Pullup ticket #5909 - requested by spz

textproc/icu: security fix Revisions pulled up: - textproc/icu/Makefile 1.121 - textproc/icu/distinfo 1.81 - textproc/icu/patches/patch-CVE-2018-18928 1.1 --- Module Name: pkgsrc Committed By: spz Date: Wed Feb 13 20:51:57 UTC 2019 Modified Files: pkgsrc/textproc/icu: Makefile distinfo Added Files: pkgsrc/textproc/icu/patches: patch-CVE-2018-18928 Log Message: add patch for CVE-2018-18928 from upstream
author: bsiegert <bsiegert@pkgsrc.org> 2019-02-16 11:43:16 +0000
committer: bsiegert <bsiegert@pkgsrc.org> 2019-02-16 11:43:16 +0000
commit: 77110ff51f7d73efa28948d5b77b4783ab545ba5 (patch)
tree: 73a5824ef17f9553a289d5ab041f9de319ccb4e6
parent: ee567dd5f7e98d41278c5285a7eb8920b74718b7 (diff)
download: pkgsrc-77110ff51f7d73efa28948d5b77b4783ab545ba5.tar.gz
3 files changed, 53 insertions, 3 deletions
diff --git a/textproc/icu/Makefile b/textproc/icu/Makefile
index 479e65ce92b..0bff0667f30 100644
--- a/textproc/icu/Makefile
+++ b/textproc/icu/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.120 2018/12/18 15:23:07 kamil Exp $
+# $NetBSD: Makefile,v 1.120.2.1 2019/02/16 11:43:16 bsiegert Exp $
 
 DISTNAME=	icu4c-63_1-src
 PKGNAME=	${DISTNAME:S/4c//:S/-src//:S/_/./g}
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	textproc
 MASTER_SITES=	http://download.icu-project.org/files/icu4c/${PKGVERSION_NOREV}/
 EXTRACT_SUFX=	.tgz
diff --git a/textproc/icu/distinfo b/textproc/icu/distinfo
index 34441bf2d59..abe261301b7 100644
--- a/textproc/icu/distinfo
+++ b/textproc/icu/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.80 2018/12/11 10:15:55 abs Exp $
+$NetBSD: distinfo,v 1.80.2.1 2019/02/16 11:43:16 bsiegert Exp $
 
 SHA1 (icu4c-63_1-src.tgz) = ad523232f19af1c698c6489f8e15f7e9824f1662
 RMD160 (icu4c-63_1-src.tgz) = 5c895a6e2b135978df59e135ed772747aec0065f
 SHA512 (icu4c-63_1-src.tgz) = 9ab407ed840a00cdda7470dcc4c40299a125ad246ae4d019c4b1ede54781157fd63af015a8228cd95dbc47e4d15a0932b2c657489046a19788e5e8266eac079c
 Size (icu4c-63_1-src.tgz) = 23746939 bytes
+SHA1 (patch-CVE-2018-18928) = 74e8248c215bcb5ca98a63d161dc5516531a83b3
 SHA1 (patch-Makefile.in) = 67440d3af9b62b8c0be258c490255ba17f778ab4
 SHA1 (patch-acinclude.m4) = f7de1a16aad0ca77c4bbc457ba76b6171199ce09
 SHA1 (patch-common_putil.cpp) = 6aa70b8698d663d3c798bafd9010a824c9609c20
diff --git a/textproc/icu/patches/patch-CVE-2018-18928 b/textproc/icu/patches/patch-CVE-2018-18928
new file mode 100644
index 00000000000..f460a04828e
--- /dev/null
+++ b/textproc/icu/patches/patch-CVE-2018-18928
@@ -0,0 +1,49 @@
+$NetBSD: patch-CVE-2018-18928,v 1.1.2.2 2019/02/16 11:43:16 bsiegert Exp $
+
+fix for CVE-2018-18928 from
+https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51
+
+--- i18n/fmtable.cpp.orig	2018-09-29 00:34:42.000000000 +0000
++++ i18n/fmtable.cpp
+@@ -734,7 +734,7 @@ CharString *Formattable::internalGetChar
+       // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
+       if (fDecimalQuantity->isZero()) {
+         fDecimalStr->append("0", -1, status);
+-      } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
++      } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+         fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
+       } else {
+         fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
+
+--- i18n/number_decimalquantity.cpp.orig	2018-10-01 22:39:56.000000000 +0000
++++ i18n/number_decimalquantity.cpp
+@@ -820,7 +820,10 @@ UnicodeString DecimalQuantity::toScienti
+     }
+     result.append(u'E');
+     int32_t _scale = upperPos + scale;
+-    if (_scale < 0) {
++    if (_scale == INT32_MIN) {
++        result.append({u"-2147483648", -1});
++        return result;
++    } else if (_scale < 0) {
+         _scale *= -1;
+         result.append(u'-');
+     } else {
+
+--- test/intltest/numfmtst.cpp.orig	2018-10-01 22:39:56.000000000 +0000
++++ test/intltest/numfmtst.cpp
+@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_Scienti
+     assertEquals(u"Should not overflow and should parse only the first exponent",
+                  u"1E-2147483647",
+                  {sp.data(), sp.length(), US_INV});
++
++    // Test edge case overflow of exponent
++    result = Formattable();
++    nf->parse(u".0003e-2147483644", result, status);
++    sp = result.getDecimalNumber(status);
++    assertEquals(u"Should not overflow",
++                 u"3E-2147483648",
++                 {sp.data(), sp.length(), US_INV});
+ }
+ 
+ void NumberFormatTest::Test13840_ParseLongStringCrash() {
author	bsiegert <bsiegert@pkgsrc.org>	2019-02-16 11:43:16 +0000
committer	bsiegert <bsiegert@pkgsrc.org>	2019-02-16 11:43:16 +0000
commit	77110ff51f7d73efa28948d5b77b4783ab545ba5 (patch)
tree	73a5824ef17f9553a289d5ab041f9de319ccb4e6
parent	ee567dd5f7e98d41278c5285a7eb8920b74718b7 (diff)
download	pkgsrc-77110ff51f7d73efa28948d5b77b4783ab545ba5.tar.gz