From 0744477aa5275fc5ba4a0071797fb3c4cacdb1f7 Mon Sep 17 00:00:00 2001
From: Orion Poplawski
Date: Tue, 25 Apr 2023 17:56:21 -0600
Subject: [PATCH 1/5] Add upstream patch for CVE-2021-42521 - vtkXMLTreeReader: possible nullptr dereference (bz#2189654)
---
9621.patch | 36 ++++++++++++++++++++++++++++++++++++
vtk.spec | 8 +++++++-
2 files changed, 43 insertions(+), 1 deletion(-)
create mode 100644 9621.patch
diff --git a/9621.patch b/9621.patch
new file mode 100644
index 0000000..b4c3835
--- /dev/null
+++ b/9621.patch
@@ -0,0 +1,36 @@
+From 72119ea71422d2892f2a0475fc282835310f8d9e Mon Sep 17 00:00:00 2001
+From: Cory Quammen
+Date: Thu, 29 Sep 2022 13:10:00 -0400
+Subject: [PATCH] vtkXMLTreeReader: protect against possible nullptr
+ dereference
+
+Vulnerability reported at
+https://nvd.nist.gov/vuln/detail/CVE-2021-42521.
+
+Fixes #17818
+
+(cherry picked from commit 9a2fe8ef2ecbf04f811b2e02b71eae8b94aae089)
+---
+ IO/Infovis/vtkXMLTreeReader.cxx | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/IO/Infovis/vtkXMLTreeReader.cxx b/IO/Infovis/vtkXMLTreeReader.cxx
+index 64abca37e96..af64572b27f 100644
+--- a/IO/Infovis/vtkXMLTreeReader.cxx
++++ b/IO/Infovis/vtkXMLTreeReader.cxx
+@@ -217,6 +217,12 @@ int vtkXMLTreeReader::RequestData(
+
+ // Get the root element node
+ xmlNode* rootElement = xmlDocGetRootElement(doc);
++ if (!rootElement)
++ {
++ vtkErrorMacro(<< "Could not get root element of document.");
++ return 0;
++ }
++
+ vtkXMLTreeReaderProcessElement(builder, -1, rootElement, this->ReadCharData, this->MaskArrays);
+
+ xmlFreeDoc(doc);
+--
+GitLab
+
diff --git a/vtk.spec b/vtk.spec
index 3dab677..98fcd3a 100644
--- a/vtk.spec
+++ b/vtk.spec
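Review bot: The early return added in the vtkXMLTreeReader.cxx hunk carried by 9621.patch leaves `doc` unreleased, because `return 0;` sits ahead of the `xmlFreeDoc(doc);` that the normal path reaches a few lines later. Every XML input without a root element therefore leaks the parsed document, which matters for a reader that may be fed untrusted files repeatedly. Add `xmlFreeDoc(doc);` before `return 0;` inside the `if (!rootElement)` block. RequestData starts and ends outside the hunk, so whether `builder` or other locals also need releasing on this path cannot be confirmed from here and should be checked against the full function.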
@@ -40,7 +40,7 @@ Summary: The Visualization Toolkit - A high level 3D visualization library Name: vtk Version: 9.1.0 -Release: 17%{?dist} +Release: 18%{?dist} # This is a variant BSD license, a cross between BSD and ZLIB. # For all intents, it has the same rights and restrictions as BSD. # http://fedoraproject.org/wiki/Licensing/BSD#VTKBSDVariant @@ -58,6 +58,8 @@ Patch2: vtk-netcdf.patch # Duplicate define conflict with Xutil, see: # https://gitlab.kitware.com/vtk/vtk/-/issues/18048 Patch3: vtk-AllValues.patch +# CVE-2021-42521 - vtkXMLTreeReader: possible nullptr dereference +Patch4: https://gitlab.kitware.com/vtk/vtk/-/merge_requests/9621.patch URL: https://vtk.org/ @@ -844,6 +846,10 @@ cat xorg.log %changelog +* Tue Apr 25 2023 Orion Poplawski - 9.1.0-18 +- Add upstream patch for CVE-2021-42521 - vtkXMLTreeReader: possible nullptr + dereference (bz#2189654) + * Thu Jul 28 2022 Orion Poplawski - 9.1.0-17 - Remove all of vtkdata/Wrapping to keep vtk-data noarch From c83770a71caded74535e6c0749236eceeba7a96d Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Tue, 24 Jun 2025 09:28:27 -0600 Subject: [PATCH 2/5] Rebuild for proj 9 --- vtk.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/vtk.spec b/vtk.spec index 98fcd3a..eba6428 100644 --- a/vtk.spec +++ b/vtk.spec @@ -40,7 +40,7 @@ Summary: The Visualization Toolkit - A high level 3D visualization library Name: vtk Version: 9.1.0 -Release: 18%{?dist} +Release: 19%{?dist} # This is a variant BSD license, a cross between BSD and ZLIB. # For all intents, it has the same rights and restrictions as BSD. # http://fedoraproject.org/wiki/Licensing/BSD#VTKBSDVariant @@ -846,6 +846,9 @@ cat xorg.log %changelog +* Tue Jun 24 2025 Orion Poplawski - 9.1.0-19 +- Rebuild for proj 9 + * Tue Apr 25 2023 Orion Poplawski - 9.1.0-18 - Add upstream patch for CVE-2021-42521 - vtkXMLTreeReader: possible nullptr dereference (bz#2189654) From 3da9ad4e024e0692cf1fa248fa7843137785d439 Mon Sep 17 00:00:00 2001 
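Review bot: The `Patch4:` line added in the `@@ -58,6 +58,8 @@` hunk names a merge-request URL rather than a commit, so the spec does not record which upstream revision the committed 9621.patch corresponds to. A merge-request `.patch` endpoint serves whatever commits the request currently holds (presumably stable once merged, but the URL itself pins nothing). Extend the comment above it with the revision from the patch header, e.g. `# Upstream commit 72119ea71422d2892f2a0475fc282835310f8d9e (cherry picked from 9a2fe8ef2ecbf04f811b2e02b71eae8b94aae089)`, so that a later re-download can be compared against a fixed revision.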
From: Orion Poplawski Date: Mon, 24 Nov 2025 17:21:22 -0700 Subject: [PATCH 3/5] Rebuild for gdal (rhbz#2416611) --- vtk.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/vtk.spec b/vtk.spec index eba6428..3c2ae42 100644 --- a/vtk.spec +++ b/vtk.spec @@ -40,7 +40,7 @@ Summary: The Visualization Toolkit - A high level 3D visualization library Name: vtk Version: 9.1.0 -Release: 19%{?dist} +Release: 20%{?dist} # This is a variant BSD license, a cross between BSD and ZLIB. # For all intents, it has the same rights and restrictions as BSD. # http://fedoraproject.org/wiki/Licensing/BSD#VTKBSDVariant @@ -846,6 +846,9 @@ cat xorg.log %changelog +* Tue Nov 25 2025 Orion Poplawski - 9.1.0-20 +- Rebuild for gdal (rhbz#2416611) + * Tue Jun 24 2025 Orion Poplawski - 9.1.0-19 - Rebuild for proj 9 From cedd757304fef8b004e489cd42dd7e0124037697 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 26 Nov 2025 08:33:07 -0700 Subject: [PATCH 4/5] Backport ppc64le inline patch --- vtk-ppc64-no-always-inline.patch | 14 ++++++++++++++ vtk.spec | 5 +++++ 2 files changed, 19 insertions(+) create mode 100644 vtk-ppc64-no-always-inline.patch diff --git a/vtk-ppc64-no-always-inline.patch b/vtk-ppc64-no-always-inline.patch new file mode 100644 index 0000000..60d5bc5 --- /dev/null +++ b/vtk-ppc64-no-always-inline.patch @@ -0,0 +1,14 @@ +diff --git a/Common/Core/vtkDataArrayMeta.h b/Common/Core/vtkDataArrayMeta.h +index 376244b..9b8f58e 100644 +--- a/Common/Core/vtkDataArrayMeta.h ++++ b/Common/Core/vtkDataArrayMeta.h +@@ -43,7 +43,8 @@ + #define VTK_ITER_ASSERT(x, msg) + #endif + +-#if defined(VTK_ALWAYS_OPTIMIZE_ARRAY_ITERATORS) && !defined(VTK_DEBUG_RANGE_ITERATORS) ++#if (defined(VTK_ALWAYS_OPTIMIZE_ARRAY_ITERATORS) || !defined(VTK_DEBUG_RANGE_ITERATORS)) && \ ++ !defined(VTK_COMPILER_MSVC) && !defined(__PPC64__) + #define VTK_ITER_INLINE VTK_ALWAYS_INLINE + #define VTK_ITER_ASSUME VTK_ASSUME_NO_ASSERT + #define VTK_ITER_OPTIMIZE_START VTK_ALWAYS_OPTIMIZE_START 
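Review bot: The rewritten `#if` in vtk-ppc64-no-always-inline.patch changes more than the ppc64 exclusion: the operator between `defined(VTK_ALWAYS_OPTIMIZE_ARRAY_ITERATORS)` and `!defined(VTK_DEBUG_RANGE_ITERATORS)` goes from `&&` to `||`. On every other architecture the forced-inline branch is now also taken when VTK_ALWAYS_OPTIMIZE_ARRAY_ITERATORS is undefined with debug iterators off, and when both macros are defined. If only the ppc64le workaround is intended for this 9.1.0 backport, keep the original operator and append the exclusion: `#if defined(VTK_ALWAYS_OPTIMIZE_ARRAY_ITERATORS) && !defined(VTK_DEBUG_RANGE_ITERATORS) && !defined(__PPC64__)`. The patch file carries no commit header, so a comment naming the upstream commit it was taken from would help; the `#else` branch of this conditional lies outside the hunk.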
diff --git a/vtk.spec b/vtk.spec index 3c2ae42..6933f09 100644 --- a/vtk.spec +++ b/vtk.spec @@ -60,6 +60,10 @@ Patch2: vtk-netcdf.patch Patch3: vtk-AllValues.patch # CVE-2021-42521 - vtkXMLTreeReader: possible nullptr dereference Patch4: https://gitlab.kitware.com/vtk/vtk/-/merge_requests/9621.patch +# always_inline fails on ppc64le +# https://gitlab.kitware.com/vtk/vtk/-/issues/19622 +# https://bugzilla.redhat.com/show_bug.cgi?id=2386242 +Patch5: vtk-ppc64-no-always-inline.patch URL: https://vtk.org/ @@ -848,6 +852,7 @@ cat xorg.log %changelog * Tue Nov 25 2025 Orion Poplawski - 9.1.0-20 - Rebuild for gdal (rhbz#2416611) +- Backport ppc64le inline patch * Tue Jun 24 2025 Orion Poplawski - 9.1.0-19 - Rebuild for proj 9 From 02400611be531e6372c7298ae7245d74c3ec1f51 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Thu, 4 Dec 2025 07:41:45 -0700 Subject: [PATCH 5/5] Use bundled eigen3 on ppc64le - https://issues.redhat.com/browse/RHEL-131497 --- vtk-eigen3.patch | 12 ++++++++++++ vtk.spec | 21 +++++++++++++++++++-- 2 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 vtk-eigen3.patch diff --git a/vtk-eigen3.patch b/vtk-eigen3.patch new file mode 100644 index 0000000..7fa124a --- /dev/null +++ b/vtk-eigen3.patch @@ -0,0 +1,12 @@ +diff -up VTK-9.1.0/ThirdParty/eigen/vtkeigen/CMakeLists.txt.eigen3 VTK-9.1.0/ThirdParty/eigen/vtkeigen/CMakeLists.txt +--- VTK-9.1.0/ThirdParty/eigen/vtkeigen/CMakeLists.txt.eigen3 2021-11-04 13:48:20.000000000 -0600 ++++ VTK-9.1.0/ThirdParty/eigen/vtkeigen/CMakeLists.txt 2025-12-03 21:34:28.475070319 -0700 +@@ -486,7 +486,7 @@ endif () + + foreach(var INCLUDE_INSTALL_DIR CMAKEPACKAGE_INSTALL_DIR PKGCONFIG_INSTALL_DIR) + if(IS_ABSOLUTE "${${var}}") +- message(FATAL_ERROR "${var} must be relative to CMAKE_PREFIX_PATH. Got: ${${var}}") ++ file(RELATIVE_PATH "${var}" "${CMAKE_INSTALL_PREFIX}" "${${var}}") + endif() + endforeach() + diff --git a/vtk.spec b/vtk.spec index 6933f09..0115bea 100644 --- a/vtk.spec +++ b/vtk.spec 
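Review bot: Replacing `message(FATAL_ERROR ...)` with `file(RELATIVE_PATH ...)` in the vtk-eigen3.patch hunk removes the only check on these install directories. An absolute value that does not lie under `CMAKE_INSTALL_PREFIX` is now rewritten to a path with leading `../` segments and accepted silently, so files can be installed outside the prefix without any diagnostic. Keep a guard after the conversion, for example `if("${${var}}" MATCHES "^\\.\\.")` followed by `message(FATAL_ERROR "${var} is outside CMAKE_INSTALL_PREFIX: ${${var}}")` and `endif()`. The patch has no header explaining why the check is relaxed; a one-line comment in the patch or next to `Patch6:` would record that.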
@@ -31,6 +31,13 @@ %bcond_without flexiblas %endif +%ifarch ppc64le +# Deal with ppc64le issue - https://issues.redhat.com/browse/RHEL-131497 +%bcond_with eigen3 +%else +%bcond_without eigen3 +%endif + # VTK currently is carrying local modifications to gl2ps %bcond_with gl2ps @@ -64,6 +71,8 @@ Patch4: https://gitlab.kitware.com/vtk/vtk/-/merge_requests/9621.patch # https://gitlab.kitware.com/vtk/vtk/-/issues/19622 # https://bugzilla.redhat.com/show_bug.cgi?id=2386242 Patch5: vtk-ppc64-no-always-inline.patch +# Fix build of bundled eigen3 +Patch6: vtk-eigen3.patch URL: https://vtk.org/ @@ -88,7 +97,9 @@ BuildRequires: boost-devel BuildRequires: cgnslib-devel BuildRequires: cli11-devel BuildRequires: double-conversion-devel +%if %{with eigen3} BuildRequires: eigen3-devel +%endif BuildRequires: expat-devel %if %{with fmt} BuildRequires: fmt-devel >= 8.1.0 @@ -174,7 +185,9 @@ Requires: cgnslib-devel%{?_isa} \ Requires: cli11-static \ Requires: double-conversion-devel%{?_isa} \ # eigen3 is noarch and header-only \ +%if %{with eigen3} \ Requires: eigen3-static \ +%endif \ Requires: expat-devel%{?_isa} \ %if %{with fmt} \ Requires: fmt-devel%{?_isa} \ @@ -497,7 +510,7 @@ programming languages. # TODO - VPIC - not yet packaged # TODO - xdmf2 - not yet packaged # TODO - xdmf3 - not yet packaged -for x in vtk{cli11,doubleconversion,eigen,expat,%{?with_fmt:fmt,}freetype,%{?with_gl2ps:gl2ps,}glew,hdf5,jpeg,jsoncpp,libharu,libproj,libxml2,lz4,lzma,mpi4py,netcdf,ogg,pegtl,png,pugixml,sqlite,theora,tiff,utf8,zfp,zlib} +for x in vtk{cli11,doubleconversion,%{?with_eigen3:eigen,}expat,%{?with_fmt:fmt,}freetype,%{?with_gl2ps:gl2ps,}glew,hdf5,jpeg,jsoncpp,libharu,libproj,libxml2,lz4,lzma,mpi4py,netcdf,ogg,pegtl,png,pugixml,sqlite,theora,tiff,utf8,zfp,zlib} do rm -r ThirdParty/*/${x} done 
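Review bot: With `%bcond_with eigen3` on ppc64le the build keeps VTK's own copy under ThirdParty (the `rm -r` loop skips `eigen` and `eigen3-devel` is no longer required), but no hunk in this patch declares that bundled copy. Add a conditional `Provides: bundled(eigen3) = <BUNDLED_EIGEN_VERSION>` (placeholder; take the version from the bundled sources) inside `%if !%{with eigen3}`, so that tooling which tracks vulnerable library copies can see it. A short comment next to the `%bcond` stating that the bundled copy is a temporary workaround for the linked issue would also help whoever removes it later.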
@@ -564,13 +577,16 @@ export JAVA_TOOL_OPTIONS=-Xmx2048m %endif \ -DVTK_WRAP_PYTHON:BOOL=ON \\\ -DVTK_USE_EXTERNAL=ON \\\ +%if !%{with eigen3} \ + -DVTK_MODULE_USE_EXTERNAL_VTK_eigen:BOOL=OFF \\\ +%endif \ + -DVTK_MODULE_USE_EXTERNAL_VTK_exprtk:BOOL=OFF \\\ %if !%{with fmt} \ -DVTK_MODULE_USE_EXTERNAL_VTK_fmt:BOOL=OFF \\\ %endif \ %if !%{with gl2ps} \ -DVTK_MODULE_USE_EXTERNAL_VTK_gl2ps:BOOL=OFF \\\ %endif \ - -DVTK_MODULE_USE_EXTERNAL_VTK_exprtk:BOOL=OFF \\\ -DVTK_MODULE_USE_EXTERNAL_VTK_ioss:BOOL=OFF \\\ -DVTK_USE_TK=ON \\\ %{?with_flexiblas:-DBLA_VENDOR=FlexiBLAS} @@ -853,6 +869,7 @@ cat xorg.log * Tue Nov 25 2025 Orion Poplawski - 9.1.0-20 - Rebuild for gdal (rhbz#2416611) - Backport ppc64le inline patch +- Use bundled eigen3 on ppc64le - https://issues.redhat.com/browse/RHEL-131497 * Tue Jun 24 2025 Orion Poplawski - 9.1.0-19 - Rebuild for proj 9