Commit edb06ab2 authored by 徐豪's avatar 徐豪

init

parents

From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 14 Sep 2015 18:24:56 +0200
Subject: fix infinite loop when extracting empty bzip2 data
Bug-Debian: https://bugs.debian.org/802160
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339
---
extract.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/extract.c
+++ b/extract.c
@@ -2729,6 +2729,12 @@
int repeated_buf_err;
bz_stream bstrm;
+ if (G.incnt <= 0 && G.csize <= 0L) {
+ /* avoid an infinite loop */
+ Trace((stderr, "UZbunzip2() got empty input\n"));
+ return 2;
+ }
+
#if (defined(DLL) && !defined(NO_SLIDE_REDIR))
if (G.redirect_slide)
wsize = G.redirect_size, redirSlide = G.redirect_buffer;
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 22 Sep 2015 18:52:23 +0200
Subject: [PATCH] extract: prevent unsigned overflow on invalid input
Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1075942
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
Suggested-by: Stefan Cornelius
---
extract.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/extract.c
+++ b/extract.c
@@ -1257,8 +1257,17 @@
if (G.lrec.compression_method == STORED) {
zusz_t csiz_decrypted = G.lrec.csize;
- if (G.pInfo->encrypted)
+ if (G.pInfo->encrypted) {
+ if (csiz_decrypted < 12) {
+ /* handle the error now to prevent unsigned overflow */
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarStringSmall(ErrUnzipNoFile),
+ LoadFarString(InvalidComprData),
+ LoadFarStringSmall2(Inflate)));
+ return PK_ERR;
+ }
csiz_decrypted -= 12;
+ }
if (G.lrec.ucsize != csiz_decrypted) {
Info(slide, 0x401, ((char *)slide,
LoadFarStringSmall2(WrnStorUCSizCSizDiff),
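Review bot: The new early exit builds its message with `LoadFarStringSmall2(Inflate)`, but this branch is reached only when `G.lrec.compression_method == STORED`, so the diagnostic presumably names the wrong method; the string definitions are outside the hunk, so confirm what `Inflate` expands to. The literal `12` is the same value subtracted two lines further down, and a comment on the check such as `/* an encrypted entry carries a 12-byte header; anything shorter is malformed */` would tie the guard to the subtraction it protects. The enclosing function starts and ends outside the hunk.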
From: "Steven M. Schweda" <sms@antinode.info>
Subject: Do not ignore extra fields containing Unix Timestamps
Bug-Debian: https://bugs.debian.org/842993
X-Debian-version: 6.0-21
--- a/process.c
+++ b/process.c
@@ -2914,10 +2914,13 @@
break;
case EF_IZUNIX2:
- if (have_new_type_eb == 0) {
- flags &= ~0x0ff; /* ignore any previous IZUNIX field */
+ if (have_new_type_eb == 0) { /* (< 1) */
have_new_type_eb = 1;
}
+ if (have_new_type_eb <= 1) {
+ /* Ignore any prior (EF_IZUNIX/EF_PKUNIX) UID/GID. */
+ flags &= 0x0ff;
+ }
#ifdef IZ_HAVE_UXUIDGID
if (have_new_type_eb > 1)
break; /* IZUNIX3 overrides IZUNIX2 e.f. block ! */
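Review bot: The mask `0x0ff` carries the whole fix and is now written out twice, here and in the next hunk (@@ -2933,6 +2936,8), without a name. The removed lines used `~0x0ff`, which cleared the low byte, while the new code keeps the low byte and clears the bits above it; judging by the patch subject the low byte holds the timestamp flags. A named constant, or a comment stating which bits of `flags` are timestamp bits and which are UID/GID bits, would keep a later edit from reintroducing the inversion. The `/* (< 1) */` remark on the first test explains nothing and could be replaced by that comment.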
@@ -2933,6 +2936,8 @@
/* new 3rd generation Unix ef */
have_new_type_eb = 2;
+ /* Ignore any prior EF_IZUNIX/EF_PKUNIX/EF_IZUNIX2 UID/GID. */
+ flags &= 0x0ff;
/*
Version 1 byte version of this extra field, currently 1
UIDSize 1 byte Size of UID field
@@ -2953,8 +2958,6 @@
uid_size = *((EB_HEADSIZE + 1) + ef_buf);
gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf);
- flags &= ~0x0ff; /* ignore any previous UNIX field */
-
if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf,
uid_size, &z_uidgid[0])
&&
From: "Steven M. Schweda" <sms@antinode.info>
Subject: Fix CVE-2014-9913, buffer overflow in unzip
Bug: https://sourceforge.net/p/infozip/bugs/27/
Bug-Debian: https://bugs.debian.org/847485
Bug-Ubuntu: https://launchpad.net/bugs/387350
X-Debian-version: 6.0-21
--- a/list.c
+++ b/list.c
@@ -339,7 +339,18 @@
G.crec.compression_method == ENHDEFLATED) {
methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
} else if (methnum >= NUM_METHODS) {
- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
+ /* 2013-02-26 SMS.
+ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
+ * Unexpectedly large compression methods overflow
+ * &methbuf[]. Use the old, three-digit decimal format
+ * for values which fit. Otherwise, sacrifice the
+ * colon, and use four-digit hexadecimal.
+ */
+ if (G.crec.compression_method <= 999) {
+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
+ } else {
+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
+ }
}
#if 0 /* GRR/Euro: add this? */
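Review bot: Both `sprintf` calls stay inside `methbuf` only if `G.crec.compression_method` can never exceed 0xFFFF and `methbuf` is at least eight bytes long, and both declarations are outside the hunk. Stating the bound at the call removes the dependency on the field's type: `sprintf(&methbuf[3], "%04X", (unsigned)(G.crec.compression_method & 0xFFFF));`. The same applies to the `%04X` call in the zipinfo.c hunk (@@ -1921,7 +1921,18), which writes from `&methbuf[0]`.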
From: "Steven M. Schweda" <sms@antinode.info>
Subject: Fix CVE-2016-9844, buffer overflow in zipinfo
Bug-Debian: https://bugs.debian.org/847486
Bug-Ubuntu: https://launchpad.net/bugs/1643750
X-Debian-version: 6.0-21
--- a/zipinfo.c
+++ b/zipinfo.c
@@ -1921,7 +1921,18 @@
ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
methbuf[3] = dtype[dnum];
} else if (methnum >= NUM_METHODS) { /* unknown */
- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
+ /* 2016-12-05 SMS.
+ * https://launchpad.net/bugs/1643750
+ * Unexpectedly large compression methods overflow
+ * &methbuf[]. Use the old, three-digit decimal format
+ * for values which fit. Otherwise, sacrifice the "u",
+ * and use four-digit hexadecimal.
+ */
+ if (G.crec.compression_method <= 999) {
+ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
+ } else {
+ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
+ }
}
for (k = 0; k < 15; ++k)
From: Karol Babioch <kbabioch@suse.com>
Subject: Fix buffer overflow in password protected zip archives
Bug-Debian: https://bugs.debian.org/889838
Origin: https://bugzilla.novell.com/attachment.cgi?id=759406
X-Debian-version: 6.0-22
--- a/fileio.c
+++ b/fileio.c
@@ -1582,6 +1582,10 @@
int r = IZ_PW_ENTERED;
char *m;
char *prompt;
+ char *zfnf;
+ char *efnf;
+ size_t zfnfl;
+ int isOverflow;
#ifndef REENTRANT
/* tell picky compilers to shut up about "unused variable" warnings */
@@ -1590,7 +1594,15 @@
if (*rcnt == 0) { /* First call for current entry */
*rcnt = 2;
- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+ zfnf = FnFilter1(zfn);
+ efnf = FnFilter2(efn);
+ zfnfl = strlen(zfnf);
+ isOverflow = TRUE;
+ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
+ {
+ isOverflow = FALSE;
+ }
+ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
sprintf(prompt, LoadFarString(PasswPrompt),
FnFilter1(zfn), FnFilter2(efn));
m = prompt;
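Review bot: The length check is computed on `zfnf` and `efnf`, but the `sprintf` below calls `FnFilter1(zfn)` and `FnFilter2(efn)` a second time, so the strings that were measured are not the ones that are written. Passing the already filtered pointers keeps the check and the write on the same data: `sprintf(prompt, LoadFarString(PasswPrompt), zfnf, efnf);`. When `isOverflow` is TRUE, control reaches the same fallback as a failed `malloc`, which is outside the hunk; a comment saying that over-long names use that fallback on purpose would help. `isOverflow` could also be assigned directly from the negated condition instead of being set and then cleared.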
From: "Steven M. Schweda" <sms@antinode.info>
Subject: Fix lame code in fileio.c
Bug-Debian: https://bugs.debian.org/929502
X-Debian-version: 6.0-23
--- a/fileio.c
+++ b/fileio.c
@@ -2477,6 +2477,7 @@
*/
return (((zusz_t)sig[7]) << 56)
+ (((zusz_t)sig[6]) << 48)
+ + (((zusz_t)sig[5]) << 40)
+ (((zusz_t)sig[4]) << 32)
+ (zusz_t)((((ulg)sig[3]) << 24)
+ (((ulg)sig[2]) << 16)
From: Mark Adler <madler@alumni.caltech.edu>
Subject: Fix bug in undefer_input() that misplaced the input state.
Origin: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
Bug-Debian: https://bugs.debian.org/931433
X-Debian-version: 6.0-24
Fix bug in undefer_input() that misplaced the input state.
--- a/fileio.c
+++ b/fileio.c
@@ -532,8 +532,10 @@
* This condition was checked when G.incnt_leftover was set > 0 in
* defer_leftover_input(), and it is NOT allowed to touch G.csize
* before calling undefer_input() when (G.incnt_leftover > 0)
- * (single exception: see read_byte()'s "G.csize <= 0" handling) !!
+ * (single exception: see readbyte()'s "G.csize <= 0" handling) !!
*/
+ if (G.csize < 0L)
+ G.csize = 0L;
G.incnt = G.incnt_leftover + (int)G.csize;
G.inptr = G.inptr_leftover - (int)G.csize;
G.incnt_leftover = 0;
From: Mark Adler <madler@alumni.caltech.edu>
Subject: Detect and reject a zip bomb using overlapped entries.
Origin: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
Bug-Debian: https://bugs.debian.org/931433
X-Debian-version: 6.0-24
Detect and reject a zip bomb using overlapped entries.
This detects an invalid zip file that has at least one entry that
overlaps with another entry or with the central directory to the
end of the file. A Fifield zip bomb uses overlapped local entries
to vastly increase the potential inflation ratio. Such an invalid
zip file is rejected.
See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
analysis, construction, and examples of such zip bombs.
The detection maintains a list of covered spans of the zip files
so far, where the central directory to the end of the file and any
bytes preceding the first entry at zip file offset zero are
considered covered initially. Then as each entry is decompressed
or tested, it is considered covered. When a new entry is about to
be processed, its initial offset is checked to see if it is
contained by a covered span. If so, the zip file is rejected as
invalid.
This commit depends on a preceding commit: "Fix bug in
undefer_input() that misplaced the input state."
--- a/extract.c
+++ b/extract.c
@@ -321,6 +321,125 @@
"\nerror: unsupported extra-field compression type (%u)--skipping\n";
static ZCONST char Far BadExtraFieldCRC[] =
"error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
+static ZCONST char Far NotEnoughMemCover[] =
+ "error: not enough memory for bomb detection\n";
+static ZCONST char Far OverlappedComponents[] =
+ "error: invalid zip file with overlapped components (possible zip bomb)\n";
+
+
+
+
+
+/* A growable list of spans. */
+typedef zoff_t bound_t;
+typedef struct {
+ bound_t beg; /* start of the span */
+ bound_t end; /* one past the end of the span */
+} span_t;
+typedef struct {
+ span_t *span; /* allocated, distinct, and sorted list of spans */
+ size_t num; /* number of spans in the list */
+ size_t max; /* allocated number of spans (num <= max) */
+} cover_t;
+
+/*
+ * Return the index of the first span in cover whose beg is greater than val.
+ * If there is no such span, then cover->num is returned.
+ */
+static size_t cover_find(cover, val)
+ cover_t *cover;
+ bound_t val;
+{
+ size_t lo = 0, hi = cover->num;
+ while (lo < hi) {
+ size_t mid = (lo + hi) >> 1;
+ if (val < cover->span[mid].beg)
+ hi = mid;
+ else
+ lo = mid + 1;
+ }
+ return hi;
+}
+
+/* Return true if val lies within any one of the spans in cover. */
+static int cover_within(cover, val)
+ cover_t *cover;
+ bound_t val;
+{
+ size_t pos = cover_find(cover, val);
+ return pos > 0 && val < cover->span[pos - 1].end;
+}
+
+/*
+ * Add a new span to the list, but only if the new span does not overlap any
+ * spans already in the list. The new span covers the values beg..end-1. beg
+ * must be less than end.
+ *
+ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
+ * the list as needed. On success, 0 is returned. If the new span overlaps any
+ * existing spans, then 1 is returned and the new span is not added to the
+ * list. If the new span is invalid because beg is greater than or equal to
+ * end, then -1 is returned. If the list needs to be grown but the memory
+ * allocation fails, then -2 is returned.
+ */
+static int cover_add(cover, beg, end)
+ cover_t *cover;
+ bound_t beg;
+ bound_t end;
+{
+ size_t pos;
+ int prec, foll;
+
+ if (beg >= end)
+ /* The new span is invalid. */
+ return -1;
+
+ /* Find where the new span should go, and make sure that it does not
+ overlap with any existing spans. */
+ pos = cover_find(cover, beg);
+ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
+ (pos < cover->num && end > cover->span[pos].beg))
+ return 1;
+
+ /* Check for adjacencies. */
+ prec = pos > 0 && beg == cover->span[pos - 1].end;
+ foll = pos < cover->num && end == cover->span[pos].beg;
+ if (prec && foll) {
+ /* The new span connects the preceding and following spans. Merge the
+ following span into the preceding span, and delete the following
+ span. */
+ cover->span[pos - 1].end = cover->span[pos].end;
+ cover->num--;
+ memmove(cover->span + pos, cover->span + pos + 1,
+ (cover->num - pos) * sizeof(span_t));
+ }
+ else if (prec)
+ /* The new span is adjacent only to the preceding span. Extend the end
+ of the preceding span. */
+ cover->span[pos - 1].end = end;
+ else if (foll)
+ /* The new span is adjacent only to the following span. Extend the
+ beginning of the following span. */
+ cover->span[pos].beg = beg;
+ else {
+ /* The new span has gaps between both the preceding and the following
+ spans. Assure that there is room and insert the span. */
+ if (cover->num == cover->max) {
+ size_t max = cover->max == 0 ? 16 : cover->max << 1;
+ span_t *span = realloc(cover->span, max * sizeof(span_t));
+ if (span == NULL)
+ return -2;
+ cover->span = span;
+ cover->max = max;
+ }
+ memmove(cover->span + pos + 1, cover->span + pos,
+ (cover->num - pos) * sizeof(span_t));
+ cover->num++;
+ cover->span[pos].beg = beg;
+ cover->span[pos].end = end;
+ }
+ return 0;
+}
@@ -376,6 +495,29 @@
}
#endif /* !SFX || SFX_EXDIR */
+ /* One more: initialize cover structure for bomb detection. Start with a
+ span that covers the central directory though the end of the file. */
+ if (G.cover == NULL) {
+ G.cover = malloc(sizeof(cover_t));
+ if (G.cover == NULL) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
+ ((cover_t *)G.cover)->span = NULL;
+ ((cover_t *)G.cover)->max = 0;
+ }
+ ((cover_t *)G.cover)->num = 0;
+ if ((G.extra_bytes != 0 &&
+ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+ cover_add((cover_t *)G.cover,
+ G.extra_bytes + G.ecrec.offset_start_central_directory,
+ G.ziplen) != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
+
/*---------------------------------------------------------------------------
The basic idea of this function is as follows. Since the central di-
rectory lies at the end of the zipfile and the member files lie at the
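Review bot: Every nonzero result of `cover_add()` is reported here as `NotEnoughMemCover` with `PK_MEM`, although the function's contract (documented in the previous hunk) returns `-2` only for allocation failure, `-1` for an empty or inverted span and `1` for an overlap. A malformed archive whose central-directory offset lies at or past `G.ziplen` is therefore reported as an out-of-memory condition. The hunk at @@ -1602,6 +1750,18 maps every `error < 0` the same way, and in the follow-up patch the first call in @@ -508,15 +511,25 keeps the mapping, where a central directory of size zero gives `beg == end`. Storing the result and testing the allocation case explicitly, `if (rc == -2) return PK_MEM;`, with the other nonzero codes reported as an invalid archive, would make the diagnostic match the cause.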
@@ -593,7 +735,8 @@
if (error > error_in_archive)
error_in_archive = error;
/* ...and keep going (unless disk full or user break) */
- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
+ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
+ error == PK_BOMB) {
/* clear reached_end to signal premature stop ... */
reached_end = FALSE;
/* ... and cancel scanning the central directory */
@@ -1062,6 +1205,11 @@
/* seek_zipf(__G__ pInfo->offset); */
request = G.pInfo->offset + G.extra_bytes;
+ if (cover_within((cover_t *)G.cover, request)) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(OverlappedComponents)));
+ return PK_BOMB;
+ }
inbuf_offset = request % INBUFSIZ;
bufstart = request - inbuf_offset;
@@ -1602,6 +1750,18 @@
return IZ_CTRLC; /* cancel operation by user request */
}
#endif
+ error = cover_add((cover_t *)G.cover, request,
+ G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
+ if (error < 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
+ if (error != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(OverlappedComponents)));
+ return PK_BOMB;
+ }
#ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */
UserStop();
#endif
@@ -2003,6 +2163,34 @@
}
undefer_input(__G);
+
+ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
+ /* skip over data descriptor (harder than it sounds, due to signature
+ * ambiguity)
+ */
+# define SIG 0x08074b50
+# define LOW 0xffffffff
+ uch buf[12];
+ unsigned shy = 12 - readbuf((char *)buf, 12);
+ ulg crc = shy ? 0 : makelong(buf);
+ ulg clen = shy ? 0 : makelong(buf + 4);
+ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
+ if (crc == SIG && /* if not SIG, no signature */
+ (G.lrec.crc32 != SIG || /* if not SIG, have signature */
+ (clen == SIG && /* if not SIG, no signature */
+ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */
+ (ulen == SIG && /* if not SIG, no signature */
+ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
+ /* if not SIG, have signature */
+ )))))
+ /* skip four more bytes to account for signature */
+ shy += 4 - readbuf((char *)buf, 4);
+ if (G.zip64)
+ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
+ if (shy)
+ error = PK_ERR;
+ }
+
return error;
} /* end function extract_or_test_member() */
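Review bot: `SIG` and `LOW` are defined in the middle of the function body and never undefined, so both macros stay visible for the rest of extract.c. Adding `#undef SIG` and `#undef LOW` after the block, or using local constants instead, avoids a clash with any later identifier of the same name. The nested signature test would also benefit from a short comment above it listing the descriptor layouts it has to tell apart (with or without signature, 32-bit or ZIP64 sizes), since the per-line remarks only restate each comparison. The function starts outside the hunk.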
--- a/globals.c
+++ b/globals.c
@@ -181,6 +181,7 @@
# if (!defined(NO_TIMESTAMPS))
uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */
# endif
+ G.cover = NULL; /* not allocated yet */
#endif
uO.lflag=(-1);
--- a/globals.h
+++ b/globals.h
@@ -260,12 +260,15 @@
ecdir_rec ecrec; /* used in unzip.c, extract.c */
z_stat statbuf; /* used by main, mapname, check_for_newer */
+ int zip64; /* true if Zip64 info in extra field */
+
int mem_mode;
uch *outbufptr; /* extract.c static */
ulg outsize; /* extract.c static */
int reported_backslash; /* extract.c static */
int disk_full;
int newfile;
+ void **cover; /* used in extract.c for bomb detection */
int didCRlast; /* fileio static */
ulg numlines; /* fileio static: number of lines printed */
--- a/process.c
+++ b/process.c
@@ -637,6 +637,13 @@
}
#endif
+ /* Free the cover span list and the cover structure. */
+ if (G.cover != NULL) {
+ free(*(G.cover));
+ free(G.cover);
+ G.cover = NULL;
+ }
+
} /* end function free_G_buffers() */
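Review bot: `free(*(G.cover))` releases the span array only because `G.cover` is declared `void **` in globals.h while it actually points at a `cover_t` whose first member is `span`; the dereference reads that member through an unrelated type. If a field is ever placed ahead of `span`, this call frees whatever value sits there instead. `cover_t` is private to extract.c, so the dependency should be documented at both places, for example `/* relies on span being the first member of cover_t (extract.c) */`.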
@@ -1913,6 +1920,8 @@
#define Z64FLGS 0xffff
#define Z64FLGL 0xffffffff
+ G.zip64 = FALSE;
+
if (ef_len == 0 || ef_buf == NULL)
return PK_COOL;
@@ -2084,6 +2093,8 @@
(ZCONST char *)(offset + ef_buf), ULen);
G.unipath_filename[ULen] = '\0';
}
+
+ G.zip64 = TRUE;
}
/* Skip this extra field block */
--- a/unzip.h
+++ b/unzip.h
@@ -645,6 +645,7 @@
#define PK_NOZIP 9 /* zipfile not found */
#define PK_PARAM 10 /* bad or illegal parameters specified */
#define PK_FIND 11 /* no files found */
+#define PK_BOMB 12 /* likely zip bomb */
#define PK_DISK 50 /* disk full */
#define PK_EOF 51 /* unexpected EOF */
From: Mark Adler <madler@alumni.caltech.edu>
Subject: Do not raise a zip bomb alert for a misplaced central directory.
Origin: https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
Bug-Debian: https://bugs.debian.org/932404
X-Debian-version: 6.0-25
Do not raise a zip bomb alert for a misplaced central directory.
There is a zip-like file in the Firefox distribution, omni.ja,
which is a zip container with the central directory placed at the
start of the file instead of after the local entries as required
by the zip standard. This commit marks the actual location of the
central directory, as well as the end of central directory records,
as disallowed locations. This now permits such containers to not
raise a zip bomb alert, where in fact there are no overlaps.
--- a/extract.c
+++ b/extract.c
@@ -495,8 +495,11 @@
}
#endif /* !SFX || SFX_EXDIR */
- /* One more: initialize cover structure for bomb detection. Start with a
- span that covers the central directory though the end of the file. */
+ /* One more: initialize cover structure for bomb detection. Start with
+ spans that cover any extra bytes at the start, the central directory,
+ the end of central directory record (including the Zip64 end of central
+ directory locator, if present), and the Zip64 end of central directory
+ record, if present. */
if (G.cover == NULL) {
G.cover = malloc(sizeof(cover_t));
if (G.cover == NULL) {
@@ -508,15 +511,25 @@
((cover_t *)G.cover)->max = 0;
}
((cover_t *)G.cover)->num = 0;
- if ((G.extra_bytes != 0 &&
- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
- cover_add((cover_t *)G.cover,
+ if (cover_add((cover_t *)G.cover,
G.extra_bytes + G.ecrec.offset_start_central_directory,
- G.ziplen) != 0) {
+ G.extra_bytes + G.ecrec.offset_start_central_directory +
+ G.ecrec.size_central_directory) != 0) {
Info(slide, 0x401, ((char *)slide,
LoadFarString(NotEnoughMemCover)));
return PK_MEM;
}
+ if ((G.extra_bytes != 0 &&
+ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+ (G.ecrec.have_ecr64 &&
+ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
+ G.ecrec.ec64_end) != 0) ||
+ cover_add((cover_t *)G.cover, G.ecrec.ec_start,
+ G.ecrec.ec_end) != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(OverlappedComponents)));
+ return PK_BOMB;
+ }
/*---------------------------------------------------------------------------
The basic idea of this function is as follows. Since the central di-
--- a/process.c
+++ b/process.c
@@ -1408,6 +1408,10 @@
/* Now, we are (almost) sure that we have a Zip64 archive. */
G.ecrec.have_ecr64 = 1;
+ G.ecrec.ec_start -= ECLOC64_SIZE+4;
+ G.ecrec.ec64_start = ecrec64_start_offset;
+ G.ecrec.ec64_end = ecrec64_start_offset +
+ 12 + makeint64(&byterec[ECREC64_LENGTH]);
/* Update the "end-of-central-dir offset" for later checks. */
G.real_ecrec_offset = ecrec64_start_offset;
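Review bot: The literals `12` here and `22` in the next hunk (@@ -1542,6 +1546,8) are undocumented. In the ZIP format `12` is the 4-byte signature plus the 8-byte size field that the Zip64 end-of-central-directory size does not count, and `22` is the fixed length of the end-of-central-directory record before the comment; a comment on each line saying so would make the span arithmetic checkable. The value returned by `makeint64()` is read from the archive and, as far as this hunk shows, is added without a range check, so `ec64_end` can wrap or fall before `ec64_start`; `cover_add()` rejects such a span, and a comment noting that the validation is delegated to it would help the next reader.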
@@ -1542,6 +1546,8 @@
makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
G.ecrec.zipfile_comment_length =
makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
+ G.ecrec.ec_start = G.real_ecrec_offset;
+ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
/* Now, we have to read the archive comment, BEFORE the file pointer
is moved away backwards to seek for a Zip64 ECLOC64 structure.
--- a/unzpriv.h
+++ b/unzpriv.h
@@ -2185,6 +2185,16 @@
int have_ecr64; /* valid Zip64 ecdir-record exists */
int is_zip64_archive; /* Zip64 ecdir-record is mandatory */
ush zipfile_comment_length;
+ zusz_t ec_start, ec_end; /* offsets of start and end of the
+ end of central directory record,
+ including if present the Zip64
+ end of central directory locator,
+ which immediately precedes the
+ end of central directory record */
+ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these
+ are the offsets of the start and
+ end of the Zip64 end of central
+ directory record */
} ecdir_rec;
From: Mark Adler <madler@alumni.caltech.edu>
Subject: Fix bug in UZbunzip2() that incorrectly updated G.incnt
Origin: https://github.com/madler/unzip/commit/5e2efcd633a4a1fb95a129a75508e7d769e767be
Bug-Debian: https://bugs.debian.org/963996
X-Debian-version: 6.0-26
Fix bug in UZbunzip2() that incorrectly updated G.incnt.
The update assumed a full buffer, which is not always full. This
could result in a false overlapped element detection when a small
bzip2-compressed file was unzipped. This commit remedies that.
--- a/extract.c
+++ b/extract.c
@@ -3052,7 +3052,7 @@
#endif
G.inptr = (uch *)bstrm.next_in;
- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */
+ G.incnt -= G.inptr - G.inbuf; /* reset for other routines */
uzbunzip_cleanup_exit:
err = BZ2_bzDecompressEnd(&bstrm);
From: Mark Adler <madler@alumni.caltech.edu>
Subject: Fix bug in UZinflate() that incorrectly updated G.incnt.
Origin: https://github.com/madler/unzip/commit/5c572555cf5d80309a07c30cf7a54b2501493720
X-Debian-version: 6.0-26
Fix bug in UZinflate() that incorrectly updated G.incnt.
The update assumed a full buffer, which is not always full. This
could result in a false overlapped element detection when a small
deflate-compressed file was unzipped using an old zlib. This
commit remedies that.
--- a/inflate.c
+++ b/inflate.c
@@ -700,7 +700,7 @@
G.dstrm.total_out));
G.inptr = (uch *)G.dstrm.next_in;
- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */
+ G.incnt -= G.inptr - G.inbuf; /* reset for other routines */
uzinflate_cleanup_exit:
err = inflateReset(&G.dstrm);
From: Kevin Locke <kevin@kevinlocke.name>
Subject: zipgrep: Avoid test errors when no members present
Bug-Debian: https://bugs.debian.org/972233
X-Debian-version: 6.0-26
--- a/unix/zipgrep
+++ b/unix/zipgrep
@@ -44,6 +44,7 @@
opt="-$opt"
fi
+sts=0
status_grep_global=1
IFS='
'
From: Steven M. Schweda <sms@antinode.info>
Subject: Fix for CVE-2022-0529 and CVE-2022-0530
Bug-Debian: https://bugs.debian.org/1010355
X-Debian-version: 6.0-27
--- a/fileio.c
+++ b/fileio.c
@@ -171,8 +171,10 @@
static ZCONST char Far FilenameTooLongTrunc[] =
"warning: filename too long--truncating.\n";
#ifdef UNICODE_SUPPORT
+ static ZCONST char Far UFilenameCorrupt[] =
+ "error: Unicode filename corrupt.\n";
static ZCONST char Far UFilenameTooLongTrunc[] =
- "warning: Converted unicode filename too long--truncating.\n";
+ "warning: Converted Unicode filename too long--truncating.\n";
#endif
static ZCONST char Far ExtraFieldTooLong[] =
"warning: extra field too long (%d). Ignoring...\n";
@@ -2361,16 +2363,30 @@
/* convert UTF-8 to local character set */
fn = utf8_to_local_string(G.unipath_filename,
G.unicode_escape_all);
- /* make sure filename is short enough */
- if (strlen(fn) >= FILNAMSIZ) {
- fn[FILNAMSIZ - 1] = '\0';
+
+ /* 2022-07-22 SMS, et al. CVE-2022-0530
+ * Detect conversion failure, emit message.
+ * Continue with unconverted name.
+ */
+ if (fn == NULL)
+ {
Info(slide, 0x401, ((char *)slide,
- LoadFarString(UFilenameTooLongTrunc)));
- error = PK_WARN;
+ LoadFarString(UFilenameCorrupt)));
+ error = PK_ERR;
+ }
+ else
+ {
+ /* make sure filename is short enough */
+ if (strlen(fn) >= FILNAMSIZ) {
+ fn[FILNAMSIZ - 1] = '\0';
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(UFilenameTooLongTrunc)));
+ error = PK_WARN;
+ }
+ /* replace filename with converted UTF-8 */
+ strcpy(G.filename, fn);
+ free(fn);
}
- /* replace filename with converted UTF-8 */
- strcpy(G.filename, fn);
- free(fn);
}
# endif /* UNICODE_WCHAR */
if (G.unipath_filename != G.filename_full)
--- a/process.c
+++ b/process.c
@@ -222,6 +222,8 @@
"\nwarning: Unicode Path version > 1\n";
static ZCONST char Far UnicodeMismatchError[] =
"\nwarning: Unicode Path checksum invalid\n";
+ static ZCONST char Far UFilenameTooLongTrunc[] =
+ "warning: filename too long (P1) -- truncating.\n";
#endif
@@ -1915,7 +1917,7 @@
Sets both local header and central header fields. Not terribly clever,
but it means that this procedure is only called in one place.
- 2014-12-05 SMS.
+ 2014-12-05 SMS. (oCERT.org report.) CVE-2014-8141.
Added checks to ensure that enough data are available before calling
makeint64() or makelong(). Replaced various sizeof() values with
simple ("4" or "8") constants. (The Zip64 structures do not depend
@@ -1947,9 +1949,10 @@
ef_len - EB_HEADSIZE));
break;
}
+
if (eb_id == EF_PKSZ64)
{
- int offset = EB_HEADSIZE;
+ unsigned offset = EB_HEADSIZE;
if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
{
@@ -2046,7 +2049,7 @@
}
if (eb_id == EF_UNIPATH) {
- int offset = EB_HEADSIZE;
+ unsigned offset = EB_HEADSIZE;
ush ULen = eb_len - 5;
ulg chksum = CRCVAL_INITIAL;
@@ -2504,16 +2507,17 @@
int state_dependent;
int wsize = 0;
int max_bytes = MB_CUR_MAX;
- char buf[9];
+ char buf[ MB_CUR_MAX+ 1]; /* ("+1" not really needed?) */
char *buffer = NULL;
char *local_string = NULL;
+ size_t buffer_size; /* CVE-2022-0529 */
for (wsize = 0; wide_string[wsize]; wsize++) ;
if (max_bytes < MAX_ESCAPE_BYTES)
max_bytes = MAX_ESCAPE_BYTES;
-
- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+ buffer_size = wsize * max_bytes + 1; /* Reused below. */
+ if ((buffer = (char *)malloc( buffer_size)) == NULL) {
return NULL;
}
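Review bot: `char buf[ MB_CUR_MAX+ 1];` is a variable-length array, because `MB_CUR_MAX` is a run-time expression in standard C, whereas the line it replaces used a fixed `buf[9]`. Compilers without VLA support will reject it, which matters for a code base that still uses K&R definitions. A compile-time bound gives the same guarantee: `char buf[MB_LEN_MAX + 1];` with `MB_LEN_MAX` from `<limits.h>`. The function body starts outside the hunk.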
@@ -2551,8 +2555,28 @@
} else {
/* no MB for this wide */
/* use escape for wide character */
- char *escape_string = wide_to_escape_string(wide_string[i]);
- strcat(buffer, escape_string);
+ size_t buffer_len;
+ size_t escape_string_len;
+ char *escape_string;
+ int err_msg = 0;
+
+ escape_string = wide_to_escape_string(wide_string[i]);
+ buffer_len = strlen( buffer);
+ escape_string_len = strlen( escape_string);
+
+ /* Append escape string, as space allows. */
+ /* 2022-07-18 SMS, et al. CVE-2022-0529 */
+ if (escape_string_len > buffer_size- buffer_len- 1)
+ {
+ escape_string_len = buffer_size- buffer_len- 1;
+ if (err_msg == 0)
+ {
+ err_msg = 1;
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString( UFilenameTooLongTrunc)));
+ }
+ }
+ strncat( buffer, escape_string, escape_string_len);
free(escape_string);
}
}
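Review bot: `err_msg` is declared and initialised to 0 inside the `else` block that handles one wide character, so it is reset each time the block is entered and the `if (err_msg == 0)` guard never suppresses a repeat. The truncation warning is then printed for every escape that does not fit rather than once per name. Moving the declaration to function scope next to `buffer_size`, as `int err_msg = 0;`, gives the one-shot behaviour the flag suggests. The loop and the function start outside this hunk.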
@@ -2604,9 +2628,18 @@
ZCONST char *utf8_string;
int escape_all;
{
- zwchar *wide = utf8_to_wide_string(utf8_string);
- char *loc = wide_to_local_string(wide, escape_all);
- free(wide);
+ zwchar *wide;
+ char *loc = NULL;
+
+ wide = utf8_to_wide_string( utf8_string);
+
+ /* 2022-07-25 SMS, et al. CVE-2022-0530 */
+ if (wide != NULL)
+ {
+ loc = wide_to_local_string( wide, escape_all);
+ free( wide);
+ }
+
return loc;
}
#
## Copyright:: Copyright (c) 2013, 2014 GitLab.com
## License:: Apache License, Version 2.0
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##
#
require "#{Omnibus::Config.project_root}/lib/gitlab/build_iteration"
require "#{Omnibus::Config.project_root}/lib/gitlab/build/info/package"
require "#{Omnibus::Config.project_root}/lib/gitlab/version"
require "#{Omnibus::Config.project_root}/lib/gitlab/util"
require "#{Omnibus::Config.project_root}/lib/gitlab/ohai_helper.rb"
require "#{Omnibus::Config.project_root}/lib/gitlab/openssl_helper"
require "#{Omnibus::Config.project_root}/files/gitlab-cookbooks/package/libraries/helpers/selinux_distro_helper.rb"
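# Resolve the package being built and the path of its definition file under
# the project directory.
gitlab_package_name = Build::Info::Package.name
gitlab_package_file = File.join(Omnibus::Config.project_dir, 'gitlab', "#{gitlab_package_name}.rb")

# Include package specific details like package name and description (for gitlab-ee/gitlab-ce/etc).
# The file is evaluated as Ruby in the context of this project definition, so
# it must only ever come from the reviewed source tree. File.read is used
# instead of IO.read because IO.read treats a path that begins with "|" as a
# command to run rather than a file to open.
instance_eval(File.read(gitlab_package_file), gitlab_package_file, 1)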
# Every other package definition found next to ours is declared as both
# replaced by and conflicting with this package, so users can move from one
# GitLab package to another.
sibling_definitions = Dir.glob(File.join(Omnibus::Config.project_dir, 'gitlab', '*.rb'))
sibling_definitions.each do |definition_path|
  sibling_name = File.basename(definition_path, '.rb')
  unless sibling_name == gitlab_package_name
    replace sibling_name
    conflict sibling_name
  end
end
license('MIT')
license_compiled_output(true)

# Supersede packages published under the older 'gitlab' name.
replace('gitlab')
conflict('gitlab')

install_dir('/opt/gitlab')

# Workaround that keeps nightly versions distinguishable from each other.
# Background: https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1500
#
# The proper fix is tracked in
# https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1007
#
# lib/gitlab/build.rb forms the Docker version and should be checked as well.
build_version(Build::Info::Package.semver_version)
build_iteration(Gitlab::BuildIteration.new.build_iteration)
# An OpenSSH server has to be installed; the package name differs on SUSE.
ssh_server_package = suse? ? 'openssh' : 'openssh-server'
runtime_dependency ssh_server_package

# exiftool and openssh certificate hashing both need perl.
runtime_dependency 'perl'

# Pick the policycoreutils package for the detected RHEL-family or Amazon
# Linux release. Releases not listed below add no dependency.
policycoreutils_package =
  if rhel?
    case OhaiHelper.get_centos_version
    when '6', '7' then 'policycoreutils-python'
    when '8', '9' then 'policycoreutils-python-utils'
    end
  elsif amazon?
    case OhaiHelper.get_amazon_version
    when '2' then 'policycoreutils-python'
    when '2023' then 'policycoreutils-python-utils'
    end
  end
runtime_dependency policycoreutils_package if policycoreutils_package
# libatomic is required on Arm; its package name depends on the distribution
# family.
if OhaiHelper.arm?
  libatomic_package = (rhel? || amazon?) ? 'libatomic' : 'libatomic1'
  runtime_dependency libatomic_package

  # NOTE(review): the dots in this pattern are unescaped, so each one matches
  # any character.
  allowed_lib(/libatomic.so.1/) if OhaiHelper.raspberry_pi?
end
# FIPS builds run against the system OpenSSL, so the matching distribution
# package is declared as a runtime dependency.
if Build::Check.use_system_ssl?
  system_openssl_package = rhel? ? 'openssl-perl' : 'openssl'
  runtime_dependency system_openssl_package
end
# Components are declared in build order; the order of the names below is
# significant and matches the original listing.
%w[cacerts omnibus-gitlab-gems].each { |component| dependency component }

if SELinuxDistroHelper.selinux_supported?
  dependency 'gitlab-selinux'
end

%w[
  redis
  nginx
  chef-gem
  inspec-gem
  logrotate
  runit
  go-crond
  docker-distribution-pruner
].each { |component| dependency component }

if Build::Check.include_ee?
  %w[consul pgbouncer-exporter].each { |component| dependency component }

  # The spam components are left out of Raspberry Pi builds.
  %w[spamcheck spam-classifier].each { |component| dependency component } unless OhaiHelper.raspberry_pi?
end

%w[
  alertmanager
  node-exporter
  redis-exporter
  postgres-exporter
  prometheus
  gitlab-exporter
  mattermost
].each { |component| dependency component }
# Components built from the contents of this repository invalidate the build
# cache more often than vendored ones, so they are declared after them.
if Build::Check.include_ee?
  %w[gitlab-ctl-ee gitlab-geo-psql gitlab-pg-ctl].each { |component| dependency component }
end

%w[
  gitlab-cookbooks
  chef-acme
  gitlab-ctl
  gitlab-psql
  gitlab-backup-cli
  gitlab-redis-cli
  gitlab-healthcheck
  gitlab-scripts
  gitlab-config-template
].each { |component| dependency component }
# Build GitLab components at the end because except for tag pipelines, we build
# from `main`/`master`, and this can invalidate cache easily. Git is built from
# gitaly sources, and hence falls under the same category.
dependency 'gitlab-elasticsearch-indexer' if Build::Check.include_ee?
dependency 'gitlab-kas'
dependency 'gitlab-shell'
dependency 'gitlab-pages'
dependency 'git'
# `git-filter-repo` is a dependency of Gitaly. But placing it there will cause
# it to be built early in the build list, which will in-turn cause `git` to be
# built early. `git`, being built from `gitaly` source will bust cache often,
# and cause unnecessary rebuilds. Hence, we are placing `git-filter-repo` as a
# project dependency after `git`
dependency 'git-filter-repo'
# gitaly needs grpc to work correctly. These native extensions are built as part
# of gitlab-rails build. So, gitlab-rails has to be built before gitaly. But
# making gitaly depend on gitlab-rails will cause it to be built earlier,
# because of the ordering omnibus applies to transitive dependencies. Building
# gitlab-rails earlier in the sequence is a problem as we expect this component to
# churn a lot, invalidating the build cache for later component builds.
# https://github.com/chef/omnibus/blob/master/docs/Build%20Cache.md
dependency 'gitlab-rails'
dependency 'gitaly'
dependency 'ruby-grpc' if Build::Check.use_system_ssl?
# Package scripts
dependency 'package-scripts'
# version manifest file
dependency 'version-manifest'
if Build::Check.use_system_ssl?
OpenSSLHelper.allowed_libs.each do |lib|
allowed_lib /#{lib}\.so/
end
end
exclude "\.git*"
exclude "bundler\/git"
# don't ship static libraries or header files
exclude 'embedded/lib/**/*.a'
exclude 'embedded/lib/**/*.la'
exclude 'embedded/include'
# exclude manpages and documentation
exclude 'embedded/man'
exclude 'embedded/share/doc'
exclude 'embedded/share/gtk-doc'
exclude 'embedded/share/info'
exclude 'embedded/share/man'
# exclude rubygems build cache
exclude 'embedded/lib/ruby/gems/*/cache'
# exclude test and some vendor folders
exclude 'embedded/lib/ruby/gems/*/gems/*/spec'
exclude 'embedded/lib/ruby/gems/*/gems/*/test'
exclude 'embedded/lib/ruby/gems/*/gems/*/tests'
# Some vendor folders (e.g. licensee) are needed by GitLab.
# For now, exclude the most space-consuming gems until
# there's a better way to whitelist directories.
exclude 'embedded/lib/ruby/gems/*/gems/rugged*/vendor'
exclude 'embedded/lib/ruby/gems/*/gems/ace-rails*/vendor'
exclude 'embedded/lib/ruby/gems/*/gems/libyajl2*/**/vendor'
# exclude gem build logs
exclude 'embedded/lib/ruby/gems/*/extensions/*/*/*/mkmf.log'
exclude 'embedded/lib/ruby/gems/*/extensions/*/*/*/gem_make.out'
# # exclude C sources
exclude 'embedded/lib/ruby/gems/*/gems/*/ext/*.c'
exclude 'embedded/lib/ruby/gems/*/gems/*/ext/*/*.c'
exclude 'embedded/lib/ruby/gems/*/gems/*/ext/*.o'
exclude 'embedded/lib/ruby/gems/*/gems/*/ext/*/*.o'
# # exclude other gem files
exclude 'embedded/lib/ruby/gems/*/gems/*/*.gemspec'
exclude 'embedded/lib/ruby/gems/*/gems/*/*.md'
exclude 'embedded/lib/ruby/gems/*/gems/*/*.rdoc'
exclude 'embedded/lib/ruby/gems/*/gems/*/*.sh'
exclude 'embedded/lib/ruby/gems/*/gems/*/*.txt'
exclude 'embedded/lib/ruby/gems/*/gems/*/*.ruby'
exclude 'embedded/lib/ruby/gems/*/gems/*/*LICENSE*'
exclude 'embedded/lib/ruby/gems/*/gems/*/CHANGES*'
exclude 'embedded/lib/ruby/gems/*/gems/*/Gemfile'
exclude 'embedded/lib/ruby/gems/*/gems/*/Guardfile'
exclude 'embedded/lib/ruby/gems/*/gems/*/README*'
exclude 'embedded/lib/ruby/gems/*/gems/*/Rakefile'
exclude 'embedded/lib/ruby/gems/*/gems/*/run_tests.rb'
exclude 'embedded/lib/ruby/gems/*/gems/*/Documentation'
exclude 'embedded/lib/ruby/gems/*/gems/*/bench'
exclude 'embedded/lib/ruby/gems/*/gems/*/contrib'
exclude 'embedded/lib/ruby/gems/*/gems/*/doc'
exclude 'embedded/lib/ruby/gems/*/gems/*/doc-api'
exclude 'embedded/lib/ruby/gems/*/gems/*/examples'
exclude 'embedded/lib/ruby/gems/*/gems/*/fixtures'
exclude 'embedded/lib/ruby/gems/*/gems/*/gemfiles'
exclude 'embedded/lib/ruby/gems/*/gems/*/libtest'
exclude 'embedded/lib/ruby/gems/*/gems/*/man'
exclude 'embedded/lib/ruby/gems/*/gems/*/sample_documents'
exclude 'embedded/lib/ruby/gems/*/gems/*/samples'
exclude 'embedded/lib/ruby/gems/*/gems/*/sample'
exclude 'embedded/lib/ruby/gems/*/gems/*/script'
exclude 'embedded/lib/ruby/gems/*/gems/*/t'
# Exclude additional files from specific gems
exclude 'embedded/lib/ruby/gems/*/gems/grpc-*/include'
exclude 'embedded/lib/ruby/gems/*/gems/grpc-*/src/core'
exclude 'embedded/lib/ruby/gems/*/gems/grpc-*/src/ruby/ext'
exclude 'embedded/lib/ruby/gems/*/gems/grpc-*/src/ruby/spec'
exclude 'embedded/lib/ruby/gems/*/gems/grpc-*/third_party'
exclude 'embedded/lib/ruby/gems/*/gems/nokogumbo-*/ext'
exclude 'embedded/lib/ruby/gems/*/gems/rbtrace-*/ext/src'
exclude 'embedded/lib/ruby/gems/*/gems/rbtrace-*/ext/dst'
exclude 'embedded/lib/ruby/gems/*/gems/re2-*/ports'
exclude 'embedded/lib/ruby/gems/*/gems/*pg_query-*/ext'
# Exclude exe files from Python libraries
exclude 'embedded/lib/python*/**/*.exe'
# Exclude whl files from Python libraries.
exclude 'embedded/lib/python*/**/*.whl'
# Enable signing packages
package :rpm do
vendor 'GitLab, Inc. <support@gitlab.com>'
signing_passphrase Gitlab::Util.get_env('GPG_PASSPHRASE')
# Enable XZ compression if selected
compress_xz = Gitlab::Util.get_env('COMPRESS_XZ') || 'true'
if compress_xz == 'true'
compression_type :xz
compression_level 6
end
end
package :deb do
vendor 'GitLab, Inc. <support@gitlab.com>'
signing_passphrase Gitlab::Util.get_env('GPG_PASSPHRASE')
# Enable XZ compression if selected
compress_xz = Gitlab::Util.get_env('COMPRESS_XZ') || 'true'
if compress_xz == 'true'
compression_type :xz
compression_level 6
end
end
resources_path "#{Omnibus::Config.project_root}/resources"
# Our package scripts are generated from .erb files,
# so we will grab them from an excluded folder
package_scripts_path "#{install_dir}/.package_util/package-scripts"
exclude '.package_util'
# Exclude Python cache and distribution info
exclude 'embedded/lib/python*/**/*.dist-info'
exclude 'embedded/lib/python*/**/*.egg-info'
exclude 'embedded/lib/python*/**/__pycache__'
# exclude Spamcheck application source and libraries
exclude 'embedded/service/spamcheck/app'
package_user 'root'
package_group 'root'
name 'gitlab-ce'
description 'GitLab Community Edition (including NGINX, Postgres, Redis)'
maintainer 'GitLab, Inc. <support@gitlab.com>'
homepage 'https://about.gitlab.com/'
name 'gitlab-ee'
description 'GitLab Enterprise Edition (including NGINX, Postgres, Redis)'
maintainer 'GitLab, Inc. <support@gitlab.com>'
homepage 'https://about.gitlab.com/'
name 'gitlab-fips'
description 'GitLab Enterprise Edition (including NGINX, Postgres, Redis) with FIPS compliance'
maintainer 'GitLab, Inc. <support@gitlab.com>'
homepage 'https://about.gitlab.com/'
## Software Definitions
Most of the software definitions provided in this folder are adapted from [omnibus-software](https://github.com/chef/omnibus-software/tree/master/config/software). Initially, omnibus-software was used directly so that the definitions need not be redefined by Omnibus GitLab. But, omnibus-software [later stated](http://www.getchef.com/blog/2014/06/30/omnibus-a-look-forward/) that it does not intend to provide a comprehensive list of definitions, but will support only the software definitions that are a required part of their product pipelines. So, it was decided that Omnibus GitLab should ship its own copy of software definitions. This, even though increased clutter, provided two advantages: a canonical location for definitions of all softwares used by Omnibus GitLab, and ability to modify the definitions as necessary without the need of specifying overrides.
#
## Copyright:: Copyright (c) 2018 GitLab.com
## License:: Apache License, Version 2.0
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##
#
require "#{Omnibus::Config.project_root}/lib/gitlab/version"
require "#{Omnibus::Config.project_root}/lib/gitlab/prometheus_helper"
name 'alertmanager'
version = Gitlab::Version.new('alertmanager', '0.27.0')
default_version version.print
license 'APACHE-2.0'
license_file 'LICENSE'
license_file 'NOTICE'
skip_transitive_dependency_licensing true
source git: version.remote
go_source = 'github.com/prometheus/alertmanager'
relative_path "src/#{go_source}"
build do
env = {
'GOPATH' => "#{Omnibus::Config.source_dir}/alertmanager",
'GO111MODULE' => 'on',
'GOTOOLCHAIN' => 'local',
}
exporter_source_dir = "#{Omnibus::Config.source_dir}/alertmanager"
cwd = "#{exporter_source_dir}/src/#{go_source}"
prom_version = Prometheus::VersionFlags.new(version)
command "go build -ldflags '#{prom_version.print_ldflags}' ./cmd/alertmanager", env: env, cwd: cwd
mkdir "#{install_dir}/embedded/bin/"
copy 'alertmanager', "#{install_dir}/embedded/bin/"
command "license_finder report --enabled-package-managers godep gomodules --decisions-file=#{Omnibus::Config.project_root}/support/dependency_decisions.yml --format=json --columns name version licenses texts notice --save=license.json"
copy "license.json", "#{install_dir}/licenses/alertmanager.json"
end
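Review bot: The `env` hash at the top of the `build` block sets `'GOTOOLCHAIN' => 'local'` without a comment, and that entry is what keeps `go build` from downloading and switching to a Go toolchain other than the one installed in the build image. I would state that above the hash, for example `# GOTOOLCHAIN=local: build with the Go toolchain in the build image; never fetch another one`, so the entry is not removed as noise later. Module dependencies are presumably still resolved over the network by the `go build` call, since nothing visible in this file vendors them or restricts the proxy, so a short comment naming what verifies them (the upstream `go.sum`) would help the next reader. `source git: version.remote` together with `'0.27.0'` looks like a pin by tag name; `Gitlab::Version` is not shown here, so it is worth confirming that the resolved ref cannot move between builds.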