!62 Add disable-hltools flag to fix CVE-2018-17433, CVE-2018-17436, CVE-2020-10809

From: @wk333 Reviewed-by: @starlet-dx Signed-off-by: @starlet-dx
2023-12-25 01:28:53 +00:00 · 2023-12-25 01:28:53 +00:00 · e7b9b674dd
commit e7b9b674dd
parent 502995c8ae 18c52f994c
2 changed files with 155 additions and 10 deletions
--- a/add-option-to-build-HL-tools.patch
+++ b/add-option-to-build-HL-tools.patch
@ -0,0 +1,149 @@
+From c9c85080e9c9ba2f98cd7bf0ca69775529e280e4 Mon Sep 17 00:00:00 2001
+From: Allen Byrne <50328838+byrnHDF@users.noreply.github.com>
+Date: Fri, 17 Sep 2021 11:01:26 -0500
+Subject: [PATCH] Merge HDFFV-11266 - add option to build HL tools #1018
+ (#1020)
+
+Origin: https://github.com/HDFGroup/hdf5/commit/c9c85080e9c9ba2f98cd7bf0ca69775529e280e4
+
+---
+ config/cmake/hdf5-config.cmake.in      |  1 +
+ config/cmake/libhdf5.settings.cmake.in |  1 +
+ configure.ac                           | 20 ++++++++++++++++++++
+ hl/CMakeLists.txt                      | 12 ++++++++++--
+ hl/Makefile.am                         |  4 ++++
+ release_docs/INSTALL_CMake.txt         |  1 +
+ release_docs/RELEASE.txt               |  8 ++++++++
+ 7 files changed, 45 insertions(+), 2 deletions(-)
+
+diff --git a/config/cmake/hdf5-config.cmake.in b/config/cmake/hdf5-config.cmake.in
+index 4d02c9c5ff2..8faa2fe2ba2 100644
+--- a/config/cmake/hdf5-config.cmake.in
+++ b/config/cmake/hdf5-config.cmake.in
+@@ -38,6 +38,7 @@ set (${HDF5_PACKAGE_NAME}_BUILD_CPP_LIB   @HDF5_BUILD_CPP_LIB@)
+ set (${HDF5_PACKAGE_NAME}_BUILD_JAVA      @HDF5_BUILD_JAVA@)
+ set (${HDF5_PACKAGE_NAME}_BUILD_TOOLS     @HDF5_BUILD_TOOLS@)
+ set (${HDF5_PACKAGE_NAME}_BUILD_HL_LIB    @HDF5_BUILD_HL_LIB@)
+set (${HDF5_PACKAGE_NAME}_BUILD_HL_TOOLS  @HDF5_BUILD_HL_TOOLS@)
+ set (${HDF5_PACKAGE_NAME}_ENABLE_THREADSAFE @HDF5_ENABLE_THREADSAFE@)
+ set (${HDF5_PACKAGE_NAME}_ENABLE_PLUGIN_SUPPORT @HDF5_ENABLE_PLUGIN_SUPPORT@)
+ set (${HDF5_PACKAGE_NAME}_ENABLE_Z_LIB_SUPPORT @HDF5_ENABLE_Z_LIB_SUPPORT@)
+diff --git a/config/cmake/libhdf5.settings.cmake.in b/config/cmake/libhdf5.settings.cmake.in
+index dd345b4cd5c..e5b150409c5 100644
+--- a/config/cmake/libhdf5.settings.cmake.in
+++ b/config/cmake/libhdf5.settings.cmake.in
+@@ -70,6 +70,7 @@ Parallel Filtered Dataset Writes: @PARALLEL_FILTERED_WRITES@
+               High-level library: @HDF5_BUILD_HL_LIB@
+                 Build HDF5 Tests: @BUILD_TESTING@
+                 Build HDF5 Tools: @HDF5_BUILD_TOOLS@
+     Build High-level HDF5 Tools: @HDF5_BUILD_HL_TOOLS@
+                     Threadsafety: @HDF5_ENABLE_THREADSAFE@ (recursive RW locks: @HDF5_USE_RECURSIVE_RW_LOCKS@) 
+              Default API mapping: @DEFAULT_API_VERSION@
+   With deprecated public symbols: @HDF5_ENABLE_DEPRECATED_SYMBOLS@
+diff --git a/configure.ac b/configure.ac
+index df0cec59fe5..7b4c3f56647 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -806,6 +806,7 @@ AC_LANG_POP(C++)
+ ## This needs to be exposed for the library info file even if the HL
+ ## library is disabled.
+ AC_SUBST([HDF5_HL])
+AC_SUBST([HDF5_HL_TOOLS])
+ 
+ ## The high-level library is enabled unless the build mode is clean.
+ if test "X-$BUILD_MODE" = "X-clean" ; then
+@@ -822,6 +823,9 @@ HL=""
+ ## Fortran high-level library
+ AC_SUBST(HL_FOR)
+ HL_FOR=""
+## Tools high-level library
+AC_SUBST(HL_TOOLS)
+HL_TOOLS=""
+ 
+ AC_MSG_CHECKING([if the high-level library is enabled])
+ AC_ARG_ENABLE([hl],
+@@ -840,6 +844,21 @@ else
+   AC_MSG_RESULT([no])
+ fi
+ 
+AC_MSG_CHECKING([if the high-level tools are enabled])
+AC_ARG_ENABLE([hltools],
+     [AS_HELP_STRING([--enable-hltools],
+                     [Enable the high-level tools.
+                     [default=yes)]
+                     ])],
+     [HDF5_HL_TOOLS=$enableval])
+
+if test "X${HDF5_HL}" = "Xyes" -a "X-$HDF5_HL_TOOLS" = "X-yes"; then
+ AC_MSG_RESULT([yes])
+ HL_TOOLS="tools"
+else
+  AC_MSG_RESULT([no])
+fi
+
+ 
+ ## ----------------------------------------------------------------------
+ ## Check which archiving tool to use. This needs to be done before
+@@ -3992,6 +4011,7 @@ AM_CONDITIONAL([BUILD_HDF5_HL_CONDITIONAL], [test "X$HDF5_HL" = "Xyes"])
+ AM_CONDITIONAL([BUILD_TESTS_CONDITIONAL], [test "X$HDF5_TESTS" = "Xyes"])
+ AM_CONDITIONAL([BUILD_TESTS_PARALLEL_CONDITIONAL], [test -n "$TESTPARALLEL"])
+ AM_CONDITIONAL([BUILD_TOOLS_CONDITIONAL], [test "X$HDF5_TOOLS" = "Xyes"])
+AM_CONDITIONAL([BUILD_TOOLS_HL_CONDITIONAL], [test "X$HDF5_HL_TOOLS" = "Xyes"])
+ AM_CONDITIONAL([BUILD_DOXYGEN_CONDITIONAL], [test "X$HDF5_DOXYGEN" = "Xyes"])
+ 
+ ## ----------------------------------------------------------------------
+diff --git a/hl/CMakeLists.txt b/hl/CMakeLists.txt
+index 083c60eb39e..5061c6c5a47 100644
+--- a/hl/CMakeLists.txt
+++ b/hl/CMakeLists.txt
+@@ -7,9 +7,17 @@ project (HDF5_HL C)
+ 
+ add_subdirectory (src)
+ 
+-#-- Build the High level Tools
+# Build HDF5 Tools
+ if (HDF5_BUILD_TOOLS)
+-  add_subdirectory (tools)
+  #-----------------------------------------------------------------------------
+  #-- Option to build the High level Tools
+  #-----------------------------------------------------------------------------
+  if (EXISTS "${HDF5_HL_SOURCE_DIR}/tools" AND IS_DIRECTORY "${HDF5_HL_SOURCE_DIR}/tools")
+    option (HDF5_BUILD_HL_TOOLS  "Build HDF5 HL Tools" ON)
+    if (HDF5_BUILD_HL_TOOLS)
+      add_subdirectory (tools)
+    endif ()
+  endif ()
+ endif ()
+ 
+ #-- Add High Level Examples
+diff --git a/hl/Makefile.am b/hl/Makefile.am
+index 80ef66a2a2c..ad035fe5073 100644
+--- a/hl/Makefile.am
+++ b/hl/Makefile.am
+@@ -37,10 +37,14 @@ else
+   TEST_DIR =
+ endif
+ if BUILD_TOOLS_CONDITIONAL
+if BUILD_TOOLS_HL_CONDITIONAL
+   TOOLS_DIR = tools
+ else
+   TOOLS_DIR =
+ endif
+else
+  TOOLS_DIR =
+endif
+ 
+ ## Don't recurse into any subdirectories if HDF5 is not configured to
+ ## use the HL library
+diff --git a/release_docs/INSTALL_CMake.txt b/release_docs/INSTALL_CMake.txt
+index 84044c7ee7e..adceb702aea 100644
+--- a/release_docs/INSTALL_CMake.txt
+++ b/release_docs/INSTALL_CMake.txt
+@@ -740,6 +740,7 @@ HDF5_BUILD_FORTRAN  "Build FORTRAN support"          OFF
+ HDF5_BUILD_JAVA     "Build JAVA support"             OFF
+ HDF5_BUILD_HL_LIB   "Build HIGH Level HDF5 Library"  ON
+ HDF5_BUILD_TOOLS    "Build HDF5 Tools"               ON
+HDF5_BUILD_HL_TOOLS "Build HIGH Level HDF5 Tools"    ON
+ 
+ ---------------- HDF5 Advanced Options ---------------------
+ ONLY_SHARED_LIBS               "Only Build Shared Libraries"                                  OFF
--- a/hdf5.spec
+++ b/hdf5.spec
@ -11,7 +11,7 @@

 Name: hdf5
 Version: 1.12.1
-Release: 5
+Release: 6
 Summary: A data model, library, and file format for storing and managing data
 License: GPL-2.0-or-later

@ -29,6 +29,7 @@ Patch6: CVE-2018-16438.patch
 Patch7: CVE-2019-8396.patch
 Patch8: CVE-2020-10812.patch
 Patch9: CVE-2021-37501.patch
+Patch10: add-option-to-build-HL-tools.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: krb5-devel, openssl-devel, zlib-devel, gcc-gfortran, time
@ -124,6 +125,7 @@ sed -e 's|-O -finline-functions|-O3 -finline-functions|g' -i config/gnu-flags
 %build
 %global _configure ../configure
 %global configure_opts \\\
+  --disable-hltools \\\
  --disable-silent-rules \\\
  --enable-fortran \\\
  --enable-fortran2003 \\\
@ -228,8 +230,6 @@ make %{?_smp_mflags} -C build check
 %license COPYING
 %doc MANIFEST README.txt release_docs/RELEASE.txt
 %doc release_docs/HISTORY*.txt
-%{_bindir}/gif2h5
-%{_bindir}/h52gif
 %{_bindir}/h5clear
 %{_bindir}/h5copy
 %{_bindir}/h5debug
@ -245,7 +245,6 @@ make %{?_smp_mflags} -C build check
 %{_bindir}/h5repart
 %{_bindir}/h5stat
 %{_bindir}/h5unjam
-%{_bindir}/h5watch
 %{_bindir}/mirror_server
 %{_bindir}/mirror_server_stop
 %{_libdir}/libhdf5.so.%{so_version}*
@ -273,8 +272,6 @@ make %{?_smp_mflags} -C build check
 %license COPYING
 %doc MANIFEST README.txt release_docs/RELEASE.txt
 %doc release_docs/HISTORY*.txt
-%{_libdir}/mpich/bin/gif2h5
-%{_libdir}/mpich/bin/h52gif
 %{_libdir}/mpich/bin/h5clear
 %{_libdir}/mpich/bin/h5copy
 %{_libdir}/mpich/bin/h5debug
@ -292,7 +289,6 @@ make %{?_smp_mflags} -C build check
 %{_libdir}/mpich/bin/h5repart
 %{_libdir}/mpich/bin/h5stat
 %{_libdir}/mpich/bin/h5unjam
-%{_libdir}/mpich/bin/h5watch
 %{_libdir}/mpich/bin/mirror_server
 %{_libdir}/mpich/bin/mirror_server_stop
 %{_libdir}/mpich/bin/ph5diff
@ -316,8 +312,6 @@ make %{?_smp_mflags} -C build check
 %license COPYING
 %doc MANIFEST README.txt release_docs/RELEASE.txt
 %doc release_docs/HISTORY*.txt
-%{_libdir}/openmpi/bin/gif2h5
-%{_libdir}/openmpi/bin/h52gif
 %{_libdir}/openmpi/bin/h5clear
 %{_libdir}/openmpi/bin/h5copy
 %{_libdir}/openmpi/bin/h5debug
@ -335,7 +329,6 @@ make %{?_smp_mflags} -C build check
 %{_libdir}/openmpi/bin/h5repart
 %{_libdir}/openmpi/bin/h5stat
 %{_libdir}/openmpi/bin/h5unjam
-%{_libdir}/openmpi/bin/h5watch
 %{_libdir}/openmpi/bin/mirror_server
 %{_libdir}/openmpi/bin/mirror_server_stop
 %{_libdir}/openmpi/bin/ph5diff
@ -355,6 +348,9 @@ make %{?_smp_mflags} -C build check
 %endif

 %changelog
+* Wed Dec 20 2023 wangkai <13474090681@163.com> - 1.12.1-6
+- Add disable-hltools flag to fix CVE-2018-17433, CVE-2018-17436, CVE-2020-10809
+
 * Thu Aug 31 2023 xu_ping <707078654@qq.com> - 1.12.1-5
 - Add BuildRequires environment-modules