Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/dev-cpp
diff options
context:
space:
mode:
authorJohn Helmert III <jchelmert3@posteo.net>2020-07-06 20:19:02 -0500
committerSam James <sam@gentoo.org>2020-07-27 02:18:13 +0000
commit9530f57129611ca33ca70dc96727466a082784e4 (patch)
treeb80e2248a2c0159a4357b12ae7693a7b537bae07 /dev-cpp
parentapp-text/xmldiff: amd64 stable (bug #732080) (diff)
downloadgentoo-9530f57129611ca33ca70dc96727466a082784e4.tar.gz
gentoo-9530f57129611ca33ca70dc96727466a082784e4.tar.bz2
gentoo-9530f57129611ca33ca70dc96727466a082784e4.zip
dev-cpp/yaml-cpp: Revbump to add security patch
Bug: https://bugs.gentoo.org/719150 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: John Helmert III <jchelmert3@posteo.net> Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'dev-cpp')
-rw-r--r--dev-cpp/yaml-cpp/files/yaml-cpp-0.6.3-fix-overflows.patch149
-rw-r--r--dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r3.ebuild49
2 files changed, 198 insertions, 0 deletions
diff --git a/dev-cpp/yaml-cpp/files/yaml-cpp-0.6.3-fix-overflows.patch b/dev-cpp/yaml-cpp/files/yaml-cpp-0.6.3-fix-overflows.patch
new file mode 100644
index 000000000000..4c5418db22d3
--- /dev/null
+++ b/dev-cpp/yaml-cpp/files/yaml-cpp-0.6.3-fix-overflows.patch
@@ -0,0 +1,149 @@
+This patch comes from the upstream commit here[1], slightly modified to
+apply to 0.6.3. The pull request[2] mentions fixing CVE-2017-5950,
+CVE-2018-{20573,20574}, and CVE-2019-6285. Note that CVE-2019-6292 appears to
+be a duplicate of CVE-2019-6285 [3].
+
+[1] https://github.com/jbeder/yaml-cpp/commit/4edff1fa5dbfca16fc72d89870841bee89f8ef89
+[2] https://github.com/jbeder/yaml-cpp/pull/807
+[3] https://github.com/jbeder/yaml-cpp/issues/660
+
+diff --git a/include/yaml-cpp/depthguard.h b/include/yaml-cpp/depthguard.h
+new file mode 100644
+index 00000000..8ca61ac6
+--- /dev/null
++++ b/include/yaml-cpp/depthguard.h
+@@ -0,0 +1,77 @@
++#ifndef DEPTH_GUARD_H_00000000000000000000000000000000000000000000000000000000
++#define DEPTH_GUARD_H_00000000000000000000000000000000000000000000000000000000
++
++#if defined(_MSC_VER) || \
++ (defined(__GNUC__) && (__GNUC__ == 3 && __GNUC_MINOR__ >= 4) || \
++ (__GNUC__ >= 4)) // GCC supports "pragma once" correctly since 3.4
++#pragma once
++#endif
++
++#include "exceptions.h"
++
++namespace YAML {
++
++/**
++ * @brief The DeepRecursion class
++ * An exception class which is thrown by DepthGuard. Ideally it should be
++ * a member of DepthGuard. However, DepthGuard is a templated class which means
++ * that any catch points would then need to know the template parameters. It is
++ * simpler for clients to not have to know at the catch point what was the
++ * maximum depth.
++ */
++class DeepRecursion : public ParserException {
++public:
++ virtual ~DeepRecursion() = default;
++
++ DeepRecursion(int depth, const Mark& mark_, const std::string& msg_);
++
++ // Returns the recursion depth when the exception was thrown
++ int depth() const {
++ return m_depth;
++ }
++
++private:
++ int m_depth = 0;
++};
++
++/**
++ * @brief The DepthGuard class
++ * DepthGuard takes a reference to an integer. It increments the integer upon
++ * construction of DepthGuard and decrements the integer upon destruction.
++ *
++ * If the integer would be incremented past max_depth, then an exception is
++ * thrown. This is ideally geared toward guarding against deep recursion.
++ *
++ * @param max_depth
++ * compile-time configurable maximum depth.
++ */
++template <int max_depth = 2000>
++class DepthGuard final {
++public:
++ DepthGuard(int & depth_, const Mark& mark_, const std::string& msg_) : m_depth(depth_) {
++ ++m_depth;
++ if ( max_depth <= m_depth ) {
++ throw DeepRecursion{m_depth, mark_, msg_};
++ }
++ }
++
++ DepthGuard(const DepthGuard & copy_ctor) = delete;
++ DepthGuard(DepthGuard && move_ctor) = delete;
++ DepthGuard & operator=(const DepthGuard & copy_assign) = delete;
++ DepthGuard & operator=(DepthGuard && move_assign) = delete;
++
++ ~DepthGuard() {
++ --m_depth;
++ }
++
++ int current_depth() const {
++ return m_depth;
++ }
++
++private:
++ int & m_depth;
++};
++
++} // namespace YAML
++
++#endif // DEPTH_GUARD_H_00000000000000000000000000000000000000000000000000000000
+diff --git a/src/depthguard.cpp b/src/depthguard.cpp
+new file mode 100644
+index 00000000..b88cd340
+--- /dev/null
++++ b/src/depthguard.cpp
+@@ -0,0 +1,10 @@
++#include "yaml-cpp/depthguard.h"
++
++namespace YAML {
++
++DeepRecursion::DeepRecursion(int depth, const Mark& mark_, const std::string& msg_)
++ : ParserException(mark_, msg_),
++ m_depth(depth) {
++}
++
++} // namespace YAML
+diff --git a/src/singledocparser.cpp b/src/singledocparser.cpp
+index 47e9e047..3e5638be 100644
+--- a/src/singledocparser.cpp
++++ b/src/singledocparser.cpp
+@@ -7,6 +7,7 @@
+ #include "singledocparser.h"
+ #include "tag.h"
+ #include "token.h"
++#include "yaml-cpp/depthguard.h"
+ #include "yaml-cpp/emitterstyle.h"
+ #include "yaml-cpp/eventhandler.h"
+ #include "yaml-cpp/exceptions.h" // IWYU pragma: keep
+@@ -47,6 +48,8 @@ void SingleDocParser::HandleDocument(EventHandler& eventHandler) {
+ }
+
+ void SingleDocParser::HandleNode(EventHandler& eventHandler) {
++ DepthGuard<2000> depthguard(depth, m_scanner.mark(), ErrorMsg::BAD_FILE);
++
+ // an empty node *is* a possibility
+ if (m_scanner.empty()) {
+ eventHandler.OnNull(m_scanner.mark(), NullAnchor);
+diff --git a/src/singledocparser.h b/src/singledocparser.h
+index c8cfca9d..f484eb1f 100644
+--- a/src/singledocparser.h
++++ b/src/singledocparser.h
+@@ -15,6 +15,7 @@
+
+ namespace YAML {
+ class CollectionStack;
++template <int> class DepthGuard; // depthguard.h
+ class EventHandler;
+ class Node;
+ class Scanner;
+@@ -55,6 +56,7 @@ class SingleDocParser {
+ anchor_t LookupAnchor(const Mark& mark, const std::string& name) const;
+
+ private:
++ int depth = 0;
+ Scanner& m_scanner;
+ const Directives& m_directives;
+ std::unique_ptr<CollectionStack> m_pCollectionStack;
diff --git a/dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r3.ebuild b/dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r3.ebuild
new file mode 100644
index 000000000000..8db7bca2434f
--- /dev/null
+++ b/dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r3.ebuild
@@ -0,0 +1,49 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+CMAKE_ECLASS="cmake"
+inherit cmake-multilib
+
+DESCRIPTION="YAML parser and emitter in C++"
+HOMEPAGE="https://github.com/jbeder/yaml-cpp"
+SRC_URI="https://github.com/jbeder/${PN}/archive/${P}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0/0.6"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux"
+IUSE="test"
+
+# test breaks build
+#RESTRICT="!test? ( test )"
+RESTRICT+="test"
+
+DEPEND="test? ( dev-cpp/gtest )"
+
+S="${WORKDIR}/${PN}-${P}"
+
+PATCHES=(
+ "${FILESDIR}/${P}-abi-breakage.patch"
+ "${FILESDIR}/${P}-CVE-2017-11692.patch"
+ "${FILESDIR}/${P}-fix-overflows.patch"
+)
+
+src_prepare() {
+ sed -i \
+ -e 's:INCLUDE_INSTALL_ROOT_DIR:INCLUDE_INSTALL_DIR:g' \
+ yaml-cpp.pc.cmake || die
+
+ cmake_src_prepare
+}
+
+src_configure() {
+ local mycmakeargs=(
+ -DBUILD_SHARED_LIBS=ON
+ -DYAML_BUILD_SHARED_LIBS=ON
+ -DYAML_CPP_BUILD_TOOLS=OFF # Don't have install rule
+ -DYAML_CPP_BUILD_TESTS=$(usex test)
+ )
+
+ cmake-multilib_src_configure
+}