diff options
author | bsiegert <bsiegert@pkgsrc.org> | 2019-02-16 11:43:16 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2019-02-16 11:43:16 +0000 |
commit | 77110ff51f7d73efa28948d5b77b4783ab545ba5 (patch) | |
tree | 73a5824ef17f9553a289d5ab041f9de319ccb4e6 | |
parent | ee567dd5f7e98d41278c5285a7eb8920b74718b7 (diff) | |
download | pkgsrc-77110ff51f7d73efa28948d5b77b4783ab545ba5.tar.gz |
Pullup ticket #5909 - requested by spz
textproc/icu: security fix
Revisions pulled up:
- textproc/icu/Makefile 1.121
- textproc/icu/distinfo 1.81
- textproc/icu/patches/patch-CVE-2018-18928 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Wed Feb 13 20:51:57 UTC 2019
Modified Files:
pkgsrc/textproc/icu: Makefile distinfo
Added Files:
pkgsrc/textproc/icu/patches: patch-CVE-2018-18928
Log Message:
add patch for CVE-2018-18928 from upstream
-rw-r--r-- | textproc/icu/Makefile | 4 | ||||
-rw-r--r-- | textproc/icu/distinfo | 3 | ||||
-rw-r--r-- | textproc/icu/patches/patch-CVE-2018-18928 | 49 |
3 files changed, 53 insertions, 3 deletions
diff --git a/textproc/icu/Makefile b/textproc/icu/Makefile index 479e65ce92b..0bff0667f30 100644 --- a/textproc/icu/Makefile +++ b/textproc/icu/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.120 2018/12/18 15:23:07 kamil Exp $ +# $NetBSD: Makefile,v 1.120.2.1 2019/02/16 11:43:16 bsiegert Exp $ DISTNAME= icu4c-63_1-src PKGNAME= ${DISTNAME:S/4c//:S/-src//:S/_/./g} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= textproc MASTER_SITES= http://download.icu-project.org/files/icu4c/${PKGVERSION_NOREV}/ EXTRACT_SUFX= .tgz diff --git a/textproc/icu/distinfo b/textproc/icu/distinfo index 34441bf2d59..abe261301b7 100644 --- a/textproc/icu/distinfo +++ b/textproc/icu/distinfo @@ -1,9 +1,10 @@ -$NetBSD: distinfo,v 1.80 2018/12/11 10:15:55 abs Exp $ +$NetBSD: distinfo,v 1.80.2.1 2019/02/16 11:43:16 bsiegert Exp $ SHA1 (icu4c-63_1-src.tgz) = ad523232f19af1c698c6489f8e15f7e9824f1662 RMD160 (icu4c-63_1-src.tgz) = 5c895a6e2b135978df59e135ed772747aec0065f SHA512 (icu4c-63_1-src.tgz) = 9ab407ed840a00cdda7470dcc4c40299a125ad246ae4d019c4b1ede54781157fd63af015a8228cd95dbc47e4d15a0932b2c657489046a19788e5e8266eac079c Size (icu4c-63_1-src.tgz) = 23746939 bytes +SHA1 (patch-CVE-2018-18928) = 74e8248c215bcb5ca98a63d161dc5516531a83b3 SHA1 (patch-Makefile.in) = 67440d3af9b62b8c0be258c490255ba17f778ab4 SHA1 (patch-acinclude.m4) = f7de1a16aad0ca77c4bbc457ba76b6171199ce09 SHA1 (patch-common_putil.cpp) = 6aa70b8698d663d3c798bafd9010a824c9609c20 diff --git a/textproc/icu/patches/patch-CVE-2018-18928 b/textproc/icu/patches/patch-CVE-2018-18928 new file mode 100644 index 00000000000..f460a04828e --- /dev/null +++ b/textproc/icu/patches/patch-CVE-2018-18928 @@ -0,0 +1,49 @@ +$NetBSD: patch-CVE-2018-18928,v 1.1.2.2 2019/02/16 11:43:16 bsiegert Exp $ + +fix for CVE-2018-18928 from +https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51 + +--- i18n/fmtable.cpp.orig 2018-09-29 00:34:42.000000000 +0000 ++++ i18n/fmtable.cpp +@@ -734,7 +734,7 @@ CharString *Formattable::internalGetChar + // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?). + if (fDecimalQuantity->isZero()) { + fDecimalStr->append("0", -1, status); +- } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) { ++ } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) { + fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status); + } else { + fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status); + +--- i18n/number_decimalquantity.cpp.orig 2018-10-01 22:39:56.000000000 +0000 ++++ i18n/number_decimalquantity.cpp +@@ -820,7 +820,10 @@ UnicodeString DecimalQuantity::toScienti + } + result.append(u'E'); + int32_t _scale = upperPos + scale; +- if (_scale < 0) { ++ if (_scale == INT32_MIN) { ++ result.append({u"-2147483648", -1}); ++ return result; ++ } else if (_scale < 0) { + _scale *= -1; + result.append(u'-'); + } else { + +--- test/intltest/numfmtst.cpp.orig 2018-10-01 22:39:56.000000000 +0000 ++++ test/intltest/numfmtst.cpp +@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_Scienti + assertEquals(u"Should not overflow and should parse only the first exponent", + u"1E-2147483647", + {sp.data(), sp.length(), US_INV}); ++ ++ // Test edge case overflow of exponent ++ result = Formattable(); ++ nf->parse(u".0003e-2147483644", result, status); ++ sp = result.getDecimalNumber(status); ++ assertEquals(u"Should not overflow", ++ u"3E-2147483648", ++ {sp.data(), sp.length(), US_INV}); + } + + void NumberFormatTest::Test13840_ParseLongStringCrash() { |