[dev] gmp: porting microsoft#1656 CVE-2021-43618 fix from 1.0-dev. (

microsoft#1666)
PawelWMS · Nov 23, 2021 · e8e45e7 · e8e45e7
1 parent 15c23fd
commit e8e45e7
Show file tree

Hide file tree

Showing 6 changed files with 85 additions and 47 deletions.
diff --git a/SPECS/gmp/CVE-2021-43618.patch b/SPECS/gmp/CVE-2021-43618.patch
@@ -0,0 +1,24 @@
+
+# HG changeset patch
+# User Marco Bodrato <bodrato@mail.dm.unipi.it>
+# Date 1634836009 -7200
+# Node ID 561a9c25298e17bb01896801ff353546c6923dbd
+# Parent  e1fd9db13b475209a864577237ea4b9105b3e96e
+mpz/inp_raw.c: Avoid bit size overflows
+
+diff -r e1fd9db13b47 -r 561a9c25298e mpz/inp_raw.c
+--- a/mpz/inp_raw.c	Tue Dec 22 23:49:51 2020 +0100
++++ b/mpz/inp_raw.c	Thu Oct 21 19:06:49 2021 +0200
+@@ -88,8 +88,11 @@
+
+   abs_csize = ABS (csize);
+
++  if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8))
++    return 0; /* Bit size overflows */
++
+   /* round up to a multiple of limbs */
+-  abs_xsize = BITS_TO_LIMBS (abs_csize*8);
++  abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);
+
+   if (abs_xsize != 0)
+     {
diff --git a/SPECS/gmp/gmp.spec b/SPECS/gmp/gmp.spec
@@ -1,28 +1,29 @@
-Summary:         Math libraries
-Name:            gmp
-Version:         6.2.1
-Release:         1%{?dist}
-License:         LGPLv3+
-URL:             http://www.gnu.org/software/gmp
-Group:           Applications/System
-Vendor:          Microsoft Corporation
-Distribution:    Mariner
-Source0:         http://ftp.gnu.org/gnu/gmp/%{name}-%{version}.tar.xz
+Summary:        Math libraries
+Name:           gmp
+Version:        6.2.1
+Release:        2%{?dist}
+License:        GPLv2+ AND GPLv3+ AND LGPLv3+
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          Applications/System
+URL:            https://www.gnu.org/software/gmp
+Source0:        http://ftp.gnu.org/gnu/gmp/%{name}-%{version}.tar.xz
+Patch0:         CVE-2021-43618.patch
 
 %description
 The GMP package contains math libraries. These have useful functions
 for arbitrary precision arithmetic.
 
 %package    devel
-Summary:    Header and development files for gmp
-Requires:   %{name} = %{version}-%{release}
+Summary:        Header and development files for gmp
+Requires:       %{name} = %{version}-%{release}
 
 %description    devel
 It contains the libraries and header files to create applications
 for handling compiled objects.
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 cp -v configfsf.guess config.guess
@@ -38,19 +39,18 @@ make %{?_smp_mflags}
 make DESTDIR=%{buildroot} install
 install -vdm 755 %{buildroot}%{_defaultdocdir}/%{name}-%{version}
 cp -v doc/{isa_abi_headache,configuration} doc/*.html %{buildroot}%{_defaultdocdir}/%{name}-%{version}
-find %{buildroot}%{_libdir} -name '*.la' -delete
+find %{buildroot} -type f -name "*.la" -delete -print
 rm -rf %{buildroot}%{_infodir}
 
 %check
 make %{?_smp_mflags} check
 
 %post -p /sbin/ldconfig
-
 %postun -p /sbin/ldconfig
 
 %files
 %defattr(-,root,root)
-%license COPYING
+%license COPYING COPYING.LESSERv3 COPYINGv2 COPYINGv3
 %{_libdir}/libgmp.so.*
 
 %files devel
@@ -63,24 +63,38 @@ make %{?_smp_mflags} check
 %{_docdir}/%{name}-%{version}/isa_abi_headache
 
 %changelog
-*   Mon Oct 11 2021 Andrew Phelps <anphel@microsoft.com> 6.2.1-1
--   Update to version 6.2.1
--   License verified
-*   Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 6.1.2-5
--   Added %%license line automatically
-*   Fri Feb 14 2020 Andrew Phelps <anphel@microsoft.com> 6.1.2-4
--   Use generic config to help prevent illegal instruction errors
-*   Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 6.1.2-3
--   Initial CBL-Mariner import from Photon (license: Apache2).
-*   Tue Apr 18 2017 Alexey Makhalov <amakhalov@vmware.com> 6.1.2-2
--   Disable cxx (do not build libgmpxx). Disable static.
-*   Mon Apr 17 2017 Danut Moraru <dmoraru@vmware.com> 6.1.2-1
--   Update to 6.1.2
-*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 6.0.0a-3
--   GA - Bump release of all rpms
-*   Thu Apr 14 2016 Mahmoud Bassiouny <mbassiouny@vmware.com> 6.0.0a-2
--   Disable assembly and use generic C code
-*   Tue Jan 12 2016 Xiaolin Li <xiaolinl@vmware.com> 6.0.0a-1
--   Updated to version 6.0.0
-*   Wed Nov 5 2014 Divya Thaluru <dthaluru@vmware.com> 5.1.3-1
--   Initial build. First version
+* Fri Nov 19 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 6.2.1-2
+- Adding a patch to fix CVE-2021-43618.
+- Added missing licensing information.
+- Using HTTPS in the 'URL' and 'Source0' tags.
+
+* Mon Oct 11 2021 Andrew Phelps <anphel@microsoft.com> - 6.2.1-1
+- Update to version 6.2.1
+- License verified
+
+* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 6.1.2-5
+- Added %%license line automatically
+
+* Fri Feb 14 2020 Andrew Phelps <anphel@microsoft.com> - 6.1.2-4
+- Use generic config to help prevent illegal instruction errors
+
+* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> - 6.1.2-3
+- Initial CBL-Mariner import from Photon (license: Apache2).
+
+* Tue Apr 18 2017 Alexey Makhalov <amakhalov@vmware.com> - 6.1.2-2
+- Disable cxx (do not build libgmpxx). Disable static.
+
+* Mon Apr 17 2017 Danut Moraru <dmoraru@vmware.com> - 6.1.2-1
+- Update to 6.1.2
+
+* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> - 6.0.0a-3
+- GA - Bump release of all rpms
+
+* Thu Apr 14 2016 Mahmoud Bassiouny <mbassiouny@vmware.com> - 6.0.0a-2
+- Disable assembly and use generic C code
+
+* Tue Jan 12 2016 Xiaolin Li <xiaolinl@vmware.com> - 6.0.0a-1
+- Updated to version 6.0.0
+
+* Wed Nov 5 2014 Divya Thaluru <dthaluru@vmware.com> - 5.1.3-1
+- Initial build. First version
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -14,8 +14,8 @@ file-devel-5.40-1.cm2.aarch64.rpm
 file-libs-5.40-1.cm2.aarch64.rpm
 binutils-2.37-1.cm2.aarch64.rpm
 binutils-devel-2.37-1.cm2.aarch64.rpm
-gmp-6.2.1-1.cm2.aarch64.rpm
-gmp-devel-6.2.1-1.cm2.aarch64.rpm
+gmp-6.2.1-2.cm2.aarch64.rpm
+gmp-devel-6.2.1-2.cm2.aarch64.rpm
 mpfr-4.1.0-1.cm2.aarch64.rpm
 mpfr-devel-4.1.0-1.cm2.aarch64.rpm
 libmpc-1.2.1-1.cm2.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -14,8 +14,8 @@ file-devel-5.40-1.cm2.x86_64.rpm
 file-libs-5.40-1.cm2.x86_64.rpm
 binutils-2.37-1.cm2.x86_64.rpm
 binutils-devel-2.37-1.cm2.x86_64.rpm
-gmp-6.2.1-1.cm2.x86_64.rpm
-gmp-devel-6.2.1-1.cm2.x86_64.rpm
+gmp-6.2.1-2.cm2.x86_64.rpm
+gmp-devel-6.2.1-2.cm2.x86_64.rpm
 mpfr-4.1.0-1.cm2.x86_64.rpm
 mpfr-devel-4.1.0-1.cm2.x86_64.rpm
 libmpc-1.2.1-1.cm2.x86_64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -112,9 +112,9 @@ glibc-tools-2.34-2.cm2.aarch64.rpm
 gmock-1.8.1-5.cm2.aarch64.rpm
 gmock-devel-1.8.1-5.cm2.aarch64.rpm
 gmock-static-1.8.1-5.cm2.aarch64.rpm
-gmp-6.2.1-1.cm2.aarch64.rpm
-gmp-debuginfo-6.2.1-1.cm2.aarch64.rpm
-gmp-devel-6.2.1-1.cm2.aarch64.rpm
+gmp-6.2.1-2.cm2.aarch64.rpm
+gmp-debuginfo-6.2.1-2.cm2.aarch64.rpm
+gmp-devel-6.2.1-2.cm2.aarch64.rpm
 gnupg2-2.2.20-4.cm2.aarch64.rpm
 gnupg2-debuginfo-2.2.20-4.cm2.aarch64.rpm
 golang-1.17.1-1.cm2.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -112,9 +112,9 @@ glibc-tools-2.34-2.cm2.x86_64.rpm
 gmock-1.8.1-5.cm2.x86_64.rpm
 gmock-devel-1.8.1-5.cm2.x86_64.rpm
 gmock-static-1.8.1-5.cm2.x86_64.rpm
-gmp-6.2.1-1.cm2.x86_64.rpm
-gmp-debuginfo-6.2.1-1.cm2.x86_64.rpm
-gmp-devel-6.2.1-1.cm2.x86_64.rpm
+gmp-6.2.1-2.cm2.x86_64.rpm
+gmp-debuginfo-6.2.1-2.cm2.x86_64.rpm
+gmp-devel-6.2.1-2.cm2.x86_64.rpm
 gnupg2-2.2.20-4.cm2.x86_64.rpm
 gnupg2-debuginfo-2.2.20-4.cm2.x86_64.rpm
 golang-1.17.1-1.cm2.x86_64.rpm