From beceadd90045a8204f7d4ca85888ed8951a4849d Mon Sep 17 00:00:00 2001
From: tron
Date: Mon, 9 Mar 2015 19:31:21 +0000
Subject: Pullup ticket #4636 - requested by spz textproc/icu: security patch Revisions pulled up: - textproc/icu/Makefile 1.96 - textproc/icu/distinfo 1.52 - textproc/icu/patches/patch-CVE-2014-7923+7926 1.1 --- Module Name: pkgsrc Committed By: spz Date: Fri Mar 6 14:43:15 UTC 2015 Modified Files: pkgsrc/textproc/icu: Makefile distinfo Added Files: pkgsrc/textproc/icu/patches: patch-CVE-2014-7923+7926 Log Message: add patch for CVE-2014-7923 and CVE-2014-7926 found at https://chromium.googlesource.com/chromium/deps/icu52/+/6242e2fbb36f486f2c0addd1c3cef67fc4ed33fb
---
 textproc/icu/Makefile | 4 +-
 textproc/icu/distinfo | 3 +-
 textproc/icu/patches/patch-CVE-2014-7923+7926 | 85 +++++++++++++++++++++++++++
 3 files changed, 89 insertions(+), 3 deletions(-)
 create mode 100644 textproc/icu/patches/patch-CVE-2014-7923+7926
diff --git a/textproc/icu/Makefile b/textproc/icu/Makefile
index 65d05e97cbb..6f55dbb5d7e 100644
--- a/textproc/icu/Makefile
+++ b/textproc/icu/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.95 2014/10/07 16:47:14 adam Exp $
+# $NetBSD: Makefile,v 1.95.2.1 2015/03/09 19:31:21 tron Exp $
 DISTNAME= icu4c-54_1-src
 PKGNAME= ${DISTNAME:S/4c//:S/-src//:S/_/./g}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= textproc
 MASTER_SITES= http://download.icu-project.org/files/icu4c/${PKGVERSION_NOREV}/
 EXTRACT_SUFX= .tgz
diff --git a/textproc/icu/distinfo b/textproc/icu/distinfo
index fb0f1f72f1f..d9c03e706ca 100644
--- a/textproc/icu/distinfo
+++ b/textproc/icu/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.51 2014/10/26 19:46:48 bsiegert Exp $
+$NetBSD: distinfo,v 1.51.2.1 2015/03/09 19:31:21 tron Exp $
 SHA1 (icu4c-54_1-src.tgz) = 8c752490bbf31cea26e20246430cee67d48abe34
 RMD160 (icu4c-54_1-src.tgz) = b1440e1a3330b12336742c881863a8de6a6d2235
 Size (icu4c-54_1-src.tgz) = 25485678 bytes
+SHA1 (patch-CVE-2014-7923+7926) = cb5e355c6e5b4860c581a9743706b800d56dadf2
 SHA1 (patch-aa) = fd5c513e75ca17a46be4ed010455bda63731afff
 SHA1 (patch-ab) = 32f0e4c241535e37e4cad9b871ed3d36b4184199
 SHA1 (patch-ac) = e7cee161315321d2580074054d87714b55319886
diff --git a/textproc/icu/patches/patch-CVE-2014-7923+7926 b/textproc/icu/patches/patch-CVE-2014-7923+7926
new file mode 100644
index 00000000000..91c1922e94d
--- /dev/null
+++ b/textproc/icu/patches/patch-CVE-2014-7923+7926
@@ -0,0 +1,85 @@
+$NetBSD: patch-CVE-2014-7923+7926,v 1.1.2.2 2015/03/09 19:31:21 tron Exp $
+
+patches for CVE-2014-7923 and CVE-2014-7926 from
+https://chromium.googlesource.com/chromium/deps/icu52/+/6242e2fbb36f486f2c0addd1c3cef67fc4ed33fb
+
+--- i18n/regexcmp.cpp.orig 2014-10-03 16:10:36.000000000 +0000
++++ i18n/regexcmp.cpp
+@@ -2132,6 +2132,10 @@ void RegexCompile::handleCloseParen() {
+ int32_t patEnd = fRXPat->fCompiledPat->size() - 1;
+ int32_t minML = minMatchLength(fMatchOpenParen, patEnd);
+ int32_t maxML = maxMatchLength(fMatchOpenParen, patEnd);
++ if (URX_TYPE(maxML) != 0) {
++ error(U_REGEX_LOOK_BEHIND_LIMIT);
++ break;
++ }
+ if (maxML == INT32_MAX) {
+ error(U_REGEX_LOOK_BEHIND_LIMIT);
+ break;
+@@ -2165,6 +2169,10 @@ void RegexCompile::handleCloseParen() {
+ int32_t patEnd = fRXPat->fCompiledPat->size() - 1;
+ int32_t minML = minMatchLength(fMatchOpenParen, patEnd);
+ int32_t maxML = maxMatchLength(fMatchOpenParen, patEnd);
++ if (URX_TYPE(maxML) != 0) {
++ error(U_REGEX_LOOK_BEHIND_LIMIT);
++ break;
++ }
+ if (maxML == INT32_MAX) {
+ error(U_REGEX_LOOK_BEHIND_LIMIT);
+ break;
+@@ -2328,7 +2336,15 @@ UBool RegexCompile::compileInlineInterva
+ int32_t topOfBlock = blockTopLoc(FALSE);
+ if (fIntervalUpper == 0) {
+ // Pathological case. Attempt no matches, as if the block doesn't exist.
++ // Discard the generated code for the block.
++ // If the block included parens, discard the info pertaining to them as well.
+ fRXPat->fCompiledPat->setSize(topOfBlock);
++ if (fMatchOpenParen >= topOfBlock) {
++ fMatchOpenParen = -1;
++ }
++ if (fMatchCloseParen >= topOfBlock) {
++ fMatchCloseParen = -1;
++ }
+ return TRUE;
+ }
+
+--- i18n/regexcmp.h.orig 2014-10-03 16:10:36.000000000 +0000
++++ i18n/regexcmp.h
+@@ -187,7 +187,9 @@ private:
+ int32_t fMatchOpenParen; // The position in the compiled pattern
+ // of the slot reserved for a state save
+ // at the start of the most recently processed
+- // parenthesized block.
++ // parenthesized block.
Updated when processing
++ // a close to the location for the corresponding open.
++
+ int32_t fMatchCloseParen; // The position in the pattern of the first
+ // location after the most recently processed
+ // parenthesized block.
+--- test/testdata/regextst.txt.orig 2014-10-03 16:09:58.000000000 +0000
++++ test/testdata/regextst.txt
+@@ -1178,6 +1178,24 @@
+ "(?<=a{1,})bc" E "aaaa<0>bcdef" # U_REGEX_LOOK_BEHIND_LIMIT error.
+ "(?<=(?:){11})bc" "<0>bc" # Empty (?:) expression.
+
++# Bug 11369
++# Incorrect optimization of patterns with a zero length quantifier {0}
++
++"(.|b)(|b){0}\$(?#xxx){3}(?>\D*)" "AAAAABBBBBCCCCCDDDDEEEEE"
++"(|b)ab(c)" "<0><1>ab<2>c"
++"(|b){0}a{3}(D*)" "<0>aaa<2>"
++"(|b){0,1}a{3}(D*)" "<0><1>aaa<2>"
++"((|b){0})a{3}(D*)" "<0><1>aaa<3>"
++
++# Bug 11370
++# Max match length computation of look-behind expression gives result that is too big to fit in the
++# in the 24 bit operand portion of the compiled code. Expressions should fail to compile
++# (Look-behind match length must be bounded. This case is treated as unbounded, an error.)
++
++"(?