From 9ad46603e481af27ed2fa671134133ae57a819ee Mon Sep 17 00:00:00 2001
From: Ilya Biryukov
Date: Fri, 18 Aug 2017 09:37:23 +0000
Subject: [PATCH] Addressed some security issues in Dockerfiles.
Summary:
- Removed --trust-server-cert from `svn checkout` invocations. Installing 'ca-certificates' package on ubuntu adds required CAs to the system and svn can do proper checkout using https.
- Added checksum verification when installing cmake from cmake.org.
Reviewers: mehdi_amini, klimek
Reviewed By: mehdi_amini
Subscribers: llvm-commits
Differential Revision: https://reviews.llvm.org/D36673
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@311152 91177308-0d34-0410-b5e6-96231b3b80d8
---
utils/docker/debian8/build/Dockerfile | 20 +++++++++++++++-----
utils/docker/nvidia-cuda/build/Dockerfile | 3 ++-
utils/docker/scripts/build_install_llvm.sh | 10 ++--------
3 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/utils/docker/debian8/build/Dockerfile b/utils/docker/debian8/build/Dockerfile
index 13a11a73be6..708d3fca134 100644
--- a/utils/docker/debian8/build/Dockerfile
+++ b/utils/docker/debian8/build/Dockerfile
@@ -18,14 +18,24 @@ RUN grep deb /etc/apt/sources.list | \
 # Install compiler, python and subversion.
 RUN apt-get update && \
- apt-get install -y --no-install-recommends build-essential python2.7 wget \
- subversion ninja-build && \
+ apt-get install -y --no-install-recommends ca-certificates gnupg \
+ build-essential python2.7 wget subversion ninja-build && \
 rm -rf /var/lib/apt/lists/*
-# Install cmake version that can compile clang into /usr/local.
+# Import public key required for verifying signature of cmake download.
+RUN gpg --keyserver hkp://pgp.mit.edu --recv 0x2D2CEF1034921684
+
+# Download, verify and install cmake version that can compile clang into /usr/local.
 # (Version in debian8 repos is is too old)
-RUN wget -O - "https://cmake.org/files/v3.7/cmake-3.7.2-Linux-x86_64.tar.gz" | \
- tar xzf - -C /usr/local --strip-components=1
+RUN mkdir /tmp/cmake-install && cd /tmp/cmake-install && \
+ wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt.asc" && \
+ wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt" && \
+ gpg --verify cmake-3.7.2-SHA-256.txt.asc cmake-3.7.2-SHA-256.txt && \
+ wget "https://cmake.org/files/v3.7/cmake-3.7.2-Linux-x86_64.tar.gz" && \
+ ( grep "cmake-3.7.2-Linux-x86_64.tar.gz" cmake-3.7.2-SHA-256.txt | \
+ sha256sum -c - ) && \
+ tar xzf cmake-3.7.2-Linux-x86_64.tar.gz -C /usr/local --strip-components=1 && \
+ cd / && rm -rf /tmp/cmake-install
 # Arguments passed to build_install_clang.sh.
 ARG buildscript_args
diff --git a/utils/docker/nvidia-cuda/build/Dockerfile b/utils/docker/nvidia-cuda/build/Dockerfile
index 619b80cbb61..b008c411ff1 100644
--- a/utils/docker/nvidia-cuda/build/Dockerfile
+++ b/utils/docker/nvidia-cuda/build/Dockerfile
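Review bot: The trust anchor for the cmake download is fetched at build time by `RUN gpg --keyserver hkp://pgp.mit.edu --recv 0x2D2CEF1034921684`, over plain HKP and identified only by a 64-bit key ID, so the later `gpg --verify cmake-3.7.2-SHA-256.txt.asc cmake-3.7.2-SHA-256.txt` proves no more than that the checksum file was signed by whichever key the keyserver handed back for that ID; short key IDs are not collision-resistant and the transport is unauthenticated. Pin the full fingerprint and use an authenticated keyserver, e.g. `RUN gpg --keyserver hkps://<keyserver> --recv-keys <full fingerprint of 0x2D2CEF1034921684>` (placeholders), or better, ship the public key file in the build context and `gpg --import` it so the build neither trusts the network for its key nor breaks when the keyserver is unreachable. A comment above the verify step should also state that `gpg --verify` accepts a signature from any key in the keyring, which is why the keyring must contain only the pinned cmake key.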
@@ -17,7 +17,8 @@ ARG buildscript_args
 # Install llvm build dependencies.
 RUN apt-get update && \
- apt-get install -y --no-install-recommends cmake python2.7 subversion ninja-build && \
+ apt-get install -y --no-install-recommends ca-certificates cmake python2.7 \
+ subversion ninja-build && \
 rm -rf /var/lib/apt/lists/*
 # Run the build. Results of the build will be available as /tmp/clang.tar.gz.
diff --git a/utils/docker/scripts/build_install_llvm.sh b/utils/docker/scripts/build_install_llvm.sh
index 642f16a84dd..4614f2ca203 100755
--- a/utils/docker/scripts/build_install_llvm.sh
+++ b/utils/docker/scripts/build_install_llvm.sh
@@ -167,20 +167,14 @@ for LLVM_PROJECT in $LLVM_PROJECTS; do
 fi
 echo "Checking out https://llvm.org/svn/llvm-project/$SVN_PROJECT to $CLANG_BUILD_DIR/src/$LLVM_PROJECT"
- # FIXME: --trust-server-cert is required to workaround 'SSL issuer is not
- # trusted' error. Using https seems preferable to http either way,
- # albeit this is not secure.
- svn co -q $SVN_REV_ARG --trust-server-cert \
+ svn co -q $SVN_REV_ARG \
 "https://llvm.org/svn/llvm-project/$SVN_PROJECT/$LLVM_BRANCH" \
 "$CLANG_BUILD_DIR/src/$LLVM_PROJECT"
 done
 if [ $CLANG_TOOLS_EXTRA_ENABLED -ne 0 ]; then
 echo "Checking out https://llvm.org/svn/llvm-project/clang-tools-extra to $CLANG_BUILD_DIR/src/clang/tools/extra"
- # FIXME: --trust-server-cert is required to workaround 'SSL issuer is not
- # trusted' error. Using https seems preferable to http either way,
- # albeit this is not secure.
- svn co -q $SVN_REV_ARG --trust-server-cert \
+ svn co -q $SVN_REV_ARG \
 "https://llvm.org/svn/llvm-project/clang-tools-extra/$LLVM_BRANCH" \
 "$CLANG_BUILD_DIR/src/clang/tools/extra"
 fi
-- 
2.11.0
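Review bot: The two new `svn co -q $SVN_REV_ARG \` lines drop `--trust-server-cert` and now depend on the image's CA bundle, but nothing at either call site records that requirement, so a future image that omits ca-certificates will fail with the same 'SSL issuer is not trusted' error the deleted FIXME described, and the same point applies to the second hunk of this file. Add a comment above the first checkout, `# Certificate verification for llvm.org relies on the image's CA bundle (ca-certificates); do not re-add --trust-server-cert.`, and a one-line equivalent before the clang-tools-extra checkout. The `for LLVM_PROJECT` loop enclosing the first call starts before the hunk.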