authordrochner <drochner@pkgsrc.org>2013-02-05 18:49:05 +0000
committerdrochner <drochner@pkgsrc.org>2013-02-05 18:49:05 +0000
commit7c015f606f0b575d6bdfb8614212599bec04629a (patch)
tree7ff8c8f351df6f4a0f089f44c4d6bf4163348270 /meta-pkgs
parente71de818e44cdbdc3b7805fa9a7ecc7b04419fa9 (diff)
downloadpkgsrc-7c015f606f0b575d6bdfb8614212599bec04629a.tar.gz
add patch from upstream to fix insufficient validation of UTF-8 strings
which is considered a security problem; bump PKGREV for the affected header, didn't check yet where this header is compiled into (boost-1.53 is out, just added the patch for a possible pullup)
Diffstat (limited to 'meta-pkgs')
-rw-r--r--meta-pkgs/boost/distinfo4
-rw-r--r--meta-pkgs/boost/patches/patch-CVE-2013-0252_129
-rw-r--r--meta-pkgs/boost/patches/patch-CVE-2013-0252_225
3 files changed, 57 insertions, 1 deletions
diff --git a/meta-pkgs/boost/distinfo b/meta-pkgs/boost/distinfo
index 2ee9f5413da..9321ab78987 100644
--- a/meta-pkgs/boost/distinfo
+++ b/meta-pkgs/boost/distinfo
@@ -1,8 +1,10 @@
-$NetBSD: distinfo,v 1.55 2013/01/24 22:54:49 riz Exp $
+$NetBSD: distinfo,v 1.56 2013/02/05 18:49:05 drochner Exp $
SHA1 (boost_1_52_0.tar.bz2) = cddd6b4526a09152ddc5db856463eaa1dc29c5d9
RMD160 (boost_1_52_0.tar.bz2) = 94f72f4553a88495f2052029fb2e90cf8366e75d
Size (boost_1_52_0.tar.bz2) = 54421709 bytes
+SHA1 (patch-CVE-2013-0252_1) = a6e50a3c3c5478d14c44f7c4fcf5838f50a8049a
+SHA1 (patch-CVE-2013-0252_2) = cd1ffc46d9d5351d62aca749888e0a9229d4f2d0
SHA1 (patch-aa) = 408a63a807aaa491130db018cd89bca6a427090d
SHA1 (patch-ab) = f1c95ae229465a4d2da76ce6ff88d76ace52fdd8
SHA1 (patch-ac) = 5ecd12564259e4ad9d439990e198b889762ec733
diff --git a/meta-pkgs/boost/patches/patch-CVE-2013-0252_1 b/meta-pkgs/boost/patches/patch-CVE-2013-0252_1
new file mode 100644
index 00000000000..064b33978f6
--- /dev/null
+++ b/meta-pkgs/boost/patches/patch-CVE-2013-0252_1
@@ -0,0 +1,29 @@
+$NetBSD: patch-CVE-2013-0252_1,v 1.1 2013/02/05 18:49:05 drochner Exp $
+
+https://svn.boost.org/trac/boost/ticket/7743
+
+--- boost/locale/utf.hpp.orig 2012-05-02 13:49:25.000000000 +0000
++++ boost/locale/utf.hpp
+@@ -219,16 +219,22 @@ namespace utf {
+ if(BOOST_LOCALE_UNLIKELY(p==e))
+ return incomplete;
+ tmp = *p++;
++ if (!is_trail(tmp))
++ return illegal;
+ c = (c << 6) | ( tmp & 0x3F);
+ case 2:
+ if(BOOST_LOCALE_UNLIKELY(p==e))
+ return incomplete;
+ tmp = *p++;
++ if (!is_trail(tmp))
++ return illegal;
+ c = (c << 6) | ( tmp & 0x3F);
+ case 1:
+ if(BOOST_LOCALE_UNLIKELY(p==e))
+ return incomplete;
+ tmp = *p++;
++ if (!is_trail(tmp))
++ return illegal;
+ c = (c << 6) | ( tmp & 0x3F);
+ }
+
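Review bot: Each added `is_trail` check runs after `tmp = *p++`, so by the time `illegal` is returned the offending byte has already been consumed. If a caller skips illegal sequences and resumes at `p` (callers are not visible here, so this is an inference), an ASCII byte following a truncated lead byte, such as a quote or delimiter, would be silently dropped from the output. Testing before advancing, with `if (!is_trail(*p)) return illegal;` placed ahead of `tmp = *p++;` in each of the three places, would leave that byte to be decoded as the start of the next sequence. The `case` labels fall through on purpose, and a short comment saying so would help the next reader. The enclosing decode function begins and ends outside the hunk, so the overlong-form and code-point range checks cannot be confirmed from here.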
diff --git a/meta-pkgs/boost/patches/patch-CVE-2013-0252_2 b/meta-pkgs/boost/patches/patch-CVE-2013-0252_2
new file mode 100644
index 00000000000..cfe88b1f213
--- /dev/null
+++ b/meta-pkgs/boost/patches/patch-CVE-2013-0252_2
@@ -0,0 +1,25 @@
+$NetBSD: patch-CVE-2013-0252_2,v 1.1 2013/02/05 18:49:05 drochner Exp $
+
+--- libs/locale/test/test_codepage_converter.cpp.orig 2011-08-15 19:04:34.000000000 +0000
++++ libs/locale/test/test_codepage_converter.cpp
+@@ -140,6 +140,20 @@ int main()
+ TEST_TO("\xf8\x90\x80\x80\x80",illegal); // 400 0000
+ TEST_TO("\xfd\xbf\xbf\xbf\xbf\xbf",illegal); // 7fff ffff
+
++ std::cout << "-- Invalid trail" << std::endl;
++ TEST_TO("\xC2\x7F",illegal);
++ TEST_TO("\xdf\x7F",illegal);
++ TEST_TO("\xe0\x7F\x80",illegal);
++ TEST_TO("\xef\xbf\x7F",illegal);
++ TEST_TO("\xe0\x7F\x80",illegal);
++ TEST_TO("\xef\xbf\x7F",illegal);
++ TEST_TO("\xf0\x7F\x80\x80",illegal);
++ TEST_TO("\xf4\x7f\xbf\xbf",illegal);
++ TEST_TO("\xf0\x90\x7F\x80",illegal);
++ TEST_TO("\xf4\x8f\x7F\xbf",illegal);
++ TEST_TO("\xf0\x90\x80\x7F",illegal);
++ TEST_TO("\xf4\x8f\xbf\x7F",illegal);
++
+ std::cout << "-- Invalid length" << std::endl;
+
+ /// Test that this actually works
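Review bot: The new "Invalid trail" vectors all use 0x7F as the bad byte, so they cover only the lower edge of the continuation range (0x80–0xBF); a byte at or above 0xC0 in a trail position is never exercised. Adding constructed cases such as `TEST_TO("\xC2\xC0",illegal);` and `TEST_TO("\xe0\xa0\xC0",illegal);` would pin both sides of the added `is_trail` check. The lines `TEST_TO("\xe0\x7F\x80",illegal);` and `TEST_TO("\xef\xbf\x7F",illegal);` also appear twice in a row, which looks like a copy-paste where other three-byte vectors were intended. `main` starts and ends outside the hunk.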