commit: 9530f57129611ca33ca70dc96727466a082784e4 Author: John Helmert III <jchelmert3 <AT> posteo <DOT> net> AuthorDate: Tue Jul 7 01:19:02 2020 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Mon Jul 27 02:18:13 2020 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9530f571
dev-cpp/yaml-cpp: Revbump to add security patch Bug: https://bugs.gentoo.org/719150 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: John Helmert III <jchelmert3 <AT> posteo.net> Signed-off-by: Sam James <sam <AT> gentoo.org> .../files/yaml-cpp-0.6.3-fix-overflows.patch | 149 +++++++++++++++++++++ dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r3.ebuild | 49 +++++++ 2 files changed, 198 insertions(+) diff --git a/dev-cpp/yaml-cpp/files/yaml-cpp-0.6.3-fix-overflows.patch b/dev-cpp/yaml-cpp/files/yaml-cpp-0.6.3-fix-overflows.patch new file mode 100644 index 00000000000..4c5418db22d --- /dev/null +++ b/dev-cpp/yaml-cpp/files/yaml-cpp-0.6.3-fix-overflows.patch @@ -0,0 +1,149 @@ +This patch comes from the upstream commit here[1], slightly modified to +apply to 0.6.3. The pull request[2] mentions fixing CVE-2017-5950, +CVE-2018-{20573,20574}, and CVE-2019-6285. Note that CVE-2019-6292 appears to +be a duplicate of CVE-2019-6285 [3]. + +[1] https://github.com/jbeder/yaml-cpp/commit/4edff1fa5dbfca16fc72d89870841bee89f8ef89 +[2] https://github.com/jbeder/yaml-cpp/pull/807 +[3] https://github.com/jbeder/yaml-cpp/issues/660 + +diff --git a/include/yaml-cpp/depthguard.h b/include/yaml-cpp/depthguard.h +new file mode 100644 +index 00000000..8ca61ac6 +--- /dev/null ++++ b/include/yaml-cpp/depthguard.h +@@ -0,0 +1,77 @@ ++#ifndef DEPTH_GUARD_H_00000000000000000000000000000000000000000000000000000000 ++#define DEPTH_GUARD_H_00000000000000000000000000000000000000000000000000000000 ++ ++#if defined(_MSC_VER) || \ ++ (defined(__GNUC__) && (__GNUC__ == 3 && __GNUC_MINOR__ >= 4) || \ ++ (__GNUC__ >= 4)) // GCC supports "pragma once" correctly since 3.4 ++#pragma once ++#endif ++ ++#include "exceptions.h" ++ ++namespace YAML { ++ ++/** ++ * @brief The DeepRecursion class ++ * An exception class which is thrown by DepthGuard. Ideally it should be ++ * a member of DepthGuard. However, DepthGuard is a templated class which means ++ * that any catch points would then need to know the template parameters. It is ++ * simpler for clients to not have to know at the catch point what was the ++ * maximum depth. ++ */ ++class DeepRecursion : public ParserException { ++public: ++ virtual ~DeepRecursion() = default; ++ ++ DeepRecursion(int depth, const Mark& mark_, const std::string& msg_); ++ ++ // Returns the recursion depth when the exception was thrown ++ int depth() const { ++ return m_depth; ++ } ++ ++private: ++ int m_depth = 0; ++}; ++ ++/** ++ * @brief The DepthGuard class ++ * DepthGuard takes a reference to an integer. It increments the integer upon ++ * construction of DepthGuard and decrements the integer upon destruction. ++ * ++ * If the integer would be incremented past max_depth, then an exception is ++ * thrown. This is ideally geared toward guarding against deep recursion. ++ * ++ * @param max_depth ++ * compile-time configurable maximum depth. ++ */ ++template <int max_depth = 2000> ++class DepthGuard final { ++public: ++ DepthGuard(int & depth_, const Mark& mark_, const std::string& msg_) : m_depth(depth_) { ++ ++m_depth; ++ if ( max_depth <= m_depth ) { ++ throw DeepRecursion{m_depth, mark_, msg_}; ++ } ++ } ++ ++ DepthGuard(const DepthGuard & copy_ctor) = delete; ++ DepthGuard(DepthGuard && move_ctor) = delete; ++ DepthGuard & operator=(const DepthGuard & copy_assign) = delete; ++ DepthGuard & operator=(DepthGuard && move_assign) = delete; ++ ++ ~DepthGuard() { ++ --m_depth; ++ } ++ ++ int current_depth() const { ++ return m_depth; ++ } ++ ++private: ++ int & m_depth; ++}; ++ ++} // namespace YAML ++ ++#endif // DEPTH_GUARD_H_00000000000000000000000000000000000000000000000000000000 +diff --git a/src/depthguard.cpp b/src/depthguard.cpp +new file mode 100644 +index 00000000..b88cd340 +--- /dev/null ++++ b/src/depthguard.cpp +@@ -0,0 +1,10 @@ ++#include "yaml-cpp/depthguard.h" ++ ++namespace YAML { ++ ++DeepRecursion::DeepRecursion(int depth, const Mark& mark_, const std::string& msg_) ++ : ParserException(mark_, msg_), ++ m_depth(depth) { ++} ++ ++} // namespace YAML +diff --git a/src/singledocparser.cpp b/src/singledocparser.cpp +index 47e9e047..3e5638be 100644 +--- a/src/singledocparser.cpp ++++ b/src/singledocparser.cpp +@@ -7,6 +7,7 @@ + #include "singledocparser.h" + #include "tag.h" + #include "token.h" ++#include "yaml-cpp/depthguard.h" + #include "yaml-cpp/emitterstyle.h" + #include "yaml-cpp/eventhandler.h" + #include "yaml-cpp/exceptions.h" // IWYU pragma: keep +@@ -47,6 +48,8 @@ void SingleDocParser::HandleDocument(EventHandler& eventHandler) { + } + + void SingleDocParser::HandleNode(EventHandler& eventHandler) { ++ DepthGuard<2000> depthguard(depth, m_scanner.mark(), ErrorMsg::BAD_FILE); ++ + // an empty node *is* a possibility + if (m_scanner.empty()) { + eventHandler.OnNull(m_scanner.mark(), NullAnchor); +diff --git a/src/singledocparser.h b/src/singledocparser.h +index c8cfca9d..f484eb1f 100644 +--- a/src/singledocparser.h ++++ b/src/singledocparser.h +@@ -15,6 +15,7 @@ + + namespace YAML { + class CollectionStack; ++template <int> class DepthGuard; // depthguard.h + class EventHandler; + class Node; + class Scanner; +@@ -55,6 +56,7 @@ class SingleDocParser { + anchor_t LookupAnchor(const Mark& mark, const std::string& name) const; + + private: ++ int depth = 0; + Scanner& m_scanner; + const Directives& m_directives; + std::unique_ptr<CollectionStack> m_pCollectionStack; diff --git a/dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r3.ebuild b/dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r3.ebuild new file mode 100644 index 00000000000..8db7bca2434 --- /dev/null +++ b/dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r3.ebuild @@ -0,0 +1,49 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +CMAKE_ECLASS="cmake" +inherit cmake-multilib + +DESCRIPTION="YAML parser and emitter in C++" +HOMEPAGE="https://github.com/jbeder/yaml-cpp"; +SRC_URI="https://github.com/jbeder/${PN}/archive/${P}.tar.gz"; + +LICENSE="MIT" +SLOT="0/0.6" +KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux" +IUSE="test" + +# test breaks build +#RESTRICT="!test? ( test )" +RESTRICT+="test" + +DEPEND="test? ( dev-cpp/gtest )" + +S="${WORKDIR}/${PN}-${P}" + +PATCHES=( + "${FILESDIR}/${P}-abi-breakage.patch" + "${FILESDIR}/${P}-CVE-2017-11692.patch" + "${FILESDIR}/${P}-fix-overflows.patch" +) + +src_prepare() { + sed -i \ + -e 's:INCLUDE_INSTALL_ROOT_DIR:INCLUDE_INSTALL_DIR:g' \ + yaml-cpp.pc.cmake || die + + cmake_src_prepare +} + +src_configure() { + local mycmakeargs=( + -DBUILD_SHARED_LIBS=ON + -DYAML_BUILD_SHARED_LIBS=ON + -DYAML_CPP_BUILD_TOOLS=OFF # Don't have install rule + -DYAML_CPP_BUILD_TESTS=$(usex test) + ) + + cmake-multilib_src_configure +}
