[Bf-blender-cvs] [8a6dabe19f8] tmp_libs_34: Mark false positives CVEs and patch GMP with fix not yet in release

Brecht Van Lommel noreply at git.blender.org
Tue Oct 18 19:37:04 CEST 2022


Commit: 8a6dabe19f86cce26e137e670f08a9155124d022
Author: Brecht Van Lommel
Date:   Tue Oct 18 19:05:46 2022 +0200
Branches: tmp_libs_34
https://developer.blender.org/rB8a6dabe19f86cce26e137e670f08a9155124d022

Mark false positives CVEs and patch GMP with fix not yet in release

See remarks in cve_check.csv.in for details. This resolves all CVEs reported
by make cve_check.

===================================================================

M	build_files/build_environment/cmake/cve_check.csv.in
M	build_files/build_environment/cmake/gmp.cmake
A	build_files/build_environment/patches/gmp.diff

===================================================================

diff --git a/build_files/build_environment/cmake/cve_check.csv.in b/build_files/build_environment/cmake/cve_check.csv.in
index 3797b7ce218..20b631e083b 100644
--- a/build_files/build_environment/cmake/cve_check.csv.in
+++ b/build_files/build_environment/cmake/cve_check.csv.in
@@ -1,3 +1,23 @@
 vendor,product,version,cve_number,remarks,comment
- at PYTHON_ID@,CVE-2009-2940,Ignored,Does not apply to Blender we do not ship pygresql 
+ at OPENJPEG_ID@,CVE-2016-9675,Ignored,issue in convert command line tool not used by blender
+ at PYTHON_ID@,CVE-2009-2940,Ignored,issue in pygresql not used by blender
+ at PYTHON_ID@,CVE-2020-29396,Ignored,issue in odoo not used by blender
+ at PYTHON_ID@,CVE-2021-32052,Ignored,issue in django not used by blender
+ at PYTHON_ID@,CVE-2009-3720,Ignored,already fixed in libexpat version used
+ at SSL_ID@,CVE-2009-1390,Ignored,issue in mutt not used by blender
+ at SSL_ID@,CVE-2009-3765,Ignored,issue in mutt not used by blender
+ at SSL_ID@,CVE-2009-3766,Ignored,issue in mutt not used by blender
+ at SSL_ID@,CVE-2009-3767,Ignored,issue in ldap not used by blender
+ at SSL_ID@,CVE-2019-0190,Ignored,issue in apache not used by blender
+ at TIFF_ID@,CVE-2022-2056,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2057,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2058,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2519,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2520,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2521,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2953,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-34526,Ignored,issue in tiff command line tool not used by blender
+ at XML2_ID@,CVE-2016-3709,Ignored,not affecting blender and not considered a security issue upstream
+ at GMP_ID@,CVE-2021-43618,Ignored,patched using upstream commit 561a9c25298e
+ at SQLITE_ID@,CVE-2022-35737,Ignored,only affects SQLITE_ENABLE_STAT4 compile option not used by blender or python
 @SBOMCONTENTS@
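Review bot: The GMP row files CVE-2021-43618 under `Ignored`, the same status used for the rows about tools Blender does not ship, although its own comment says the issue is real upstream and fixed here by a local patch. If the checker's triage format has a separate status for locally fixed issues, it would fit this row better. Either way the comment should name the patch file, e.g. `patched by patches/gmp.diff (upstream commit 561a9c25298e)`, so the row is revisited when the patch is dropped or GMP is upgraded. The Python row for CVE-2009-3720 has a similar dependency: the suppression presumably follows the Python identifier, while the stated reason is the bundled libexpat version.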
diff --git a/build_files/build_environment/cmake/gmp.cmake b/build_files/build_environment/cmake/gmp.cmake
index e624778869e..ddfdba6662d 100644
--- a/build_files/build_environment/cmake/gmp.cmake
+++ b/build_files/build_environment/cmake/gmp.cmake
@@ -27,6 +27,7 @@ ExternalProject_Add(external_gmp
   DOWNLOAD_DIR ${DOWNLOAD_DIR}
   URL_HASH ${GMP_HASH_TYPE}=${GMP_HASH}
   PREFIX ${BUILD_DIR}/gmp
+  PATCH_COMMAND ${PATCH_CMD} -p 1 -d ${BUILD_DIR}/gmp/src/external_gmp < ${PATCH_DIR}/gmp.diff
   CONFIGURE_COMMAND ${CONFIGURE_ENV_NO_PERL} && cd ${BUILD_DIR}/gmp/src/external_gmp/ && ${CONFIGURE_COMMAND} --prefix=${LIBDIR}/gmp ${GMP_OPTIONS} ${GMP_EXTRA_ARGS}
   BUILD_COMMAND ${CONFIGURE_ENV_NO_PERL} && cd ${BUILD_DIR}/gmp/src/external_gmp/ && make -j${MAKE_THREADS}
   INSTALL_COMMAND ${CONFIGURE_ENV_NO_PERL} && cd ${BUILD_DIR}/gmp/src/external_gmp/ && make install
diff --git a/build_files/build_environment/patches/gmp.diff b/build_files/build_environment/patches/gmp.diff
new file mode 100644
index 00000000000..bf22f93bc4f
--- /dev/null
+++ b/build_files/build_environment/patches/gmp.diff
@@ -0,0 +1,15 @@
+--- a/mpz/inp_raw.c	Tue Dec 22 23:49:51 2020 +0100
++++ b/mpz/inp_raw.c	Thu Oct 21 19:06:49 2021 +0200
+@@ -88,8 +88,11 @@
+
+   abs_csize = ABS (csize);
+
++  if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8))
++    return 0; /* Bit size overflows */
++
+   /* round up to a multiple of limbs */
+-  abs_xsize = BITS_TO_LIMBS (abs_csize*8);
++  abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);
+
+   if (abs_xsize != 0)
+     {
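Review bot: The new patch file has no header saying where the change comes from or which advisory it addresses; only the CSV row in this commit links it to upstream commit 561a9c25298e and CVE-2021-43618. patch(1) skips leading text before the first `---` line, so a line such as `Upstream GMP commit 561a9c25298e, fixes CVE-2021-43618 (bit size overflow in mpz/inp_raw.c); drop once a GMP release includes it` can sit at the top of gmp.diff. That lets whoever next bumps GMP see that the patch and its suppression row have to be removed together. The patched function starts and ends outside the hunk, so the handling of the early `return 0` by callers cannot be checked from here.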


