File libgcrypt-CVE-2024-2236_01.patch of Package libgcrypt.39917

From 6a47cf0a9dc76e9c15e92ff209aabc2197014c52 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 7 Feb 2022 18:41:32 +0100
Subject: [PATCH 01/11] Enable GitLab CI and add README.md

This commit is automatically rebased on top of the upstream libgcrypt
master by a CI system in the 'autoupdate' branch.

Signed-off-by: Clemens Lang <cllang@redhat.com>
---
 .gitlab-ci.yml | 225 +++++++++++++++++++++++++++++++++++++++++++++++++
 README.md      |  80 ++++++++++++++++++
 2 files changed, 305 insertions(+)
 create mode 100644 .gitlab-ci.yml
 create mode 100644 README.md

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 00000000..2c4b80d3
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,225 @@
+---
+# yamllint disable rule:line-length
+
+variables:
+  IMAGES_URI: "$CI_REGISTRY/redhat-crypto/libgcrypt/images"
+
+stages:
+  - build
+  - test
+  - analysis
+  - publish
+
+.build:
+  stage: build
+  variables:
+    TERM: xterm
+    host: ""
+    build: ""
+    configure_flags: >-
+      --enable-maintainer-mode
+      --enable-hmac-binary-check="qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
+      --with-fips-module-version="CI-$${CI_JOB_NAME}-$$(date +%Y-%m-%d)"
+    configure_additional_flags: ""
+    configure_analysis_flags: ""
+  before_script:
+    - uname -a
+    - cat /etc/os-release
+  script:
+    - |
+      # configure section
+      echo -e "\e[0Ksection_start:$(date +%s):configure[collapsed=true]\r\e[0K../configure $host $build $configure_flags $configure_additional_flags $cofigure_analysis_flags"
+    - autoreconf -f
+    - mkdir -p build build/profile destroot
+    - cd build
+    - (eval ../configure $host $build $configure_flags $configure_additional_flags $configure_analysis_flags) 2> >(tee configure-stderr.log >&2)
+    - |
+      # end of configure section
+      echo -e "\e[0Ksection_end:$(date +%s):configure\r\e[0K"
+    - |
+      # make dist section
+      echo -e "\e[0Ksection_start:$(date +%s):make_dist[collapsed=true]\r\e[0Kmake dist"
+    - (make dist) 2> >(tee make-dist-stderr.log >&2)
+    - |
+      # end of make dist section
+      echo -e "\e[0Ksection_end:$(date +%s):make_dist\r\e[0K"
+    - |
+      # build section
+      echo -e "\e[0Ksection_start:$(date +%s):build[collapsed=true]\r\e[0Kmake"
+    - (make --output-sync -j"$(nproc)") 2> >(tee make-stderr.log >&2)
+    - |
+      # end of build section
+      echo -e "\e[0Ksection_end:$(date +%s):build\r\e[0K"
+    - |
+      # install section
+      echo -e "\e[0Ksection_start:$(date +%s):install[collapsed=true]\r\e[0Kmake install"
+    - (DESTDIR="$(readlink -f ../destroot)" make install) 2> >(tee make-install-stderr.log >&2)
+    - |
+      # end of install section
+      echo -e "\e[0Ksection_end:$(date +%s):install\r\e[0K"
+  after_script:
+    - |
+      # print stderr logs
+      echo -e "\e[91mSTDERR output\e[0m"
+      for log in build/*-stderr.log; do
+        echo "= $log =" | sed 's/./=/g'
+        echo -e "+ \e[93m${log}\e[0m +"
+        echo "= $log =" | sed 's/./=/g'
+        cat "$log"
+      done
+  tags:
+    - shared
+
+.test:
+  extends: .build
+  stage: test
+  script:
+    - |
+      # configure section
+      echo -e "\e[0Ksection_start:$(date +%s):configure[collapsed=true]\r\e[0K../configure $host $build $configure_flags $configure_additional_flags $cofigure_analysis_flags"
+    - autoreconf -f
+    - mkdir -p build build/profile destroot
+    - cd build
+    - (eval ../configure $host $build $configure_flags $configure_additional_flags $configure_analysis_flags) 2> >(tee configure-stderr.log >&2)
+    - |
+      # end of configure section
+      echo -e "\e[0Ksection_end:$(date +%s):configure\r\e[0K"
+    - |
+      # build section
+      echo -e "\e[0Ksection_start:$(date +%s):build[collapsed=true]\r\e[0Kmake"
+    - (make --output-sync -j"$(nproc)") 2> >(tee make-stderr.log >&2)
+    - |
+      # end of build section
+      echo -e "\e[0Ksection_end:$(date +%s):build\r\e[0K"
+    - |
+      # test section
+      echo -e "\e[0Ksection_start:$(date +%s):check[collapsed=true]\r\e[0Kmake check"
+    - (make check) 2> >(tee make-check-stderr.log >&2)
+    - |
+      # end of test section
+      echo -e "\e[0Ksection_end:$(date +%s):check\r\e[0K"
+    - |
+      # fips test section
+      echo -e "\e[0Ksection_start:$(date +%s):check_fips[collapsed=true]\r\e[0KLIBGCRYPT_FORCE_FIPS_MODE=1 make check"
+    - (LIBGCRYPT_FORCE_FIPS_MODE=1 make check) 2> >(tee make-check-fips-stderr.log >&2)
+    - |
+      # end of fips test section
+      echo -e "\e[0Ksection_end:$(date +%s):check_fips\r\e[0K"
+
+ubuntu/gcc:
+  extends: .build
+  image: "$IMAGES_URI/libgcrypt-ubuntu"
+
+ubuntu/gcc/test:
+  extends: .test
+  image: !reference [fedora/gcc, image]
+
+fedora/gcc:
+  extends: .build
+  variables:
+    host: --host=x86_64-redhat-linux-gnu
+    build: --build=x86_64-redhat-linux-gnu
+  image: "$IMAGES_URI/libgcrypt-fedora"
+
+fedora/gcc/test:
+  extends: .test
+  image: !reference [fedora/gcc, image]
+  variables:
+    host: --host=x86_64-redhat-linux-gnu
+    build: --build=x86_64-redhat-linux-gnu
+
+fedora/clang:
+  extends: fedora/gcc
+  image: "$IMAGES_URI/libgcrypt-fedora-clang"
+  variables:
+    host: --host=x86_64-redhat-linux-gnu
+    build: --build=x86_64-redhat-linux-gnu
+    configure_additional_flags: >-
+      CC=/usr/bin/clang
+
+fedora/clang/test:
+  extends: .test
+  image: !reference [fedora/clang, image]
+  variables:
+    host: --host=x86_64-redhat-linux-gnu
+    build: --build=x86_64-redhat-linux-gnu
+    configure_additional_flags: >-
+      CC=/usr/bin/clang
+
+centos8stream/gcc:
+  extends: .build
+  image: "$IMAGES_URI/libgcrypt-centos8stream"
+  variables:
+    host: --host=x86_64-redhat-linux-gnu
+    build: --build=x86_64-redhat-linux-gnu
+
+centos8stream/gcc/test:
+  extends: .test
+  image: !reference [centos8stream/gcc, image]
+  variables:
+    host: --host=x86_64-redhat-linux-gnu
+    build: --build=x86_64-redhat-linux-gnu
+
+centos9stream/gcc:
+  extends: .build
+  image: "$IMAGES_URI/libgcrypt-centos9stream"
+  variables:
+    host: --host=x86_64-redhat-linux-gnu
+    build: --build=x86_64-redhat-linux-gnu
+
+centos9stream/gcc/test:
+  extends: .test
+  image: !reference [centos9stream/gcc, image]
+
+fedora/clang/coverage:
+  stage: analysis
+  extends: fedora/clang/test
+  variables:
+    LLVM_PROFILE_FILE: "profile/libgcrypt.%p.profraw"
+    configure_analysis_flags: >-
+      "CFLAGS=-fprofile-instr-generate -fcoverage-mapping -O1"
+  coverage: '/Total Line Coverage: \d+\.\d+/'
+  script:
+    - !reference [fedora/clang/test, script]
+    - echo -e "\e[0Ksection_start:$(date +%s):coverage[collapsed=true]\r\e[0Kcompute coverage"
+    - llvm-profdata merge -sparse -o profile/libgcrypt.profdata tests/profile/libgcrypt.*.profraw
+    - llvm-cov report src/.libs/libgcrypt.so -instr-profile=profile/libgcrypt.profdata
+    - llvm-cov show -format=html src/.libs/libgcrypt.so -instr-profile=profile/libgcrypt.profdata -output-dir=../public
+    - echo -e "\e[0Ksection_end:$(date +%s):coverage\r\e[0K"
+    - >-
+      echo -n "Total Line Coverage: ";
+      llvm-cov report src/.libs/libgcrypt.so -instr-profile=profile/libgcrypt.profdata | tail -n1 | awk '{print $10}'
+  artifacts:
+    expire_in: "1 week"
+    paths:
+      - public
+
+pages:
+  stage: publish
+  script:
+    - ls -lashR public
+  dependencies:
+    - fedora/clang/coverage
+  artifacts:
+    expire_in: "1 week"
+    paths:
+      - public
+
+fedora/clang/address-sanitizer:
+  stage: analysis
+  extends: fedora/clang/test
+  variables:
+    configure_analysis_flags: >-
+      CFLAGS='-fsanitize=address -fsanitize-address-use-after-return=always
+      -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1'
+      LDFLAGS='-fsanitize=address -fsanitize-address-use-after-return=always
+      -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1'
+
+fedora/clang/undefined-behavior-sanitizer:
+  stage: analysis
+  extends: fedora/clang/test
+  variables:
+    UBSAN_OPTIONS: "print_stacktrace=1"
+    configure_analysis_flags: >-
+      CFLAGS='-fsanitize=undefined -fno-omit-frame-pointer -g -O1'
+      LDFLAGS='-fsanitize=undefined -fno-omit-frame-pointer -g -O1'
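Review bot: The `ubuntu/gcc/test` job takes its image from the Fedora job (`image: !reference [fedora/gcc, image]`), so the Ubuntu build is never exercised by `make check` or the forced-FIPS run; it should read `image: !reference [ubuntu/gcc, image]`. `centos9stream/gcc/test` also omits the `host`/`build` variables that `centos9stream/gcc` sets, so the tested configuration differs from the built one. In both `.build` and `.test` the section-header echo expands `$cofigure_analysis_flags`, a typo for `$configure_analysis_flags`, so the configure command logged for the sanitizer and coverage jobs leaves out the flags that are actually passed to `eval ../configure`. The images are referenced by name only, with no tag or digest (e.g. `"$IMAGES_URI/libgcrypt-fedora"`), so pinning them would keep the sanitizer and FIPS results tied to a known toolchain.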
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..140c3a06
--- /dev/null
+++ b/README.md
@@ -0,0 +1,80 @@
+<!-- vim:ts=2:sts=2:sw=2:et:tw=100
+  -->
+[![pipeline status](https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/badges/master/pipeline.svg)][pipeline-master]
+
+# libgcrypt CI Mirror
+
+This project is a mirror of the libgcrypt master branch from
+`https://dev.gnupg.org/source/libgcrypt.git`. Every night, a [CI run][pipeline-autoupdate] from the
+[`autoupdate` branch][autoupdate-ci] fetches new commits from upstream, rebases the CI configuration
+on top of upstream and force-pushes the result into the master branch.
+
+If there are new changes, this will automatically trigger various verification builds as defined in
+the [GitLab CI configuration][master-ci]. You can see previous CI results in the [CI/CD
+ยป Pipelines][pipeline-master] section on GitLab.
+
+## CI Jobs
+
+The CI configuration builds libgcrypt in containers defined in
+[redhat-crypto/libgcrypt/images][images]. The following stages use these containers:
+
+### Build Stage
+
+The build stage consists of
+
+ - `./configure` with `--enable-hmac-binary-check` and `--with-fips-module-version`,
+ - `make dist`,
+ - `make`, and
+ - `make install` with `DESTDIR`.
+
+Note that all builds are [out-of-source builds][vpath-builds]. The build logs are collapsed by
+default. The end of the build log shows output on stderr generated by the various phases to increase
+warning visibility.
+
+The build stage is run on
+
+ - CentOS 8 Stream with GCC
+ - CentOS 9 Stream with GCC
+ - Fedora (latest release) with GCC
+ - Fedora (latest release) with clang
+ - Ubuntu (latest release) with GCC
+
+### Test Stage
+
+The test stage consists of
+
+ - the same `./configure` command as used in the build stage,
+ - `make`,
+ - `make check`, and
+ - `make check` with `LIBGCRYPT_FORCE_FIPS_MODE=1` set in the environment
+
+The test stage is run on the same platforms as the build stage.
+
+### Analysis Stage
+
+The analysis stage consists of
+
+ - a build with [Clang AddressSanitizer][asan] and [LeakSanitizer][lsan]
+ - a build with [Clang Source-based Code Coverage][coverage]
+ - a build with [Clang UndefinedBehaviorSanitizer][ubsan]
+
+All these steps are run on the latest Fedora release and run the same steps as the test stage.
+
+The AddressSanitizer build uses `-fsanitize-address-use-after-return=always` and
+`-fsanitize-address-use-after-scope`. A leak suppression file is available in
+[tests/lsan\_suppressions.txt][suppressions]. It is currently maintained in this fork.
+
+The coverage build produces an HTML coverage report that is uploaded to GitLab pages and available
+at <https://redhat-crypto.gitlab.io/libgcrypt/libgcrypt-mirror/>.
+
+[pipeline-master]: https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/pipelines?page=1&scope=all&ref=master
+[pipeline-autoupdate]: https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/pipelines?page=1&scope=all&ref=autoupdate
+[autoupdate-ci]: https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/blob/autoupdate/.gitlab-ci.yml
+[master-ci]: https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/blob/master/.gitlab-ci.yml
+[images]: https://gitlab.com/redhat-crypto/libgcrypt/images
+[vpath-builds]: https://www.gnu.org/software/automake/manual/html_node/VPATH-Builds.html
+[asan]: https://clang.llvm.org/docs/AddressSanitizer.html
+[lsan]: https://clang.llvm.org/docs/LeakSanitizer.html
+[ubsan]: https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
+[coverage]: https://clang.llvm.org/docs/SourceBasedCodeCoverage.html
+[suppressions]: https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/blob/master/tests/lsan_suppressions.txt
-- 
2.49.0
