From 351eb8dea3703cd4e279ca6eb13dda37b8980c5f Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Fri, 22 Dec 2023 16:37:12 +0800
Subject: [PATCH] Add disable-hltools flag to fix CVE-2018-17433, CVE-2018-17436, CVE-2020-10809
---
 add-option-to-build-HL-tools.patch | 149 +++++++++++++++++++++++++++++
 hdf5.spec | 16 ++--
 2 files changed, 155 insertions(+), 10 deletions(-)
 create mode 100644 add-option-to-build-HL-tools.patch
diff --git a/add-option-to-build-HL-tools.patch b/add-option-to-build-HL-tools.patch
new file mode 100644
index 0000000..77c800e
--- /dev/null
+++ b/add-option-to-build-HL-tools.patch
@@ -0,0 +1,149 @@ +From c9c85080e9c9ba2f98cd7bf0ca69775529e280e4 Mon Sep 17 00:00:00 2001 +From: Allen Byrne <50328838+byrnHDF@users.noreply.github.com> +Date: Fri, 17 Sep 2021 11:01:26 -0500 +Subject: [PATCH] Merge HDFFV-11266 - add option to build HL tools #1018 + (#1020) + +Origin: https://github.com/HDFGroup/hdf5/commit/c9c85080e9c9ba2f98cd7bf0ca69775529e280e4 + +--- + config/cmake/hdf5-config.cmake.in | 1 + + config/cmake/libhdf5.settings.cmake.in | 1 + + configure.ac | 20 ++++++++++++++++++++ + hl/CMakeLists.txt | 12 ++++++++++-- + hl/Makefile.am | 4 ++++ + release_docs/INSTALL_CMake.txt | 1 + + release_docs/RELEASE.txt | 8 ++++++++ + 7 files changed, 45 insertions(+), 2 deletions(-) + +diff --git a/config/cmake/hdf5-config.cmake.in b/config/cmake/hdf5-config.cmake.in +index 4d02c9c5ff2..8faa2fe2ba2 100644 +--- a/config/cmake/hdf5-config.cmake.in ++++ b/config/cmake/hdf5-config.cmake.in +@@ -38,6 +38,7 @@ set (${HDF5_PACKAGE_NAME}_BUILD_CPP_LIB @HDF5_BUILD_CPP_LIB@) + set (${HDF5_PACKAGE_NAME}_BUILD_JAVA @HDF5_BUILD_JAVA@) + set (${HDF5_PACKAGE_NAME}_BUILD_TOOLS @HDF5_BUILD_TOOLS@) + set (${HDF5_PACKAGE_NAME}_BUILD_HL_LIB @HDF5_BUILD_HL_LIB@) ++set (${HDF5_PACKAGE_NAME}_BUILD_HL_TOOLS @HDF5_BUILD_HL_TOOLS@) + set (${HDF5_PACKAGE_NAME}_ENABLE_THREADSAFE @HDF5_ENABLE_THREADSAFE@) + set (${HDF5_PACKAGE_NAME}_ENABLE_PLUGIN_SUPPORT @HDF5_ENABLE_PLUGIN_SUPPORT@) + set (${HDF5_PACKAGE_NAME}_ENABLE_Z_LIB_SUPPORT @HDF5_ENABLE_Z_LIB_SUPPORT@) +diff --git a/config/cmake/libhdf5.settings.cmake.in b/config/cmake/libhdf5.settings.cmake.in +index dd345b4cd5c..e5b150409c5 100644 +--- a/config/cmake/libhdf5.settings.cmake.in ++++ b/config/cmake/libhdf5.settings.cmake.in +@@ -70,6 +70,7 @@ Parallel Filtered Dataset Writes: @PARALLEL_FILTERED_WRITES@ + High-level library: @HDF5_BUILD_HL_LIB@ + Build HDF5 Tests: @BUILD_TESTING@ + Build HDF5 Tools: @HDF5_BUILD_TOOLS@ ++ Build High-level HDF5 Tools: @HDF5_BUILD_HL_TOOLS@ + Threadsafety: @HDF5_ENABLE_THREADSAFE@ (recursive RW 
locks: @HDF5_USE_RECURSIVE_RW_LOCKS@) + Default API mapping: @DEFAULT_API_VERSION@ + With deprecated public symbols: @HDF5_ENABLE_DEPRECATED_SYMBOLS@ +diff --git a/configure.ac b/configure.ac +index df0cec59fe5..7b4c3f56647 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -806,6 +806,7 @@ AC_LANG_POP(C++) + ## This needs to be exposed for the library info file even if the HL + ## library is disabled. + AC_SUBST([HDF5_HL]) ++AC_SUBST([HDF5_HL_TOOLS]) + + ## The high-level library is enabled unless the build mode is clean. + if test "X-$BUILD_MODE" = "X-clean" ; then +@@ -822,6 +823,9 @@ HL="" + ## Fortran high-level library + AC_SUBST(HL_FOR) + HL_FOR="" ++## Tools high-level library ++AC_SUBST(HL_TOOLS) ++HL_TOOLS="" + + AC_MSG_CHECKING([if the high-level library is enabled]) + AC_ARG_ENABLE([hl], +@@ -840,6 +844,21 @@ else + AC_MSG_RESULT([no]) + fi + ++AC_MSG_CHECKING([if the high-level tools are enabled]) ++AC_ARG_ENABLE([hltools], ++ [AS_HELP_STRING([--enable-hltools], ++ [Enable the high-level tools. ++ [default=yes)] ++ ])], ++ [HDF5_HL_TOOLS=$enableval]) ++ ++if test "X${HDF5_HL}" = "Xyes" -a "X-$HDF5_HL_TOOLS" = "X-yes"; then ++ AC_MSG_RESULT([yes]) ++ HL_TOOLS="tools" ++else ++ AC_MSG_RESULT([no]) ++fi ++ + + ## ---------------------------------------------------------------------- + ## Check which archiving tool to use. 
This needs to be done before +@@ -3992,6 +4011,7 @@ AM_CONDITIONAL([BUILD_HDF5_HL_CONDITIONAL], [test "X$HDF5_HL" = "Xyes"]) + AM_CONDITIONAL([BUILD_TESTS_CONDITIONAL], [test "X$HDF5_TESTS" = "Xyes"]) + AM_CONDITIONAL([BUILD_TESTS_PARALLEL_CONDITIONAL], [test -n "$TESTPARALLEL"]) + AM_CONDITIONAL([BUILD_TOOLS_CONDITIONAL], [test "X$HDF5_TOOLS" = "Xyes"]) ++AM_CONDITIONAL([BUILD_TOOLS_HL_CONDITIONAL], [test "X$HDF5_HL_TOOLS" = "Xyes"]) + AM_CONDITIONAL([BUILD_DOXYGEN_CONDITIONAL], [test "X$HDF5_DOXYGEN" = "Xyes"]) + + ## ---------------------------------------------------------------------- +diff --git a/hl/CMakeLists.txt b/hl/CMakeLists.txt +index 083c60eb39e..5061c6c5a47 100644 +--- a/hl/CMakeLists.txt ++++ b/hl/CMakeLists.txt +@@ -7,9 +7,17 @@ project (HDF5_HL C) + + add_subdirectory (src) + +-#-- Build the High level Tools ++# Build HDF5 Tools + if (HDF5_BUILD_TOOLS) +- add_subdirectory (tools) ++ #----------------------------------------------------------------------------- ++ #-- Option to build the High level Tools ++ #----------------------------------------------------------------------------- ++ if (EXISTS "${HDF5_HL_SOURCE_DIR}/tools" AND IS_DIRECTORY "${HDF5_HL_SOURCE_DIR}/tools") ++ option (HDF5_BUILD_HL_TOOLS "Build HDF5 HL Tools" ON) ++ if (HDF5_BUILD_HL_TOOLS) ++ add_subdirectory (tools) ++ endif () ++ endif () + endif () + + #-- Add High Level Examples +diff --git a/hl/Makefile.am b/hl/Makefile.am +index 80ef66a2a2c..ad035fe5073 100644 +--- a/hl/Makefile.am ++++ b/hl/Makefile.am +@@ -37,10 +37,14 @@ else + TEST_DIR = + endif + if BUILD_TOOLS_CONDITIONAL ++if BUILD_TOOLS_HL_CONDITIONAL + TOOLS_DIR = tools + else + TOOLS_DIR = + endif ++else ++ TOOLS_DIR = ++endif + + ## Don't recurse into any subdirectories if HDF5 is not configured to + ## use the HL library +diff --git a/release_docs/INSTALL_CMake.txt b/release_docs/INSTALL_CMake.txt +index 84044c7ee7e..adceb702aea 100644 +--- a/release_docs/INSTALL_CMake.txt ++++ b/release_docs/INSTALL_CMake.txt 
+@@ -740,6 +740,7 @@ HDF5_BUILD_FORTRAN "Build FORTRAN support" OFF + HDF5_BUILD_JAVA "Build JAVA support" OFF + HDF5_BUILD_HL_LIB "Build HIGH Level HDF5 Library" ON + HDF5_BUILD_TOOLS "Build HDF5 Tools" ON ++HDF5_BUILD_HL_TOOLS "Build HIGH Level HDF5 Tools" ON + + ---------------- HDF5 Advanced Options --------------------- + ONLY_SHARED_LIBS "Only Build Shared Libraries" OFF diff --git a/hdf5.spec b/hdf5.spec index 429edc7..0b1b0d1 100644 --- a/hdf5.spec +++ b/hdf5.spec @@ -11,7 +11,7 @@ Name: hdf5 Version: 1.12.1 -Release: 3 +Release: 4 Summary: A data model, library, and file format for storing and managing data License: GPL-2.0-or-later @@ -29,6 +29,7 @@ Patch6: CVE-2018-16438.patch Patch7: CVE-2019-8396.patch Patch8: CVE-2020-10812.patch Patch9: CVE-2021-37501.patch +Patch10: add-option-to-build-HL-tools.patch BuildRequires: gcc, gcc-c++ BuildRequires: krb5-devel, openssl-devel, zlib-devel, gcc-gfortran, time @@ -123,6 +124,7 @@ sed -e 's|-O -finline-functions|-O3 -finline-functions|g' -i config/gnu-flags %build %global _configure ../configure %global configure_opts \\\ + --disable-hltools \\\ --disable-silent-rules \\\ --enable-fortran \\\ --enable-fortran2003 \\\ @@ -227,8 +229,6 @@ make %{?_smp_mflags} -C build check %license COPYING %doc MANIFEST README.txt release_docs/RELEASE.txt %doc release_docs/HISTORY*.txt -%{_bindir}/gif2h5 -%{_bindir}/h52gif %{_bindir}/h5clear %{_bindir}/h5copy %{_bindir}/h5debug @@ -244,7 +244,6 @@ make %{?_smp_mflags} -C build check %{_bindir}/h5repart %{_bindir}/h5stat %{_bindir}/h5unjam -%{_bindir}/h5watch %{_bindir}/mirror_server %{_bindir}/mirror_server_stop %{_libdir}/libhdf5.so.%{so_version}* @@ -272,8 +271,6 @@ make %{?_smp_mflags} -C build check %license COPYING %doc MANIFEST README.txt release_docs/RELEASE.txt %doc release_docs/HISTORY*.txt -%{_libdir}/mpich/bin/gif2h5 -%{_libdir}/mpich/bin/h52gif %{_libdir}/mpich/bin/h5clear %{_libdir}/mpich/bin/h5copy %{_libdir}/mpich/bin/h5debug 
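Review bot: In the configure.ac part of this backported patch, the help text for `--enable-hltools` says the default is yes, but the only assignment visible is `[HDF5_HL_TOOLS=$enableval]` in the action-if-given argument, so with the switch omitted the variable looks empty and both the `"X-$HDF5_HL_TOOLS" = "X-yes"` test and `BUILD_TOOLS_HL_CONDITIONAL` evaluate false, unless it is initialised somewhere outside these hunks. Since the package relies on this switch to keep gif2h5, h52gif and h5watch out of the build, the spec should keep passing `--disable-hltools` explicitly rather than depend on whichever default a later rebase ends up with. If the patch is ever refreshed, a fourth argument `[HDF5_HL_TOOLS=yes]` to `AC_ARG_ENABLE` would make the behaviour match the help string, which also carries a stray `)` in `[default=yes)]`. On the CMake side `HDF5_BUILD_HL_TOOLS` is only defined inside `if (HDF5_BUILD_TOOLS)`, so `@HDF5_BUILD_HL_TOOLS@` in the two `.in` templates would expand to nothing when tools are off; that path is not exercised by this spec, which runs `../configure`.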
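Review bot: The `--disable-hltools` line added to `configure_opts` only stops gif2h5, h52gif and h5watch from being built; no change to the HL tools sources is visible in this commit, so the changelog's "fix" for CVE-2018-17433, CVE-2018-17436 and CVE-2020-10809 is a mitigation by removal, and the code stays in the source package for anyone who rebuilds without the flag. I would record that next to the option, for example above `%global configure_opts`: `# HL tools (gif2h5, h52gif, h5watch) are not built: CVE-2018-17433, CVE-2018-17436, CVE-2020-10809 are mitigated by removal, not patched`. Users who had these binaries lose them on upgrade, so the changelog entry should name the three dropped tools as well. The `%files` deletions in the later hunks are what keeps the removal checked, since rpmbuild would normally stop on unpackaged files if the tools were built again; the `%global configure_opts` definition continues outside this hunk.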
@@ -291,7 +288,6 @@ make %{?_smp_mflags} -C build check %{_libdir}/mpich/bin/h5repart %{_libdir}/mpich/bin/h5stat %{_libdir}/mpich/bin/h5unjam -%{_libdir}/mpich/bin/h5watch %{_libdir}/mpich/bin/mirror_server %{_libdir}/mpich/bin/mirror_server_stop %{_libdir}/mpich/bin/ph5diff @@ -315,8 +311,6 @@ make %{?_smp_mflags} -C build check %license COPYING %doc MANIFEST README.txt release_docs/RELEASE.txt %doc release_docs/HISTORY*.txt -%{_libdir}/openmpi/bin/gif2h5 -%{_libdir}/openmpi/bin/h52gif %{_libdir}/openmpi/bin/h5clear %{_libdir}/openmpi/bin/h5copy %{_libdir}/openmpi/bin/h5debug @@ -334,7 +328,6 @@ make %{?_smp_mflags} -C build check %{_libdir}/openmpi/bin/h5repart %{_libdir}/openmpi/bin/h5stat %{_libdir}/openmpi/bin/h5unjam -%{_libdir}/openmpi/bin/h5watch %{_libdir}/openmpi/bin/mirror_server %{_libdir}/openmpi/bin/mirror_server_stop %{_libdir}/openmpi/bin/ph5diff @@ -354,6 +347,9 @@ make %{?_smp_mflags} -C build check %endif %changelog +* Wed Dec 20 2023 wangkai <13474090681@163.com> - 1.12.1-4 +- Add disable-hltools flag to fix CVE-2018-17433, CVE-2018-17436, CVE-2020-10809 + * Tue Apr 11 2023 liyanan - 1.12.1-3 - Preserve the rpath of the hdf5-openmpi and hdf5-mpich subpackages -- Gitee