aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2016-09-14 16:49:28 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2016-09-14 14:51:06 +0000
commitdf6821feaf2cf3c3da4a496525469ca67301d347 (patch)
treeab1ceb63a9f2d347c55a06d0530396a16ec10434
parent5dfc3609c83443f92ad4f2deb320e2e4e8a711bd (diff)
downloadaports-df6821feaf2cf3c3da4a496525469ca67301d347.tar.bz2
aports-df6821feaf2cf3c3da4a496525469ca67301d347.tar.xz
main/icu: Security fix (CVE-2016-6293)
fixes #6145
-rw-r--r--main/icu/APKBUILD16
-rw-r--r--main/icu/CVE-2015-1270.patch18
-rw-r--r--main/icu/CVE-2016-6293.patch232
3 files changed, 244 insertions, 22 deletions
diff --git a/main/icu/APKBUILD b/main/icu/APKBUILD
index 112f175338..a84f584f70 100644
--- a/main/icu/APKBUILD
+++ b/main/icu/APKBUILD
@@ -5,7 +5,7 @@ pkgver=57.1
# convert x.y.z to x_y_z
_ver=${pkgver//./_}
-pkgrel=0
+pkgrel=1
pkgdesc="International Components for Unicode library"
url="http://www.icu-project.org/"
arch="all"
@@ -15,8 +15,13 @@ depends=
makedepends=
source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz
icu-timezone.patch
+ CVE-2016-6293.patch
"
+# secfixes:
+# 57.1-r1:
+# - CVE-2016-6293
+
_builddir="$srcdir"/icu/source
prepare() {
@@ -68,8 +73,11 @@ libs() {
}
md5sums="976734806026a4ef8bdd17937c8898b9 icu4c-57_1-src.tgz
-2c81d9c9a6ea0af5b7391e001f37a5e0 icu-timezone.patch"
+2c81d9c9a6ea0af5b7391e001f37a5e0 icu-timezone.patch
+7e65666fd48718440d819748118834ba CVE-2016-6293.patch"
sha256sums="ff8c67cb65949b1e7808f2359f2b80f722697048e90e7cfc382ec1fe229e9581 icu4c-57_1-src.tgz
-1c3c432228ee254af7adc995d65b65a4c9dac3b868fe1e49fe588a0ffa55a158 icu-timezone.patch"
+1c3c432228ee254af7adc995d65b65a4c9dac3b868fe1e49fe588a0ffa55a158 icu-timezone.patch
+4b7322fa2d222bf20e74f8fb5d31f3ee44f214fc4b17e60dd89cc6252348435e CVE-2016-6293.patch"
sha512sums="a3c701e9c81622db545bcf93f315c7b13159750f43f009d0aec59ceae3a8e1ccb751826d4b8a7387aca47f38bff2a85816b1a123b07d2bf731558c7b66e47b8a icu4c-57_1-src.tgz
-40489c36e28e160f08e045acab6c19cdb712ad3b7f87f67099deac7d579aaf13d8841cd3278a6bb0e998b5c34a378348a13fcc8bb14c9c4eb4f6adbd10d66825 icu-timezone.patch"
+40489c36e28e160f08e045acab6c19cdb712ad3b7f87f67099deac7d579aaf13d8841cd3278a6bb0e998b5c34a378348a13fcc8bb14c9c4eb4f6adbd10d66825 icu-timezone.patch
+8fba91b583896c52c12a0c8327f12fb77826779e453f91752826143bfdd5d2a2abe8db9836cdb6e12bcd31b9c683c00163e7c787807209d2e87ee8558d6293fb CVE-2016-6293.patch"
diff --git a/main/icu/CVE-2015-1270.patch b/main/icu/CVE-2015-1270.patch
deleted file mode 100644
index 57e128f7b3..0000000000
--- a/main/icu/CVE-2015-1270.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Index: /icu/trunk/source/common/ucnv_io.cpp
-===================================================================
---- source/common/ucnv_io.cpp (revision 37485)
-+++ source/common/ucnv_io.cpp (revision 37486)
-@@ -2,5 +2,5 @@
- ******************************************************************************
- *
--* Copyright (C) 1999-2013, International Business Machines
-+* Copyright (C) 1999-2015, International Business Machines
- * Corporation and others. All Rights Reserved.
- *
-@@ -745,5 +745,5 @@
- * again. This behaviour is similar to how ICU4J does it.
- */
-- if (aliasTmp[0] == 'x' || aliasTmp[1] == '-') {
-+ if (aliasTmp[0] == 'x' && aliasTmp[1] == '-') {
- aliasTmp = aliasTmp+2;
- } else {
diff --git a/main/icu/CVE-2016-6293.patch b/main/icu/CVE-2016-6293.patch
new file mode 100644
index 0000000000..fc4562c1d0
--- /dev/null
+++ b/main/icu/CVE-2016-6293.patch
@@ -0,0 +1,232 @@
+Index: /icu/trunk/source/common/uloc.cpp
+===================================================================
+--- source/common/uloc.cpp (revision 39108)
++++ source/common/uloc.cpp (revision 39109)
+@@ -2249,5 +2249,5 @@
+ float q;
+ int32_t dummy; /* to avoid uninitialized memory copy from qsort */
+- char *locale;
++ char locale[ULOC_FULLNAME_CAPACITY+1];
+ } _acceptLangItem;
+
+@@ -2291,7 +2291,5 @@
+ UErrorCode *status)
+ {
+- _acceptLangItem *j;
+- _acceptLangItem smallBuffer[30];
+- char **strs;
++ MaybeStackArray<_acceptLangItem, 4> items; // Struct for collecting items.
+ char tmp[ULOC_FULLNAME_CAPACITY +1];
+ int32_t n = 0;
+@@ -2303,9 +2301,5 @@
+ int32_t i;
+ int32_t l = (int32_t)uprv_strlen(httpAcceptLanguage);
+- int32_t jSize;
+- char *tempstr; /* Use for null pointer check */
+-
+- j = smallBuffer;
+- jSize = UPRV_LENGTHOF(smallBuffer);
++
+ if(U_FAILURE(*status)) {
+ return -1;
+@@ -2335,25 +2329,27 @@
+ t++;
+ }
+- j[n].q = (float)_uloc_strtod(t,NULL);
++ items[n].q = (float)_uloc_strtod(t,NULL);
+ } else {
+ /* no semicolon - it's 1.0 */
+- j[n].q = 1.0f;
++ items[n].q = 1.0f;
+ paramEnd = itemEnd;
+ }
+- j[n].dummy=0;
++ items[n].dummy=0;
+ /* eat spaces prior to semi */
+ for(t=(paramEnd-1);(paramEnd>s)&&isspace(*t);t--)
+ ;
+- /* Check for null pointer from uprv_strndup */
+- tempstr = uprv_strndup(s,(int32_t)((t+1)-s));
+- if (tempstr == NULL) {
+- *status = U_MEMORY_ALLOCATION_ERROR;
+- return -1;
+- }
+- j[n].locale = tempstr;
+- uloc_canonicalize(j[n].locale,tmp,UPRV_LENGTHOF(tmp),status);
+- if(strcmp(j[n].locale,tmp)) {
+- uprv_free(j[n].locale);
+- j[n].locale=uprv_strdup(tmp);
++ int32_t slen = ((t+1)-s);
++ if(slen > ULOC_FULLNAME_CAPACITY) {
++ *status = U_BUFFER_OVERFLOW_ERROR;
++ return -1; // too big
++ }
++ uprv_strncpy(items[n].locale, s, slen);
++ items[n].locale[slen]=0; // terminate
++ int32_t clen = uloc_canonicalize(items[n].locale, tmp, UPRV_LENGTHOF(tmp)-1, status);
++ if(U_FAILURE(*status)) return -1;
++ if((clen!=slen) || (uprv_strncmp(items[n].locale, tmp, slen))) {
++ // canonicalization had an effect- copy back
++ uprv_strncpy(items[n].locale, tmp, clen);
++ items[n].locale[clen] = 0; // terminate
+ }
+ #if defined(ULOC_DEBUG)
+@@ -2365,42 +2361,18 @@
+ s++;
+ }
+- if(n>=jSize) {
+- if(j==smallBuffer) { /* overflowed the small buffer. */
+- j = static_cast<_acceptLangItem *>(uprv_malloc(sizeof(j[0])*(jSize*2)));
+- if(j!=NULL) {
+- uprv_memcpy(j,smallBuffer,sizeof(j[0])*jSize);
+- }
++ if(n>=items.getCapacity()) { // If we need more items
++ if(NULL == items.resize(items.getCapacity()*2, items.getCapacity())) {
++ *status = U_MEMORY_ALLOCATION_ERROR;
++ return -1;
++ }
+ #if defined(ULOC_DEBUG)
+- fprintf(stderr,"malloced at size %d\n", jSize);
++ fprintf(stderr,"malloced at size %d\n", items.getCapacity());
+ #endif
+- } else {
+- j = static_cast<_acceptLangItem *>(uprv_realloc(j, sizeof(j[0])*jSize*2));
+-#if defined(ULOC_DEBUG)
+- fprintf(stderr,"re-alloced at size %d\n", jSize);
+-#endif
+- }
+- jSize *= 2;
+- if(j==NULL) {
+- *status = U_MEMORY_ALLOCATION_ERROR;
+- return -1;
+- }
+- }
+- }
+- uprv_sortArray(j, n, sizeof(j[0]), uloc_acceptLanguageCompare, NULL, TRUE, status);
++ }
++ }
++ uprv_sortArray(items.getAlias(), n, sizeof(items[0]), uloc_acceptLanguageCompare, NULL, TRUE, status);
++ LocalArray<const char*> strs(new const char*[n], *status);
+ if(U_FAILURE(*status)) {
+- if(j != smallBuffer) {
+-#if defined(ULOC_DEBUG)
+- fprintf(stderr,"freeing j %p\n", j);
+-#endif
+- uprv_free(j);
+- }
+- return -1;
+- }
+- strs = static_cast<char **>(uprv_malloc((size_t)(sizeof(strs[0])*n)));
+- /* Check for null pointer */
+- if (strs == NULL) {
+- uprv_free(j); /* Free to avoid memory leak */
+- *status = U_MEMORY_ALLOCATION_ERROR;
+- return -1;
++ return -1;
+ }
+ for(i=0;i<n;i++) {
+@@ -2408,18 +2380,8 @@
+ /*fprintf(stderr,"%d: s <%s> q <%g>\n", i, j[i].locale, j[i].q);*/
+ #endif
+- strs[i]=j[i].locale;
++ strs[i]=items[i].locale;
+ }
+ res = uloc_acceptLanguage(result, resultAvailable, outResult,
+- (const char**)strs, n, availableLocales, status);
+- for(i=0;i<n;i++) {
+- uprv_free(strs[i]);
+- }
+- uprv_free(strs);
+- if(j != smallBuffer) {
+-#if defined(ULOC_DEBUG)
+- fprintf(stderr,"freeing j %p\n", j);
+-#endif
+- uprv_free(j);
+- }
++ strs.getAlias(), n, availableLocales, status);
+ return res;
+ }
+Index: /icu/trunk/source/test/cintltst/cloctst.c
+===================================================================
+--- source/test/cintltst/cloctst.c (revision 39108)
++++ source/test/cintltst/cloctst.c (revision 39109)
+@@ -2778,14 +2778,18 @@
+ const char *expect; /**< The expected locale result */
+ UAcceptResult res; /**< The expected error code */
++ UErrorCode expectStatus; /**< expected status */
+ } tests[] = {
+- /*0*/{ 0, NULL, "mt_MT", ULOC_ACCEPT_VALID },
+- /*1*/{ 1, NULL, "en", ULOC_ACCEPT_VALID },
+- /*2*/{ 2, NULL, "en", ULOC_ACCEPT_FALLBACK },
+- /*3*/{ 3, NULL, "", ULOC_ACCEPT_FAILED },
+- /*4*/{ 4, NULL, "es", ULOC_ACCEPT_VALID },
+-
+- /*5*/{ 5, NULL, "en", ULOC_ACCEPT_VALID }, /* XF */
+- /*6*/{ 6, NULL, "ja", ULOC_ACCEPT_FALLBACK }, /* XF */
+- /*7*/{ 7, NULL, "zh", ULOC_ACCEPT_FALLBACK }, /* XF */
++ /*0*/{ 0, NULL, "mt_MT", ULOC_ACCEPT_VALID, U_ZERO_ERROR},
++ /*1*/{ 1, NULL, "en", ULOC_ACCEPT_VALID, U_ZERO_ERROR},
++ /*2*/{ 2, NULL, "en", ULOC_ACCEPT_FALLBACK, U_ZERO_ERROR},
++ /*3*/{ 3, NULL, "", ULOC_ACCEPT_FAILED, U_ZERO_ERROR},
++ /*4*/{ 4, NULL, "es", ULOC_ACCEPT_VALID, U_ZERO_ERROR},
++ /*5*/{ 5, NULL, "en", ULOC_ACCEPT_VALID, U_ZERO_ERROR}, /* XF */
++ /*6*/{ 6, NULL, "ja", ULOC_ACCEPT_FALLBACK, U_ZERO_ERROR}, /* XF */
++ /*7*/{ 7, NULL, "zh", ULOC_ACCEPT_FALLBACK, U_ZERO_ERROR}, /* XF */
++ /*8*/{ 8, NULL, "", ULOC_ACCEPT_FAILED, U_ZERO_ERROR }, /* */
++ /*9*/{ 9, NULL, "", ULOC_ACCEPT_FAILED, U_ZERO_ERROR }, /* */
++ /*10*/{10, NULL, "", ULOC_ACCEPT_FAILED, U_BUFFER_OVERFLOW_ERROR }, /* */
++ /*11*/{11, NULL, "", ULOC_ACCEPT_FAILED, U_BUFFER_OVERFLOW_ERROR }, /* */
+ };
+ const int32_t numTests = UPRV_LENGTHOF(tests);
+@@ -2803,8 +2807,23 @@
+ "xxx-yyy;q=.01, xxx-yyy;q=.01, xxx-yyy;q=.01, xx-yy;q=.1, "
+ "es",
+-
+ /*5*/ "zh-xx;q=0.9, en;q=0.6",
+ /*6*/ "ja-JA",
+ /*7*/ "zh-xx;q=0.9",
++ /*08*/ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", // 156
++ /*09*/ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB", // 157 (this hits U_STRING_NOT_TERMINATED_WARNING )
++ /*10*/ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABC", // 158
++ /*11*/ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", // 163 bytes
+ };
+
+@@ -2821,5 +2840,9 @@
+ uenum_close(available);
+ log_verbose(" got %s, %s [%s]\n", tmp[0]?tmp:"(EMPTY)", acceptResult(outResult), u_errorName(status));
+- if(outResult != tests[i].res) {
++ if(status != tests[i].expectStatus) {
++ log_err_status(status, "FAIL: expected status %s but got %s\n", u_errorName(tests[i].expectStatus), u_errorName(status));
++ } else if(U_SUCCESS(tests[i].expectStatus)) {
++ /* don't check content if expected failure */
++ if(outResult != tests[i].res) {
+ log_err_status(status, "FAIL: #%d: expected outResult of %s but got %s\n", i,
+ acceptResult( tests[i].res),
+@@ -2827,9 +2850,10 @@
+ log_info("test #%d: http[%s], ICU[%s], expect %s, %s\n",
+ i, http[tests[i].httpSet], tests[i].icuSet, tests[i].expect,acceptResult(tests[i].res));
+- }
+- if((outResult>0)&&uprv_strcmp(tmp, tests[i].expect)) {
+- log_err_status(status, "FAIL: #%d: expected %s but got %s\n", i, tests[i].expect, tmp);
+- log_info("test #%d: http[%s], ICU[%s], expect %s, %s\n",
+- i, http[tests[i].httpSet], tests[i].icuSet, tests[i].expect, acceptResult(tests[i].res));
++ }
++ if((outResult>0)&&uprv_strcmp(tmp, tests[i].expect)) {
++ log_err_status(status, "FAIL: #%d: expected %s but got %s\n", i, tests[i].expect, tmp);
++ log_info("test #%d: http[%s], ICU[%s], expect %s, %s\n",
++ i, http[tests[i].httpSet], tests[i].icuSet, tests[i].expect, acceptResult(tests[i].res));
++ }
+ }
+ }