From a6c01c636921d5d7b7dd91f02756569b67225658 Mon Sep 17 00:00:00 2001
From: zhouganqing
Date: Mon, 13 Feb 2023 17:23:41 +0800
Subject: [PATCH] Import Debian changes 1.3.3-ok1
protobuf-c (1.3.3-ok1) yangtze; urgency=medium
* Build for openKylin.
---
debian/changelog | 5 ++
debian/control | 72 ++++++++++++++++
debian/copyright | 69 +++++++++++++++
debian/libprotobuf-c-dev.install | 5 ++
debian/libprotobuf-c1.install | 1 +
debian/libprotobuf-c1.symbols | 23 +++++
debian/patches/CVE-2022-33070.patch | 84 +++++++++++++++++++
debian/patches/misc-2022-null-deref.patch | 23 +++++
.../patches/misc-2022-unsigned-integer.patch | 30 +++++++
debian/patches/series | 3 +
debian/protobuf-c-compiler.install | 1 +
debian/rules | 6 ++
debian/source/format | 1 +
debian/tests/build-test | 29 +++++++
debian/tests/control | 6 ++
debian/watch | 3 +
16 files changed, 361 insertions(+)
create mode 100644 debian/changelog
create mode 100644 debian/control
create mode 100644 debian/copyright
create mode 100644 debian/libprotobuf-c-dev.install
create mode 100644 debian/libprotobuf-c1.install
create mode 100644 debian/libprotobuf-c1.symbols
create mode 100644 debian/patches/CVE-2022-33070.patch
create mode 100644 debian/patches/misc-2022-null-deref.patch
create mode 100644 debian/patches/misc-2022-unsigned-integer.patch
create mode 100644 debian/patches/series
create mode 100644 debian/protobuf-c-compiler.install
create mode 100755 debian/rules
create mode 100644 debian/source/format
create mode 100644 debian/tests/build-test
create mode 100644 debian/tests/control
create mode 100644 debian/watch
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..c75160a
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+protobuf-c (1.3.3-ok1) yangtze; urgency=medium
+
+ * Build for openKylin.
+
+ -- zhouganqing Mon, 13 Feb 2023 17:23:41 +0800
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..e0e6909
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,72 @@
+Source: protobuf-c
+Section: devel
+Priority: optional
+Maintainer: OpenKylin Developers
+Build-Depends:
+ debhelper-compat (= 12),
+ libprotobuf-dev (>= 2.6.0~),
+ libprotoc-dev (>= 2.6.0~),
+ pkg-config,
+ protobuf-compiler (>= 2.6.0~),
+Standards-Version: 4.5.0
+Homepage: https://github.com/protobuf-c/protobuf-c
+Vcs-Browser: https://gitee.com/openkylin/protobuf-c
+Vcs-Git: https://gitee.com/openkylin/protobuf-c.git
+
+Package: libprotobuf-c-dev
+Architecture: any
+Section: libdevel
+Depends: libprotobuf-c1 (= ${binary:Version}), ${misc:Depends}
+Breaks: protobuf-c-compiler (<< 1.0.0~)
+Multi-Arch: same
+Description: Protocol Buffers C static library and headers (protobuf-c)
+ Protocol Buffers are a flexible, efficient, automated mechanism for
+ serializing structured data - similar to XML, but smaller, faster, and
+ simpler. You define how you want your data to be structured once, then you can
+ use special generated source code to easily write and read your structured
+ data to and from a variety of data streams and using a variety of languages.
+ You can even update your data structure without breaking deployed programs
+ that are compiled against the "old" format.
+ .
+ This is the "protobuf-c" implementation of Protocol Buffers in C.
+ .
+ This package contains the static library and development headers.
+
+Package: libprotobuf-c1
+Architecture: any
+Section: libs
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Multi-Arch: same
+Description: Protocol Buffers C shared library (protobuf-c)
+ Protocol Buffers are a flexible, efficient, automated mechanism for
+ serializing structured data - similar to XML, but smaller, faster, and
+ simpler. You define how you want your data to be structured once, then you can
+ use special generated source code to easily write and read your structured
+ data to and from a variety of data streams and using a variety of languages.
+ You can even update your data structure without breaking deployed programs
+ that are compiled against the "old" format.
+ .
+ This is the "protobuf-c" implementation of Protocol Buffers in C.
+ .
+ This package contains the shared library.
+
+Package: protobuf-c-compiler
+Architecture: any
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Multi-Arch: foreign
+Description: Protocol Buffers C compiler (protobuf-c)
+ Protocol Buffers are a flexible, efficient, automated mechanism for
+ serializing structured data - similar to XML, but smaller, faster, and
+ simpler. You define how you want your data to be structured once, then you can
+ use special generated source code to easily write and read your structured
+ data to and from a variety of data streams and using a variety of languages.
+ You can even update your data structure without breaking deployed programs
+ that are compiled against the "old" format.
+ .
+ This is the "protobuf-c" implementation of Protocol Buffers in C.
+ .
+ This package contains the "protoc-c" code generator that creates C stubs from
+ Protocol Buffers .proto files. These stubs must be compiled and linked against
+ the libprotobuf-c support library.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..5820d6f
--- /dev/null
+++ b/debian/copyright
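Review bot: The source stanza of debian/control declares no `Rules-Requires-Root` field, so dpkg-buildpackage keeps its default of running the binary targets under (fake)root even though debian/rules in this same commit is a plain `dh $@` with no ownership or permission changes that would need it. Adding `Rules-Requires-Root: no` next to `Standards-Version: 4.5.0` removes that unnecessary privilege from the build, and lintian reports the missing field at this Standards-Version. The debian/control hunk is split across two physical lines here; the field belongs in the first (Source) stanza.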
@@ -0,0 +1,69 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+
+Files: *
+Copyright: 2008-2019 Dave Benson and the protobuf-c authors
+License: BSD-2-Clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following disclaimer
+ in the documentation and/or other materials provided with the
+ distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ .
+ The code generated by the protoc-c compiler is owned by the owner of the
+ input files used when generating it. This code is not standalone and
+ requires a support library to be linked with it. This support library is
+ covered by the above license.
+
+Files: protoc-c/*
+Copyright: 2008 Google Inc.
+License: BSD-3-Clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following disclaimer
+ in the documentation and/or other materials provided with the
+ distribution.
+ * Neither the name of Google Inc. nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Files: debian/*
+Copyright: 2009-2019 Robert Edmonds
+License: permissive
+ Copying and distribution of this package, with or without modification,
+ are permitted in any medium without royalty provided the copyright notice
+ and this notice are preserved.
diff --git a/debian/libprotobuf-c-dev.install b/debian/libprotobuf-c-dev.install
new file mode 100644
index 0000000..7dc29e2
--- /dev/null
+++ b/debian/libprotobuf-c-dev.install
@@ -0,0 +1,5 @@
+usr/include/google/protobuf-c/*
+usr/include/protobuf-c/*
+usr/lib/*/lib*.a
+usr/lib/*/lib*.so
+usr/lib/*/pkgconfig/*.pc
diff --git a/debian/libprotobuf-c1.install b/debian/libprotobuf-c1.install
new file mode 100644
index 0000000..3ddde58
--- /dev/null
+++ b/debian/libprotobuf-c1.install
@@ -0,0 +1 @@
+usr/lib/*/lib*.so.*
diff --git a/debian/libprotobuf-c1.symbols b/debian/libprotobuf-c1.symbols
new file mode 100644
index 0000000..372a5bc
--- /dev/null
+++ b/debian/libprotobuf-c1.symbols
@@ -0,0 +1,23 @@
+libprotobuf-c.so.1 libprotobuf-c1 #MINVER#
+* Build-Depends-Package: libprotobuf-c-dev
+ LIBPROTOBUF_C_1.0.0@LIBPROTOBUF_C_1.0.0 1.0.0
+ LIBPROTOBUF_C_1.3.0@LIBPROTOBUF_C_1.3.0 1.3.1
+ protobuf_c_buffer_simple_append@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_empty_string@LIBPROTOBUF_C_1.3.0 1.3.1
+ protobuf_c_enum_descriptor_get_value@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_enum_descriptor_get_value_by_name@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_message_check@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_message_descriptor_get_field@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_message_descriptor_get_field_by_name@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_message_free_unpacked@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_message_get_packed_size@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_message_init@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_message_pack@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_message_pack_to_buffer@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_message_unpack@LIBPROTOBUF_C_1.0.0 1.0.1
+ protobuf_c_service_descriptor_get_method_by_name@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_service_destroy@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_service_generated_init@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_service_invoke_internal@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_version@LIBPROTOBUF_C_1.0.0 1.0.0
+ protobuf_c_version_number@LIBPROTOBUF_C_1.0.0 1.0.0
diff --git a/debian/patches/CVE-2022-33070.patch b/debian/patches/CVE-2022-33070.patch
new file mode 100644
index 0000000..1e35917
--- /dev/null
+++ b/debian/patches/CVE-2022-33070.patch
@@ -0,0 +1,84 @@
+From 6e389ce2c34355d36009a8fb1666bed29fa2d4f4 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Mon, 6 Jun 2022 13:57:38 -0600
+Subject: [PATCH] Only shift unsigned values to avoid implementation-specific
+ behavior. This converts the arithmetic shifts to logical shifts. It is based
+ in part on a stackoverflow answer by John Schultz,
+ https://stackoverflow.com/questions/4533076/google-protocol-buffers-zigzag-encoding
+
+---
+ protobuf-c/protobuf-c.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+--- a/protobuf-c/protobuf-c.c
++++ b/protobuf-c/protobuf-c.c
+@@ -312,9 +312,8 @@ int32_size(int32_t v)
+ static inline uint32_t
+ zigzag32(int32_t v)
+ {
+- // Note: the right-shift must be arithmetic
+- // Note: left shift must be unsigned because of overflow
+- return ((uint32_t)(v) << 1) ^ (uint32_t)(v >> 31);
++ // Note: Using unsigned types prevents undefined behavior
++ return ((uint32_t)v << 1) ^ -((uint32_t)v >> 31);
+ }
+
+ /**
+@@ -376,9 +375,8 @@ uint64_size(uint64_t v)
+ static inline uint64_t
+ zigzag64(int64_t v)
+ {
+- // Note: the right-shift must be arithmetic
+- // Note: left shift must be unsigned because of overflow
+- return ((uint64_t)(v) << 1) ^ (uint64_t)(v >> 63);
++ // Note: Using unsigned types prevents undefined behavior
++ return ((uint64_t)v << 1) ^ -((uint64_t)v >> 63);
+ }
+
+ /**
+@@ -798,7 +796,8 @@ uint32_pack(uint32_t value, uint8_t *out
+ }
+
+ /**
+- * Pack a signed 32-bit integer and return the number of bytes written.
++ * Pack a signed 32-bit integer and return the number of bytes written,
++ * passed as unsigned to avoid implementation-specific behavior.
+ * Negative numbers are encoded as two's complement 64-bit integers.
+ *
+ * \param value
+@@ -809,14 +808,14 @@ uint32_pack(uint32_t value, uint8_t *out
+ * Number of bytes written to `out`.
+ */
+ static inline size_t
+-int32_pack(int32_t value, uint8_t *out)
++int32_pack(uint32_t value, uint8_t *out)
+ {
+- if (value < 0) {
++ if ((int32_t)value < 0) {
+ out[0] = value | 0x80;
+ out[1] = (value >> 7) | 0x80;
+ out[2] = (value >> 14) | 0x80;
+ out[3] = (value >> 21) | 0x80;
+- out[4] = (value >> 28) | 0x80;
++ out[4] = (value >> 28) | 0xf0;
+ out[5] = out[6] = out[7] = out[8] = 0xff;
+ out[9] = 0x01;
+ return 10;
+@@ -2422,7 +2421,7 @@ static inline int32_t
+ unzigzag32(uint32_t v)
+ {
+ // Note: Using unsigned types prevents undefined behavior
+- return (int32_t)((v >> 1) ^ (~(v & 1) + 1));
++ return (int32_t)((v >> 1) ^ -(v & 1));
+ }
+
+ static inline uint32_t
+@@ -2464,7 +2463,7 @@ static inline int64_t
+ unzigzag64(uint64_t v)
+ {
+ // Note: Using unsigned types prevents undefined behavior
+- return (int64_t)((v >> 1) ^ (~(v & 1) + 1));
++ return (int64_t)((v >> 1) ^ -(v & 1));
+ }
+
+ static inline uint64_t
diff --git a/debian/patches/misc-2022-null-deref.patch b/debian/patches/misc-2022-null-deref.patch
new file mode 100644
index 0000000..e018ebb
--- /dev/null
+++ b/debian/patches/misc-2022-null-deref.patch
@@ -0,0 +1,23 @@
+From ab5f76a52bade28a2c025bd52c7847f033ca82f3 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Wed, 29 Jun 2022 11:18:16 -0600
+Subject: [PATCH] Fix a clang analyzer 14 warning about a possible NULL deref.
+
+[edmonds: Import commit from
+https://github.com/sudo-project/sudo/commit/bfc6249902d842626058e74074832930feaf2f80.patch.]
+---
+ protobuf-c/protobuf-c.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/protobuf-c/protobuf-c.c
++++ b/protobuf-c/protobuf-c.c
+@@ -3224,6 +3224,9 @@ protobuf_c_message_unpack(const Protobuf
+ /* allocate space for repeated fields, also check that all required fields have been set */
+ for (f = 0; f < desc->n_fields; f++) {
+ const ProtobufCFieldDescriptor *field = desc->fields + f;
++ if (field == NULL) {
++ continue;
++ }
+ if (field->label == PROTOBUF_C_LABEL_REPEATED) {
+ size_t siz =
+ sizeof_elt_in_repeated_array(field->type);
diff --git a/debian/patches/misc-2022-unsigned-integer.patch b/debian/patches/misc-2022-unsigned-integer.patch
new file mode 100644
index 0000000..afb8e1b
--- /dev/null
+++ b/debian/patches/misc-2022-unsigned-integer.patch
@@ -0,0 +1,30 @@
+From 289f5c18b195aa43d46a619d1188709abbfa9c82 Mon Sep 17 00:00:00 2001
+From: 10054172
+Date: Fri, 18 Mar 2022 12:42:57 -0400
+Subject: [PATCH 1/2] Fix issue #499: unsigned integer overflow
+
+Signed-off-by: 10054172
+---
+ protobuf-c/protobuf-c.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/protobuf-c/protobuf-c.c
++++ b/protobuf-c/protobuf-c.c
+@@ -2600,10 +2600,13 @@ parse_required_member(ScannedMember *sca
+ return FALSE;
+
+ def_mess = scanned_member->field->default_value;
+- subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+- allocator,
+- len - pref_len,
+- data + pref_len);
++ if (len >= pref_len)
++ subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
++ allocator,
++ len - pref_len,
++ data + pref_len);
++ else
++ subm = NULL;
+
+ if (maybe_clear &&
+ *pmessage != NULL &&
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..35f7c19
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,3 @@
+CVE-2022-33070.patch
+misc-2022-unsigned-integer.patch
+misc-2022-null-deref.patch
diff --git a/debian/protobuf-c-compiler.install b/debian/protobuf-c-compiler.install
new file mode 100644
index 0000000..1df36c6
--- /dev/null
+++ b/debian/protobuf-c-compiler.install
@@ -0,0 +1 @@
+usr/bin/*
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..d8309f6
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,6 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+%:
+ dh $@
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/tests/build-test b/debian/tests/build-test
new file mode 100644
index 0000000..1374363
--- /dev/null
+++ b/debian/tests/build-test
@@ -0,0 +1,29 @@
+#!/bin/sh
+set -eu
+
+if [ -n "${DEB_HOST_GNU_TYPE:-}" ]; then
+ CROSS_COMPILE="$DEB_HOST_GNU_TYPE-"
+else
+ CROSS_COMPILE=
+fi
+
+cd "$AUTOPKGTEST_TMP"
+
+cat < libtest.c
+#include
+#include
+
+int
+main (int argc,
+ char **argv)
+{
+ const char* version_str = protobuf_c_version();
+ printf("protobuf-c version: %s\n", version_str);
+}
+EOF
+
+${CROSS_COMPILE}gcc -o libtest libtest.c $(${CROSS_COMPILE}pkg-config --cflags --libs libprotobuf-c)
+echo "build ok"
+[ -x libtest ]
+./libtest
+echo "starts ok"
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..e174ce1
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,6 @@
+Tests: build-test
+Depends: libprotobuf-c-dev, build-essential, pkg-config
+
+Test-Command: dh_auto_configure; dh_auto_build; dh_auto_test
+Depends: @builddeps@
+Restrictions: allow-stderr
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..5f4bed6
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,3 @@
+version=4
+opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/-$1\.tar\.gz/ \
+ https://github.com/protobuf-c/protobuf-c/tags .*/v?(\d\S+)\.tar\.gz
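Review bot: In debian/tests/build-test the generated libtest.c only prints `protobuf_c_version()` and never checks it, so the `./libtest` step and the following `echo "starts ok"` pass even if the library handed back NULL (on glibc `%s` prints "(null)" rather than failing), and `main` declares `argc`/`argv` it does not use. Declaring `int main(void)` and finishing with `return version_str != NULL ? 0 : 1;` lets the script's `set -eu` turn a bad return into a test failure instead of a cosmetic print. The heredoc line and the two `#include` lines appear garbled in this rendering (`cat < libtest.c`, headers missing), so their exact text could not be reviewed.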