openkylin
/
yaml-cpp
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

changed debian/source/format to native

This commit is contained in:
Lu zhiping 2022-06-08 15:11:53 +08:00
parent 3b67b86dec
commit cf4f5eee44
7 changed files with 1 additions and 531 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
debian/patches/fix-CVE-2017-11692.patch vendored
View File

@ -1,40 +0,0 @@
commit c9460110e072df84b7dee3eb651f2ec5df75fb18
Author: Jesse Beder <jbeder@gmail.com>
Date: Mon Jan 20 18:05:15 2020 -0600
Fix reading empty token stack with a node with properties but no scalar.
E.g. `!2`.
Index: yaml-cpp-0.6.2/src/singledocparser.cpp
===================================================================
--- yaml-cpp-0.6.2.orig/src/singledocparser.cpp 2020-03-17 18:05:02.241678211 +1100
+++ yaml-cpp-0.6.2/src/singledocparser.cpp 2020-03-17 18:05:02.237678252 +1100
@@ -74,6 +74,12 @@
anchor_t anchor;
ParseProperties(tag, anchor);
+ // after parsing properties, an empty node is again a possibility
+ if (m_scanner.empty()) {
+ eventHandler.OnNull(mark, anchor);
+ return;
+ }
+
const Token& token = m_scanner.peek();
if (token.type == Token::PLAIN_SCALAR && IsNullString(token.value)) {
Index: yaml-cpp-0.6.2/test/integration/load_node_test.cpp
===================================================================
--- yaml-cpp-0.6.2.orig/test/integration/load_node_test.cpp 2020-03-17 18:05:02.241678211 +1100
+++ yaml-cpp-0.6.2/test/integration/load_node_test.cpp 2020-03-17 18:05:02.237678252 +1100
@@ -237,5 +237,10 @@
EXPECT_EQ(node.as<std::string>(), "foo");
}
+TEST(NodeTest, LoadTagWithNullScalar) {
+ Node node = Load("!2");
+ EXPECT_TRUE(node.IsNull());
+}
+
} // namespace
} // namespace YAML

396
debian/patches/fix-unbounded-recursion-depth.patch vendored
View File

@ -1,396 +0,0 @@
Description: Fix unbounded recursion CVEs
Origin: https://github.com/jbeder/yaml-cpp/pull/807
Forwarded: yes
Bug: https://github.com/jbeder/yaml-cpp/issues/459
Bug: https://github.com/jbeder/yaml-cpp/issues/655
Bug: https://github.com/jbeder/yaml-cpp/issues/654
Bug: https://github.com/jbeder/yaml-cpp/issues/660
This cherry-picks the (so-far-unmerged) upstream pull request.
The final 5 commits of that PR are not included; they only add tests
to a file not present in the 0.6.2 (or 0.6.3) release.
From d540476e31b080aa1f903ad20ec0426dd3838be7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Tue, 25 Apr 2017 20:10:20 -0400
Subject: [PATCH 1/9] fix stack overflow in HandleNode() (CVE-2017-5950)
simply set a hardcoded recursion limit to 2000 (inspired by Python's)
to avoid infinitely recursing into arbitrary data structures
assert() the depth. unsure if this is the right approach, but given
that HandleNode() is "void", I am not sure how else to return an
error. the problem with this approach of course is that it will still
crash the caller, unless they have proper exception handling in place.
Closes: #459
---
src/singledocparser.cpp | 2 ++
src/singledocparser.h | 2 ++
2 files changed, 4 insertions(+)
diff --git a/src/singledocparser.cpp b/src/singledocparser.cpp
index a27c1c3b..1b4262ee 100644
--- a/src/singledocparser.cpp
+++ b/src/singledocparser.cpp
@@ -46,6 +46,8 @@ void SingleDocParser::HandleDocument(EventHandler& eventHandler) {
}
void SingleDocParser::HandleNode(EventHandler& eventHandler) {
+ assert(depth < depth_limit);
+ depth++;
// an empty node *is* a possibility
if (m_scanner.empty()) {
eventHandler.OnNull(m_scanner.mark(), NullAnchor);
diff --git a/src/singledocparser.h b/src/singledocparser.h
index 2b92067c..7046f1e2 100644
--- a/src/singledocparser.h
+++ b/src/singledocparser.h
@@ -51,6 +51,8 @@ class SingleDocParser : private noncopyable {
anchor_t LookupAnchor(const Mark& mark, const std::string& name) const;
private:
+ int depth = 0;
+ int depth_limit = 2000;
Scanner& m_scanner;
const Directives& m_directives;
std::unique_ptr<CollectionStack> m_pCollectionStack;
From ac00ef937702598aa27739c8c46be37ac5699039 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Wed, 26 Apr 2017 10:25:43 -0400
Subject: [PATCH 2/9] throw an exception instead of using assert()
assert() may be compiled out in production and is clunkier to catch.
some ParserException are already thrown elsewhere in the code and it
seems to make sense to reuse the primitive, although it may still
crash improperly configured library consumers, those who do not handle
exceptions explicitly.
we use the BAD_FILE error message because at this point we do not
exactly know which specific data structure led to the recursion.
---
src/singledocparser.cpp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/singledocparser.cpp b/src/singledocparser.cpp
index 1b4262ee..1af13f49 100644
--- a/src/singledocparser.cpp
+++ b/src/singledocparser.cpp
@@ -46,7 +46,9 @@ void SingleDocParser::HandleDocument(EventHandler& eventHandler) {
}
void SingleDocParser::HandleNode(EventHandler& eventHandler) {
- assert(depth < depth_limit);
+ if (depth > depth_limit) {
+ throw ParserException(m_scanner.mark(), ErrorMsg::BAD_FILE);
+ }
depth++;
// an empty node *is* a possibility
if (m_scanner.empty()) {
From e78e3bf6a6d61ca321af90d213dc4435ed5cf602 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Wed, 26 Apr 2017 10:39:45 -0400
Subject: [PATCH 3/9] increase and decrease depth properly on subhandlers
the original implementation couldn't parse a document with more than
depth_limit entries. now we explicitly increase *and* decrease the
depth on specific handlers like maps, sequences and so on - any
handler that may in turn callback into HandleNode().
this is a little clunky - I would have prefered to increment and
decrement the counter in only one place, but there are many different
return points and this is not Golang so I can't think of a better way
to to this.
---
src/singledocparser.cpp | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/singledocparser.cpp b/src/singledocparser.cpp
index 1af13f49..89234867 100644
--- a/src/singledocparser.cpp
+++ b/src/singledocparser.cpp
@@ -49,7 +49,6 @@ void SingleDocParser::HandleNode(EventHandler& eventHandler) {
if (depth > depth_limit) {
throw ParserException(m_scanner.mark(), ErrorMsg::BAD_FILE);
}
- depth++;
// an empty node *is* a possibility
if (m_scanner.empty()) {
eventHandler.OnNull(m_scanner.mark(), NullAnchor);
@@ -61,9 +60,11 @@ void SingleDocParser::HandleNode(EventHandler& eventHandler) {
// special case: a value node by itself must be a map, with no header
if (m_scanner.peek().type == Token::VALUE) {
+ depth++;
eventHandler.OnMapStart(mark, "?", NullAnchor, EmitterStyle::Default);
HandleMap(eventHandler);
eventHandler.OnMapEnd();
+ depth--;
return;
}
@@ -98,32 +99,42 @@ void SingleDocParser::HandleNode(EventHandler& eventHandler) {
m_scanner.pop();
return;
case Token::FLOW_SEQ_START:
+ depth++;
eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Flow);
HandleSequence(eventHandler);
eventHandler.OnSequenceEnd();
+ depth--;
return;
case Token::BLOCK_SEQ_START:
+ depth++;
eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Block);
HandleSequence(eventHandler);
eventHandler.OnSequenceEnd();
+ depth--;
return;
case Token::FLOW_MAP_START:
+ depth++;
eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
HandleMap(eventHandler);
eventHandler.OnMapEnd();
+ depth--;
return;
case Token::BLOCK_MAP_START:
+ depth++;
eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Block);
HandleMap(eventHandler);
eventHandler.OnMapEnd();
+ depth--;
return;
case Token::KEY:
// compact maps can only go in a flow sequence
if (m_pCollectionStack->GetCurCollectionType() ==
CollectionType::FlowSeq) {
+ depth++;
eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
HandleMap(eventHandler);
eventHandler.OnMapEnd();
+ depth--;
return;
}
break;
From 1690cacb3ff6d927286ded92b8fedd37b4045c7c Mon Sep 17 00:00:00 2001
From: Keith Bennett <keithb@genebygene.com>
Date: Thu, 29 Mar 2018 16:45:11 -0500
Subject: [PATCH 4/9] use RAII type class to guard against stack depth
recursion instead of error-prone manual increment/check/decrement
---
include/yaml-cpp/depthguard.h | 74 +++++++++++++++++++++++++++++++++++
src/depthguard.cpp | 14 +++++++
src/singledocparser.cpp | 18 ++-------
src/singledocparser.h | 4 +-
4 files changed, 94 insertions(+), 16 deletions(-)
create mode 100644 include/yaml-cpp/depthguard.h
create mode 100644 src/depthguard.cpp
diff --git a/include/yaml-cpp/depthguard.h b/include/yaml-cpp/depthguard.h
new file mode 100644
index 00000000..6aac81aa
--- /dev/null
+++ b/include/yaml-cpp/depthguard.h
@@ -0,0 +1,74 @@
+#ifndef DEPTH_GUARD_H_00000000000000000000000000000000000000000000000000000000
+#define DEPTH_GUARD_H_00000000000000000000000000000000000000000000000000000000
+
+#if defined(_MSC_VER) || \
+ (defined(__GNUC__) && (__GNUC__ == 3 && __GNUC_MINOR__ >= 4) || \
+ (__GNUC__ >= 4)) // GCC supports "pragma once" correctly since 3.4
+#pragma once
+#endif
+
+#include "exceptions.h"
+
+namespace YAML {
+
+/**
+ * @brief The DeepRecursion class
+ * An exception class which is thrown by DepthGuard. Ideally it should be
+ * a member of DepthGuard. However, DepthGuard is a templated class which means
+ * that any catch points would then need to know the template parameters. It is
+ * simpler for clients to not have to know at the catch point what was the
+ * maximum depth.
+ */
+class DeepRecursion : public ParserException {
+ int m_atDepth = 0;
+public:
+ // no custom dtor needed, but virtual dtor necessary to prevent slicing
+ virtual ~DeepRecursion() = default;
+
+ // construct an exception explaining how deep you were
+ DeepRecursion(int at_depth, const Mark& mark_, const std::string& msg_);
+
+ // query how deep you were when the exception was thrown
+ int AtDepth() const;
+};
+
+/**
+ * @brief The DepthGuard class
+ * DepthGuard takes a reference to an integer. It increments the integer upon
+ * construction of DepthGuard and decrements the integer upon destruction.
+ *
+ * If the integer would be incremented past max_depth, then an exception is
+ * thrown. This is ideally geared toward guarding against deep recursion.
+ *
+ * @param max_depth
+ * compile-time configurable maximum depth.
+ */
+template <int max_depth = 2000>
+class DepthGuard final /* final because non-virtual dtor */ {
+ int & m_depth;
+public:
+ DepthGuard(int & depth_, const Mark& mark_, const std::string& msg_) : m_depth(depth_) {
+ ++m_depth;
+ if ( max_depth <= m_depth ) {
+ throw DeepRecursion{m_depth, mark_, msg_};
+ }
+ }
+
+ // DepthGuard is neither copyable nor moveable.
+ DepthGuard(const DepthGuard & copy_ctor) = delete;
+ DepthGuard(DepthGuard && move_ctor) = delete;
+ DepthGuard & operator=(const DepthGuard & copy_assign) = delete;
+ DepthGuard & operator=(DepthGuard && move_assign) = delete;
+
+ ~DepthGuard() {
+ --m_depth;
+ }
+
+ int current_depth() const {
+ return m_depth;
+ }
+};
+
+} // namespace YAML
+
+#endif // DEPTH_GUARD_H_00000000000000000000000000000000000000000000000000000000
diff --git a/src/depthguard.cpp b/src/depthguard.cpp
new file mode 100644
index 00000000..6d47eba3
--- /dev/null
+++ b/src/depthguard.cpp
@@ -0,0 +1,14 @@
+#include "yaml-cpp/depthguard.h"
+
+namespace YAML {
+
+DeepRecursion::DeepRecursion(int at_depth, const Mark& mark_, const std::string& msg_)
+ : ParserException(mark_, msg_),
+ m_atDepth(at_depth) {
+}
+
+int DeepRecursion::AtDepth() const {
+ return m_atDepth;
+}
+
+} // namespace YAML
diff --git a/src/singledocparser.cpp b/src/singledocparser.cpp
index 89234867..37cc1f51 100644
--- a/src/singledocparser.cpp
+++ b/src/singledocparser.cpp
@@ -7,6 +7,7 @@
#include "singledocparser.h"
#include "tag.h"
#include "token.h"
+#include "yaml-cpp/depthguard.h"
#include "yaml-cpp/emitterstyle.h"
#include "yaml-cpp/eventhandler.h"
#include "yaml-cpp/exceptions.h" // IWYU pragma: keep
@@ -46,9 +47,8 @@ void SingleDocParser::HandleDocument(EventHandler& eventHandler) {
}
void SingleDocParser::HandleNode(EventHandler& eventHandler) {
- if (depth > depth_limit) {
- throw ParserException(m_scanner.mark(), ErrorMsg::BAD_FILE);
- }
+ DepthGuard depthguard(depth, m_scanner.mark(), ErrorMsg::BAD_FILE);
+
// an empty node *is* a possibility
if (m_scanner.empty()) {
eventHandler.OnNull(m_scanner.mark(), NullAnchor);
@@ -60,11 +60,9 @@ void SingleDocParser::HandleNode(EventHandler& eventHandler) {
// special case: a value node by itself must be a map, with no header
if (m_scanner.peek().type == Token::VALUE) {
- depth++;
eventHandler.OnMapStart(mark, "?", NullAnchor, EmitterStyle::Default);
HandleMap(eventHandler);
eventHandler.OnMapEnd();
- depth--;
return;
}
@@ -99,42 +97,32 @@ void SingleDocParser::HandleNode(EventHandler& eventHandler) {
m_scanner.pop();
return;
case Token::FLOW_SEQ_START:
- depth++;
eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Flow);
HandleSequence(eventHandler);
eventHandler.OnSequenceEnd();
- depth--;
return;
case Token::BLOCK_SEQ_START:
- depth++;
eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Block);
HandleSequence(eventHandler);
eventHandler.OnSequenceEnd();
- depth--;
return;
case Token::FLOW_MAP_START:
- depth++;
eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
HandleMap(eventHandler);
eventHandler.OnMapEnd();
- depth--;
return;
case Token::BLOCK_MAP_START:
- depth++;
eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Block);
HandleMap(eventHandler);
eventHandler.OnMapEnd();
- depth--;
return;
case Token::KEY:
// compact maps can only go in a flow sequence
if (m_pCollectionStack->GetCurCollectionType() ==
CollectionType::FlowSeq) {
- depth++;
eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
HandleMap(eventHandler);
eventHandler.OnMapEnd();
- depth--;
return;
}
break;
diff --git a/src/singledocparser.h b/src/singledocparser.h
index 7046f1e2..f1676c43 100644
--- a/src/singledocparser.h
+++ b/src/singledocparser.h
@@ -16,6 +16,8 @@
namespace YAML {
class CollectionStack;
+template <int> class DepthGuard; // depthguard.h
+class DeepRecursion; // an exception which may be thrown from excessive call stack recursion, see depthguard.h
class EventHandler;
class Node;
class Scanner;
@@ -51,8 +53,8 @@ class SingleDocParser : private noncopyable {
anchor_t LookupAnchor(const Mark& mark, const std::string& name) const;
private:
+ using DepthGuard = YAML::DepthGuard<2000>;
int depth = 0;
- int depth_limit = 2000;
Scanner& m_scanner;
const Directives& m_directives;
std::unique_ptr<CollectionStack> m_pCollectionStack;

24
debian/patches/install-cmake-dev-files.patch vendored
View File

@ -1,24 +0,0 @@
Description: Install libs and cmake files to the Debian location
Instead of moving the libs to the DEB_HOST_MULTIARCH lib directory during
packaging, have cmake install the libs directly. This is needed so the CMake
development files point to the correct location for the libs. Also, install
yaml-cpp-config.cmake, yaml-cpp-config-version.cmake, and
yaml-cpp-targets.cmake.
Author: Paul Novotny <paul@paulnovo.us>
Forwarded: not-needed
Last-Update: 2015-11-29
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -262,7 +262,10 @@ endif()
set(INCLUDE_INSTALL_ROOT_DIR include)
set(INCLUDE_INSTALL_DIR ${INCLUDE_INSTALL_ROOT_DIR}/yaml-cpp)
-set(LIB_INSTALL_DIR "lib${LIB_SUFFIX}")
+SET(LIB_INSTALL_DIR "${_library_dir}${LIB_SUFFIX}" CACHE
+ "Directory relative to CMAKE_INSTALL_PREFIX in which to install libraries"
+ STRING)
+MARK_AS_ADVANCED(LIB_INSTALL_DIR)
set(_INSTALL_DESTINATIONS
RUNTIME DESTINATION bin

15
debian/patches/reproducible-build.patch vendored
View File

@ -1,15 +0,0 @@
Description: Make the build reproducible
Author: Reiner Herrmann <reiner@reiner-h.de>
Bug-Debian: https://bugs.debian.org/808714
Last-Update: 2016-10-11
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -106,6 +106,7 @@ set(library_sources
${contrib_private_headers}
)
add_sources(${library_sources})
+list(SORT library_sources)
if(VERBOSE)
message(STATUS "sources: ${sources}")

5
debian/patches/series vendored
View File

@ -1,5 +0,0 @@
install-cmake-dev-files.patch
reproducible-build.patch
symbol-visibility.patch
fix-CVE-2017-11692.patch
fix-unbounded-recursion-depth.patch

50
debian/patches/symbol-visibility.patch vendored
View File

@ -1,50 +0,0 @@
commit df9206778fe9ff1bdd56d975c29c43dfe1e66de7
Author: Christopher James Halse Rogers <christopher.halse.rogers@canonical.com>
Date: Fri Nov 23 15:26:53 2018 +1100
Export only YAML_CPP_API-tagged symbols on Linux.
This marks classes tagged with YAML_CPP_API with visibility("default"), to
explicitly export them, and then makes the default visibility "hidden" via
-fvisibility=hidden.
This reduces the number of exported symbols by more than 50%, which has
a small application start-up time and memory useage benefit. It also
makes it more feasible to audit the set of exported symbols in automated
ABI compatibility systems.
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 1aa7839..e97d054 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -142,6 +142,14 @@ if(WIN32)
endif()
endif()
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+ set(CMAKE_CXX_VISIBILITY_PRESET hidden)
+ if (POLICY CMP0063)
+ cmake_policy(SET CMP0063 NEW)
+ endif()
+ add_definitions(-DYAML_CPP_USE_VISIBILITY)
+endif()
+
# GCC or Clang or Intel Compiler specialities
if(CMAKE_CXX_COMPILER_ID MATCHES "GNU" OR
CMAKE_CXX_COMPILER_ID MATCHES "Clang" OR
diff --git a/include/yaml-cpp/dll.h b/include/yaml-cpp/dll.h
index a32c06b..5b8c905 100644
--- a/include/yaml-cpp/dll.h
+++ b/include/yaml-cpp/dll.h
@@ -27,7 +27,11 @@
#define YAML_CPP_API __declspec(dllimport)
#endif // yaml_cpp_EXPORTS
#else // YAML_CPP_DLL
+#ifdef YAML_CPP_USE_VISIBILITY
+#define YAML_CPP_API __attribute__ ((visibility("default")))
+#else
#define YAML_CPP_API
+#endif // YAML_CPP_USE_VISIBILITY
#endif // YAML_CPP_DLL
#endif // DLL_H_62B23520_7C8E_11DE_8A39_0800200C9A66

2
debian/source/format vendored
View File

@ -1 +1 @@
3.0 (quilt)
3.0 (native)