pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/textproc/icu fix RE vulnerabilities (CVE-2007-(4770|47...
details: https://anonhg.NetBSD.org/pkgsrc/rev/2999b601b604
branches: trunk
changeset: 539999:2999b601b604
user: drochner <drochner%pkgsrc.org@localhost>
date: Thu Mar 20 17:07:54 2008 +0000
description:
fix RE vulnerabilities (CVE-2007-(4770|4771)), patch from redhat
via Gentoo bug #208001,
bump PKGREVISION
diffstat:
textproc/icu/Makefile | 4 +-
textproc/icu/distinfo | 8 +++-
textproc/icu/patches/patch-ba | 89 +++++++++++++++++++++++++++++++++++++++++++
textproc/icu/patches/patch-bb | 47 ++++++++++++++++++++++
textproc/icu/patches/patch-bc | 28 +++++++++++++
textproc/icu/patches/patch-bd | 81 +++++++++++++++++++++++++++++++++++++++
textproc/icu/patches/patch-be | 56 +++++++++++++++++++++++++++
textproc/icu/patches/patch-bf | 12 +++++
8 files changed, 322 insertions(+), 3 deletions(-)
diffs (truncated from 371 to 300 lines):
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/Makefile
--- a/textproc/icu/Makefile Thu Mar 20 17:00:38 2008 +0000
+++ b/textproc/icu/Makefile Thu Mar 20 17:07:54 2008 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.53 2007/03/31 15:36:57 obache Exp $
+# $NetBSD: Makefile,v 1.54 2008/03/20 17:07:54 drochner Exp $
#
DISTNAME= icu4c-3_6-src
PKGNAME= icu-3.6
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= textproc
MASTER_SITES= ftp://ftp.software.ibm.com/software/globalization/icu/${PKGVERSION}/
EXTRACT_SUFX= .tgz
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/distinfo
--- a/textproc/icu/distinfo Thu Mar 20 17:00:38 2008 +0000
+++ b/textproc/icu/distinfo Thu Mar 20 17:07:54 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2007/03/23 12:51:13 recht Exp $
+$NetBSD: distinfo,v 1.15 2008/03/20 17:07:54 drochner Exp $
SHA1 (icu4c-3_6-src.tgz) = b580c2802e74eb6af7e5e19b05c7d7c5d8c623f9
RMD160 (icu4c-3_6-src.tgz) = b227ac9ff6019362bc4d01c18433869b0e0ff1c2
@@ -7,3 +7,9 @@
SHA1 (patch-ab) = 32d2aeb38ed84352751d0f3d8db5d8b433ef03e4
SHA1 (patch-ae) = 69caf7c0c226a0b45158a9620f045e943f00b820
SHA1 (patch-af) = df50984a17111a69c517b26f303866f2d384e857
+SHA1 (patch-ba) = d22f39715b85fe73654b644237d1956091fb26e8
+SHA1 (patch-bb) = 57683caee8c4bb2743332847f78566d5a3934e80
+SHA1 (patch-bc) = 9fd76fb53c7a464883fe5cc21ffbc5b5ac117711
+SHA1 (patch-bd) = 197017d9fb0a6a542e567cfae4512bc38a25ff79
+SHA1 (patch-be) = 9cb76ab05393b8d698c2b77b58b3db6c7b0b199c
+SHA1 (patch-bf) = d03b55651686aeab965747c400753c8b7b643d80
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/patches/patch-ba
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/icu/patches/patch-ba Thu Mar 20 17:07:54 2008 +0000
@@ -0,0 +1,89 @@
+$NetBSD: patch-ba,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- common/uvectr32.cpp.orig 2003-08-27 03:01:30.000000000 +0200
++++ common/uvectr32.cpp
+@@ -1,6 +1,6 @@
+ /*
+ ******************************************************************************
+-* Copyright (C) 1999-2003, International Business Machines Corporation and *
++* Copyright (C) 1999-2008, International Business Machines Corporation and *
+ * others. All Rights Reserved. *
+ ******************************************************************************
+ * Date Name Description
+@@ -26,6 +26,7 @@ UOBJECT_DEFINE_RTTI_IMPLEMENTATION(UVect
+ UVector32::UVector32(UErrorCode &status) :
+ count(0),
+ capacity(0),
++ maxCapacity(0),
+ elements(NULL)
+ {
+ _init(DEFUALT_CAPACITY, status);
+@@ -34,6 +35,7 @@ UVector32::UVector32(UErrorCode &status)
+ UVector32::UVector32(int32_t initialCapacity, UErrorCode &status) :
+ count(0),
+ capacity(0),
++ maxCapacity(0),
+ elements(0)
+ {
+ _init(initialCapacity, status);
+@@ -46,6 +48,9 @@ void UVector32::_init(int32_t initialCap
+ if (initialCapacity < 1) {
+ initialCapacity = DEFUALT_CAPACITY;
+ }
++ if (maxCapacity>0 && maxCapacity<initialCapacity) {
++ initialCapacity = maxCapacity;
++ }
+ elements = (int32_t *)uprv_malloc(sizeof(int32_t)*initialCapacity);
+ if (elements == 0) {
+ status = U_MEMORY_ALLOCATION_ERROR;
+@@ -189,21 +194,35 @@ int32_t UVector32::indexOf(int32_t key,
+ UBool UVector32::expandCapacity(int32_t minimumCapacity, UErrorCode &status) {
+ if (capacity >= minimumCapacity) {
+ return TRUE;
+- } else {
+- int32_t newCap = capacity * 2;
+- if (newCap < minimumCapacity) {
+- newCap = minimumCapacity;
+- }
+- int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap);
+- if (newElems == 0) {
+- status = U_MEMORY_ALLOCATION_ERROR;
+- return FALSE;
+- }
+- uprv_memcpy(newElems, elements, sizeof(elements[0]) * count);
+- uprv_free(elements);
+- elements = newElems;
+- capacity = newCap;
+- return TRUE;
++ }
++ if (maxCapacity>0 && minimumCapacity>maxCapacity) {
++ status = U_BUFFER_OVERFLOW_ERROR;
++ return FALSE;
++ }
++ int32_t newCap = capacity * 2;
++ if (newCap < minimumCapacity) {
++ newCap = minimumCapacity;
++ }
++ if (maxCapacity > 0 && newCap > maxCapacity) {
++ newCap = maxCapacity;
++ }
++ int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap);
++ if (newElems == 0) {
++ status = U_MEMORY_ALLOCATION_ERROR;
++ return FALSE;
++ }
++ uprv_memcpy(newElems, elements, sizeof(elements[0]) * count);
++ uprv_free(elements);
++ elements = newElems;
++ capacity = newCap;
++ return TRUE;
++}
++
++void UVector32::setMaxCapacity(int32_t limit) {
++ U_ASSERT(limit >= 0);
++ maxCapacity = limit;
++ if (maxCapacity < 0) {
++ maxCapacity = 0;
+ }
+ }
+
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/patches/patch-bb
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/icu/patches/patch-bb Thu Mar 20 17:07:54 2008 +0000
@@ -0,0 +1,47 @@
+$NetBSD: patch-bb,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- common/uvectr32.h.orig 2006-01-18 04:52:04.000000000 +0100
++++ common/uvectr32.h
+@@ -1,6 +1,6 @@
+ /*
+ **********************************************************************
+-* Copyright (C) 1999-2006, International Business Machines
++* Copyright (C) 1999-2008, International Business Machines
+ * Corporation and others. All Rights Reserved.
+ **********************************************************************
+ */
+@@ -61,6 +61,8 @@ private:
+ int32_t count;
+
+ int32_t capacity;
++
++ int32_t maxCapacity; // Limit beyond which capacity is not permitted to grow.
+
+ int32_t* elements;
+
+@@ -162,6 +164,14 @@ public:
+ int32_t *getBuffer() const;
+
+ /**
++ * Set the maximum allowed buffer capacity for this vector/stack.
++ * Default with no limit set is unlimited, go until malloc() fails.
++ * A Limit of zero means unlimited capacity.
++ * Units are vector elements (32 bits each), not bytes.
++ */
++ void setMaxCapacity(int32_t limit);
++
++ /**
+ * ICU "poor man's RTTI", returns a UClassID for this class.
+ */
+ static UClassID U_EXPORT2 getStaticClassID();
+@@ -221,7 +231,9 @@ inline void UVector32::addElement(int32_
+ }
+
+ inline int32_t *UVector32::reserveBlock(int32_t size, UErrorCode &status) {
+- ensureCapacity(count+size, status);
++ if (ensureCapacity(count+size, status) == FALSE) {
++ return NULL;
++ }
+ int32_t *rp = elements+count;
+ count += size;
+ return rp;
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/patches/patch-bc
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/icu/patches/patch-bc Thu Mar 20 17:07:54 2008 +0000
@@ -0,0 +1,28 @@
+$NetBSD: patch-bc,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- i18n/regexcmp.cpp.orig 2006-02-02 05:37:14.000000000 +0100
++++ i18n/regexcmp.cpp
+@@ -1187,14 +1187,17 @@ UBool RegexCompile::doParseActions(EPars
+ // Because capture groups can be forward-referenced by back-references,
+ // we fill the operand with the capture group number. At the end
+ // of compilation, it will be changed to the variable's location.
+- U_ASSERT(groupNum > 0);
+- int32_t op;
+- if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
+- op = URX_BUILD(URX_BACKREF_I, groupNum);
++ if (groupNum < 1) {
++ error(U_REGEX_INVALID_BACK_REF);
+ } else {
+- op = URX_BUILD(URX_BACKREF, groupNum);
++ int32_t op;
++ if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
++ op = URX_BUILD(URX_BACKREF_I, groupNum);
++ } else {
++ op = URX_BUILD(URX_BACKREF, groupNum);
++ }
++ fRXPat->fCompiledPat->addElement(op, *fStatus);
+ }
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+ }
+ break;
+
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/patches/patch-bd
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/icu/patches/patch-bd Thu Mar 20 17:07:54 2008 +0000
@@ -0,0 +1,81 @@
+$NetBSD: patch-bd,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- i18n/rematch.cpp.orig 2005-08-25 20:02:20.000000000 +0200
++++ i18n/rematch.cpp
+@@ -30,6 +30,15 @@
+
+ U_NAMESPACE_BEGIN
+
++// Limit the size of the back track stack, to avoid system failures caused
++// by heap exhaustion. Units are in 32 bit words, not bytes.
++// This value puts ICU's limits higher than most other regexp implementations,
++// which use recursion rather than the heap, and take more storage per
++// backtrack point.
++// This constant is _temporary_. Proper API to control the value will added.
++//
++static const int32_t BACKTRACK_STACK_CAPACITY = 8000000;
++
+ //-----------------------------------------------------------------------------
+ //
+ // Constructor and Destructor
+@@ -53,6 +62,8 @@ RegexMatcher::RegexMatcher(const RegexPa
+ }
+ if (fStack == NULL || fData == NULL) {
+ fDeferredStatus = U_MEMORY_ALLOCATION_ERROR;
++ } else {
++ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
+ }
+
+ reset(*RegexStaticSets::gStaticSets->fEmptyString);
+@@ -78,6 +89,8 @@ RegexMatcher::RegexMatcher(const Unicode
+ }
+ if (fStack == NULL || fData == NULL) {
+ status = U_MEMORY_ALLOCATION_ERROR;
++ } else {
++ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
+ }
+ reset(input);
+ }
+@@ -102,6 +115,8 @@ RegexMatcher::RegexMatcher(const Unicode
+ }
+ if (fStack == NULL || fData == NULL) {
+ status = U_MEMORY_ALLOCATION_ERROR;
++ } else {
++ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
+ }
+ reset(*RegexStaticSets::gStaticSets->fEmptyString);
+ }
+@@ -1015,6 +1030,14 @@ UBool RegexMatcher::isUWordBoundary(int3
+ inline REStackFrame *RegexMatcher::StateSave(REStackFrame *fp, int32_t savePatIdx, int32_t frameSize, UErrorCode &status) {
+ // push storage for a new frame.
+ int32_t *newFP = fStack->reserveBlock(frameSize, status);
++ if (newFP == NULL) {
++ // Heap allocation error on attempted stack expansion.
++ // We need to return a writable stack frame, so just return the
++ // previous frame. The match operation will stop quickly
++ // becuase of the error status, after which the frame will never
++ // be looked at again.
++ return fp;
++ }
+ fp = (REStackFrame *)(newFP - frameSize); // in case of realloc of stack.
+
+ // New stack frame = copy of old top frame.
+@@ -1030,8 +1053,8 @@ inline REStackFrame *RegexMatcher::State
+ fp->fPatIdx = savePatIdx;
+ return (REStackFrame *)newFP;
+ }
+-
+-
++
++
+ //--------------------------------------------------------------------------------
+ //
+ // MatchAt This is the actual matching engine.
+@@ -2262,6 +2285,7 @@ GC_Done:
+ }
+
+ if (U_FAILURE(status)) {
++ isMatch = FALSE;
+ break;
+ }
+ }
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/patches/patch-be
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/icu/patches/patch-be Thu Mar 20 17:07:54 2008 +0000
@@ -0,0 +1,56 @@
+$NetBSD: patch-be,v 1.1 2008/03/20 17:07:54 drochner Exp $
Home |
Main Index |
Thread Index |
Old Index