author | Ryan Egesdahl <ryan.egesdahl@mongodb.com> | 2020-05-15 20:26:18 -0700 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-05-20 20:26:44 +0000 |
commit | 1845ea31140161354ff6308296bde3436d0bd5f9 (patch) | |
tree | a30365cc9ceed67015c5613fd1dd7705ebb083f0 /src/third_party/scripts | |
parent | 675884128ee61da36b910050153861278f42e8cb (diff) | |
SERVER-48273 SERVER-48273 Backport yaml-cpp CVE fixes from 0.6.3 to 0.6.2
Backport the following yaml-cpp CVE fixes from version 0.6.3 to version 0.6.2:
* CVE-2019-6292
* CVE-2019-6285
Also, backport one fix from 0.6.3 for failing VS2017 builds.
We were previously downloading a source archive for yaml-cpp. To support
easily backporting fixes, it's changed to use git instead.
Diffstat (limited to 'src/third_party/scripts')
-rwxr-xr-x | src/third_party/scripts/yaml-cpp_get_sources.sh | 137 |
1 files changed, 113 insertions, 24 deletions
diff --git a/src/third_party/scripts/yaml-cpp_get_sources.sh b/src/third_party/scripts/yaml-cpp_get_sources.sh
index 63e8fe13e65..4b06f88244f 100755
--- a/src/third_party/scripts/yaml-cpp_get_sources.sh
+++ b/src/third_party/scripts/yaml-cpp_get_sources.sh
@@ -1,38 +1,127 @@
 #!/bin/bash
+# This script downloads and imports yaml-cpp
+# It can be run on Linux, Mac OS X or Windows WSL.
+# Actual integration into the build system is not done by this script.
-set -o verbose
-set -o errexit
+set -xeuo pipefail
-# This script downloads and import yaml-cpp
-# Yaml-cpp does not use any autotools/cmake/config system to it is a simple import.
-# This script is designed to run on Linux or Mac OS X
-#
-# Yaml-cpp tarballs use the name "yaml-cpp-yaml-cpp-$VERSION" so we need to rename it
-#
-
-VERSION=0.6.2
 NAME=yaml-cpp
-TARBALL=$NAME-$VERSION.tar.gz
-TARBALL_DEST_DIR=$NAME-$NAME-$VERSION
-DEST_DIR=`git rev-parse --show-toplevel`/src/third_party/$NAME-$VERSION
+VERSION=0.6.2
+BRANCH="${NAME}-${VERSION}"
+GIT_REPO=https://github.com/jbeder/yaml-cpp.git
+
+GIT_EXE=git
+if grep -q Microsoft /proc/version; then
+ GIT_EXE=git.exe
+fi
+
+DEST_DIR="$("${GIT_EXE}" rev-parse --show-toplevel)/src/third_party/${NAME}-${VERSION}"
+if grep -q Microsoft /proc/version; then
+ DEST_DIR=$(wslpath -u "${DEST_DIR}")
+fi
-if [ ! -f $TARBALL ]; then
- echo "Get tarball"
- wget https://github.com/jbeder/yaml-cpp/archive/$TARBALL
+CLONE_DEST="${DEST_DIR}/${NAME}"
+if grep -q Microsoft /proc/version; then
+ CLONE_DEST=$(wslpath -m "${CLONE_DEST}")
 fi
-tar -zxvf $TARBALL
+echo "dest: ${DEST_DIR}"
+
+[[ -d ${CLONE_DEST} ]] && mv "${CLONE_DEST}" "${CLONE_DEST}.old"
+"${GIT_EXE}" clone --branch="${BRANCH}" "${GIT_REPO}" "${CLONE_DEST}"
+
+
+# Apply patches
+
+# These patches are backports for CVE and compile fixes, so we need to remove
+# them when we finally upgrade to a version that has them.
+# TODO: https://jira.mongodb.org/browse/SERVER-48258
+
+# Patch CVE-2019-6292 and CVE-2019-6285
+# We're using diff-tree here because the commit includes a change to a test
+# which doesn't exist in this version, so we exclude it from the patch that
+# gets generated.
+git -C "${CLONE_DEST}" diff-tree -p 4edff1fa5dbfca16fc72d89870841bee89f8ef89 -- \
+ include/yaml-cpp/depthguard.h \
+ src/depthguard.cpp \
+ src/singledocparser.h \
+| git -C "${CLONE_DEST}" apply
-rm -rf $DEST_DIR
+# Fix error C3646 on VS2017 due to _NOEXCEPT override specifier
+git -C "${CLONE_DEST}" cherry-pick -x 0f9a586ca1dc29c2ecb8dd715a315b93e3f40f79
-mv $TARBALL_DEST_DIR $DEST_DIR
 # Prune sources
+
 echo "Prune tree"
-rm -rf $DEST_DIR/test
-rm -rf $DEST_DIR/util
-rm -f $DEST_DIR/CMakeLists.txt
-rm -f $DEST_DIR/*.cmake*
+rm -rf "${CLONE_DEST}/.git"
+rm -rf "${CLONE_DEST}/test"
+rm -rf "${CLONE_DEST}/util"
+rm -rf "${CLONE_DEST}/docs"
+rm -f "${CLONE_DEST}/BUILD.bazel"
+rm -f "${CLONE_DEST}/WORKSPACE"
+rm -f "${CLONE_DEST}/CMakeLists.txt"
+rm -f "${CLONE_DEST}/"*.cmake*
+rm -f "${CLONE_DEST}/yaml-cpp.pc.in"
+
+[[ -d ${CLONE_DEST}.old ]] && rm -rf "${CLONE_DEST}.old"
+
+
+# Generate the SConscript
+
+( cat > "${DEST_DIR}/SConscript" ) << ___EOF___
+# -*- mode: python; -*-
+# NOTE: This file is auto-generated by "$(basename $0)" - DO NOT EDIT
+
+Import("env")
+
+# Create a new environment since this one doesn't build without errors when using -Wno-virtual-dtor
+env = env.Clone()
+
+try:
+ env['CXXFLAGS'].remove('-Wnon-virtual-dtor')
+ env['CCFLAGS'].remove('-Wall')
+except ValueError:
+ pass
+
+env.InjectThirdParty('yaml', 'CPPDEFINES')
+
+env.Library(
+ target="yaml",
+ source=[
+ "yaml-cpp/src/binary.cpp",
+ "yaml-cpp/src/contrib/graphbuilder.cpp",
+ "yaml-cpp/src/contrib/graphbuilderadapter.cpp",
+ "yaml-cpp/src/convert.cpp",
+ "yaml-cpp/src/depthguard.cpp",
+ "yaml-cpp/src/directives.cpp",
+ "yaml-cpp/src/emit.cpp",
+ "yaml-cpp/src/emitfromevents.cpp",
+ "yaml-cpp/src/emitter.cpp",
+ "yaml-cpp/src/emitterstate.cpp",
+ "yaml-cpp/src/emitterutils.cpp",
+ "yaml-cpp/src/exceptions.cpp",
+ "yaml-cpp/src/exp.cpp",
+ "yaml-cpp/src/memory.cpp",
+ "yaml-cpp/src/node.cpp",
+ "yaml-cpp/src/node_data.cpp",
+ "yaml-cpp/src/nodebuilder.cpp",
+ "yaml-cpp/src/nodeevents.cpp",
+ "yaml-cpp/src/null.cpp",
+ "yaml-cpp/src/ostream_wrapper.cpp",
+ "yaml-cpp/src/parse.cpp",
+ "yaml-cpp/src/parser.cpp",
+ "yaml-cpp/src/regex_yaml.cpp",
+ "yaml-cpp/src/scanner.cpp",
+ "yaml-cpp/src/scanscalar.cpp",
+ "yaml-cpp/src/scantag.cpp",
+ "yaml-cpp/src/scantoken.cpp",
+ "yaml-cpp/src/simplekey.cpp",
+ "yaml-cpp/src/singledocparser.cpp",
+ "yaml-cpp/src/stream.cpp",
+ "yaml-cpp/src/tag.cpp",
+ ])
+___EOF___
-# Note: There are no config.h or other build artifacts to generate
 echo "Done"
+ |
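Review bot: The base checkout at `"${GIT_EXE}" clone --branch="${BRANCH}" "${GIT_REPO}" "${CLONE_DEST}"` trusts whatever the upstream tag named by `BRANCH` points to at run time, while the two backported fixes are pinned by full commit hash; a moved or re-created tag would change the vendored base without the script noticing. Record the reviewed commit and check it right after the clone, for example `[[ "$("${GIT_EXE}" -C "${CLONE_DEST}" rev-parse HEAD)" == "${EXPECTED_COMMIT}" ]] || { echo "unexpected yaml-cpp base commit" >&2; exit 1; }`, where `EXPECTED_COMMIT` is a placeholder for the audited hash (the page does not give it). Separately, the patch and prune steps call plain `git -C "${CLONE_DEST}"` and `rm -rf "${CLONE_DEST}/..."` after `CLONE_DEST` has been rewritten with `wslpath -m` for `git.exe`, so on WSL those commands probably receive a path they cannot resolve, and `rm -rf` would then skip the prune silently. Using `"${GIT_EXE}"` for every git call and keeping a separate Unix-style path for the shell commands would make the WSL branch consistent.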