Rebuilt for test fixes

Related: rhbz#2055641

Signed-off-by: Adrian Reber <areber@redhat.com>

.protobuf.metadata

@@ -0,0 +1,2 @@
+fe843a3a69583fa23f1e77722c6d25ad3be61703 5ec7f0c4a113e2f18ac2c6cc7df51ad6afc24081.zip
+b613ab3057c8a7400e7b7d3004824274d964a196 protobuf-3.14.0-all.tar.gz

CVE-2021-22570.patch

@@ -0,0 +1,77 @@
+diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc
+index 7af37c57f3..03c4e2b516 100644
+--- a/src/google/protobuf/descriptor.cc
++++ b/src/google/protobuf/descriptor.cc
+@@ -1090,7 +1090,7 @@ inline void DescriptorPool::Tables::FindAllExtensions(
+ 
+ bool DescriptorPool::Tables::AddSymbol(const std::string& full_name,
+                                        Symbol symbol) {
+-  if (InsertIfNotPresent(&symbols_by_name_, full_name.c_str(), symbol)) {
++  if (InsertIfNotPresent(&symbols_by_name_, full_name, symbol)) {
+     symbols_after_checkpoint_.push_back(full_name.c_str());
+     return true;
+   } else {
+@@ -1106,7 +1106,7 @@ bool FileDescriptorTables::AddAliasUnderParent(const void* parent,
+ }
+ 
+ bool DescriptorPool::Tables::AddFile(const FileDescriptor* file) {
+-  if (InsertIfNotPresent(&files_by_name_, file->name().c_str(), file)) {
++  if (InsertIfNotPresent(&files_by_name_, file->name(), file)) {
+     files_after_checkpoint_.push_back(file->name().c_str());
+     return true;
+   } else {
+@@ -2626,6 +2626,8 @@ void Descriptor::DebugString(int depth, std::string* contents,
+       const Descriptor::ReservedRange* range = reserved_range(i);
+       if (range->end == range->start + 1) {
+         strings::SubstituteAndAppend(contents, "$0, ", range->start);
++      } else if (range->end > FieldDescriptor::kMaxNumber) {
++        strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+       } else {
+         strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+                                   range->end - 1);
+@@ -2829,6 +2831,8 @@ void EnumDescriptor::DebugString(
+       const EnumDescriptor::ReservedRange* range = reserved_range(i);
+       if (range->end == range->start) {
+         strings::SubstituteAndAppend(contents, "$0, ", range->start);
++      } else if (range->end == INT_MAX) {
++        strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+       } else {
+         strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+                                   range->end);
+@@ -4019,6 +4023,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+   // Use its file as the parent instead.
+   if (parent == nullptr) parent = file_;
+ 
++  if (full_name.find('\0') != std::string::npos) {
++    AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME,
++             "\"" + full_name + "\" contains null character.");
++    return false;
++  }
+   if (tables_->AddSymbol(full_name, symbol)) {
+     if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) {
+       // This is only possible if there was already an error adding something of
+@@ -4059,6 +4068,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+ void DescriptorBuilder::AddPackage(const std::string& name,
+                                    const Message& proto,
+                                    const FileDescriptor* file) {
++  if (name.find('\0') != std::string::npos) {
++    AddError(name, proto, DescriptorPool::ErrorCollector::NAME,
++             "\"" + name + "\" contains null character.");
++    return;
++  }
+   if (tables_->AddSymbol(name, Symbol(file))) {
+     // Success.  Also add parent package, if any.
+     std::string::size_type dot_pos = name.find_last_of('.');
+@@ -4372,6 +4386,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl(
+   }
+   result->pool_ = pool_;
+ 
++  if (result->name().find('\0') != std::string::npos) {
++    AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME,
++             "\"" + result->name() + "\" contains null character.");
++    return nullptr;
++  }
++
+   // Add to tables.
+   if (!tables_->AddFile(result)) {
+     AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER,

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

protobuf.spec

@@ -1,14 +1,16 @@
 # Build -python subpackage
 %bcond_without python
 # Build -java subpackage
-%bcond_without java
+%bcond_with java
 
 #global rcver rc2
+# Disable LTO to work around annobin error messages
+%global _lto_cflags %nil
 
 Summary:        Protocol Buffers - Google's data interchange format
 Name:           protobuf
 Version:        3.14.0
-Release:        4%{?dist}
+Release:        13%{?dist}
 License:        BSD
 URL:            https://github.com/protocolbuffers/protobuf
 Source:         https://github.com/protocolbuffers/protobuf/archive/v%{version}%{?rcver}/%{name}-%{version}%{?rcver}-all.tar.gz
@@ -20,6 +22,12 @@ Source3:        https://github.com/google/googletest/archive/5ec7f0c4a113e2f18ac
 # https://github.com/protocolbuffers/protobuf/issues/8082
 Patch1:         protobuf-3.14-disable-IoTest.LargeOutput.patch
 
+# Fix for CVE-2021-22570 "protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference"
+# https://bugzilla.redhat.com/show_bug.cgi?id=2050492
+# Based on https://github.com/protocolbuffers/protobuf/commit/af95001202a035d78ff997e737bd67fca22ab32a
+# As described in https://bugzilla.suse.com/show_bug.cgi?id=1195258
+Patch2:         CVE-2021-22570.patch
+
 BuildRequires:  make
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -45,9 +53,6 @@ breaking deployed programs that are compiled against the "old" format.
 %package compiler
 Summary:        Protocol Buffers compiler
 Requires:       %{name} = %{version}-%{release}
-Obsoletes:      protobuf-emacs < 3.6.1-4
-Obsoletes:      protobuf-emacs-el < 3.6.1-4
-Requires:       emacs-filesystem >= %{_emacs_version}
 
 %description compiler
 This package contains Protocol Buffers compiler for all programming
@@ -191,13 +196,22 @@ Protocol Buffer BOM POM.
 
 %endif
 
+%package emacs
+Summary:        Emacs mode for Google Protocol Buffers descriptions
+BuildArch:      noarch
+Requires:       emacs-filesystem >= %{_emacs_version}
+Obsoletes:      protobuf-emacs-el < 3.6.1-4
+
+%description emacs
+This package contains syntax highlighting for Google Protocol Buffers
+descriptions in the Emacs editor.
+
 %prep
 %setup -q -n %{name}-%{version}%{?rcver} -a 3
-%ifarch %{ix86} armv7hl
-# IoTest.LargeOutput fails on 32bit arches
+# IoTest.LargeOutput fails sometimes if not enough memory is available
 # https://github.com/protocolbuffers/protobuf/issues/8082
 %patch1 -p1
-%endif
+%patch2 -p1
 mv googletest-5ec7f0c4a113e2f18ac2c6cc7df51ad6afc24081/* third_party/googletest/
 find -name \*.cc -o -name \*.h | xargs chmod -x
 chmod 644 examples/*
@@ -281,7 +295,6 @@ find %{buildroot} -type f -name "*.la" -exec rm -f {} \;
 
 %if %{with python}
 pushd python
-#python ./setup.py install --root=%{buildroot} --single-version-externally-managed --record=INSTALLED_FILES --optimize=1
 %py3_install
 find %{buildroot}%{python3_sitelib} -name \*.py |
   xargs sed -i -e '1{\@^#!@d}'
@@ -314,8 +327,6 @@ install -p -m 0644 %{SOURCE2} %{buildroot}%{_emacs_sitestartdir}
 %license LICENSE
 %{_bindir}/protoc
 %{_libdir}/libprotoc.so.25*
-%{_emacs_sitelispdir}/%{name}/
-%{_emacs_sitestartdir}/protobuf-init.el
 
 %files devel
 %dir %{_includedir}/google
@@ -325,6 +336,10 @@ install -p -m 0644 %{SOURCE2} %{buildroot}%{_emacs_sitestartdir}
 %{_libdir}/pkgconfig/protobuf.pc
 %doc examples/add_person.cc examples/addressbook.proto examples/list_people.cc examples/Makefile examples/README.md
 
+%files emacs
+%{_emacs_sitelispdir}/%{name}/
+%{_emacs_sitestartdir}/protobuf-init.el
+
 %files static
 %{_libdir}/libprotobuf.a
 %{_libdir}/libprotoc.a
@@ -376,6 +391,30 @@ install -p -m 0644 %{SOURCE2} %{buildroot}%{_emacs_sitestartdir}
 
 
 %changelog
+* Wed Mar 23 2022 Adrian Reber <areber@redhat.com> - 3.14.0-13
+- Rebuilt for test fixes
+
+* Tue Mar 22 2022 Adrian Reber <areber@redhat.com> - 3.14.0-12
+- Rebuilt for test fixes
+
+* Tue Mar 08 2022 Adrian Reber <areber@redhat.com> - 3.14.0-11
+- Applied patch for for CVE-2021-22570 (#2055641)
+
+* Wed Feb 23 2022 Adrian Reber <areber@redhat.com> - 3.14.0-9
+- Rebuilt for errata
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.14.0-8
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Mon Jul 26 2021 Adrian Reber <areber@redhat.com> - 3.14.0-7
+- Disabled Java subpackages
+
+* Thu May 06 2021 Adrian Reber <adrian@lisas.de> - 3.14.0-6
+- Reintroduce the emacs subpackage to avoid file conflicts between
+  protobuf-compiler.x86_64 and protobuf-compiler.i686
+- Disable LTO to fix annobin errors
+
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.14.0-4
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 

rpminspect.yaml

@@ -0,0 +1,4 @@
+---
+annocheck:
+  jobs:
+    - hardened: --verbose --skip-lto

tests/Makefile

@@ -0,0 +1,12 @@
+all: add_person_cpp
+
+protoc_middleman: addressbook.proto
+	protoc --cpp_out=. --python_out=. addressbook.proto
+
+add_person_cpp: add_person.cc protoc_middleman
+	pkg-config --cflags protobuf  # fails if protobuf is not installed
+	c++ -std=c++11 add_person.cc addressbook.pb.cc -o add_person_cpp `pkg-config --cflags --libs protobuf`
+
+clean:
+	rm -f addressbook_pb2.py addressbook.pb.cc addressbook.pb.h add_person_cpp data
+	rm -rf __pycache__

tests/add_person.cc

@@ -0,0 +1,55 @@
+// Based on the examples from the protobuf release tarball
+
+#include <ctime>
+#include <fstream>
+#include <google/protobuf/util/time_util.h>
+#include <iostream>
+#include <string>
+
+#include "addressbook.pb.h"
+
+using namespace std;
+
+using google::protobuf::util::TimeUtil;
+
+// Main function:  Reads the entire address book from a file,
+//   adds one person based on user input, then writes it back out to the same
+//   file.
+int main(int argc, char* argv[]) {
+  // Verify that the version of the library that we linked against is
+  // compatible with the version of the headers we compiled against.
+  GOOGLE_PROTOBUF_VERIFY_VERSION;
+
+  if (argc != 6) {
+    cerr << "Usage:  " << argv[0] << " ADDRESS_BOOK_FILE ID NAME EMAIL PHONE" << endl;
+    return -1;
+  }
+
+  tutorial::AddressBook address_book;
+
+  fstream input(argv[1], ios::in | ios::binary);
+
+  tutorial::Person* person = address_book.add_people();
+
+  person->set_id(atoi(argv[2]));
+  person->set_name(argv[3]);
+  person->set_email(argv[4]);
+  tutorial::Person::PhoneNumber* phone_number = person->add_phones();
+  phone_number->set_number(argv[5]);
+  phone_number->set_type(tutorial::Person::HOME);
+  *person->mutable_last_updated() = TimeUtil::SecondsToTimestamp(42);
+
+  {
+    // Write the new address book back to disk.
+    fstream output(argv[1], ios::out | ios::trunc | ios::binary);
+    if (!address_book.SerializeToOstream(&output)) {
+      cerr << "Failed to write address book." << endl;
+      return -1;
+    }
+  }
+
+  // Optional:  Delete all global objects allocated by libprotobuf.
+  google::protobuf::ShutdownProtobufLibrary();
+
+  return 0;
+}

tests/addressbook.proto

@@ -0,0 +1,51 @@
+// See README.txt for information and build instructions.
+//
+// Note: START and END tags are used in comments to define sections used in
+// tutorials.  They are not part of the syntax for Protocol Buffers.
+//
+// To get an in-depth walkthrough of this file and the related examples, see:
+// https://developers.google.com/protocol-buffers/docs/tutorials
+
+// [START declaration]
+syntax = "proto3";
+package tutorial;
+
+import "google/protobuf/timestamp.proto";
+// [END declaration]
+
+// [START java_declaration]
+option java_package = "com.example.tutorial";
+option java_outer_classname = "AddressBookProtos";
+// [END java_declaration]
+
+// [START csharp_declaration]
+option csharp_namespace = "Google.Protobuf.Examples.AddressBook";
+// [END csharp_declaration]
+
+// [START messages]
+message Person {
+  string name = 1;
+  int32 id = 2;  // Unique ID number for this person.
+  string email = 3;
+
+  enum PhoneType {
+    MOBILE = 0;
+    HOME = 1;
+    WORK = 2;
+  }
+
+  message PhoneNumber {
+    string number = 1;
+    PhoneType type = 2;
+  }
+
+  repeated PhoneNumber phones = 4;
+
+  google.protobuf.Timestamp last_updated = 5;
+}
+
+// Our address book file is just one of these.
+message AddressBook {
+  repeated Person people = 1;
+}
+// [END messages]

tests/list_people.py

@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+
+# Based on the examples from the protobuf release tarball
+
+import addressbook_pb2
+import sys
+
+
+# Iterates though all people in the AddressBook and prints info about them.
+def ListPeople(address_book):
+  for person in address_book.people:
+    print(f'{person.id},{person.name},{person.email},{person.phones[0].number}')
+
+
+# Main procedure:  Reads the entire address book from a file and prints all
+#   the information inside.
+if len(sys.argv) != 2:
+  print("Usage:", sys.argv[0], "ADDRESS_BOOK_FILE")
+  sys.exit(-1)
+
+address_book = addressbook_pb2.AddressBook()
+
+# Read the existing address book.
+with open(sys.argv[1], "rb") as f:
+  address_book.ParseFromString(f.read())
+
+ListPeople(address_book)

tests/run-simple-test.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -ex
+uname -a
+
+make clean all
+
+./add_person_cpp data 13 JustName emailAddress 012344444
+OUT=$(./list_people.py data)
+
+if [ "$OUT" != "13,JustName,emailAddress,012344444" ]; then
+	echo "FAIL"
+	exit 1
+fi
+make clean
+
+exit 0

tests/tests.yml

@@ -0,0 +1,18 @@
+---
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    required_packages:
+    - make
+    - gcc-c++
+    - python3
+    - protobuf-devel
+    - protobuf-compiler
+    - python3-protobuf
+    - pkgconf-pkg-config
+    tests:
+    - simple:
+        dir: .
+        run: ./run-simple-test.sh