@ nlohmann-json
 nlopt
 nmap
 nodejs
+nodejs24
 npth
 nspr
 nss
@@ -712,6 +719,7 @@ orangefs
 ostree
 p11-kit
 p7zip
+packer
 pam
 pam_krb5
 pam_wrapper
@@ -1234,6 +1242,7 @@ rubygem-webhdfs
 rubygem-webrick
 rubygem-yajl-ruby
 rubygem-zip-zip
+runc
 rust
 sanlock
 scons
@@ -1247,6 +1256,7 @@ sg3_utils
 sgabios
 sgml-common
 sgx-backwards-compatibility
+skopeo
 shared-mime-info
 sharutils
 shim
@@ -1272,7 +1282,6 @@ squid
 sscg
 sshpass
 strongswan
-stunnel
 subunit
 subversion
 sudo
@@ -1310,6 +1319,7 @@ trace-cmd
 tracelogging
 traceroute
 tree
+trident
 ttembed
 tuna
 tuned

SPECS/alsa-lib/CVE-2026-25068.patch

@@ -0,0 +1,36 @@
+From 0bb8a3f223be367ec0db859577d15ad366f0fb48 Mon Sep 17 00:00:00 2001
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Thu, 29 Jan 2026 16:51:09 +0100
+Subject: [PATCH] topology: decoder - add boundary check for channel mixer
+ count
+
+Malicious binary topology file may cause heap corruption.
+
+CVE: CVE-2026-25068
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40.patch
+---
+ src/topology/ctl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/topology/ctl.c b/src/topology/ctl.c
+index dd05424..311dd05 100644
+--- a/src/topology/ctl.c
++++ b/src/topology/ctl.c
+@@ -1246,6 +1246,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg,
+ 	if (mc->num_channels > 0) {
+ 		map = tplg_calloc(heap, sizeof(*map));
+ 		map->num_channels = mc->num_channels;
++		if (map->num_channels > SND_TPLG_MAX_CHAN ||
++		    map->num_channels > SND_SOC_TPLG_MAX_CHAN) {
++		        SNDERR("mixer: unexpected channel count %d", map->num_channels);
++			return -EINVAL;
++		}
+ 		for (i = 0; i < map->num_channels; i++) {
+ 			map->channel[i].reg = mc->channel[i].reg;
+ 			map->channel[i].shift = mc->channel[i].shift;
+-- 
+2.45.4
+

SPECS/alsa-lib/alsa-lib.spec

@@ -3,14 +3,15 @@
 Summary:        ALSA library
 Name:           alsa-lib
 Version:        1.2.9
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        LGPLv2+
 Distribution:   Edge Microvisor Toolkit
 Vendor:         Intel Corporation
 Group:          Applications/Internet
 URL:            https://alsa-project.org
 Source0:        https://www.alsa-project.org/files/pub/lib/%{name}-%{version}.tar.bz2
 Source1:        https://www.alsa-project.org/files/pub/lib/alsa-topology-conf-%{version_alsa_tplg}.tar.bz2
+Patch0:         CVE-2026-25068.patch
 
 BuildRequires:  python3-devel
 BuildRequires:  python3-libs
@@ -37,7 +38,7 @@ The Advanced Linux Sound Architecture (ALSA) topology configuration
 contains alsa-lib configuration of SoC topology (widgets, mixers, pipelines).
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 %configure
@@ -68,6 +69,10 @@ tar xvjf %{SOURCE1} -C %{buildroot}/%{_datadir}/alsa --strip-components=1 --wild
 %{_datadir}/alsa/topology/*
 
 %changelog
+* Mon Mar 16 2026 Lee Chee Yang <chee.yang.lee@intel.com> - 1.2.9-3
+- merge from Azure Linux 3.0.20260304-3.0 
+- Patch for CVE-2026-25068
+
 * Tue Aug 26 2025 Basavaraj unniche<basavarajx.unniche@intel.com> - 1.2.9-2
 - Generate alsa-topology, which is needed for alsa-sof-firmware
 - Initial Edge Microvisor Toolkit import from Azure Linux (license: MIT). License verified.