From 310da8838d1d388f876e863064566964258538d2 Mon Sep 17 00:00:00 2001
From: Omair Majid
Date: Mon, 21 Mar 2022 14:26:13 -0400
Subject: [PATCH] Support using the system version of brotli

This is mainly motivated by the March 2022 release of .NET 5. .NET 5 was found to be vulnerable to CVE-2020-8927, which was caused by the older version of brotli built into .NET. .NET was vulernable even in environments where a system-wide version of brotli was present and had already received fixes for this CVE. We could have avoided a Remote Code Execution vulnerability in such environments by using the system's version of brotli.

This is similar to the existing support for disabling distro-agnostic OpenSSL (except no OpenSSL is embedded) and using the system libunwind (a copy of libunwind is embedded this repo).

One small twist is the presence of entrypoint verification. In a system-brotli build, the verification fails, because the built library, libSystem.IO.Compression.Native.so, doesn't include the symbols for Brotli. Those symbols are instead used from the system brotli libraries.
---
 src/native/external/brotli.cmake | 2 +-
 .../CMakeLists.txt | 31 +++++++++++++------
 .../entrypoints.c | 8 ++---
 .../extra_libs.cmake | 7 +++++
 4 files changed, 33 insertions(+), 15 deletions(-)

diff --git a/src/native/external/brotli.cmake b/src/native/external/brotli.cmake
index a6394f369f1ce1..6e4d3f7ee0b489 100644
--- a/src/native/external/brotli.cmake
+++ b/src/native/external/brotli.cmake
@@ -1,4 +1,4 @@
-include_directories("${CMAKE_CURRENT_LIST_DIR}/brotli/include")
+include_directories(BEFORE "${CMAKE_CURRENT_LIST_DIR}/brotli/include")
 set (BROTLI_SOURCES_BASE
 common/constants.c
diff --git a/src/native/libs/System.IO.Compression.Native/CMakeLists.txt b/src/native/libs/System.IO.Compression.Native/CMakeLists.txt
index 83259d9ae29dbb..35c6776a89b046 100644
--- a/src/native/libs/System.IO.Compression.Native/CMakeLists.txt
+++ b/src/native/libs/System.IO.Compression.Native/CMakeLists.txt
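Review bot: The `BEFORE` keyword is the entire content of this one-line change, yet nothing records why it is needed, so a later reader may take it for cosmetic. Presumably it makes the vendored headers under `brotli/include` take precedence over a system-installed brotli that sits on the compiler's default include path, so the embedded sources are compiled against their own headers rather than a possibly different system version; if that is the intent, a comment such as `# BEFORE: the bundled brotli must compile against its own headers even when a (different) system brotli is installed` would keep it from being "simplified" away. Note that `include_directories` is directory-scoped, so the prepended path applies to every target of the directory that include()s this file, not only to the brotli objects.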
@@ -7,11 +7,20 @@ set(NATIVECOMPRESSION_SOURCES
 )
 if (NOT CLR_CMAKE_TARGET_BROWSER)
- include(${CLR_SRC_NATIVE_DIR}/external/brotli.cmake)
+
+ if (CLR_CMAKE_USE_SYSTEM_BROTLI)
+ add_definitions(-DFEATURE_USE_SYSTEM_BROTLI)
+ else ()
+ include(${CLR_SRC_NATIVE_DIR}/external/brotli.cmake)
+
+ set (NATIVECOMPRESSION_SOURCES
+ ${NATIVECOMPRESSION_SOURCES}
+ ${BROTLI_SOURCES}
+ )
+ endif ()
 set (NATIVECOMPRESSION_SOURCES
 ${NATIVECOMPRESSION_SOURCES}
- ${BROTLI_SOURCES}
 entrypoints.c
 )
 endif ()
@@ -60,14 +69,16 @@ if (CLR_CMAKE_TARGET_UNIX OR CLR_CMAKE_TARGET_BROWSER)
 set_property(TARGET System.IO.Compression.Native APPEND_STRING PROPERTY LINK_FLAGS ${EXPORTS_LINKER_OPTION})
 set_property(TARGET System.IO.Compression.Native APPEND_STRING PROPERTY LINK_DEPENDS ${EXPORTS_FILE})
- add_custom_command(TARGET System.IO.Compression.Native POST_BUILD
- COMMENT "Verifying System.IO.Compression.Native entry points against entrypoints.c "
- COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/../verify-entrypoints.sh
- $
- ${CMAKE_CURRENT_SOURCE_DIR}/entrypoints.c
- ${CMAKE_NM}
- VERBATIM
- )
+ if (NOT CLR_CMAKE_USE_SYSTEM_BROTLI)
+ add_custom_command(TARGET System.IO.Compression.Native POST_BUILD
+ COMMENT "Verifying System.IO.Compression.Native entry points against entrypoints.c "
+ COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/../verify-entrypoints.sh
+ $
+ ${CMAKE_CURRENT_SOURCE_DIR}/entrypoints.c
+ ${CMAKE_NM}
+ VERBATIM
+ )
+ endif ()
 endif ()
 install_with_stripped_symbols (System.IO.Compression.Native PROGRAMS .)
diff --git a/src/native/libs/System.IO.Compression.Native/entrypoints.c b/src/native/libs/System.IO.Compression.Native/entrypoints.c
index e9db720107c757..6b6cc64ad0d3bd 100644
--- a/src/native/libs/System.IO.Compression.Native/entrypoints.c
+++ b/src/native/libs/System.IO.Compression.Native/entrypoints.c
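Review bot: In the first hunk the nested `set (NATIVECOMPRESSION_SOURCES ${NATIVECOMPRESSION_SOURCES} ${BROTLI_SOURCES})` re-implements `list(APPEND NATIVECOMPRESSION_SOURCES ${BROTLI_SOURCES})`, which says the same thing in one line and drops the duplicated self-expansion. `add_definitions(-DFEATURE_USE_SYSTEM_BROTLI)` is directory-scoped and reaches every target configured after this point; since the `System.IO.Compression.Native` target exists by the second hunk, `target_compile_definitions(System.IO.Compression.Native PRIVATE FEATURE_USE_SYSTEM_BROTLI)` placed after the target is created would confine the define to the one library that needs it (where that target is created is outside this hunk). The `set(NATIVECOMPRESSION_SOURCES` call named in the hunk header starts before the hunk.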
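Review bot: Wrapping the `verify-entrypoints.sh` post-build step in `if (NOT CLR_CMAKE_USE_SYSTEM_BROTLI)` turns entry-point verification off for the whole library in system-brotli builds, including the zlib entry points that the brotli choice does not touch, so an export drifting out of sync with `entrypoints.c` would go unnoticed in exactly the configuration the commit message is written for. The message attributes the failure to `entrypoints.c` still listing the Brotli symbols, and the entrypoints.c hunk below changes only the include lines, so guarding the Brotli includes and their table entries with `#ifndef FEATURE_USE_SYSTEM_BROTLI` (the define the first hunk adds, which nothing in the visible diff consumes yet) looks like it would let the verification stay on in both configurations; if the Brotli entries must remain in the table for another reason, the skip deserves a comment saying that the zlib exports go unverified as well. The enclosing `if (CLR_CMAKE_TARGET_UNIX OR CLR_CMAKE_TARGET_BROWSER)` block starts outside the hunk.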
@@ -5,10 +5,10 @@
 // Include System.IO.Compression.Native headers
 #include "pal_zlib.h"
-#include
-#include
-#include
-#include
+#include
+#include
+#include
+#include
 static const Entry s_compressionNative[] =
 {
diff --git a/src/native/libs/System.IO.Compression.Native/extra_libs.cmake b/src/native/libs/System.IO.Compression.Native/extra_libs.cmake
index 652a37a238895a..8910bae96d9d2d 100644
--- a/src/native/libs/System.IO.Compression.Native/extra_libs.cmake
+++ b/src/native/libs/System.IO.Compression.Native/extra_libs.cmake
@@ -12,4 +12,11 @@ macro(append_extra_compression_libs NativeLibsExtra)
 find_package(ZLIB REQUIRED)
 endif ()
 list(APPEND ${NativeLibsExtra} ${ZLIB_LIBRARIES})
+
+ if (CLR_CMAKE_USE_SYSTEM_BROTLI)
+ find_library(BROTLIDEC brotlidec REQUIRED)
+ find_library(BROTLIENC brotlienc REQUIRED)
+
+ list(APPEND ${NativeLibsExtra} ${BROTLIDEC} ${BROTLIENC})
+ endif ()
 endmacro()
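Review bot: `find_library(BROTLIDEC brotlidec REQUIRED)` only aborts configuration on CMake 3.18 or newer; on older versions `REQUIRED` is parsed as a search-path hint, a missing library leaves `BROTLIDEC-NOTFOUND` in the variable, and that literal is appended to the link list and surfaces later as an opaque link error. Unless the project's `cmake_minimum_required` (not visible here) already guarantees 3.18, an explicit check after the two lookups, `if (NOT BROTLIDEC OR NOT BROTLIENC)` / `message(FATAL_ERROR "CLR_CMAKE_USE_SYSTEM_BROTLI requires libbrotlidec and libbrotlienc")` / `endif ()`, gives the same failure mode everywhere. `find_library` also locates only the libraries: the bundled include path is no longer added in this configuration, so the matching `brotli/*.h` headers are assumed to sit on the compiler's default include path, and no version floor is applied even though picking up a patched brotli is the motivation for the change; if the project already uses pkg-config, `pkg_check_modules` on `libbrotlidec`/`libbrotlienc` would supply both the include directories and a minimum-version check. The `append_extra_compression_libs` macro starts outside the hunk.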