commit:     6402e212219a2e9faa61f02099c0455e84817b7e
Author:     Oliver Freyermuth <o.freyermuth <AT> googlemail <DOT> com>
AuthorDate: Tue Jan 23 19:57:35 2024 +0000
Commit:     Guilherme Amadio <amadio <AT> gentoo <DOT> org>
CommitDate: Tue Jan 30 08:23:58 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6402e212

dev-cpp/scitokens-cpp: backport fix for invalid vector access

Fixes tests on hardened systems and potential runtime errors.

Closes: https://bugs.gentoo.org/922679
Closes: https://github.com/gentoo/gentoo/pull/34980
Signed-off-by: Oliver Freyermuth <o.freyermuth <AT> googlemail.com>
Signed-off-by: Guilherme Amadio <amadio <AT> gentoo.org>

 ...scitokens-cpp-1.1.0-invalid-vector-access.patch | 24 +++++++++
 .../scitokens-cpp/scitokens-cpp-1.0.2-r2.ebuild    | 61 ++++++++++++++++++++++
 .../scitokens-cpp/scitokens-cpp-1.1.0-r1.ebuild    | 61 ++++++++++++++++++++++
 3 files changed, 146 insertions(+)

diff --git 
a/dev-cpp/scitokens-cpp/files/scitokens-cpp-1.1.0-invalid-vector-access.patch 
b/dev-cpp/scitokens-cpp/files/scitokens-cpp-1.1.0-invalid-vector-access.patch
new file mode 100644
index 000000000000..db524b4245d5
--- /dev/null
+++ 
b/dev-cpp/scitokens-cpp/files/scitokens-cpp-1.1.0-invalid-vector-access.patch
@@ -0,0 +1,24 @@
+Fix invalid std::vector access (visible with tests on hardened systems)
+
+From: Mattias Ellert <[email protected]>
+Bug: https://github.com/scitokens/scitokens-cpp/pull/126
+Bug: https://bugs.gentoo.org/922679
+
+---
+ src/scitokens_internal.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/scitokens_internal.cpp
++++ b/src/scitokens_internal.cpp
+@@ -978,9 +978,9 @@ bool scitokens::Validator::store_public_ec_key(const 
std::string &issuer,
+     auto x_num = BN_num_bytes(x_bignum.get());
+     auto y_num = BN_num_bytes(y_bignum.get());
+     std::vector<unsigned char> x_bin;
+-    x_bin.reserve(x_num);
++    x_bin.resize(x_num);
+     std::vector<unsigned char> y_bin;
+-    y_bin.reserve(y_num);
++    y_bin.resize(y_num);
+     BN_bn2bin(x_bignum.get(), &x_bin[0]);
+     BN_bn2bin(y_bignum.get(), &y_bin[0]);
+     std::string x_str(reinterpret_cast<char *>(&x_bin[0]), x_num);
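Review bot: The `&x_bin[0]` and `&y_bin[0]` expressions after the two `resize` calls still index an empty vector if `BN_num_bytes` returns 0, so the bounds assertion that presumably exposed the `reserve` bug on hardened builds could still fire. Using `data()` avoids indexing altogether, e.g. `BN_bn2bin(x_bignum.get(), x_bin.data());` and `std::string x_str(reinterpret_cast<char *>(x_bin.data()), x_num);`. Whether a zero-length coordinate can reach this point depends on how the key is validated earlier in `store_public_ec_key`, which starts and ends outside the hunk.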

diff --git a/dev-cpp/scitokens-cpp/scitokens-cpp-1.0.2-r2.ebuild 
b/dev-cpp/scitokens-cpp/scitokens-cpp-1.0.2-r2.ebuild
new file mode 100644
index 000000000000..9cc0a0384407
--- /dev/null
+++ b/dev-cpp/scitokens-cpp/scitokens-cpp-1.0.2-r2.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit cmake
+
+if [[ ${PV} == *9999* ]]; then
+       inherit git-r3
+       EGIT_REPO_URI="https://github.com/scitokens/scitokens-cpp";
+else
+       
SRC_URI="https://github.com/scitokens/${PN}/archive/refs/tags/v${PV}.tar.gz -> 
${P}.tar.gz"
+       KEYWORDS="~amd64 ~x86"
+fi
+
+DESCRIPTION="C++ implementation of the SciTokens library with a C library 
interface"
+HOMEPAGE="https://scitokens.org/";
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="test"
+
+DEPEND="
+       dev-cpp/jwt-cpp[picojson]
+       dev-db/sqlite
+       dev-libs/openssl:0=
+       net-misc/curl:0=
+       kernel_linux? ( sys-apps/util-linux )
+"
+RDEPEND="${DEPEND}"
+BDEPEND="
+       virtual/pkgconfig
+       test? ( dev-cpp/gtest )
+"
+RESTRICT="!test? ( test )"
+
+PATCHES=(
+               "${FILESDIR}"/${PN}-1.1.0-invalid-vector-access.patch
+)
+
+src_prepare() {
+       # Unbundle dev-cpp/gtest, dev-cpp/jwt-cpp
+       rm -r vendor || die
+       # Fix include path for picojson.
+       find src/ \( -name '*.cpp' -o -name '*.h' \) -type f -print0 | \
+               xargs -0 sed -r -e "s:picojson/picojson\.h:picojson.h:g" -i || 
die
+       # Disable network-based tests relying on external services.
+       if use test; then
+               sed -i  -e '/^TEST_F/s#RefreshTest#DISABLED_RefreshTest#' \
+                       -e 
'/^TEST_F/s#RefreshExpiredTest#DISABLED_RefreshExpiredTest#' test/main.cpp || 
die
+       fi
+       cmake_src_prepare
+}
+
+src_configure() {
+       local mycmakeargs=(
+               -DSCITOKENS_BUILD_UNITTESTS="$(usex test)"
+               -DSCITOKENS_EXTERNAL_GTEST=YES
+       )
+       cmake_src_configure
+}
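Review bot: In `src_prepare`, the `find … | xargs -0 sed … || die` pipeline only checks the exit status of `xargs`, so a failing `find` (for example, if `src/` moves upstream) would leave the picojson include path unpatched without aborting the build. Dropping the pipe makes the `|| die` meaningful: `find src/ \( -name '*.cpp' -o -name '*.h' \) -type f -exec sed -r -e "s:picojson/picojson\.h:picojson.h:g" -i {} + || die`. The same lines appear in scitokens-cpp-1.1.0-r1.ebuild. Separately, this 1.0.2 revision applies a patch named for 1.1.0, so a one-line comment above `PATCHES` such as `# upstream PR 126; also applies to 1.0.2` would record that this is intentional.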

diff --git a/dev-cpp/scitokens-cpp/scitokens-cpp-1.1.0-r1.ebuild 
b/dev-cpp/scitokens-cpp/scitokens-cpp-1.1.0-r1.ebuild
new file mode 100644
index 000000000000..9cc0a0384407
--- /dev/null
+++ b/dev-cpp/scitokens-cpp/scitokens-cpp-1.1.0-r1.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit cmake
+
+if [[ ${PV} == *9999* ]]; then
+       inherit git-r3
+       EGIT_REPO_URI="https://github.com/scitokens/scitokens-cpp";
+else
+       
SRC_URI="https://github.com/scitokens/${PN}/archive/refs/tags/v${PV}.tar.gz -> 
${P}.tar.gz"
+       KEYWORDS="~amd64 ~x86"
+fi
+
+DESCRIPTION="C++ implementation of the SciTokens library with a C library 
interface"
+HOMEPAGE="https://scitokens.org/";
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="test"
+
+DEPEND="
+       dev-cpp/jwt-cpp[picojson]
+       dev-db/sqlite
+       dev-libs/openssl:0=
+       net-misc/curl:0=
+       kernel_linux? ( sys-apps/util-linux )
+"
+RDEPEND="${DEPEND}"
+BDEPEND="
+       virtual/pkgconfig
+       test? ( dev-cpp/gtest )
+"
+RESTRICT="!test? ( test )"
+
+PATCHES=(
+               "${FILESDIR}"/${PN}-1.1.0-invalid-vector-access.patch
+)
+
+src_prepare() {
+       # Unbundle dev-cpp/gtest, dev-cpp/jwt-cpp
+       rm -r vendor || die
+       # Fix include path for picojson.
+       find src/ \( -name '*.cpp' -o -name '*.h' \) -type f -print0 | \
+               xargs -0 sed -r -e "s:picojson/picojson\.h:picojson.h:g" -i || 
die
+       # Disable network-based tests relying on external services.
+       if use test; then
+               sed -i  -e '/^TEST_F/s#RefreshTest#DISABLED_RefreshTest#' \
+                       -e 
'/^TEST_F/s#RefreshExpiredTest#DISABLED_RefreshExpiredTest#' test/main.cpp || 
die
+       fi
+       cmake_src_prepare
+}
+
+src_configure() {
+       local mycmakeargs=(
+               -DSCITOKENS_BUILD_UNITTESTS="$(usex test)"
+               -DSCITOKENS_EXTERNAL_GTEST=YES
+       )
+       cmake_src_configure
+}
