From 5db15bbd74a8f8a46ba4599b3b331e180cfe5d44 Mon Sep 17 00:00:00 2001 From: Attila Krasznahorkay <Attila.Krasznahorkay@cern.ch> Date: Wed, 29 Nov 2023 10:41:00 +0100 Subject: [PATCH 1/2] Add a patch for ROOT's WebUI vulnerability. At the same time removed the "outdated ROOT patches" from the repository. --- External/ROOT/CMakeLists.txt | 6 ++-- External/ROOT/patches/v6-26-08-cmp0135.patch | 12 -------- External/ROOT/patches/v6-26-08-vdt.patch | 31 -------------------- External/ROOT/patches/v6-28-08-webgui.patch | 15 ++++++++++ 4 files changed, 18 insertions(+), 46 deletions(-) delete mode 100644 External/ROOT/patches/v6-26-08-cmp0135.patch delete mode 100644 External/ROOT/patches/v6-26-08-vdt.patch create mode 100644 External/ROOT/patches/v6-28-08-webgui.patch diff --git a/External/ROOT/CMakeLists.txt b/External/ROOT/CMakeLists.txt index 7562957e..bec7c440 100644 --- a/External/ROOT/CMakeLists.txt +++ b/External/ROOT/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright (C) 2002-2022 CERN for the benefit of the ATLAS collaboration +# Copyright (C) 2002-2023 CERN for the benefit of the ATLAS collaboration # # Configuration for building ROOT as part of the offline / analysis release. # @@ -27,10 +27,10 @@ mark_as_advanced( ATLAS_ROOT_SOURCE ) # Decide whether / how to patch the ROOT sources. set( ATLAS_ROOT_PATCH - "PATCH_COMMAND;patch;-p1;<;${CMAKE_CURRENT_SOURCE_DIR}/patches/v6-28-04-vdt.patch" + "PATCH_COMMAND;patch;-p1;<;${CMAKE_CURRENT_SOURCE_DIR}/patches/v6-28-04-vdt.patch;COMMAND;patch;-p1;<;${CMAKE_CURRENT_SOURCE_DIR}/patches/v6-28-08-webgui.patch" CACHE STRING "Patch command for ROOT" ) set( ATLAS_ROOT_FORCEDOWNLOAD_MESSAGE - "Forcing the re-download of ROOT (2023.07.26.)" + "Forcing the re-download of ROOT (2023.11.29.)" CACHE STRING "Download message to update whenever patching changes" ) mark_as_advanced( ATLAS_ROOT_PATCH ATLAS_ROOT_FORCEDOWNLOAD_MESSAGE ) 
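Review bot: `ATLAS_ROOT_PATCH` is a cache entry set without `FORCE`, so a build directory configured before this commit keeps its cached value and never gains the `v6-28-08-webgui.patch` step; the same holds for `ATLAS_ROOT_FORCEDOWNLOAD_MESSAGE`, which is also set with `CACHE STRING`. How the download message triggers the re-download is not visible in this hunk, but if it relies on the cached value changing, existing build trees would keep building ROOT with `WebGui.HttpLoopback: no` and give no indication of it. Rather than adding `FORCE`, I would state the requirement next to the variable, for example `# NOTE: cached value; an existing build directory must be re-created (or this entry removed from CMakeCache.txt) to pick up a changed patch list.`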
diff --git a/External/ROOT/patches/v6-26-08-cmp0135.patch b/External/ROOT/patches/v6-26-08-cmp0135.patch deleted file mode 100644 index fcabb606..00000000 --- a/External/ROOT/patches/v6-26-08-cmp0135.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -ur root-6.26.08-orig/CMakeLists.txt root-6.26.08-patched/CMakeLists.txt ---- root-6.26.08-orig/CMakeLists.txt 2022-10-18 08:52:45.000000000 +0200 -+++ root-6.26.08-patched/CMakeLists.txt 2022-12-02 09:51:17.083162714 +0100 -@@ -18,7 +18,7 @@ - " Please see README/INSTALL for more information.") - endif() - --set(policy_new CMP0072 CMP0077 CMP0135) -+set(policy_new CMP0072 CMP0077) - foreach(policy ${policy_new}) - if(POLICY ${policy}) - cmake_policy(SET ${policy} NEW) diff --git a/External/ROOT/patches/v6-26-08-vdt.patch b/External/ROOT/patches/v6-26-08-vdt.patch deleted file mode 100644 index 1c5ac4a8..00000000 --- a/External/ROOT/patches/v6-26-08-vdt.patch +++ /dev/null 
@@ -1,31 +0,0 @@ ---- root-6.26.08/cmake/modules/SearchInstalledSoftware.cmake 2022-10-18 08:52:45.000000000 +0200 -+++ root-6.26.08-patched/cmake/modules/SearchInstalledSoftware.cmake 2022-11-03 10:22:03.803979340 +0100 -@@ -1627,23 +1627,26 @@ - set(vdt_version 0.4.4) - set(VDT_FOUND True) - set(VDT_LIBRARIES ${CMAKE_BINARY_DIR}/lib/${CMAKE_STATIC_LIBRARY_PREFIX}vdt${CMAKE_SHARED_LIBRARY_SUFFIX}) -+ get_filename_component(python_path ${PYTHON_EXECUTABLE} DIRECTORY) - ExternalProject_Add( - VDT - URL ${lcgpackages}/vdt-${vdt_version}.tar.gz - URL_HASH SHA256=8b1664b45ec82042152f89d171dd962aea9bb35ac53c8eebb35df1cb9c34e498 - INSTALL_DIR ${CMAKE_BINARY_DIR} -- CMAKE_ARGS -+ CONFIGURE_COMMAND ${CMAKE_COMMAND} -E env PATH=${python_path}:$ENV{PATH} -+ ${CMAKE_COMMAND} - -DSSE=OFF # breaks on ARM without this - -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE} - -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER} - -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER} - -DCMAKE_C_FLAGS=${CMAKE_C_FLAGS} - -DCMAKE_CXX_FLAGS=${ROOT_EXTERNAL_CXX_FLAGS} -- -DCMAKE_INSTALL_PREFIX=<INSTALL_DIR> -+ -DCMAKE_INSTALL_PREFIX=<INSTALL_DIR> <SOURCE_DIR> - LOG_DOWNLOAD 1 LOG_CONFIGURE 1 LOG_BUILD 1 LOG_INSTALL 1 - BUILD_BYPRODUCTS ${VDT_LIBRARIES} - TIMEOUT 600 - ) -+ unset(python_path) - ExternalProject_Add_Step( - VDT copy2externals - COMMAND ${CMAKE_COMMAND} -E copy_directory ${CMAKE_BINARY_DIR}/include/vdt ${CMAKE_BINARY_DIR}/ginclude/vdt diff --git a/External/ROOT/patches/v6-28-08-webgui.patch b/External/ROOT/patches/v6-28-08-webgui.patch new file mode 100644 index 00000000..9fa619ef --- /dev/null +++ b/External/ROOT/patches/v6-28-08-webgui.patch 
@@ -0,0 +1,15 @@ +diff --git a/config/rootrc.in b/config/rootrc.in +index 50c37fb0c7..63aa8d822c 100644 +--- a/config/rootrc.in ++++ b/config/rootrc.in +@@ -244,8 +244,8 @@ WebGui.HttpPortMin: 8800 + WebGui.HttpPortMax: 9800 + # Exact IP iddress to bind bind http server (default - empty) + WebGui.HttpBind: +-# Use only loopback address to bind http server (default - no) +-WebGui.HttpLoopback: no ++# Use only loopback address to bind http server (default - yes) ++WebGui.HttpLoopback: yes + # Use https protocol for the http server (default - no) + WebGui.UseHttps: no + WebGui.ServerCert: rootserver.pem -- GitLab From 0452ea2ff3fbdede6401c77e93367691133f72c7 Mon Sep 17 00:00:00 2001 From: Attila Krasznahorkay <Attila.Krasznahorkay@cern.ch> Date: Wed, 29 Nov 2023 11:43:29 +0100 Subject: [PATCH 2/2] Switched to getting ROOT from the ATLAS webserver. Only falling back to the main ROOT server if the ATLAS one is unreachable. --- External/ROOT/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/External/ROOT/CMakeLists.txt b/External/ROOT/CMakeLists.txt index bec7c440..eaf2a0b6 100644 --- a/External/ROOT/CMakeLists.txt +++ b/External/ROOT/CMakeLists.txt @@ -21,7 +21,7 @@ endif() # Declare where to get ROOT from. set( ATLAS_ROOT_SOURCE - "URL;https://root.cern/download/root_v6.28.08.source.tar.gz;URL_MD5;3eca7fadb7867232fa74a7262644b05d" + "URL;http://cern.ch/atlas-software-dist-eos/externals/ROOT/root_v6.28.08.source.tar.gz;https://root.cern/download/root_v6.28.08.source.tar.gz;URL_MD5;3eca7fadb7867232fa74a7262644b05d" CACHE STRING "The source for ROOT" ) mark_as_advanced( ATLAS_ROOT_SOURCE ) -- GitLab
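Review bot: The new `v6-28-08-webgui.patch` starts directly at `diff --git a/config/rootrc.in` and carries no preamble saying where the change comes from or when it can be dropped. `patch` skips text before the first diff header, so a short one fits there, e.g. `Bind the WebGui http server to loopback by default; taken from <upstream ROOT commit or release>, drop once the bundled ROOT includes it.` It would also help to say that only the shipped default in `config/rootrc.in` changes: `WebGui.HttpBind:` stays empty and `WebGui.UseHttps` stays `no`, and a user or site rootrc that sets `WebGui.HttpLoopback: no` presumably still takes precedence, so this is default hardening rather than enforcement.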
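Review bot: The first entry of the new `URL` list in `ATLAS_ROOT_SOURCE` is fetched over plain `http://`, which leaves `URL_MD5` as the only check on the tarball that gets unpacked and built, and MD5 is not a digest to rely on against deliberate tampering. I would pin the archive with a stronger hash, `URL_HASH;SHA256=<sha256 of root_v6.28.08.source.tar.gz>` in place of `URL_MD5;3eca7fadb7867232fa74a7262644b05d`, and use an `https://` address for the ATLAS mirror if that host serves one (not visible from this hunk). The list is consumed outside the hunk, so I am assuming it is passed on as ExternalProject `URL` arguments there.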