View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001768 | OpenMPT | libopenmpt | public | 2024-04-01 09:45 | 2024-07-18 18:21 |
| Reporter | manx | Assigned To | manx | ||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | assigned | Resolution | open | ||
| Target Version | OpenMPT 1.32 / libopenmpt 0.8 (goals) | ||||
| Summary | 0001768: do not ship generated Autotools files in release tarballs | ||||
| Description | These generated files are not easily verifyable against the source repository, and can only be reproduced by using the exact same Autotools version as is used on our build infrastructure. | ||||
| Tags | No tags attached. | ||||
| Has the bug occurred in previous versions? | |||||
| Tested code revision (in case you know it) | |||||
 |
no-shipped-autoreconf-v1.patch (6,993 bytes)
Index: build/autotools/autoconfiscate.sh
===================================================================
--- build/autotools/autoconfiscate.sh (revision 20562)
+++ build/autotools/autoconfiscate.sh (working copy)
@@ -29,9 +29,13 @@
rm -rf bin/dist-autotools.tar || true
echo "Cleaning tmp directory ..."
+if [ -e bin/dist-autotools.tmp ]; then
+ chmod -R u+rw bin/dist-autotools.tmp || true
+fi
if [ -e bin/dist-autotools ]; then
chmod -R u+rw bin/dist-autotools || true
fi
+rm -rf bin/dist-autotools.tmp || true
rm -rf bin/dist-autotools || true
echo "Making tmp directory ..."
@@ -50,6 +54,7 @@
svn export ./doc/openmpt_styleguide.md bin/dist-autotools/doc/openmpt_styleguide.md
svn export ./doc/libopenmpt bin/dist-autotools/doc/libopenmpt
svn export ./soundlib bin/dist-autotools/soundlib
+rm bin/dist-autotools/soundlib/plugins/OpCodes.h
svn export ./sounddsp bin/dist-autotools/sounddsp
mkdir -p bin/dist-autotools/src/mpt
svn export ./src/mpt/.clang-format bin/dist-autotools/src/mpt/.clang-format
@@ -96,16 +101,25 @@
svn export ./src/openmpt/random bin/dist-autotools/src/openmpt/random
svn export ./src/openmpt/soundbase bin/dist-autotools/src/openmpt/soundbase
svn export ./test bin/dist-autotools/test
+rm bin/dist-autotools/test/libopenmpt_test.manifest
rm bin/dist-autotools/test/mpt_tests_crypto.cpp
rm bin/dist-autotools/test/mpt_tests_uuid_namespace.cpp
+rm bin/dist-autotools/test/test.flac
svn export ./libopenmpt bin/dist-autotools/libopenmpt
+rm bin/dist-autotools/libopenmpt/libopenmpt_version.rc
+rm -r bin/dist-autotools/libopenmpt/in_openmpt
+rm -r bin/dist-autotools/libopenmpt/plugin-common
+rm -r bin/dist-autotools/libopenmpt/xmp-openmpt
svn export ./examples bin/dist-autotools/examples
svn export ./openmpt123 bin/dist-autotools/openmpt123
+rm bin/dist-autotools/openmpt123/openmpt123.h2m
+rm bin/dist-autotools/openmpt123/openmpt123.manifest
mkdir bin/dist-autotools/build
mkdir bin/dist-autotools/build/svn_version
svn export ./build/svn_version/svn_version.h bin/dist-autotools/build/svn_version/svn_version.h
mkdir bin/dist-autotools/m4
touch bin/dist-autotools/m4/emptydir
+svn export ./build/autotools/autogen.sh bin/dist-autotools/autogen.sh
svn export ./build/autotools/configure.ac bin/dist-autotools/configure.ac
svn export ./build/autotools/Makefile.am bin/dist-autotools/Makefile.am
svn export ./build/autotools/ax_cxx_compile_stdcxx.m4 bin/dist-autotools/m4/ax_cxx_compile_stdcxx.m4
@@ -122,6 +136,7 @@
cp -r ./doc/openmpt_styleguide.md bin/dist-autotools/doc/openmpt_styleguide.md
cp -r ./doc/libopenmpt bin/dist-autotools/doc/libopenmpt
cp -r ./soundlib bin/dist-autotools/soundlib
+rm bin/dist-autotools/soundlib/plugins/OpCodes.h
cp -r ./sounddsp bin/dist-autotools/sounddsp
mkdir -p bin/dist-autotools/src/mpt
cp -r ./src/mpt/.clang-format bin/dist-autotools/src/mpt/.clang-format
@@ -168,16 +183,25 @@
cp -r ./src/openmpt/random bin/dist-autotools/src/openmpt/random
cp -r ./src/openmpt/soundbase bin/dist-autotools/src/openmpt/soundbase
cp -r ./test bin/dist-autotools/test
+rm bin/dist-autotools/test/libopenmpt_test.manifest
rm bin/dist-autotools/test/mpt_tests_crypto.cpp
rm bin/dist-autotools/test/mpt_tests_uuid_namespace.cpp
+rm bin/dist-autotools/test/test.flac
cp -r ./libopenmpt bin/dist-autotools/libopenmpt
+rm bin/dist-autotools/libopenmpt/libopenmpt_version.rc
+rm -r bin/dist-autotools/libopenmpt/in_openmpt
+rm -r bin/dist-autotools/libopenmpt/plugin-common
+rm -r bin/dist-autotools/libopenmpt/xmp-openmpt
cp -r ./examples bin/dist-autotools/examples
cp -r ./openmpt123 bin/dist-autotools/openmpt123
+rm bin/dist-autotools/openmpt123/openmpt123.h2m
+rm bin/dist-autotools/openmpt123/openmpt123.manifest
mkdir bin/dist-autotools/build
mkdir bin/dist-autotools/build/svn_version
cp -r ./build/svn_version/svn_version.h bin/dist-autotools/build/svn_version/svn_version.h
mkdir bin/dist-autotools/m4
touch bin/dist-autotools/m4/emptydir
+cp -r ./build/autotools/autogen.sh bin/dist-autotools/autogen.sh
cp -r ./build/autotools/configure.ac bin/dist-autotools/configure.ac
cp -r ./build/autotools/Makefile.am bin/dist-autotools/Makefile.am
cp -r ./build/autotools/ax_cxx_compile_stdcxx.m4 bin/dist-autotools/m4/ax_cxx_compile_stdcxx.m4
@@ -242,6 +266,29 @@
echo "OUTPUT_DIRECTORY = doxygen-doc" >> Doxyfile.in
echo "WARN_IF_DOC_ERROR = NO" >> Doxyfile.in
+MPT_DISTVERSION="$(cat configure.ac | grep AC_INIT | awk '{print $2;}' | sed -E 's/\[(.*)\],/\1/g')"
+
+echo "Building tarball ..."
+cd ..
+mv dist-autotools dist-autotools.tmp
+mkdir dist-autotools
+mv dist-autotools.tmp dist-autotools/libopenmpt-$MPT_DISTVERSION
+cd dist-autotools
+tar cv --numeric-owner --owner=0 --group=0 libopenmpt-$MPT_DISTVERSION > libopenmpt-$MPT_DISTVERSION.tar
+gzip --rsyncable --no-name --best > libopenmpt-$MPT_DISTVERSION.tar.gz < libopenmpt-$MPT_DISTVERSION.tar
+
+echo "Cleaning source tree ..."
+rm -rf libopenmpt-$MPT_DISTVERSION
+rm -rf libopenmpt-$MPT_DISTVERSION.tar
+
+echo "Creating tarball test directory ..."
+mkdir test
+cd test
+
+echo "Unpacking tarball ..."
+tar xvapf ../libopenmpt-$MPT_DISTVERSION.tar.gz
+cd libopenmpt-$MPT_DISTVERSION
+
echo "Running 'autoreconf -i' ..."
autoreconf -i
Index: build/autotools/autogen.sh
===================================================================
--- build/autotools/autogen.sh (nonexistent)
+++ build/autotools/autogen.sh (working copy)
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -e
+
+autoreconf -i
Property changes on: build/autotools/autogen.sh
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+LF
\ No newline at end of property
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/x-sh
\ No newline at end of property
Index: doc/libopenmpt/changelog.md
===================================================================
--- doc/libopenmpt/changelog.md (revision 20562)
+++ doc/libopenmpt/changelog.md (working copy)
@@ -12,6 +12,13 @@
* [**New**] `Makefile CONFIG=djgpp` now supports building LGPL libraries as
DXE (use `ENABLE_DXE=0` to disable).
+ * [**Change**] Contrary to GNU recommendations, we no longer generate the
+ `configure` and related scripts for the libopenmpt Autotools tarball.
+ This is a direct reaction to CVE-2024-3094 (xz backdoor). These gererated
+ script heavily depend on the Autoconf version used on the generating host
+ and are thus not easily verifyable for others. You should generate those
+ yourself with a reasonable modern Autoconf version as listed in the
+ libopenmpt dependencies.
* [**Change**] DOS builds now use zlib, libmpg123, libogg, and libvorbis
instead of miniz, minimp3, and stb_vorbis by default.
* [**Change**] `Makefile CONFIG=djgpp` now sets `ALLOW_LGPL=1` by default.
|
|
|
This is currently blocked by NetBSD (where Autotools just behave erraticly) and OpenBSD (which is missing autoreconf (for unknown reasons) and requires setting AUTOCONF_VERSION (also for unkwon reasons)). |
|
|
OpenBSD is supported since r20973. |
|
|
NetBSD supported since r21198. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-04-01 09:45 | manx | New Issue | |
| 2024-04-01 09:45 | manx | Status | new => assigned |
| 2024-04-01 09:45 | manx | Assigned To | => manx |
| 2024-04-10 15:54 | manx | Note Added: 0005928 | |
| 2024-04-10 15:54 | manx | File Added: no-shipped-autoreconf-v1.patch | |
| 2024-06-01 11:42 | manx | Note Added: 0005964 | |
| 2024-06-09 06:21 | manx | Note Added: 0005965 | |
| 2024-07-18 18:21 | manx | Note Added: 0005998 |
