[CG-Fix-CVE-2021-44906] Patching on thrift.0.14.1 for package minimist (#10555)

richardyu-ms · web-flow · commit 37debbeb382d · 2022-04-22T09:43:16.000+08:00
* [CG-Fix-CVE-2021-44906] Patching on thrift.0.14.1 for package minimist Signed-off-by: richardyu-ms <richard.yu@microsoft.com> * add more information in patch Signed-off-by: richardyu-ms <richard.yu@microsoft.com> * Update 0003-Remove-minimist-packages.patch * change the thrift 0.14.1 to package download Signed-off-by: richardyu-ms <richard.yu@microsoft.com> * use the series file for patching * fix a code defect
diff --git a/.gitmodules b/.gitmodules
@@ -103,6 +103,3 @@
 [submodule "src/sonic-p4rt/sonic-pins"]
 	path = src/sonic-p4rt/sonic-pins
 	url = https://github.com/Azure/sonic-pins.git
-[submodule "src/thrift_0_14_1/thrift"]
-	path = src/thrift_0_14_1/thrift
-	url = https://github.com/apache/thrift.git
diff --git a/rules/thrift_0_14_1.mk b/rules/thrift_0_14_1.mk
@@ -4,8 +4,8 @@ THRIFT_0_14_1_VERSION = 0.14.1
 THRIFT_0_14_1_VERSION_FULL = $(THRIFT_0_14_1_VERSION)
 
 LIBTHRIFT_0_14_1 = libthrift0_$(THRIFT_0_14_1_VERSION)_$(CONFIGURED_ARCH).deb
-$(LIBTHRIFT_0_14_1)_SRC_PATH = $(SRC_PATH)/thrift_0_14_1/thrift
-SONIC_DPKG_DEBS += $(LIBTHRIFT_0_14_1)
+$(LIBTHRIFT_0_14_1)_SRC_PATH = $(SRC_PATH)/thrift_0_14_1
+SONIC_MAKE_DEBS += $(LIBTHRIFT_0_14_1)
 
 LIBTHRIFT_0_14_1_DEV = libthrift-dev_$(THRIFT_0_14_1_VERSION)_$(CONFIGURED_ARCH).deb
 $(eval $(call add_derived_package,$(LIBTHRIFT_0_14_1),$(LIBTHRIFT_0_14_1_DEV)))
diff --git a/src/thrift_0_14_1/Makefile b/src/thrift_0_14_1/Makefile
@@ -0,0 +1,28 @@
+SHELL = /bin/bash
+.ONESHELL:
+.SHELLFLAGS += -e -x
+
+THRIFT_VERSION = 0.14.1
+
+MAIN_TARGET = libthrift0_$(THRIFT_VERSION)_$(CONFIGURED_ARCH).deb
+DERIVED_TARGETS = libthrift-dev_$(THRIFT_VERSION)_$(CONFIGURED_ARCH).deb \
+		  python3-thrift_$(THRIFT_VERSION)_$(CONFIGURED_ARCH).deb \
+		  thrift-compiler_$(THRIFT_VERSION)_$(CONFIGURED_ARCH).deb
+
+THRIFT_LINK_PRE = https://archive.apache.org/dist/thrift
+
+$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
+	rm -rf thrift-$(THRIFT_VERSION)
+
+	wget -O "thrift_$(THRIFT_VERSION).tar.gz" "$(THRIFT_LINK_PRE)/$(THRIFT_VERSION)/thrift-$(THRIFT_VERSION).tar.gz"
+
+	tar -xvzf ./thrift_$(THRIFT_VERSION).tar.gz
+	if [ -f thrift.patch/series ]; then pushd thrift-$(THRIFT_VERSION) && QUILT_PATCHES=../thrift.patch quilt push -a; [ -d .pc ] && rm -rf .pc; popd; fi
+
+	pushd thrift-$(THRIFT_VERSION)
+	DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -d -rfakeroot -b -us -uc -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
+	popd
+
+	mv $(DERIVED_TARGETS) $* $(DEST)/
+
+$(addprefix $(DEST)/, $(DERIVED_TARGETS)): $(DEST)/% : $(DEST)/$(MAIN_TARGET)
diff --git a/src/thrift_0_14_1/thrift b/src/thrift_0_14_1/thrift
diff --git a/src/thrift_0_14_1/thrift.patch/0003-Remove-minimist-packages.patch b/src/thrift_0_14_1/thrift.patch/0003-Remove-minimist-packages.patch
@@ -0,0 +1,268 @@
+From f6fa1794539e68ac294038ac388d6bde40a6c237 Mar 2, 2021  00:00:00
+From: richardyu-ms <richard.yu@microsoft.com>
+Date: Tue, 12 Apr 2022 15:46:16 +0000
+Subject: [PATCH] Fix security issue for package minimist
+
+---
+3 files changed, 9 insertions(+), 120 deletions(-)
+
+Index: thrift-0.14.1/lib/js/package-lock.json
+===================================================================
+--- thrift-0.14.1.orig/lib/js/package-lock.json
++++ thrift-0.14.1/lib/js/package-lock.json
+@@ -1037,16 +1037,7 @@
+       "dev": true,
+       "requires": {
+         "acorn-node": "^1.6.1",
+-        "defined": "^1.0.0",
+-        "minimist": "^1.1.1"
+-      },
+-      "dependencies": {
+-        "minimist": {
+-          "version": "1.2.0",
+-          "resolved": "http://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+-          "dev": true
+-        }
++        "defined": "^1.0.0"
+       }
+     },
+     "diffie-hellman": {
+@@ -2616,20 +2607,11 @@
+         "decamelize": "^1.1.2",
+         "loud-rejection": "^1.0.0",
+         "map-obj": "^1.0.1",
+-        "minimist": "^1.1.3",
+         "normalize-package-data": "^2.3.4",
+         "object-assign": "^4.0.1",
+         "read-pkg-up": "^1.0.1",
+         "redent": "^1.0.0",
+         "trim-newlines": "^1.0.0"
+-      },
+-      "dependencies": {
+-        "minimist": {
+-          "version": "1.2.0",
+-          "resolved": "http://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+-          "dev": true
+-        }
+       }
+     },
+     "micromatch": {
+@@ -2690,12 +2672,6 @@
+         "brace-expansion": "^1.1.7"
+       }
+     },
+-    "minimist": {
+-      "version": "0.0.8",
+-      "resolved": "http://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz",
+-      "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=",
+-      "dev": true
+-    },
+     "mixin-deep": {
+       "version": "1.3.1",
+       "resolved": "https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz",
+@@ -2721,10 +2697,7 @@
+       "version": "0.5.1",
+       "resolved": "http://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
+       "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=",
+-      "dev": true,
+-      "requires": {
+-        "minimist": "0.0.8"
+-      }
++      "dev": true
+     },
+     "module-deps": {
+       "version": "6.2.2",
+@@ -3971,18 +3944,7 @@
+       "version": "1.0.0",
+       "resolved": "https://registry.npmjs.org/subarg/-/subarg-1.0.0.tgz",
+       "integrity": "sha1-9izxdYHplrSPyWVpn1TAauJouNI=",
+-      "dev": true,
+-      "requires": {
+-        "minimist": "^1.1.0"
+-      },
+-      "dependencies": {
+-        "minimist": {
+-          "version": "1.2.0",
+-          "resolved": "http://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+-          "dev": true
+-        }
+-      }
++      "dev": true
+     },
+     "supports-color": {
+       "version": "5.5.0",
+Index: thrift-0.14.1/lib/ts/package-lock.json
+===================================================================
+--- thrift-0.14.1.orig/lib/ts/package-lock.json
++++ thrift-0.14.1/lib/ts/package-lock.json
+@@ -1139,16 +1139,7 @@
+       "dev": true,
+       "requires": {
+         "acorn-node": "^1.3.0",
+-        "defined": "^1.0.0",
+-        "minimist": "^1.1.1"
+-      },
+-      "dependencies": {
+-        "minimist": {
+-          "version": "1.2.0",
+-          "resolved": "http://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+-          "dev": true
+-        }
++        "defined": "^1.0.0"
+       }
+     },
+     "diagnostics": {
+@@ -3032,20 +3023,11 @@
+         "decamelize": "^1.1.2",
+         "loud-rejection": "^1.0.0",
+         "map-obj": "^1.0.1",
+-        "minimist": "^1.1.3",
+         "normalize-package-data": "^2.3.4",
+         "object-assign": "^4.0.1",
+         "read-pkg-up": "^1.0.1",
+         "redent": "^1.0.0",
+         "trim-newlines": "^1.0.0"
+-      },
+-      "dependencies": {
+-        "minimist": {
+-          "version": "1.2.0",
+-          "resolved": "http://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+-          "dev": true
+-        }
+       }
+     },
+     "micromatch": {
+@@ -3121,11 +3103,6 @@
+         "brace-expansion": "^1.1.7"
+       }
+     },
+-    "minimist": {
+-      "version": "0.0.8",
+-      "resolved": "http://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz",
+-      "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0="
+-    },
+     "mixin-deep": {
+       "version": "1.3.1",
+       "resolved": "https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz",
+@@ -3150,10 +3127,7 @@
+     "mkdirp": {
+       "version": "0.5.1",
+       "resolved": "http://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
+-      "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=",
+-      "requires": {
+-        "minimist": "0.0.8"
+-      }
++      "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM="
+     },
+     "module-deps": {
+       "version": "6.2.0",
+@@ -4396,18 +4370,7 @@
+       "version": "1.0.0",
+       "resolved": "https://registry.npmjs.org/subarg/-/subarg-1.0.0.tgz",
+       "integrity": "sha1-9izxdYHplrSPyWVpn1TAauJouNI=",
+-      "dev": true,
+-      "requires": {
+-        "minimist": "^1.1.0"
+-      },
+-      "dependencies": {
+-        "minimist": {
+-          "version": "1.2.0",
+-          "resolved": "http://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+-          "dev": true
+-        }
+-      }
++      "dev": true
+     },
+     "supports-color": {
+       "version": "5.5.0",
+Index: thrift-0.14.1/package-lock.json
+===================================================================
+--- thrift-0.14.1.orig/package-lock.json
++++ thrift-0.14.1/package-lock.json
+@@ -1427,16 +1427,7 @@
+       "integrity": "sha512-4vGP107UDhhNHeWA5N8j/nUPlQbtB/W/K2x/P7aElbWMWrOkJA0MRSVFsMFrTPSAAjZWCG9uki2+1cQDzFtVcQ==",
+       "dev": true,
+       "requires": {
+-        "html-validator": "3.1.3",
+-        "minimist": "1.2.0"
+-      },
+-      "dependencies": {
+-        "minimist": {
+-          "version": "1.2.0",
+-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+-          "dev": true
+-        }
++        "html-validator": "3.1.3"
+       }
+     },
+     "http-signature": {
+@@ -1920,18 +1911,7 @@
+       "version": "2.1.1",
+       "resolved": "https://registry.npmjs.org/json5/-/json5-2.1.1.tgz",
+       "integrity": "sha512-l+3HXD0GEI3huGq1njuqtzYK8OYJyXMkOLtQ53pjWh89tvWS2h6l+1zMkYWqlb57+SiQodKZyvMEFb2X+KrFhQ==",
+-      "dev": true,
+-      "requires": {
+-        "minimist": "^1.2.0"
+-      },
+-      "dependencies": {
+-        "minimist": {
+-          "version": "1.2.0",
+-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+-          "dev": true
+-        }
+-      }
++      "dev": true
+     },
+     "jsprim": {
+       "version": "1.4.1",
+@@ -2072,20 +2052,11 @@
+         "brace-expansion": "^1.1.7"
+       }
+     },
+-    "minimist": {
+-      "version": "0.0.8",
+-      "resolved": "http://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz",
+-      "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=",
+-      "dev": true
+-    },
+     "mkdirp": {
+       "version": "0.5.1",
+       "resolved": "http://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
+       "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=",
+-      "dev": true,
+-      "requires": {
+-        "minimist": "0.0.8"
+-      }
++      "dev": true
+     },
+     "ms": {
+       "version": "2.0.0",
+@@ -2790,7 +2761,6 @@
+         "glob": "~7.1.2",
+         "has": "~1.0.3",
+         "inherits": "~2.0.3",
+-        "minimist": "~1.2.0",
+         "object-inspect": "~1.6.0",
+         "resolve": "~1.7.1",
+         "resumer": "~0.0.0",
+@@ -2798,12 +2768,6 @@
+         "through": "~2.3.8"
+       },
+       "dependencies": {
+-        "minimist": {
+-          "version": "1.2.0",
+-          "resolved": "http://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+-          "dev": true
+-        },
+         "resolve": {
+           "version": "1.7.1",
+           "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.7.1.tgz",
diff --git a/src/thrift_0_14_1/thrift.patch/series b/src/thrift_0_14_1/thrift.patch/series
@@ -1,2 +1,3 @@
 0001-Remove-unneeded-packages.patch
 0002-Fix-build-rules.patch
+0003-Remove-minimist-packages.patch

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`0001-Remove-unneeded-packages.patch`
`2`	`2`	`0002-Fix-build-rules.patch`
	`3`	`+0003-Remove-minimist-packages.patch`