!73 Fix trafficserver service error

From: @starlet-dx 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge

CVE-2024-38479.patch

@@ -0,0 +1,129 @@
+From b8861231702ac5df7d5de401e82440c1cf20b633 Mon Sep 17 00:00:00 2001
+From: Bryan Call <bcall@apache.org>
+Date: Tue, 12 Nov 2024 09:51:49 -0800
+Subject: [PATCH] Add matrix params to the cachekey in the cachekey plugin
+ (#11856)
+
+Origin: https://github.com/apache/trafficserver/commit/b8861231702ac5df7d5de401e82440c1cf20b633
+
+---
+ plugins/cachekey/cachekey.cc | 21 +++++++++++++++++++++
+ plugins/cachekey/cachekey.h  |  1 +
+ plugins/cachekey/configs.cc  | 14 ++++++++++++++
+ plugins/cachekey/configs.h   | 11 +++++++++++
+ plugins/cachekey/plugin.cc   |  4 ++++
+ 5 files changed, 51 insertions(+)
+
+diff --git a/plugins/cachekey/cachekey.cc b/plugins/cachekey/cachekey.cc
+index babc78cc999..38286e7eb28 100644
+--- a/plugins/cachekey/cachekey.cc
++++ b/plugins/cachekey/cachekey.cc
+@@ -673,6 +673,27 @@ CacheKey::appendQuery(const ConfigQuery &config)
+   }
+ }
+ 
++void
++CacheKey::appendMatrix(const ConfigMatrix &config)
++{
++  if (config.toBeRemoved()) {
++    return;
++  }
++
++  const char *matrix;
++  int length;
++
++  matrix = TSUrlHttpParamsGet(_buf, _url, &length);
++  if (matrix == nullptr || length == 0) {
++    return;
++  }
++
++  if (matrix && length) {
++    _key.append(";");
++    _key.append(matrix, length);
++  }
++}
++
+ /**
+  * @brief Append User-Agent header captures specified in the Pattern configuration object.
+  *
+diff --git a/plugins/cachekey/cachekey.h b/plugins/cachekey/cachekey.h
+index 0b47e85984d..dc208f93bb4 100644
+--- a/plugins/cachekey/cachekey.h
++++ b/plugins/cachekey/cachekey.h
+@@ -63,6 +63,7 @@ class CacheKey
+   void appendPath(Pattern &pathCapture, Pattern &pathCaptureUri);
+   void appendHeaders(const ConfigHeaders &config);
+   void appendQuery(const ConfigQuery &config);
++  void appendMatrix(const ConfigMatrix &config);
+   void appendCookies(const ConfigCookies &config);
+   void appendUaCaptures(Pattern &config);
+   bool appendUaClass(Classifier &classifier);
+diff --git a/plugins/cachekey/configs.cc b/plugins/cachekey/configs.cc
+index b2bc42d5e70..d6ef13aea68 100644
+--- a/plugins/cachekey/configs.cc
++++ b/plugins/cachekey/configs.cc
+@@ -208,6 +208,20 @@ ConfigQuery::name() const
+   return _NAME;
+ }
+ 
++bool
++ConfigMatrix::finalize()
++{
++  _remove = noIncludeExcludeRules();
++  return true;
++}
++
++const String ConfigMatrix::_NAME = "matrix parameter";
++inline const String &
++ConfigMatrix::name() const
++{
++  return _NAME;
++}
++
+ /**
+  * @briefs finalizes the headers related configuration.
+  *
+diff --git a/plugins/cachekey/configs.h b/plugins/cachekey/configs.h
+index e98b69afd48..f5d24bdbe3c 100644
+--- a/plugins/cachekey/configs.h
++++ b/plugins/cachekey/configs.h
+@@ -112,6 +112,16 @@ class ConfigQuery : public ConfigElements
+   static const String _NAME;
+ };
+ 
++class ConfigMatrix : public ConfigElements
++{
++public:
++  bool finalize() override;
++
++private:
++  const String &name() const override;
++  static const String _NAME;
++};
++
+ /**
+  * @brief Headers configuration class.
+  */
+@@ -210,6 +220,7 @@ class Configs
+   /* Make the following members public to avoid unnecessary accessors */
+   ConfigQuery _query;        /**< @brief query parameter related configuration */
+   ConfigHeaders _headers;    /**< @brief headers related configuration */
++  ConfigMatrix _matrix;      /**< @brief matrix parameter related configuration */
+   ConfigCookies _cookies;    /**< @brief cookies related configuration */
+   Pattern _uaCapture;        /**< @brief the capture groups and the replacement string used for the User-Agent header capture */
+   String _prefix;            /**< @brief cache key prefix string */
+diff --git a/plugins/cachekey/plugin.cc b/plugins/cachekey/plugin.cc
+index d92c079271a..b863b94a0d5 100644
+--- a/plugins/cachekey/plugin.cc
++++ b/plugins/cachekey/plugin.cc
+@@ -64,6 +64,10 @@ setCacheKey(TSHttpTxn txn, Configs *config, TSRemapRequestInfo *rri = nullptr)
+     if (!config->pathToBeRemoved()) {
+       cachekey.appendPath(config->_pathCapture, config->_pathCaptureUri);
+     }
++
++    /* Append the matrix parameters to the cache key. */
++    cachekey.appendMatrix(config->_matrix);
++
+     /* Append query parameters to the cache key. */
+     cachekey.appendQuery(config->_query);
+ 

CVE-2024-50305.patch

@@ -0,0 +1,72 @@
+From 5e39658f7c0bc91613468c9513ba22ede1739d7e Mon Sep 17 00:00:00 2001
+From: "Alan M. Carroll" <amc@apache.org>
+Date: Tue, 2 Nov 2021 11:47:09 -0500
+Subject: [PATCH] Tweak MimeHdr::get_host_port_values to not run over the end
+ of the TextView. (#8468)
+
+Origin: https://github.com/apache/trafficserver/commit/5e39658f7c0bc91613468c9513ba22ede1739d7e
+
+Fix for #8461
+
+(cherry picked from commit 055ca11c2842a64bf7df8d547515670e1a04afc1)
+---
+ proxy/hdrs/MIME.cc                         | 11 +++--------
+ src/tscpp/util/unit_tests/test_TextView.cc | 11 +++--------
+ 2 files changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/proxy/hdrs/MIME.cc b/proxy/hdrs/MIME.cc
+index 45c16c386dd..0a55dd06b4d 100644
+--- a/proxy/hdrs/MIME.cc
++++ b/proxy/hdrs/MIME.cc
+@@ -2284,20 +2284,15 @@ MIMEHdr::get_host_port_values(const char **host_ptr, ///< Pointer to host.
+     if (b) {
+       if ('[' == *b) {
+         auto idx = b.find(']');
+-        if (idx <= b.size() && b[idx + 1] == ':') {
++        if (idx < b.size() - 1 && b[idx + 1] == ':') {
+           host = b.take_prefix_at(idx + 1);
+           port = b;
+         } else {
+           host = b;
+         }
+       } else {
+-        auto x = b.split_prefix_at(':');
+-        if (x) {
+-          host = x;
+-          port = b;
+-        } else {
+-          host = b;
+-        }
++        host = b.take_prefix_at(':');
++        port = b;
+       }
+ 
+       if (host) {
+diff --git a/src/tscpp/util/unit_tests/test_TextView.cc b/src/tscpp/util/unit_tests/test_TextView.cc
+index 8f71e0aa39d..7f365369082 100644
+--- a/src/tscpp/util/unit_tests/test_TextView.cc
++++ b/src/tscpp/util/unit_tests/test_TextView.cc
+@@ -275,20 +275,15 @@ TEST_CASE("TextView Affixes", "[libts][TextView]")
+   auto f_host = [](TextView b, TextView &host, TextView &port) -> void {
+     if ('[' == *b) {
+       auto idx = b.find(']');
+-      if (idx <= b.size() && b[idx + 1] == ':') {
++      if (idx < b.size() - 1 && b[idx + 1] == ':') {
+         host = b.take_prefix_at(idx + 1);
+         port = b;
+       } else {
+         host = b;
+       }
+     } else {
+-      auto x = b.split_prefix_at(':');
+-      if (x) {
+-        host = x;
+-        port = b;
+-      } else {
+-        host = b;
+-      }
++      host = b.take_prefix_at(':');
++      port = b;
+     }
+   };
+ 

CVE-2024-50306.patch

@@ -0,0 +1,37 @@
+From 27f504883547502b1f5e4e389edd7f26e3ab246f Mon Sep 17 00:00:00 2001
+From: Masakazu Kitajo <maskit@apache.org>
+Date: Tue, 12 Nov 2024 11:13:59 -0700
+Subject: [PATCH] Fix unchecked return value of initgroups() (#11855)
+
+Origin: https://github.com/apache/trafficserver/commit/27f504883547502b1f5e4e389edd7f26e3ab246f
+
+* Fix unchecked return value of initgroups()
+
+Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+
+* clang-format
+
+---------
+
+Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Co-authored-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+(cherry picked from commit ae638096e259121d92d46a9f57026a5ff5bc328b)
+---
+ src/tscore/ink_cap.cc | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/tscore/ink_cap.cc b/src/tscore/ink_cap.cc
+index b4f0ecace5d..8a95d4b1329 100644
+--- a/src/tscore/ink_cap.cc
++++ b/src/tscore/ink_cap.cc
+@@ -160,7 +160,9 @@ impersonate(const struct passwd *pwd, ImpersonationLevel level)
+ #endif
+ 
+   // Always repopulate the supplementary group list for the new user.
+-  initgroups(pwd->pw_name, pwd->pw_gid);
++  if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
++    Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
++  }
+ 
+   switch (level) {
+   case IMPERSONATE_PERMANENT:

Invoke-initgroups-iff-we-got-enough-privileges.patch

@@ -0,0 +1,28 @@
+From d4dda9b5583d19e2eee268fec59aa487d61fc079 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Valent=C3=ADn=20Guti=C3=A9rrez?= <vgutierrez@wikimedia.org>
+Date: Thu, 21 Nov 2024 03:54:03 +0100
+Subject: [PATCH] Invoke initgroups() iff we got enough privileges (#11869)
+ (#11872)
+
+Follow up of #11855, that rendered unusable ATS as root when spawned via traffic_manager.
+---
+ src/tscore/ink_cap.cc | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/tscore/ink_cap.cc b/src/tscore/ink_cap.cc
+index 0f0d6f869e2..f464daad3b1 100644
+--- a/src/tscore/ink_cap.cc
++++ b/src/tscore/ink_cap.cc
+@@ -156,8 +156,10 @@ impersonate(const struct passwd *pwd, ImpersonationLevel level)
+ #endif
+ 
+   // Always repopulate the supplementary group list for the new user.
+-  if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+-    Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
++  if (geteuid() == 0) { // check that we have enough rights to call initgroups()
++    if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
++      Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
++    }
+   }
+ 
+   switch (level) {

add-loong64-support.patch

@@ -0,0 +1,39 @@
+From d52504bbf8673d1f33f9926933eece1eaf0b31c5 Mon Sep 17 00:00:00 2001
+From: Wenlong Zhang <zhangwenlong@loongson.cn>
+Date: Fri, 12 Jul 2024 07:23:25 +0000
+Subject: [PATCH] add loong64 support for trafficserver
+
+---
+ include/tscore/ink_queue.h               | 2 +-
+ iocore/eventsystem/UnixEventProcessor.cc | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/tscore/ink_queue.h b/include/tscore/ink_queue.h
+index ef79752..a9fb1b5 100644
+--- a/include/tscore/ink_queue.h
++++ b/include/tscore/ink_queue.h
+@@ -139,7 +139,7 @@ union head_p {
+ #define SET_FREELIST_POINTER_VERSION(_x, _p, _v) \
+   (_x).s.pointer = _p;                           \
+   (_x).s.version = _v
+-#elif defined(__x86_64__) || defined(__ia64__) || defined(__powerpc64__) || defined(__mips64) || defined(__riscv)
++#elif defined(__x86_64__) || defined(__ia64__) || defined(__powerpc64__) || defined(__mips64) || defined(__riscv) || defined(__loongarch64)
+ /* Layout of FREELIST_POINTER
+  *
+  *  0 ~ 47 bits : 48 bits, Virtual Address
+diff --git a/iocore/eventsystem/UnixEventProcessor.cc b/iocore/eventsystem/UnixEventProcessor.cc
+index 0c123c1..3fb27cb 100644
+--- a/iocore/eventsystem/UnixEventProcessor.cc
++++ b/iocore/eventsystem/UnixEventProcessor.cc
+@@ -141,7 +141,7 @@ void
+ ThreadAffinityInitializer::setup_stack_guard(void *stack, int stackguard_pages)
+ {
+ #if !(defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__arm64__) || defined(__aarch64__) || \
+-      defined(__mips__) || defined(__powerpc64__) || defined(__riscv))
++      defined(__mips__) || defined(__powerpc64__) || defined(__riscv) || defined(__loongarch64))
+ #error Unknown stack growth direction.  Determine the stack growth direction of your platform.
+ // If your stack grows upwards, you need to change this function and the calculation of stack_begin in do_alloc_stack.
+ #endif
+-- 
+2.43.0
+

add-riscv-support.patch

@@ -23,3 +23,16 @@ diff -Nur a/include/tscore/ink_queue.h b/include/tscore/ink_queue.h
  /* Layout of FREELIST_POINTER
   *
   *  0 ~ 47 bits : 48 bits, Virtual Address
+diff --git a/iocore/eventsystem/UnixEventProcessor.cc b/iocore/eventsystem/UnixEventProcessor.cc
+index 7980f08..1f9f30d 100644
+--- a/iocore/eventsystem/UnixEventProcessor.cc
++++ b/iocore/eventsystem/UnixEventProcessor.cc
+@@ -141,7 +141,7 @@ void
+ ThreadAffinityInitializer::setup_stack_guard(void *stack, int stackguard_pages)
+ {
+ #if !(defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__arm64__) || defined(__aarch64__) || \
+-      defined(__mips__) || defined(__powerpc64__))
++      defined(__mips__) || defined(__powerpc64__) || defined(__riscv))
+ #error Unknown stack growth direction.  Determine the stack growth direction of your platform.
+ // If your stack grows upwards, you need to change this function and the calculation of stack_begin in do_alloc_stack.
+ #endif

trafficserver.spec

@@ -1,7 +1,8 @@
 %define _hardened_build 1
+%global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler}
 Name:                trafficserver
-Version:             9.2.3
-Release:             1
+Version:             9.2.5
+Release:             3
 Summary:             Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache
 License:             Apache-2.0
 URL:                 https://trafficserver.apache.org/
@@ -12,6 +13,11 @@ Patch0002:           Fix-log-in-debug-mode.patch
 Patch0003:           config-layout-openEuler.patch
 Patch0004:           Modify-storage.config-for-traffic_cache_tool.patch
 Patch0005:           add-riscv-support.patch
+Patch0006:           add-loong64-support.patch
+Patch0007:           CVE-2024-38479.patch
+Patch0008:           CVE-2024-50305.patch
+Patch0009:           CVE-2024-50306.patch
+Patch0010:           Invoke-initgroups-iff-we-got-enough-privileges.patch
 BuildRequires:       expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel
 BuildRequires:       libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker
 BuildRequires:       libcap-devel cmake libunwind-devel automake chrpath
@@ -40,7 +46,7 @@ This package contains some Perl APIs for talking to the ATS management port.
 %build
 autoreconf
 ./configure \
-  --enable-layout=openEuler \
+  --enable-layout=%{vendor} \
   --libdir=%{_libdir}/trafficserver \
   --libexecdir=%{_libdir}/trafficserver/plugins \
   --enable-experimental-plugins \
@@ -132,6 +138,25 @@ getent passwd ats >/dev/null || useradd -r -u 176 -g ats -d / -s /sbin/nologin -
 %{_datadir}/pkgconfig/trafficserver.pc
 
 %changelog
+* Tue Dec 03 2024 yaoxin <yao_xin001@hoperun.com> - 9.2.5-3
+- Fix trafficserver service error
+
+* Fri Nov 15 2024 wangkai <13474090681@163.com> - 9.2.5-2
+- Fix CVE-2024-38479, CVE-2024-50306, CVE-2024-50305
+- Replace openEuler with vendor
+
+* Mon Jul 29 2024 wangkai <13474090681@163.com> - 9.2.5-1
+- Update to 9.2.5 for fix CVE-2023-38522, CVE-2024-35161, CVE-2024-35296
+
+* Fri Jul 12 2024 Wenlong Zhang <zhangwenlong@loongson.cn> - 9.2.3-4
+- add loong64 support for trafficserver
+
+* Thu May 30 2024 laokz <zhangkai@iscas.ac.cn> - 9.2.3-3
+- Update riscv64 patch
+
+* Sun Apr 07 2024 wangkai <13474090681@163.com> - 9.2.3-2
+- Fix CVE-2024-31309
+
 * Thu Oct 26 2023 wulei <wu_lei@hoperun.com> - 9.2.3-1
 - Update to 9.2.3