This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

Fix boost::beast vulnerability - develop #10979

Open
wants to merge 2 commits into
base: develop
6 changes: 4 additions & 2 deletions .cicd/platforms/pinned/amazon_linux-2-pinned.dockerfile
Expand Up @@ -42,10 +42,12 @@ RUN git clone --depth 1 --single-branch --branch llvmorg-10.0.0 https://github.c
make install && \
cd / && \
rm -rf /llvm
# build boost
RUN curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2 && \
# download Boost, apply fix for CVE-2016-9840 and build
ENV BEAST_FIX_URL https://raw.githubusercontent.com/boostorg/beast/3fd090af3b7e69ed7871c64a4b4b86fae45e98da/include/boost/beast/zlib/detail/inflate_stream.ipp
RUN curl -fsSLO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2 && \
tar -xjf boost_1_72_0.tar.bz2 && \
cd boost_1_72_0 && \
curl -fsSLo boost/beast/zlib/detail/inflate_stream.ipp "${BEAST_FIX_URL}" && \
./bootstrap.sh --with-toolset=clang --prefix=/usr/local && \
./b2 toolset=clang cxxflags='-stdlib=libc++ -D__STRICT_ANSI__ -nostdinc++ -I/usr/local/include/c++/v1 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie' linkflags='-stdlib=libc++ -pie' link=static threading=multi --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -q -j$(nproc) install && \
cd / && \
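Review bot: The replacement `inflate_stream.ipp` fetched by the added `curl -fsSLo boost/beast/zlib/detail/inflate_stream.ipp "${BEAST_FIX_URL}"` line is written into the Boost 1.72.0 tree and built without any integrity check, and the same is true of the Boost tarball downloaded just before it. Pinning the URL to a commit hash helps, but the build still trusts whatever the host returns; recording a digest makes the security fix verifiable and reproducible, e.g. `echo "<SHA256_OF_INFLATE_STREAM_IPP>  boost/beast/zlib/detail/inflate_stream.ipp" | sha256sum -c - && \` directly after the download. Because a whole file from a different Beast revision overwrites the 1.72.0 copy, it is also worth confirming that it still agrees with the neighbouring 1.72.0 headers. The same applies to the other pinned dockerfiles, both macOS scripts and `ensure-boost` in scripts/helpers/eosio.sh.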
5 changes: 3 additions & 2 deletions .cicd/platforms/pinned/centos-7.7-pinned.dockerfile
Expand Up @@ -48,10 +48,11 @@ RUN git clone --depth 1 --single-branch --branch llvmorg-10.0.0 https://github.c
make install && \
cd / && \
rm -rf /llvm
# build boost
RUN curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2 && \
ENV BEAST_FIX_URL https://raw.githubusercontent.com/boostorg/beast/3fd090af3b7e69ed7871c64a4b4b86fae45e98da/include/boost/beast/zlib/detail/inflate_stream.ipp
RUN curl -fsSLO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2 && \
tar -xjf boost_1_72_0.tar.bz2 && \
cd boost_1_72_0 && \
curl -fsSLo boost/beast/zlib/detail/inflate_stream.ipp "${BEAST_FIX_URL}" && \
./bootstrap.sh --with-toolset=clang --prefix=/usr/local && \
./b2 toolset=clang cxxflags='-stdlib=libc++ -D__STRICT_ANSI__ -nostdinc++ -I/usr/local/include/c++/v1 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie' linkflags='-stdlib=libc++ -pie' link=static threading=multi --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -q -j$(nproc) install && \
cd / && \
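Review bot: The `# build boost` comment above the `RUN` appears to be dropped here without a replacement (the section's 3 additions and 2 deletions imply it), so nothing in this file explains why a single header is downloaded over the unpacked tree. The amazon_linux-2 and ubuntu pinned files get `# download Boost, apply fix for CVE-2016-9840 and build`; the same line should precede `ENV BEAST_FIX_URL` here and in oracle_linux-8-pinned.dockerfile.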
3 changes: 3 additions & 0 deletions .cicd/platforms/pinned/macos-10.15-pinned.sh
Expand Up @@ -18,6 +18,9 @@ rm -rf clang10
curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2
tar -xjf boost_1_72_0.tar.bz2
cd boost_1_72_0
# apply patch to fix CVE-2016-9840
BEAST_FIX_URL=https://raw.githubusercontent.com/boostorg/beast/3fd090af3b7e69ed7871c64a4b4b86fae45e98da/include/boost/beast/zlib/detail/inflate_stream.ipp
curl -fsSLo boost/beast/zlib/detail/inflate_stream.ipp "${BEAST_FIX_URL}"
./bootstrap.sh --prefix=/usr/local
sudo -E ./b2 --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -q -j$(getconf _NPROCESSORS_ONLN) install
cd ..
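Review bot: The added `curl -fsSLo boost/beast/zlib/detail/inflate_stream.ipp "${BEAST_FIX_URL}"` stands on its own line, so unless this script runs under `set -e` (not visible in the hunk) a failed download lets `./bootstrap.sh` and `./b2` go on to install Boost 1.72.0 with the unpatched file. The dockerfiles chain the same step with `&&`; here the line should end in `|| exit 1`. The tarball download three lines above it still uses `curl -LO` without `-f`, unlike the dockerfiles in this change. macos-11-pinned.sh adds the same three lines and needs the same guard.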
3 changes: 3 additions & 0 deletions .cicd/platforms/pinned/macos-11-pinned.sh
Expand Up @@ -16,6 +16,9 @@ rm -rf clang10
curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2
tar -xjf boost_1_72_0.tar.bz2
cd boost_1_72_0
# apply patch to fix CVE-2016-9840
BEAST_FIX_URL=https://raw.githubusercontent.com/boostorg/beast/3fd090af3b7e69ed7871c64a4b4b86fae45e98da/include/boost/beast/zlib/detail/inflate_stream.ipp
curl -fsSLo boost/beast/zlib/detail/inflate_stream.ipp "${BEAST_FIX_URL}"
./bootstrap.sh --prefix=/usr/local
sudo -E ./b2 --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -q -j$(getconf _NPROCESSORS_ONLN) install
cd ..
5 changes: 3 additions & 2 deletions .cicd/platforms/pinned/oracle_linux-8-pinned.dockerfile
Expand Up @@ -89,10 +89,11 @@ RUN curl -LO https://yum.oracle.com/repo/OracleLinux/OL8/codeready/builder/x86_6
rpm -i doxygen-1.8.14-12.el8.x86_64.rpm && \
rm doxygen-1.8.14-12.el8.x86_64.rpm

# build boost
RUN curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2 && \
ENV BEAST_FIX_URL https://raw.githubusercontent.com/boostorg/beast/3fd090af3b7e69ed7871c64a4b4b86fae45e98da/include/boost/beast/zlib/detail/inflate_stream.ipp
RUN curl -fsSLO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2 && \
tar -xjf boost_1_72_0.tar.bz2 && \
cd boost_1_72_0 && \
curl -fsSLo boost/beast/zlib/detail/inflate_stream.ipp "${BEAST_FIX_URL}" && \
./bootstrap.sh --with-toolset=clang --prefix=/usr/local && \
./b2 toolset=clang \
cxxflags='-stdlib=libc++ -D__STRICT_ANSI__ -nostdinc++ -I/usr/local/include/c++/v1 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie' \
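Review bot: `ENV BEAST_FIX_URL …` is needed only by the `RUN` that follows it, yet `ENV` bakes the variable into the image and into every container started from it. A build-time `ARG BEAST_FIX_URL=<same URL>` keeps it out of the runtime environment and avoids the legacy space-separated `ENV key value` form. This applies to every pinned dockerfile in this change, and likewise to `ENV BOOST_VERSION` / `ENV BOOST_VERSION_DOT` in the unpinned ones if nothing at runtime reads them. The `RUN` block continues past the end of this hunk.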
6 changes: 4 additions & 2 deletions .cicd/platforms/pinned/ubuntu-18.04-pinned.dockerfile
Expand Up @@ -40,10 +40,12 @@ RUN git clone --depth 1 --single-branch --branch llvmorg-10.0.0 https://github.c
make install && \
cd / && \
rm -rf /llvm
# build boost
RUN curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2 && \
# download Boost, apply fix for CVE-2016-9840 and build
ENV BEAST_FIX_URL https://raw.githubusercontent.com/boostorg/beast/3fd090af3b7e69ed7871c64a4b4b86fae45e98da/include/boost/beast/zlib/detail/inflate_stream.ipp
RUN curl -fsSLO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2 && \
tar -xjf boost_1_72_0.tar.bz2 && \
cd boost_1_72_0 && \
curl -fsSLo boost/beast/zlib/detail/inflate_stream.ipp "${BEAST_FIX_URL}" && \
./bootstrap.sh --with-toolset=clang --prefix=/usr/local && \
./b2 toolset=clang cxxflags='-stdlib=libc++ -D__STRICT_ANSI__ -nostdinc++ -I/usr/local/include/c++/v1 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie' linkflags='-stdlib=libc++ -pie' link=static threading=multi --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -q -j$(nproc) install && \
cd / && \
6 changes: 4 additions & 2 deletions .cicd/platforms/pinned/ubuntu-20.04-pinned.dockerfile
Expand Up @@ -39,10 +39,12 @@ RUN git clone --depth 1 --single-branch --branch llvmorg-10.0.0 https://github.c
make install && \
cd / && \
rm -rf /llvm
# build boost
RUN curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2 && \
# download Boost, apply fix for CVE-2016-9840 and build
ENV BEAST_FIX_URL https://raw.githubusercontent.com/boostorg/beast/3fd090af3b7e69ed7871c64a4b4b86fae45e98da/include/boost/beast/zlib/detail/inflate_stream.ipp
RUN curl -fsSLO https://boostorg.jfrog.io/artifactory/main/release/1.72.0/source/boost_1_72_0.tar.bz2 && \
tar -xjf boost_1_72_0.tar.bz2 && \
cd boost_1_72_0 && \
curl -fsSLo boost/beast/zlib/detail/inflate_stream.ipp "${BEAST_FIX_URL}" && \
./bootstrap.sh --with-toolset=clang --prefix=/usr/local && \
./b2 toolset=clang cxxflags='-stdlib=libc++ -D__STRICT_ANSI__ -nostdinc++ -I/usr/local/include/c++/v1 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie' linkflags='-stdlib=libc++ -pie' link=static threading=multi --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -q -j$(nproc) install && \
cd / && \
13 changes: 8 additions & 5 deletions .cicd/platforms/unpinned/amazon_linux-2-unpinned.dockerfile
Expand Up @@ -21,13 +21,16 @@ RUN curl -LO https://github.com/Kitware/CMake/releases/download/v3.16.2/cmake-3.
make install && \
rm -rf cmake-3.16.2.tar.gz cmake-3.16.2
# build boost
RUN curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.71.0/source/boost_1_71_0.tar.bz2 && \
tar -xjf boost_1_71_0.tar.bz2 && \
cd boost_1_71_0 && \
ENV BOOST_VERSION 1_78_0
ENV BOOST_VERSION_DOT 1.78.0
RUN curl -fsSLO "https://boostorg.jfrog.io/artifactory/main/release/${BOOST_VERSION_DOT}/source/boost_${BOOST_VERSION}.tar.bz2" && \
tar -xjf "boost_${BOOST_VERSION}.tar.bz2" && \
cd "boost_${BOOST_VERSION}" && \
./bootstrap.sh --prefix=/usr/local && \
./b2 --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -q -j$(nproc) install && \
./b2 --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -j$(nproc) install && \
cd / && \
rm -rf boost_1_71_0.tar.bz2 /boost_1_71_0
rm -rf "boost_${BOOST_VERSION}.tar.bz2" "/boost_${BOOST_VERSION}"

# install nvm
RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.0/install.sh | bash
# load nvm in non-interactive shells
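Review bot: The new `./b2 … -j$(nproc) install` line drops `-q`, which the removed line had and the pinned dockerfiles keep, and nothing in the change says why. Without `-q` b2 keeps going after the first failed target instead of stopping there, so a Boost 1.78.0 library that fails to build on this platform is easier to miss in the log. Either restore `-q` or add a comment such as `# -q omitted: <reason>` above the `RUN`; centos-7.7-unpinned and oracle_linux-8-unpinned make the same change.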
13 changes: 8 additions & 5 deletions .cicd/platforms/unpinned/centos-7.7-unpinned.dockerfile
Expand Up @@ -28,15 +28,18 @@ RUN curl -LO https://github.com/Kitware/CMake/releases/download/v3.16.2/cmake-3.
make install && \
rm -rf cmake-3.16.2.tar.gz cmake-3.16.2
# build boost
RUN curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.71.0/source/boost_1_71_0.tar.bz2 && \
ENV BOOST_VERSION 1_78_0
ENV BOOST_VERSION_DOT 1.78.0
RUN curl -fsSLO "https://boostorg.jfrog.io/artifactory/main/release/${BOOST_VERSION_DOT}/source/boost_${BOOST_VERSION}.tar.bz2" && \
source /opt/rh/devtoolset-8/enable && \
source /opt/rh/rh-python36/enable && \
tar -xjf boost_1_71_0.tar.bz2 && \
cd boost_1_71_0 && \
tar -xjf "boost_${BOOST_VERSION}.tar.bz2" && \
cd "boost_${BOOST_VERSION}" && \
./bootstrap.sh --prefix=/usr/local && \
./b2 --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -q -j$(nproc) install && \
./b2 --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -j$(nproc) install && \
cd / && \
rm -rf boost_1_71_0.tar.bz2 /boost_1_71_0
rm -rf "boost_${BOOST_VERSION}.tar.bz2" "/boost_${BOOST_VERSION}"

# install nvm
RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.0/install.sh | bash
# load nvm in non-interactive shells
13 changes: 7 additions & 6 deletions .cicd/platforms/unpinned/oracle_linux-8-unpinned.dockerfile
Expand Up @@ -67,14 +67,15 @@ RUN curl -LO https://yum.oracle.com/repo/OracleLinux/OL8/codeready/builder/x86_6
rm doxygen-1.8.14-12.el8.x86_64.rpm

# build boost
RUN curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.71.0/source/boost_1_71_0.tar.bz2 && \
tar -xjf boost_1_71_0.tar.bz2 && \
cd boost_1_71_0 && \
ENV BOOST_VERSION 1_78_0
ENV BOOST_VERSION_DOT 1.78.0
RUN curl -fsSLO "https://boostorg.jfrog.io/artifactory/main/release/${BOOST_VERSION_DOT}/source/boost_${BOOST_VERSION}.tar.bz2" && \
tar -xjf "boost_${BOOST_VERSION}.tar.bz2" && \
cd "boost_${BOOST_VERSION}" && \
./bootstrap.sh --prefix=/usr/local && \
./b2 --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options \
--with-chrono --with-test -q -j$(nproc) install && \
./b2 --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -j$(nproc) install && \
cd / && \
rm -rf boost_1_71_0.tar.bz2 /boost_1_71_0
rm -rf "boost_${BOOST_VERSION}.tar.bz2" "/boost_${BOOST_VERSION}"

# requests module. used by tests
RUN python3 -m pip install requests
11 changes: 7 additions & 4 deletions .cicd/platforms/unpinned/ubuntu-18.04-unpinned.dockerfile
Expand Up @@ -19,13 +19,16 @@ RUN curl -LO https://github.com/Kitware/CMake/releases/download/v3.16.2/cmake-3.
make install && \
rm -rf cmake-3.16.2.tar.gz cmake-3.16.2
# build boost
RUN curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.71.0/source/boost_1_71_0.tar.bz2 && \
tar -xjf boost_1_71_0.tar.bz2 && \
cd boost_1_71_0 && \
ENV BOOST_VERSION 1_78_0
ENV BOOST_VERSION_DOT 1.78.0
RUN curl -fsSLO "https://boostorg.jfrog.io/artifactory/main/release/${BOOST_VERSION_DOT}/source/boost_${BOOST_VERSION}.tar.bz2" && \
tar -xjf "boost_${BOOST_VERSION}.tar.bz2" && \
cd "boost_${BOOST_VERSION}" && \
./bootstrap.sh --prefix=/usr/local && \
./b2 --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -j$(nproc) install && \
cd / && \
rm -rf boost_1_71_0.tar.bz2 /boost_1_71_0
rm -rf "boost_${BOOST_VERSION}.tar.bz2" "/boost_${BOOST_VERSION}"

# install nvm
RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.0/install.sh | bash
# load nvm in non-interactive shells
11 changes: 7 additions & 4 deletions .cicd/platforms/unpinned/ubuntu-20.04-unpinned.dockerfile
Expand Up @@ -20,13 +20,16 @@ RUN curl -LO https://github.com/Kitware/CMake/releases/download/v3.16.2/cmake-3.
make install && \
rm -rf cmake-3.16.2.tar.gz cmake-3.16.2
# build boost
RUN curl -LO https://boostorg.jfrog.io/artifactory/main/release/1.71.0/source/boost_1_71_0.tar.bz2 && \
tar -xjf boost_1_71_0.tar.bz2 && \
cd boost_1_71_0 && \
ENV BOOST_VERSION 1_78_0
ENV BOOST_VERSION_DOT 1.78.0
RUN curl -fsSLO "https://boostorg.jfrog.io/artifactory/main/release/${BOOST_VERSION_DOT}/source/boost_${BOOST_VERSION}.tar.bz2" && \
tar -xjf "boost_${BOOST_VERSION}.tar.bz2" && \
cd "boost_${BOOST_VERSION}" && \
./bootstrap.sh --prefix=/usr/local && \
./b2 --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test -j$(nproc) install && \
cd / && \
rm -rf boost_1_71_0.tar.bz2 /boost_1_71_0
rm -rf "boost_${BOOST_VERSION}.tar.bz2" "/boost_${BOOST_VERSION}"

# install node 12
RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - && \
. /etc/lsb-release && \
9 changes: 7 additions & 2 deletions scripts/.build_vars
Expand Up @@ -14,8 +14,13 @@ export CMAKE_VERSION_PATCH=2
export CMAKE_VERSION=${CMAKE_VERSION_MAJOR}.${CMAKE_VERSION_MINOR}.${CMAKE_VERSION_PATCH}

# BOOST
export BOOST_VERSION_MAJOR=1
export BOOST_VERSION_MINOR=72
if $PIN_COMPILER; then
export BOOST_VERSION_MAJOR=1
export BOOST_VERSION_MINOR=72
else
export BOOST_VERSION_MAJOR=1
export BOOST_VERSION_MINOR=78
fi
export BOOST_VERSION_PATCH=0
export BOOST_VERSION=${BOOST_VERSION_MAJOR}_${BOOST_VERSION_MINOR}_${BOOST_VERSION_PATCH}
export BOOST_ROOT=${BOOST_LOCATION:-${SRC_DIR}/boost_${BOOST_VERSION}}
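Review bot: `if $PIN_COMPILER; then` runs the variable's value as a command, so the branch is only right when the value is exactly `true` or `false`. If it is unset or empty when this file is sourced (the hunk does not show where it is set), the expansion is an empty command, which succeeds, and Boost 1.72 is selected silently. An explicit comparison with a default avoids both problems: `if [ "${PIN_COMPILER:-false}" = "true" ]; then`. `BOOST_VERSION_MAJOR=1` is identical in both branches and could stay outside the `if`.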
2 changes: 2 additions & 0 deletions scripts/helpers/eosio.sh
Expand Up @@ -225,6 +225,7 @@ function ensure-boost() {
[[ $ARCH == "Darwin" ]] && export CPATH="$(python-config --includes | awk '{print $1}' | cut -dI -f2):$CPATH" # Boost has trouble finding pyconfig.h
echo "${COLOR_CYAN}[Ensuring Boost $( echo $BOOST_VERSION | sed 's/_/./g' ) library installation]${COLOR_NC}"
BOOSTVERSION=$( grep "#define BOOST_VERSION" "$BOOST_ROOT/include/boost/version.hpp" 2>/dev/null | tail -1 | tr -s ' ' | cut -d\ -f3 || true )
BEAST_FIX_URL="https://raw.githubusercontent.com/boostorg/beast/3fd090af3b7e69ed7871c64a4b4b86fae45e98da/include/boost/beast/zlib/detail/inflate_stream.ipp"
if [[ "${BOOSTVERSION}" != "${BOOST_VERSION_MAJOR}0${BOOST_VERSION_MINOR}0${BOOST_VERSION_PATCH}" ]]; then
B2_FLAGS="-q -j${JOBS} --with-iostreams --with-date_time --with-filesystem --with-system --with-program_options --with-chrono --with-test install"
BOOTSTRAP_FLAGS=""
Expand All @@ -238,6 +239,7 @@ function ensure-boost() {
curl -LO https://boostorg.jfrog.io/artifactory/main/release/$BOOST_VERSION_MAJOR.$BOOST_VERSION_MINOR.$BOOST_VERSION_PATCH/source/boost_$BOOST_VERSION.tar.bz2 \
&& tar -xjf boost_$BOOST_VERSION.tar.bz2 \
&& cd $BOOST_ROOT \
&& if "$PIN_COMPILER"; then curl -fsSLo boost/beast/zlib/detail/inflate_stream.ipp "${BEAST_FIX_URL}"; fi \
&& SDKROOT="$SDKROOT" ./bootstrap.sh ${BOOTSTRAP_FLAGS} --prefix=$BOOST_ROOT \
&& SDKROOT="$SDKROOT" ./b2 ${B2_FLAGS} \
&& cd .. \
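Review bot: The download of the patched `inflate_stream.ipp` sits in the branch guarded by `if [[ "${BOOSTVERSION}" != … ]]`, so a machine that already has Boost 1.72.0 under `$BOOST_ROOT` passes the version check and keeps its unpatched header (assuming, as the two hunks suggest, that the `curl` chain is inside that `if`; the lines between them are not shown). The reinstall condition should also cover that case, for example by comparing the installed header's SHA-256 with a recorded value. Separately, the guard `if "$PIN_COMPILER"` disagrees with the unquoted `if $PIN_COMPILER` in scripts/.build_vars when the variable is empty: 1.72 is selected there and the fix is skipped here. Testing `[ "${BOOST_VERSION_MINOR}" = "72" ]` instead would tie the patch to the tree it targets.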