
Commit 90dc4a6

authored
Fix CVE-2022-0391 for Python's urlparse. (#169)
* Fixed CVE-2022-0391 for Python's urlparse. * Bash checks for the chevahbs scripts. * Removed some unused variables from chevahbs scripts. * Try generic musl build. * Fixed musl version check for 1.2 and newer. * Updated OpenSSL sources to 1.1.1q * Updated OpenSSL 1.1.1 version in our scripts and docs. * Actually updated the docs for OpenSSL 1.1.1q. * Updated own tests for generic musl Linux build. * Backported OpenSSL build fix for macOS. * Ignore dparse issue for now. * Updated cffi and psutil to the latest versions. * Updated cffi sources to 1.15.1. * Try a different psutil check. * Pin psutil to version 5.9.0 on generic Linux builds. * Build generic musl version on Alpine 3.12. * Use a saved paxctl on Alpine 3.12. * Save paxctl on Alpine 3.12 in an already existing path dir. * Changes after own review. * Updated and reorganized external deps sheets. * Updated list of RHEL clones from server repo. * Temporarily disabled ARM64 builds. * More Alpine-related cleanups and fixes. * One more Alpine-related fix.
1 parent 1b74aad commit 90dc4a6


3,329 files changed

+3546
-2092
lines changed


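--- a/.github/workflows/bare.yaml
+++ b/.github/workflows/bare.yaml
@@ -30,8 +30,9 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-# ARM64 is currently our Pine64 board running Ubuntu 16.04.
-runs-on: [ ubuntu-20.04, ubuntu-18.04, ARM64 ]
+# ARM64 is currently our virtualized Ubuntu 16.04 image.
+#runs-on: [ ubuntu-20.04, ubuntu-18.04, ARM64 ]
+runs-on: [ ubuntu-20.04, ubuntu-18.04 ]
 timeout-minutes: 90
 steps:
 - name: Prepare OS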
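Review bot: The commented-out `#runs-on: [ ubuntu-20.04, ubuntu-18.04, ARM64 ]` line is dead configuration, and the comment above it still reads as if ARM64 were part of the matrix although the new `runs-on` line drops it. A comment stating the intent ages better than a disabled key, e.g. `# ARM64 (our virtualized Ubuntu 16.04 image) is temporarily out of the matrix; re-add it to runs-on when it is back.` placed above the live `runs-on` line. The `jobs:` block this matrix belongs to starts outside the hunk.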

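--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -32,7 +32,7 @@ jobs:
 matrix:
 # CentOS 5.11 setup was saved as an image pushed to Docker Hub. See the
 # Overview section at https://hub.docker.com/r/proatria/centos for details.
-container: [ 'alpine:3.14', 'centos:8.2.2004', 'proatria/centos:5.11-chevah1' ]
+container: [ 'alpine:3.12', 'centos:8.2.2004', 'proatria/centos:5.11-chevah1' ]
 timeout-minutes: 30
 steps:
 
@@ -41,7 +41,9 @@ jobs:
 if: startsWith(matrix.container, 'alpine')
 run: |
 apk upgrade -U
-apk add git curl bash gcc make m4 automake libtool patch libffi-dev zlib-dev openssl-dev musl-dev lddtree shadow sudo openssh-client paxctl
+apk add git curl bash gcc make m4 automake libtool patch libffi-dev zlib-dev openssl-dev musl-dev lddtree shadow sudo openssh-client
+curl --output /usr/local/bin/paxctl https://bin.chevah.com:20443/third-party-stuff/alpine/paxctl-3.12
+chmod +x /usr/local/bin/paxctl
 
 # Stick to CentOS 8.2 as OpenSSL got updated in 8.3 from 1.1.1c to 1.1.1g.
 - name: CentOS 8.2 setup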
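Review bot: The paxctl binary in the second hunk is downloaded with a bare `curl --output` and made executable with no integrity check and no `--fail`, so an HTTP error body served by bin.chevah.com would be written to /usr/local/bin/paxctl and marked executable, with the failure surfacing only later, if at all, when paxctl runs. I would use `curl --fail --silent --show-error --output /usr/local/bin/paxctl https://bin.chevah.com:20443/third-party-stuff/alpine/paxctl-3.12` and pin the expected digest in the workflow with `echo "<sha256-of-paxctl-3.12 placeholder>  /usr/local/bin/paxctl" | sha256sum -c -` before the `chmod +x`. A short comment above the download saying why paxctl comes from this host instead of apk on Alpine 3.12 would also help the next reader; the step's `- name:` header is outside the hunk.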

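--- a/brink.sh
+++ b/brink.sh
@@ -33,10 +33,11 @@
 # command used to execute Python inside the newly virtual environment.
 #
 
-# Script initialization.
-set -o nounset
-set -o errexit
-set -o pipefail
+# Bash checks
+set -o nounset # always check if variables exist
+set -o errexit # always exit on error
+set -o errtrace # trap errors in functions as well
+set -o pipefail # don't ignore exit codes when piping output
 
 # Initialize default value.
 COMMAND=${1-''}
@@ -536,7 +537,7 @@ install_dependencies(){
 # If it's too old, exit with a nice informative message.
 # If it's supported, return through eval the version numbers to be used for
 # naming the package, for example: '8' for RHEL 8.2, '2004' for Ubuntu 20.04,
-# '314' for Alpine Linux 3.14, '71' for AIX 7.1, '114' for Solaris 11.4.
+# '71' for AIX 7.1, '114' for Solaris 11.4.
 #
 check_os_version() {
 # First parameter should be the human-readable name for the current OS.
@@ -584,7 +585,7 @@ check_os_version() {
 if [ "$OS" = "Linux" ]; then
 # For old and/or unsupported Linux distros there's a second chance!
 (>&2 echo "the generic Linux runtime is used, if possible.")
-check_linux_glibc
+check_linux_libc
 else
 (>&2 echo "there is currently no support.")
 exit 13
@@ -597,16 +598,42 @@ check_os_version() {
 
 #
 # For old unsupported Linux distros (some with no /etc/os-release) and for other
-# unsupported Linux distros (eg. Arch), we check if the system is glibc-based.
+# unsupported Linux distros, we check if the system is based on glibc or musl.
 # If so, we use a generic code path that builds everything statically,
-# including OpenSSL, thus only requiring glibc 2.X, where X differs by arch.
+# including OpenSSL, thus only requiring glibc or musl.
 #
-check_linux_glibc() {
+check_linux_libc() {
+local ldd_output_file=".chevah_libc_version"
+set +o errexit
+
+command -v ldd > /dev/null
+if [ $? -ne 0 ]; then
+(>&2 echo "No ldd binary found, can't check for glibc!")
+exit 18
+fi
+
+ldd --version > $ldd_output_file 2>&1
+egrep "GNU\ libc|GLIBC" $ldd_output_file > /dev/null
+if [ $? -eq 0 ]; then
+check_glibc_version
+else
+egrep ^"musl\ libc" $ldd_output_file > /dev/null
+if [ $? -eq 0 ]; then
+check_musl_version
+else
+(>&2 echo "Unknown libc reported by ldd... Unsupported Linux.")
+rm $ldd_output_file
+exit 19
+fi
+fi
+
+set -o errexit
+}
+
+check_glibc_version(){
 local glibc_version
 local glibc_version_array
 local supported_glibc2_version
-# Output to a file to avoid "write error: Broken pipe" with grep/head.
-local ldd_output_file=".chevah_glibc_version"
 
 # Supported minimum minor glibc 2.X versions for various arches.
 # For x64, we build on CentOS 5.11 (Final) with glibc 2.5.
@@ -628,21 +655,6 @@ check_linux_glibc() {
 echo "No specific runtime for the current distribution / version / arch."
 echo "Minimum glibc version for this arch: 2.${supported_glibc2_version}."
 
-set +o errexit
-
-command -v ldd > /dev/null
-if [ $? -ne 0 ]; then
-(>&2 echo "No ldd binary found, can't check for glibc!")
-exit 18
-fi
-
-ldd --version > $ldd_output_file
-egrep "GNU\ libc|GLIBC" $ldd_output_file > /dev/null
-if [ $? -ne 0 ]; then
-(>&2 echo "No glibc reported by ldd... Unsupported Linux libc?")
-exit 19
-fi
-
 # Tested with glibc 2.5/2.11.3/2.12/2.23/2.28-31 and eglibc 2.13/2.19.
 glibc_version=$(head -n 1 $ldd_output_file | rev | cut -d\ -f1 | rev)
 rm $ldd_output_file
@@ -668,22 +680,59 @@ check_linux_glibc() {
 echo "All is good. Detected glibc version: ${glibc_version}."
 fi
 
-set -o errexit
-
-# glibc 2 detected, we set $OS for a generic Linux build.
+# Supported glibc version detected, set $OS for a generic glibc Linux build.
 OS="lnx"
 }
 
+check_musl_version(){
+local musl_version
+local musl_version_array
+local supported_musl11_version=24
+
+echo "No specific runtime for the current distribution / version / arch."
+echo "Minimum musl version for this arch: 1.1.${supported_musl11_version}."
+
+# Tested with musl 1.1.24/1.2.2.
+musl_version=$(egrep ^Version $ldd_output_file | cut -d\ -f2)
+rm $ldd_output_file
+
+if [[ $musl_version =~ [^[:digit:]\.] ]]; then
+(>&2 echo "Musl version should only have numbers and periods, but:")
+(>&2 echo " \$musl_version=$musl_version")
+exit 25
+fi
+
+IFS=. read -a musl_version_array <<< "$musl_version"
+
+if [ ${musl_version_array[0]} -lt 1 -o ${musl_version_array[1]} -lt 1 ];then
+(>&2 echo "Only musl 1.1 or greater supported! Detected: $musl_version")
+exit 26
+fi
+
+# Decrement supported_musl11_version if building against an older musl.
+if [ ${musl_version_array[0]} -eq 1 -a ${musl_version_array[1]} -eq 1 \
+-a ${musl_version_array[2]} -lt ${supported_musl11_version} ]; then
+(>&2 echo "NOT good. Detected version is older: ${musl_version}!")
+exit 27
+else
+echo "All is good. Detected musl version: ${musl_version}."
+fi
+
+# Supported musl version detected, set $OS for a generic musl Linux build.
+OS="lnx_musl"
+}
+
 #
-# For glibc-based Linux distros, after checking if current version is
-# supported with check_os_version(), $OS might already be set to "lnx"
-# if current version is too old, through check_linux_glibc().
+# For Linux distros with a supported libc, after checking if current version is
+# supported with check_os_version(), $OS might be set to something like "lnx"
+# if current version is too old, through check_linux_libc() and its subroutines.
 #
 set_os_if_not_generic() {
 local distro_name="$1"
 local distro_version="$2"
 
-if [ "$OS" != "lnx" ]; then
+# Check if OS starts with "lnx", to match "lnx_musl" too, just in case.
+if [ "${OS#lnx}" = "$OS" ]; then
 OS="${distro_name}${distro_version}"
 fi
 }
@@ -705,15 +754,15 @@ detect_os() {
 if [ ! -f /etc/os-release ]; then
 # No /etc/os-release file present, so we don't support this
 # distro, but check for glibc, the generic build should work.
-check_linux_glibc
+check_linux_libc
 else
 source /etc/os-release
 linux_distro="$ID"
 distro_fancy_name="$NAME"
 # Some rolling-release distros (eg. Arch Linux) have
 # no VERSION_ID here, so don't count on it unconditionally.
 case "$linux_distro" in
-rhel|centos|ol)
+rhel|centos|almalinux|rocky|ol)
 os_version_raw="$VERSION_ID"
 check_os_version "Red Hat Enterprise Linux" 8 \
 "$os_version_raw" os_version_chevah
@@ -728,23 +777,17 @@ detect_os() {
 # 04 or first two digits are uneven, use generic build.
 if [ ${os_version_chevah%%04} == ${os_version_chevah} \
 -o $(( ${os_version_chevah:0:2} % 2 )) -ne 0 ]; then
-check_linux_glibc
+check_linux_libc
 elif [ ${os_version_chevah} == "2204" ]; then
 # OpenSSL 3.0.x not supported by cryptography 3.3.x.
-check_linux_glibc
+check_linux_libc
 fi
 set_os_if_not_generic "ubuntu" $os_version_chevah
 ;;
-alpine)
-os_version_raw="$VERSION_ID"
-check_os_version "$distro_fancy_name" 3.12 \
-"$os_version_raw" os_version_chevah
-set_os_if_not_generic "alpine" $os_version_chevah
-;;
 *)
 # Supported distros with unsupported OpenSSL versions or
 # distros not specifically supported: SLES, Debian, etc.
-check_linux_glibc
+check_linux_libc
 ;;
 esac
 fi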
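Review bot: In the new `check_musl_version` (hunk at -668,22 +680,59), the gate `if [ ${musl_version_array[0]} -lt 1 -o ${musl_version_array[1]} -lt 1 ];then` rejects any version whose minor component is 0 regardless of the major, so a hypothetical musl 2.0.x would be reported as older than 1.1; the minor test should apply only when the major is 1. The later `-a ${musl_version_array[2]} -lt ${supported_musl11_version}` expands the patch component unconditionally, so a two-component string such as `1.2` would abort under `set -o nounset` with an unbound-variable message instead of the intended diagnostic (errexit is off at that point, but expansion errors exit the shell anyway). I would write the first test as `if [ ${musl_version_array[0]} -lt 1 ] || [ ${musl_version_array[0]} -eq 1 -a ${musl_version_array[1]} -lt 1 ]; then` and use `${musl_version_array[2]:-0}` in the patch comparison. `check_linux_libc` shares `ldd_output_file` with `check_glibc_version` and `check_musl_version` only through bash's dynamic scoping of `local`, which deserves a comment on the `local ldd_output_file=` line, e.g. `# Also read and removed by check_glibc_version / check_musl_version (dynamic scope).`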

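--- a/chevah_build
+++ b/chevah_build
@@ -6,9 +6,11 @@
 # test
 # compat (for the compat repo tests)
 
-set -o nounset
-set -o errexit
-set -o pipefail
+# Bash checks
+set -o nounset # always check if variables exist
+set -o errexit # always exit on error
+set -o errtrace # trap errors in functions as well
+set -o pipefail # don't ignore exit codes when piping output
 
 PYTHON_BUILD_VERSION="2.7.18"
 LIBFFI_VERSION="3.4.2"
@@ -17,14 +19,14 @@ BZIP2_VERSION="1.0.8"
 # We statically build the BSD libedit on selected platforms to get the
 # readline module available without linking to the GPL-only readline libs.
 LIBEDIT_VERSION="20170329-3.1"
-OPENSSL_VERSION="1.1.1n"
+OPENSSL_VERSION="1.1.1q"
 SQLITE_VERSION="3.37.2"
 
 # Python modules versions to be used everywhere possible.
 PYSQLITE_VERSION="2.8.3"
-CFFI_VERSION="1.15.0"
+CFFI_VERSION="1.15.1"
 SCANDIR_VERSION="1.10.0"
-PSUTIL_VERSION="5.9.0"
+PSUTIL_VERSION="5.9.2"
 SUBPROCESS32_VERSION="3.5.4"
 
 # Versions no longer upgradable because of Python 2 deprecation.
@@ -33,8 +35,8 @@ PYOPENSSL_VERSION="21.0.0"
 # Backported fix for https://github.com/pypa/pip/issues/9827
 # at https://github.com/chevah/pip/tree/20.3.4chevah.
 PIP_VERSION="20.3.4chevah1"
-# For pip <21.1 and click <8.0.0.
-SAFETY_IGNORED_OPTS="-i 40291 -i 47833"
+# For pip <21.1, click <8.0.0, dparse <0.5.2.
+SAFETY_IGNORED_OPTS="-i 40291 -i 47833 -i 50571"
 # setuptools 44.x is the last series to support Python 2.7.
 # More at https://github.com/pypa/setuptools/pull/1955.
 SETUPTOOLS_VERSION="44.1.1"
@@ -124,7 +126,6 @@ BUILD_FOLDER='build'
 COMMON_PKGS="gcc make m4 automake libtool patch"
 DEB_PKGS="$COMMON_PKGS git libffi-dev zlib1g-dev libncurses5-dev libssl-dev"
 RPM_PKGS="$COMMON_PKGS git libffi-devel zlib-devel ncurses-devel openssl-devel"
-APK_PKGS="$COMMON_PKGS git zlib-dev musl-dev openssl-dev linux-headers lddtree"
 # No automated Windows package management, but here's what it's needed.
 CHOCO_PKGS="vcpython27 make git StrawberryPerl nasm 7zip"
 
@@ -279,7 +280,7 @@ case $OS in
 # libffi not available in the base system, only as port/package.
 export BUILD_LIBFFI="yes"
 ;;
-lnx)
+lnx*)
 export CC="gcc"
 export CXX="g++"
 export MAKE="make"
@@ -294,18 +295,19 @@ case $OS in
 export PATH="/usr/local/bin:$PATH"
 # In particular, Perl's Test::Simple and its deps are required.
 execute perl -MTest::Simple -e 1
-;;
-alpine*)
-# Do not depend on libffi and ncurses-libs Alpine packages.
-# It's better to run on minimal Alpine containers.
-export BUILD_LIBFFI="yes"
-export BUILD_LIBEDIT="no"
-export CC="gcc"
-export CXX="g++"
-export MAKE="make"
+# Version 5.9.2 of psutil not working properly on CentOS 5.
+PIP_LIBRARIES="\
+cryptography==${CRYPTOGRAPHY_VERSION} \
+pyOpenSSL==${PYOPENSSL_VERSION} \
+scandir==${SCANDIR_VERSION} \
+subprocess32==${SUBPROCESS32_VERSION} \
+bcrypt==${BCRYPT_VERSION} \
+psutil=="5.9.0" \
+setproctitle==${SETPROCTITLE_VERSION}
+"
 ;;
 *)
-# Only supported Linux distributions other than Alpine should be left.
+# Only supported Linux distributions should be left.
 export CC="gcc"
 export CXX="g++"
 export MAKE="make"
@@ -367,13 +369,8 @@ check_dependencies() {
 packages=$RPM_PKGS
 check_command="rpm --query"
 ;;
-alpine*)
-# Alpine 3.9 switched back to OpenSSL as default.
-packages=$APK_PKGS
-check_command="apk info -q -e"
-;;
 # On remaining OS'es we just check for some of the needed commands.
-lnx)
+lnx*)
 # Generic Linux builds need Perl 5.10.0+ for building OpenSSL.
 # For testing OpenSSL, Test::More 0.96 or newer is needed.
 packages="$CC make m4 git patch perl"
@@ -485,8 +482,7 @@ command_build() {
 ${INSTALL_FOLDER}/lib/pkgconfig/:${PKG_CONFIG_PATH}"
 elif [ "${OS%lnx*}" = "" -o "${OS%macos*}" = "" ]; then
 # Passing -rpath to ldd is needed for building cryptography w/ pip.
-export LDFLAGS="-L${INSTALL_FOLDER}/lib64/ \
--Wl,-rpath,${INSTALL_FOLDER}/lib64/ ${LDFLAGS}"
+export LDFLAGS="-Wl,-rpath,${INSTALL_FOLDER}/lib/ ${LDFLAGS}"
 export PKG_CONFIG_PATH="\
 ${INSTALL_FOLDER}/lib64/pkgconfig/:${PKG_CONFIG_PATH}"
 fi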
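Review bot: In the `lnx*)` case (hunk at -294,18 +295,19) the psutil pin is written as `psutil=="5.9.0" \` inside an assignment that is already double-quoted, so the inner quotes close and reopen the string and contribute nothing except a trap for the next edit; it also hard-codes a downgrade from `PSUTIL_VERSION` that is easy to miss when that variable is bumped again. Since `lnx*` now also matches the new `lnx_musl` builds, the comment above the pin explains only the CentOS 5 half of the decision; I would write `# psutil 5.9.2 misbehaves on CentOS 5, so every generic (glibc and musl) Linux build stays on 5.9.0.` and `psutil==5.9.0 \`. In the last hunk the rpath moves from lib64/ to lib/ while the `PKG_CONFIG_PATH` line directly below still points at lib64/pkgconfig/, which looks like a mismatch worth confirming, or documenting with a one-line comment if both paths are intended. The enclosing `case $OS in` starts outside the hunk.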
