!38 Fix EulerMaker build failure

From: @wang--ge Reviewed-by: @caodongxia Signed-off-by: @caodongxia
fix EulerMaker build failure
2023-10-17 07:32:04 +00:00 · 2023-10-17 11:32:19 +08:00 · 2023-06-28 07:58:47 +00:00 · 2023-06-28 11:32:20 +08:00 · 2021-10-11 11:45:29 +00:00 · 2021-10-11 19:04:47 +08:00
4 changed files with 319 additions and 9 deletions
--- a/CVE-2022-2414.patch
+++ b/CVE-2022-2414.patch
@ -0,0 +1,144 @@
 From 1fe34b30ed12710f6ea4c2fae4686f36dd4ef705 Mon Sep 17 00:00:00 2001
 From: Chris Kelley <ckelley@redhat.com>
 Date: Fri, 10 Jun 2022 17:25:07 +0100
 Subject: [PATCH] Disable access to external entities when parsing XML
 Origin: https://github.com/dogtagpki/pki/commit/1fe34b30ed12710f6ea4c2fae4686f36dd4ef705
 This reduces the vulnerability of XML parsers to XXE (XML external
 entity) injection.
 The best way to prevent XXE is to stop using XML altogether, which we do
 plan to do. Until that happens I consider it worthwhile to tighten the
 security here though.
 ---
 .../cms/servlet/csadmin/SecurityDomainProcessor.java     | 6 +++++-
 .../cmscore/src/com/netscape/cmscore/apps/ServerXml.java | 1 +
 base/test/src/com/netscape/test/TestListener.java        | 5 ++++-
 base/util/src/com/netscape/cmsutil/xml/XMLObject.java    | 9 +++++++++
 4 files changed, 19 insertions(+), 2 deletions(-)
 diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
 index 2090fec357a..6931fa5c5f5 100644
 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
 +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
@@ -24,6 +24,7 @@
 import java.util.Locale;
 import java.util.Vector;
 +import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -640,7 +641,10 @@ public static void main(String args[]) throws Exception {
         XMLObject xmlObject = convertDomainInfoToXMLObject(before);
         Document document = xmlObject.getDocument();
 -        Transformer transformer = TransformerFactory.newInstance().newTransformer();
 +        TransformerFactory transformerFactory = TransformerFactory.newInstance();
 +        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 +        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 +        Transformer transformer = transformerFactory.newTransformer();
         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
         transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
 diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java b/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java
 index 59a06ba39ba..2886291af2d 100644
 --- a/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java
 +++ b/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java
@@ -40,6 +40,7 @@ public static ServerXml load(String filename) throws Exception {
         ServerXml serverXml = new ServerXml();
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 +        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         DocumentBuilder builder = factory.newDocumentBuilder();
         Document document = builder.parse(filename);
 diff --git a/base/test/src/com/netscape/test/TestListener.java b/base/test/src/com/netscape/test/TestListener.java
 index 96c4c906892..d55458716fe 100644
 --- a/base/test/src/com/netscape/test/TestListener.java
 +++ b/base/test/src/com/netscape/test/TestListener.java
@@ -10,6 +10,7 @@
 import java.util.Date;
 import java.util.TimeZone;
 +import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -22,7 +23,6 @@
 import org.junit.runner.Result;
 import org.junit.runner.notification.Failure;
 import org.junit.runner.notification.RunListener;
 -
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Text;
@@ -64,9 +64,12 @@ public TestListener() throws Exception {
         dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
         docBuilderFactory = DocumentBuilderFactory.newInstance();
 +        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         docBuilder = docBuilderFactory.newDocumentBuilder();
         transFactory = TransformerFactory.newInstance();
 +        transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 +        transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
         trans = transFactory.newTransformer();
         trans.setOutputProperty(OutputKeys.INDENT, "yes");
 diff --git a/base/util/src/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
 index a7715ec9908..d8e0f413325 100644
 --- a/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
 +++ b/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
@@ -25,6 +25,7 @@
 import java.io.StringWriter;
 import java.util.Vector;
 +import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -56,6 +57,7 @@ public XMLObject() throws ParserConfigurationException {
     public XMLObject(InputStream s)
             throws SAXException, IOException, ParserConfigurationException {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 +        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         DocumentBuilder docBuilder = factory.newDocumentBuilder();
         mDoc = docBuilder.parse(s);
     }
@@ -63,6 +65,7 @@ public XMLObject(InputStream s)
     public XMLObject(File f)
             throws SAXException, IOException, ParserConfigurationException {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 +        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         DocumentBuilder docBuilder = factory.newDocumentBuilder();
         mDoc = docBuilder.parse(f);
     }
@@ -159,6 +162,8 @@ public Vector<String> getValuesFromContainer(Node container, String tagname) {
     public byte[] toByteArray() throws TransformerConfigurationException, TransformerException {
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
         TransformerFactory tranFactory = TransformerFactory.newInstance();
 +        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 +        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
         Transformer aTransformer = tranFactory.newTransformer();
         Source src = new DOMSource(mDoc);
         Result dest = new StreamResult(bos);
@@ -169,6 +174,8 @@ public byte[] toByteArray() throws TransformerConfigurationException, Transforme
     public void output(OutputStream os)
             throws TransformerConfigurationException, TransformerException {
         TransformerFactory tranFactory = TransformerFactory.newInstance();
 +        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 +        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
         Transformer aTransformer = tranFactory.newTransformer();
         Source src = new DOMSource(mDoc);
         Result dest = new StreamResult(os);
@@ -177,6 +184,8 @@ public void output(OutputStream os)
     public String toXMLString() throws TransformerConfigurationException, TransformerException {
         TransformerFactory tranFactory = TransformerFactory.newInstance();
 +        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 +        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
         Transformer transformer = tranFactory.newTransformer();
         Source src = new DOMSource(mDoc);
         StreamResult dest = new StreamResult(new StringWriter());
--- a/pki-core.spec
+++ b/pki-core.spec
@ -4,13 +4,17 @@
 Name:                pki-core
 Version:             10.7.3
-Release:             1
+Release:             6
 Summary:             The PKI Core Package
 License:             GPLv2 and LGPLv2
 URL:                 http://www.dogtagpki.org/
 Source0:             https://github.com/dogtagpki/pki/archive/v%{version}/pki-%{version}.tar.gz
 Source1:             https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 Patch1:              0001-Fix-URL-redirection-for-KRA-and-OCSP-web-UI-241.patch
 Patch2:              remove-sslget-V-option.patch
 Patch3:              remove-revoker-V-option.patch
 Patch4:              CVE-2022-2414.patch
 BuildRequires:       git make cmake >= 2.8.9-1 gcc-c++ zip java-1.8.0-openjdk-devel
 BuildRequires:       ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
 BuildRequires:       apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j
@ -31,6 +35,8 @@ BuildRequires:       systemd zlib zlib-devel nss-tools openssl golang
 Dogtag PKI is a designed  enterprise software system
 manage enterprise Public Key Infrastructure deployments.
 %bcond_with console
 %package -n          pki-symkey
 Summary:             The PKI Symmetric Key Package
 Requires:            java-1.8.0-openjdk-headless jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0
@ -57,7 +63,8 @@ Summary:             The PKI Python 3 Package
 BuildArch:           noarch
 Obsoletes:           pki-base-python3 < %{version}
 Provides:            pki-base-python3 = %{version}
-%{?python_provide:%python_provide python3-pki}
+Provides:            python3-pki = %{version}
 Provides:            python-pki = %{version}
 Requires:            pki-base = %{version} python3-cryptography python3-lxml
 Requires:            python3-requests >= 2.6.0 python3-six python3-nss
 %description -n      python3-pki
@ -187,6 +194,7 @@ Conflicts:           pki-server-theme < %{version} pki-console-theme < %{version
 %description -n      pki-help
 Documentation for KPI.
 %if %{with console}
 %package -n          pki-console
 Summary:             The PKI Console Package
 BuildArch:           noarch
@ -195,6 +203,7 @@ Requires:            idm-console-framework >= 1.2.0 pki-base-java = %{version}
 Requires:            pki-console-theme = %{version}
 %description -n      pki-console
 The PKI console is a Java application used to manage the PKI server.
 %endif
 %prep
 %autosetup -n pki-%{version} -p1 -S git
@ -208,9 +217,9 @@ else
    app_server=tomcat-$tomcat_version
 fi
 # generate go-md2man
-mkdir -p /home/abuild/rpmbuild/bin/
+mkdir -p ~/rpmbuild/bin/
 cd go-md2man-*
-go build -mod=vendor -o /home/abuild/rpmbuild/bin/
+go build -mod=vendor -o ~/rpmbuild/bin/
 cd -
 mkdir -p build
 cd build
@ -226,11 +235,11 @@ cd build
    -DWITH_PYTHON2:BOOL=OFF -DWITH_PYTHON3:BOOL=ON \
    -DWITH_PYTHON3_DEFAULT:BOOL=ON -DPYTHON_EXECUTABLE=%{__python3} \
    -DWITH_TEST:BOOL=ON -DWITH_JAVADOC:BOOL=ON \
-    -DBUILD_PKI_CONSOLE:BOOL=ON -DTHEME= \
+    -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:OFF} -DTHEME= \
    ..
 %install
-export PATH=$PATH:/home/abuild/rpmbuild/bin/
+export PATH=$PATH:~/rpmbuild/bin/
 cd build
 %make_build \
    VERBOSE=%{?_verbose} CMAKE_NO_VERBOSE=1 \
@ -262,12 +271,12 @@ if (test("/etc/sysconfig/pki/ca") or
    test("/etc/sysconfig/pki/kra") or
    test("/etc/sysconfig/pki/ocsp") or
    test("/etc/sysconfig/pki/tks")) then
-   msg = "Unable to upgrade to Fedora 20.  There are PKI 9 instances\n" ..
+   msg = "Unable to upgrade to PKI-10.  There are PKI 9 instances\n" ..
         "that will no longer work since they require Tomcat 6, and \n" ..
-         "Tomcat 6 is no longer available in Fedora 20.\n\n" ..
+         "Tomcat 6 is no longer available.\n\n" ..
         "Please follow these instructions to migrate the instances to \n" ..
         "PKI 10:\n\n" ..
-         "http://www.dogtagpki.org/wiki/Migrating_PKI_9_Instances_to_PKI_10"
+         "https://github.com/dogtagpki/pki/wiki/Migrating-PKI-9-to-PKI-10"
   error(msg)
 end
@ -423,11 +432,28 @@ fi
 %{_mandir}/man5/*
 %{_mandir}/man8/*
 %if %{with console}
 %files -n pki-console
 %doc base/console/LICENSE
 %{_bindir}/pkiconsole
 %{_javadir}/pki/pki-console.jar
 %endif
 %changelog
 * Tue Oct 17 2023 Ge Wang <wang__ge@126.com> - 10.7.3-6
 - Fix EulerMaker build failure caused by build root difference
 * Wed Jun 28 2023 wangkai <13474090681@163.com> - 10.7.3-5
 - Fix CVE-2022-2414
 * Mon Oct 11 2021 wangyue <wangyue92@huawei.com> - 10.7.3-4
 - remove sslget and revoker -V option
 * Fri Sep 24 2021 wutao <wutao61@huawei.com> - 10.7.3-3
 - disable pki-console
 * Thu Sep 23 2021 wutao <wutao61@huawei.com> - 10.7.3-2
 - change link source and delete useless information
 * Mon Sep 13 2021 wutao <wutao61@huawei.com> - 10.7.3-1
 - Package init
--- a/remove-revoker-V-option.patch
+++ b/remove-revoker-V-option.patch
@ -0,0 +1,78 @@
 From d39e6a872df75ca34d6960f0f1294f84e1290ea4 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Mon, 11 Oct 2021 15:42:09 +0800
 Subject: [PATCH] 2
 ---
 base/native-tools/src/revoker/revoker.c | 39 ++++++++++---------------
 1 file changed, 15 insertions(+), 24 deletions(-)
 diff --git a/base/native-tools/src/revoker/revoker.c b/base/native-tools/src/revoker/revoker.c
 index b7ff4ea..89ad2ad 100644
 --- a/base/native-tools/src/revoker/revoker.c
 +++ b/base/native-tools/src/revoker/revoker.c
@@ -94,8 +94,6 @@ int getopt(int ac, char * const av[], const char * opts);
 #endif /* XP_PC */
 /*end secopt.h*/
 -#define VERSIONSTRING "$Revision$ ($Date$)"
 -
 #ifndef PORT_Sprintf
 #define PORT_Sprintf sprintf
 #endif
@@ -137,21 +135,20 @@ static void
 Usage(const char *progName)
 {
     fprintf(stderr, 
 -    	"Usage: %s -s serialNum -n rsa_nickname [-p password | -w pwfile ] [-d dbdir] \n"
 -	"          [-v] [-V] [-u] [-r reasoncode] [-i numberOfHours] hostname[:port]\n"
 -    "      serialNum:    List of serial numbers to revoke, in hex, e.g. '0x31' or '0x44,0x643,0x22'\n"
 -    "      reasoncode:  integer from 0 to 6, as follows\n"
 -    "                    0 = Unspecified   (default)\n"
 -    "                    1 = Key compromised\n"
 -    "                    2 = CA key compromised\n"
 -    "                    3 = Affiliation changed\n"
 -    "                    4 = Certificate superseded\n"
 -    "                    5 = Cessation of operation\n"
 -    "                    6 = Certificate is on hold\n"
 -    "     -u  : unrevoke (take off hold)\n"
 -    "     -v  : verbose\n"
 -    "     -V  : report version information\n",
 -	progName);
 +    	     "Usage: %s -s serialNum -n rsa_nickname [-p password | -w pwfile ] [-d dbdir] \n"
 +	     "          [-v] [-u] [-r reasoncode] [-i numberOfHours] hostname[:port]\n"
 +             "      serialNum:    List of serial numbers to revoke, in hex, e.g. '0x31' or '0x44,0x643,0x22'\n"
 +             "      reasoncode:  integer from 0 to 6, as follows\n"
 +             "                    0 = Unspecified   (default)\n"
 +             "                    1 = Key compromised\n"
 +             "                    2 = CA key compromised\n"
 +             "                    3 = Affiliation changed\n"
 +             "                    4 = Certificate superseded\n"
 +             "                    5 = Cessation of operation\n"
 +             "                    6 = Certificate is on hold\n"
 +             "     -u  : unrevoke (take off hold)\n"
 +             "     -v  : verbose\n",
 +	     progName);
     exit(1);
 }
@@ -745,15 +742,9 @@ main(int argc, char **argv)
     progName = progName ? progName + 1 : tmp;
 -    while ((optchar = getopt(argc, argv, "Vd:n:p:s:r:i:w:uv")) != -1) {
 +    while ((optchar = getopt(argc, argv, "d:n:p:s:r:i:w:uv")) != -1) {
 	switch(optchar) {
 -/* Version */
 -	case 'V':
 -	  printf("%s\n",VERSIONSTRING);
 -	  PR_Cleanup();
 -	  return 0;
 -
 /* Directory which holds NSS database */
 	case 'd':
 	    dir = optarg;
 -- 
 2.23.0
--- a/remove-sslget-V-option.patch
+++ b/remove-sslget-V-option.patch
@ -0,0 +1,62 @@
 From bf0fc39a800136fc25c4dca488c6058178bd74ab Mon Sep 17 00:00:00 2001
 From: Alexander Scheel <ascheel@redhat.com>
 Date: Tue, 18 Feb 2020 15:59:12 -0500
 Subject: [PATCH] Remove sslget -V option
 Since we haven't used SVN in a while, $Revision$ and $Date$
 no longer update. Remove the -V option instead of passing in
 a valid version number.
 Signed-off-by: Alexander Scheel <ascheel@redhat.com>
 ---
 base/native-tools/src/sslget/sslget.c | 21 ++++++---------------
 1 file changed, 6 insertions(+), 15 deletions(-)
 diff --git a/base/native-tools/src/sslget/sslget.c b/base/native-tools/src/sslget/sslget.c
 index 4f3ebc4500..f115b21347 100644
 --- a/base/native-tools/src/sslget/sslget.c
 +++ b/base/native-tools/src/sslget/sslget.c
@@ -96,8 +96,6 @@ int getopt(int ac, char * const av[], const char * opts);
 #endif /* XP_PC */
 /*end secopt.h*/
 -#define VERSIONSTRING "$Revision$ ($Date$)"
 -
 #ifndef PORT_Sprintf
 #define PORT_Sprintf sprintf
 #endif
@@ -140,12 +138,11 @@ static void
 Usage(const char *progName)
 {
     fprintf(stderr, 
 -    	"Usage: %s [-n nickname] [-p password | -w pwfile ] [-d dbdir] \n"
 -	"          [-e post] [-v] [-V] -r url hostname[:port]\n"
 -    "     -n  : nickname or hsm:nickname\n"
 -    "     -v  : verbose\n"
 -    "     -V  : report version information\n",
 -	progName);
 +            "Usage: %s [-n nickname] [-p password | -w pwfile ] [-d dbdir] \n"
 +            "          [-e post] [-v] -r url hostname[:port]\n"
 +            "     -n  : nickname or hsm:nickname\n"
 +            "     -v  : verbose\n",
 +            progName);
     exit(1);
 }
@@ -823,15 +820,9 @@ main(int argc, char **argv)
     progName = progName ? progName + 1 : tmp;
 -    while ((optchar = getopt(argc, argv, "Vd:e:n:p:r:w:v")) != -1) {
 +    while ((optchar = getopt(argc, argv, "d:e:n:p:r:w:v")) != -1) {
 	switch(optchar) {
 -/* Version */
 -	case 'V':
 -	  printf("%s\n",VERSIONSTRING);
 -	  PR_Cleanup();
 -	  return 0;
 -
 /* Directory which holds NSS database */
 	case 'd':
 	    dir = optarg;
Author	SHA1	Message	Date
openeuler-ci-bot	e78b2ddfe8	!38 Fix EulerMaker build failure From: @wang--ge Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2023-10-17 07:32:04 +00:00
wang--ge	19d3b9deda	fix EulerMaker build failure	2023-10-17 11:32:19 +08:00
openeuler-ci-bot	ee8f14340a	!32 Fix CVE-2022-2414 From: @wk333 Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2023-06-28 07:58:47 +00:00
wk333	c913083ff6	Fix CVE-2022-2414	2023-06-28 11:32:20 +08:00
openeuler-ci-bot	b91392fd40	!17 [sync] PR-16: remove sslget and revoker -V option From: @openeuler-sync-bot Reviewed-by: @small_leek Signed-off-by: @small_leek	2021-10-11 11:45:29 +00:00
wang_yue111	2d23dd4b4d	remove sslget and revoker -V option (cherry picked from commit b7e771850e3d944dc4196ce7537028dc95c897dd)	2021-10-11 19:04:47 +08:00
openeuler-ci-bot	275130946a	!11 [sync] PR-10: disable pki-console From: @openeuler-sync-bot Reviewed-by: @small_leek Signed-off-by: @small_leek	2021-09-24 08:45:01 +00:00
jackie_wu	44c6d5b1d5	disable pki-console (cherry picked from commit b9d9291a4bb60759fe516eb6b69bba52f383aab7)	2021-09-24 15:34:42 +08:00
openeuler-ci-bot	59f96798d5	!9 [sync] PR-8: change link source From: @openeuler-sync-bot Reviewed-by: @small_leek,@small_leek Signed-off-by: @small_leek	2021-09-24 07:24:21 +00:00
jackie_wu	f5804631b3	change link source (cherry picked from commit 8b25a59da8622591d4e253e22bd497f48a218455)	2021-09-23 19:13:26 +08:00