diff options
author | drochner <drochner> | 2008-03-20 17:07:54 +0000 |
---|---|---|
committer | drochner <drochner> | 2008-03-20 17:07:54 +0000 |
commit | e49e7f2b2aa31a41419b7651b56bff20ca0c3d3f (patch) | |
tree | 1df9dd1aef8e3ec37b83c97cec7949f6d6d46b79 /textproc/icu | |
parent | 6080de2621995522f9b4200e2dd5e6fd7d771b5f (diff) | |
download | pkgsrc-e49e7f2b2aa31a41419b7651b56bff20ca0c3d3f.tar.gz |
fix RE vulnerabilities (CVE-2007-(4770|4771)), patch from redhat
via Gentoo bug #208001,
bump PKGREVISION
Diffstat (limited to 'textproc/icu')
-rw-r--r-- | textproc/icu/Makefile | 4 | ||||
-rw-r--r-- | textproc/icu/distinfo | 8 | ||||
-rw-r--r-- | textproc/icu/patches/patch-ba | 89 | ||||
-rw-r--r-- | textproc/icu/patches/patch-bb | 47 | ||||
-rw-r--r-- | textproc/icu/patches/patch-bc | 28 | ||||
-rw-r--r-- | textproc/icu/patches/patch-bd | 81 | ||||
-rw-r--r-- | textproc/icu/patches/patch-be | 56 | ||||
-rw-r--r-- | textproc/icu/patches/patch-bf | 12 |
8 files changed, 322 insertions, 3 deletions
diff --git a/textproc/icu/Makefile b/textproc/icu/Makefile index 0c8d83341d3..11ed8c22020 100644 --- a/textproc/icu/Makefile +++ b/textproc/icu/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.53 2007/03/31 15:36:57 obache Exp $ +# $NetBSD: Makefile,v 1.54 2008/03/20 17:07:54 drochner Exp $ # DISTNAME= icu4c-3_6-src PKGNAME= icu-3.6 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= textproc MASTER_SITES= ftp://ftp.software.ibm.com/software/globalization/icu/${PKGVERSION}/ EXTRACT_SUFX= .tgz diff --git a/textproc/icu/distinfo b/textproc/icu/distinfo index c71265cbe98..e771c1a2bfe 100644 --- a/textproc/icu/distinfo +++ b/textproc/icu/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.14 2007/03/23 12:51:13 recht Exp $ +$NetBSD: distinfo,v 1.15 2008/03/20 17:07:54 drochner Exp $ SHA1 (icu4c-3_6-src.tgz) = b580c2802e74eb6af7e5e19b05c7d7c5d8c623f9 RMD160 (icu4c-3_6-src.tgz) = b227ac9ff6019362bc4d01c18433869b0e0ff1c2 @@ -7,3 +7,9 @@ SHA1 (patch-aa) = b7299b3aac54410cb686980788dd0b6b435ae069 SHA1 (patch-ab) = 32d2aeb38ed84352751d0f3d8db5d8b433ef03e4 SHA1 (patch-ae) = 69caf7c0c226a0b45158a9620f045e943f00b820 SHA1 (patch-af) = df50984a17111a69c517b26f303866f2d384e857 +SHA1 (patch-ba) = d22f39715b85fe73654b644237d1956091fb26e8 +SHA1 (patch-bb) = 57683caee8c4bb2743332847f78566d5a3934e80 +SHA1 (patch-bc) = 9fd76fb53c7a464883fe5cc21ffbc5b5ac117711 +SHA1 (patch-bd) = 197017d9fb0a6a542e567cfae4512bc38a25ff79 +SHA1 (patch-be) = 9cb76ab05393b8d698c2b77b58b3db6c7b0b199c +SHA1 (patch-bf) = d03b55651686aeab965747c400753c8b7b643d80 diff --git a/textproc/icu/patches/patch-ba b/textproc/icu/patches/patch-ba new file mode 100644 index 00000000000..064e925508a --- /dev/null +++ b/textproc/icu/patches/patch-ba @@ -0,0 +1,89 @@ +$NetBSD: patch-ba,v 1.1 2008/03/20 17:07:54 drochner Exp $ + +--- common/uvectr32.cpp.orig 2003-08-27 03:01:30.000000000 +0200 ++++ common/uvectr32.cpp +@@ -1,6 +1,6 @@ + /* + ****************************************************************************** +-* Copyright (C) 1999-2003, International Business Machines Corporation and * ++* Copyright (C) 1999-2008, International Business Machines Corporation and * + * others. All Rights Reserved. * + ****************************************************************************** + * Date Name Description +@@ -26,6 +26,7 @@ UOBJECT_DEFINE_RTTI_IMPLEMENTATION(UVect + UVector32::UVector32(UErrorCode &status) : + count(0), + capacity(0), ++ maxCapacity(0), + elements(NULL) + { + _init(DEFUALT_CAPACITY, status); +@@ -34,6 +35,7 @@ UVector32::UVector32(UErrorCode &status) + UVector32::UVector32(int32_t initialCapacity, UErrorCode &status) : + count(0), + capacity(0), ++ maxCapacity(0), + elements(0) + { + _init(initialCapacity, status); +@@ -46,6 +48,9 @@ void UVector32::_init(int32_t initialCap + if (initialCapacity < 1) { + initialCapacity = DEFUALT_CAPACITY; + } ++ if (maxCapacity>0 && maxCapacity<initialCapacity) { ++ initialCapacity = maxCapacity; ++ } + elements = (int32_t *)uprv_malloc(sizeof(int32_t)*initialCapacity); + if (elements == 0) { + status = U_MEMORY_ALLOCATION_ERROR; +@@ -189,21 +194,35 @@ int32_t UVector32::indexOf(int32_t key, + UBool UVector32::expandCapacity(int32_t minimumCapacity, UErrorCode &status) { + if (capacity >= minimumCapacity) { + return TRUE; +- } else { +- int32_t newCap = capacity * 2; +- if (newCap < minimumCapacity) { +- newCap = minimumCapacity; +- } +- int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap); +- if (newElems == 0) { +- status = U_MEMORY_ALLOCATION_ERROR; +- return FALSE; +- } +- uprv_memcpy(newElems, elements, sizeof(elements[0]) * count); +- uprv_free(elements); +- elements = newElems; +- capacity = newCap; +- return TRUE; ++ } ++ if (maxCapacity>0 && minimumCapacity>maxCapacity) { ++ status = U_BUFFER_OVERFLOW_ERROR; ++ return FALSE; ++ } ++ int32_t newCap = capacity * 2; ++ if (newCap < minimumCapacity) { ++ newCap = minimumCapacity; ++ } ++ if (maxCapacity > 0 && newCap > maxCapacity) { ++ newCap = maxCapacity; ++ } ++ int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap); ++ if (newElems == 0) { ++ status = U_MEMORY_ALLOCATION_ERROR; ++ return FALSE; ++ } ++ uprv_memcpy(newElems, elements, sizeof(elements[0]) * count); ++ uprv_free(elements); ++ elements = newElems; ++ capacity = newCap; ++ return TRUE; ++} ++ ++void UVector32::setMaxCapacity(int32_t limit) { ++ U_ASSERT(limit >= 0); ++ maxCapacity = limit; ++ if (maxCapacity < 0) { ++ maxCapacity = 0; + } + } + diff --git a/textproc/icu/patches/patch-bb b/textproc/icu/patches/patch-bb new file mode 100644 index 00000000000..6afdd72306c --- /dev/null +++ b/textproc/icu/patches/patch-bb @@ -0,0 +1,47 @@ +$NetBSD: patch-bb,v 1.1 2008/03/20 17:07:54 drochner Exp $ + +--- common/uvectr32.h.orig 2006-01-18 04:52:04.000000000 +0100 ++++ common/uvectr32.h +@@ -1,6 +1,6 @@ + /* + ********************************************************************** +-* Copyright (C) 1999-2006, International Business Machines ++* Copyright (C) 1999-2008, International Business Machines + * Corporation and others. All Rights Reserved. + ********************************************************************** + */ +@@ -61,6 +61,8 @@ private: + int32_t count; + + int32_t capacity; ++ ++ int32_t maxCapacity; // Limit beyond which capacity is not permitted to grow. + + int32_t* elements; + +@@ -162,6 +164,14 @@ public: + int32_t *getBuffer() const; + + /** ++ * Set the maximum allowed buffer capacity for this vector/stack. ++ * Default with no limit set is unlimited, go until malloc() fails. ++ * A Limit of zero means unlimited capacity. ++ * Units are vector elements (32 bits each), not bytes. ++ */ ++ void setMaxCapacity(int32_t limit); ++ ++ /** + * ICU "poor man's RTTI", returns a UClassID for this class. + */ + static UClassID U_EXPORT2 getStaticClassID(); +@@ -221,7 +231,9 @@ inline void UVector32::addElement(int32_ + } + + inline int32_t *UVector32::reserveBlock(int32_t size, UErrorCode &status) { +- ensureCapacity(count+size, status); ++ if (ensureCapacity(count+size, status) == FALSE) { ++ return NULL; ++ } + int32_t *rp = elements+count; + count += size; + return rp; diff --git a/textproc/icu/patches/patch-bc b/textproc/icu/patches/patch-bc new file mode 100644 index 00000000000..1798d18abcb --- /dev/null +++ b/textproc/icu/patches/patch-bc @@ -0,0 +1,28 @@ +$NetBSD: patch-bc,v 1.1 2008/03/20 17:07:54 drochner Exp $ + +--- i18n/regexcmp.cpp.orig 2006-02-02 05:37:14.000000000 +0100 ++++ i18n/regexcmp.cpp +@@ -1187,14 +1187,17 @@ UBool RegexCompile::doParseActions(EPars + // Because capture groups can be forward-referenced by back-references, + // we fill the operand with the capture group number. At the end + // of compilation, it will be changed to the variable's location. +- U_ASSERT(groupNum > 0); +- int32_t op; +- if (fModeFlags & UREGEX_CASE_INSENSITIVE) { +- op = URX_BUILD(URX_BACKREF_I, groupNum); ++ if (groupNum < 1) { ++ error(U_REGEX_INVALID_BACK_REF); + } else { +- op = URX_BUILD(URX_BACKREF, groupNum); ++ int32_t op; ++ if (fModeFlags & UREGEX_CASE_INSENSITIVE) { ++ op = URX_BUILD(URX_BACKREF_I, groupNum); ++ } else { ++ op = URX_BUILD(URX_BACKREF, groupNum); ++ } ++ fRXPat->fCompiledPat->addElement(op, *fStatus); + } +- fRXPat->fCompiledPat->addElement(op, *fStatus); + } + break; + diff --git a/textproc/icu/patches/patch-bd b/textproc/icu/patches/patch-bd new file mode 100644 index 00000000000..b4193efbf2a --- /dev/null +++ b/textproc/icu/patches/patch-bd @@ -0,0 +1,81 @@ +$NetBSD: patch-bd,v 1.1 2008/03/20 17:07:54 drochner Exp $ + +--- i18n/rematch.cpp.orig 2005-08-25 20:02:20.000000000 +0200 ++++ i18n/rematch.cpp +@@ -30,6 +30,15 @@ + + U_NAMESPACE_BEGIN + ++// Limit the size of the back track stack, to avoid system failures caused ++// by heap exhaustion. Units are in 32 bit words, not bytes. ++// This value puts ICU's limits higher than most other regexp implementations, ++// which use recursion rather than the heap, and take more storage per ++// backtrack point. ++// This constant is _temporary_. Proper API to control the value will added. ++// ++static const int32_t BACKTRACK_STACK_CAPACITY = 8000000; ++ + //----------------------------------------------------------------------------- + // + // Constructor and Destructor +@@ -53,6 +62,8 @@ RegexMatcher::RegexMatcher(const RegexPa + } + if (fStack == NULL || fData == NULL) { + fDeferredStatus = U_MEMORY_ALLOCATION_ERROR; ++ } else { ++ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY); + } + + reset(*RegexStaticSets::gStaticSets->fEmptyString); +@@ -78,6 +89,8 @@ RegexMatcher::RegexMatcher(const Unicode + } + if (fStack == NULL || fData == NULL) { + status = U_MEMORY_ALLOCATION_ERROR; ++ } else { ++ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY); + } + reset(input); + } +@@ -102,6 +115,8 @@ RegexMatcher::RegexMatcher(const Unicode + } + if (fStack == NULL || fData == NULL) { + status = U_MEMORY_ALLOCATION_ERROR; ++ } else { ++ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY); + } + reset(*RegexStaticSets::gStaticSets->fEmptyString); + } +@@ -1015,6 +1030,14 @@ UBool RegexMatcher::isUWordBoundary(int3 + inline REStackFrame *RegexMatcher::StateSave(REStackFrame *fp, int32_t savePatIdx, int32_t frameSize, UErrorCode &status) { + // push storage for a new frame. + int32_t *newFP = fStack->reserveBlock(frameSize, status); ++ if (newFP == NULL) { ++ // Heap allocation error on attempted stack expansion. ++ // We need to return a writable stack frame, so just return the ++ // previous frame. The match operation will stop quickly ++ // becuase of the error status, after which the frame will never ++ // be looked at again. ++ return fp; ++ } + fp = (REStackFrame *)(newFP - frameSize); // in case of realloc of stack. + + // New stack frame = copy of old top frame. +@@ -1030,8 +1053,8 @@ inline REStackFrame *RegexMatcher::State + fp->fPatIdx = savePatIdx; + return (REStackFrame *)newFP; + } +- +- ++ ++ + //-------------------------------------------------------------------------------- + // + // MatchAt This is the actual matching engine. +@@ -2262,6 +2285,7 @@ GC_Done: + } + + if (U_FAILURE(status)) { ++ isMatch = FALSE; + break; + } + } diff --git a/textproc/icu/patches/patch-be b/textproc/icu/patches/patch-be new file mode 100644 index 00000000000..08d698736f4 --- /dev/null +++ b/textproc/icu/patches/patch-be @@ -0,0 +1,56 @@ +$NetBSD: patch-be,v 1.1 2008/03/20 17:07:54 drochner Exp $ + +--- test/intltest/regextst.cpp.orig 2005-07-05 20:39:00.000000000 +0200 ++++ test/intltest/regextst.cpp +@@ -66,6 +66,10 @@ void RegexTest::runIndexedTest( int32_t + case 6: name = "PerlTests"; + if (exec) PerlTests(); + break; ++ case 7: name = "Bug 6149"; ++ if (exec) Bug6149(); ++ break; ++ + + + default: name = ""; +@@ -1637,6 +1641,13 @@ void RegexTest::Errors() { + // UnicodeSet containing a string + REGEX_ERR("abc[{def}]xyz", 1, 10, U_REGEX_SET_CONTAINS_STRING); + ++ ++ // Invalid Back Reference \0 ++ // For ICU 3.8 and earlier ++ // For ICU versions newer than 3.8, \0 introduces an octal escape. ++ // ++ REGEX_ERR("(ab)\\0", 1, 6, U_REGEX_INVALID_BACK_REF); ++ + } + + +@@ -2119,6 +2130,26 @@ void RegexTest::PerlTests() { + } + + ++//-------------------------------------------------------------- ++// ++// Bug6149 Verify limits to heap expansion for backtrack stack. ++// Use this pattern, ++// "(a?){1,}" ++// The zero-length match will repeat forever. ++// (That this goes into a loop is another bug) ++// ++//--------------------------------------------------------------- ++void RegexTest::Bug6149() { ++ UnicodeString pattern("(a?){1,}"); ++ UnicodeString s("xyz"); ++ uint32_t flags = 0; ++ UErrorCode status = U_ZERO_ERROR; ++ ++ RegexMatcher matcher(pattern, s, flags, status); ++ UBool result = false; ++ REGEX_ASSERT_FAIL(result=matcher.matches(status), U_BUFFER_OVERFLOW_ERROR); ++ REGEX_ASSERT(result == FALSE); ++ } + + #endif /* !UCONFIG_NO_REGULAR_EXPRESSIONS */ + diff --git a/textproc/icu/patches/patch-bf b/textproc/icu/patches/patch-bf new file mode 100644 index 00000000000..5095edab159 --- /dev/null +++ b/textproc/icu/patches/patch-bf @@ -0,0 +1,12 @@ +$NetBSD: patch-bf,v 1.1 2008/03/20 17:07:54 drochner Exp $ + +--- test/intltest/regextst.h.orig 2003-12-03 07:58:28.000000000 +0100 ++++ test/intltest/regextst.h +@@ -30,6 +30,7 @@ public: + virtual void Extended(); + virtual void Errors(); + virtual void PerlTests(); ++ virtual void Bug6149(); + + // The following functions are internal to the regexp tests. + virtual UBool doRegexLMTest(const char *pat, const char *text, UBool looking, UBool match, int line); |