pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/textproc/icu fix RE vulnerabilities (CVE-2007-(4770|47...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/2999b601b604
branches:  trunk
changeset: 539999:2999b601b604
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Thu Mar 20 17:07:54 2008 +0000

description:
fix RE vulnerabilities (CVE-2007-(4770|4771)), patch from redhat
via Gentoo bug #208001,
bump PKGREVISION

diffstat:

 textproc/icu/Makefile         |   4 +-
 textproc/icu/distinfo         |   8 +++-
 textproc/icu/patches/patch-ba |  89 +++++++++++++++++++++++++++++++++++++++++++
 textproc/icu/patches/patch-bb |  47 ++++++++++++++++++++++
 textproc/icu/patches/patch-bc |  28 +++++++++++++
 textproc/icu/patches/patch-bd |  81 +++++++++++++++++++++++++++++++++++++++
 textproc/icu/patches/patch-be |  56 +++++++++++++++++++++++++++
 textproc/icu/patches/patch-bf |  12 +++++
 8 files changed, 322 insertions(+), 3 deletions(-)

diffs (truncated from 371 to 300 lines):

diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/Makefile
--- a/textproc/icu/Makefile     Thu Mar 20 17:00:38 2008 +0000
+++ b/textproc/icu/Makefile     Thu Mar 20 17:07:54 2008 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.53 2007/03/31 15:36:57 obache Exp $
+# $NetBSD: Makefile,v 1.54 2008/03/20 17:07:54 drochner Exp $
 #
 
 DISTNAME=      icu4c-3_6-src
 PKGNAME=       icu-3.6
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    textproc
 MASTER_SITES=  ftp://ftp.software.ibm.com/software/globalization/icu/${PKGVERSION}/
 EXTRACT_SUFX=  .tgz
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/distinfo
--- a/textproc/icu/distinfo     Thu Mar 20 17:00:38 2008 +0000
+++ b/textproc/icu/distinfo     Thu Mar 20 17:07:54 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2007/03/23 12:51:13 recht Exp $
+$NetBSD: distinfo,v 1.15 2008/03/20 17:07:54 drochner Exp $
 
 SHA1 (icu4c-3_6-src.tgz) = b580c2802e74eb6af7e5e19b05c7d7c5d8c623f9
 RMD160 (icu4c-3_6-src.tgz) = b227ac9ff6019362bc4d01c18433869b0e0ff1c2
@@ -7,3 +7,9 @@
 SHA1 (patch-ab) = 32d2aeb38ed84352751d0f3d8db5d8b433ef03e4
 SHA1 (patch-ae) = 69caf7c0c226a0b45158a9620f045e943f00b820
 SHA1 (patch-af) = df50984a17111a69c517b26f303866f2d384e857
+SHA1 (patch-ba) = d22f39715b85fe73654b644237d1956091fb26e8
+SHA1 (patch-bb) = 57683caee8c4bb2743332847f78566d5a3934e80
+SHA1 (patch-bc) = 9fd76fb53c7a464883fe5cc21ffbc5b5ac117711
+SHA1 (patch-bd) = 197017d9fb0a6a542e567cfae4512bc38a25ff79
+SHA1 (patch-be) = 9cb76ab05393b8d698c2b77b58b3db6c7b0b199c
+SHA1 (patch-bf) = d03b55651686aeab965747c400753c8b7b643d80
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/patches/patch-ba
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/icu/patches/patch-ba     Thu Mar 20 17:07:54 2008 +0000
@@ -0,0 +1,89 @@
+$NetBSD: patch-ba,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- common/uvectr32.cpp.orig   2003-08-27 03:01:30.000000000 +0200
++++ common/uvectr32.cpp
+@@ -1,6 +1,6 @@
+ /*
+ ******************************************************************************
+-* Copyright (C) 1999-2003, International Business Machines Corporation and   *
++* Copyright (C) 1999-2008, International Business Machines Corporation and   *
+ * others. All Rights Reserved.                                               *
+ ******************************************************************************
+ *   Date        Name        Description
+@@ -26,6 +26,7 @@ UOBJECT_DEFINE_RTTI_IMPLEMENTATION(UVect
+ UVector32::UVector32(UErrorCode &status) :
+     count(0),
+     capacity(0),
++    maxCapacity(0),
+     elements(NULL)
+ {
+     _init(DEFUALT_CAPACITY, status);
+@@ -34,6 +35,7 @@ UVector32::UVector32(UErrorCode &status)
+ UVector32::UVector32(int32_t initialCapacity, UErrorCode &status) :
+     count(0),
+     capacity(0),
++    maxCapacity(0),
+     elements(0)
+ {
+     _init(initialCapacity, status);
+@@ -46,6 +48,9 @@ void UVector32::_init(int32_t initialCap
+     if (initialCapacity < 1) {
+         initialCapacity = DEFUALT_CAPACITY;
+     }
++    if (maxCapacity>0 && maxCapacity<initialCapacity) {
++        initialCapacity = maxCapacity;
++    }
+     elements = (int32_t *)uprv_malloc(sizeof(int32_t)*initialCapacity);
+     if (elements == 0) {
+         status = U_MEMORY_ALLOCATION_ERROR;
+@@ -189,21 +194,35 @@ int32_t UVector32::indexOf(int32_t key, 
+ UBool UVector32::expandCapacity(int32_t minimumCapacity, UErrorCode &status) {
+     if (capacity >= minimumCapacity) {
+         return TRUE;
+-    } else {
+-        int32_t newCap = capacity * 2;
+-        if (newCap < minimumCapacity) {
+-            newCap = minimumCapacity;
+-        }
+-        int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap);
+-        if (newElems == 0) {
+-            status = U_MEMORY_ALLOCATION_ERROR;
+-            return FALSE;
+-        }
+-        uprv_memcpy(newElems, elements, sizeof(elements[0]) * count);
+-        uprv_free(elements);
+-        elements = newElems;
+-        capacity = newCap;
+-        return TRUE;
++    }
++    if (maxCapacity>0 && minimumCapacity>maxCapacity) {
++        status = U_BUFFER_OVERFLOW_ERROR;
++        return FALSE;
++    }
++    int32_t newCap = capacity * 2;
++    if (newCap < minimumCapacity) {
++        newCap = minimumCapacity;
++    }
++    if (maxCapacity > 0 && newCap > maxCapacity) {
++        newCap = maxCapacity;
++    }
++    int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap);
++    if (newElems == 0) {
++        status = U_MEMORY_ALLOCATION_ERROR;
++        return FALSE;
++    }
++    uprv_memcpy(newElems, elements, sizeof(elements[0]) * count);
++    uprv_free(elements);
++    elements = newElems;
++    capacity = newCap;
++    return TRUE;
++}
++
++void UVector32::setMaxCapacity(int32_t limit) {
++    U_ASSERT(limit >= 0);
++    maxCapacity = limit;
++    if (maxCapacity < 0) {
++        maxCapacity = 0;
+     }
+ }
+ 
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/patches/patch-bb
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/icu/patches/patch-bb     Thu Mar 20 17:07:54 2008 +0000
@@ -0,0 +1,47 @@
+$NetBSD: patch-bb,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- common/uvectr32.h.orig     2006-01-18 04:52:04.000000000 +0100
++++ common/uvectr32.h
+@@ -1,6 +1,6 @@
+ /*
+ **********************************************************************
+-*   Copyright (C) 1999-2006, International Business Machines
++*   Copyright (C) 1999-2008, International Business Machines
+ *   Corporation and others.  All Rights Reserved.
+ **********************************************************************
+ */
+@@ -61,6 +61,8 @@ private:
+     int32_t   count;
+ 
+     int32_t   capacity;
++    
++    int32_t   maxCapacity;   // Limit beyond which capacity is not permitted to grow.
+ 
+     int32_t*  elements;
+ 
+@@ -162,6 +164,14 @@ public:
+     int32_t *getBuffer() const;
+ 
+     /**
++     * Set the maximum allowed buffer capacity for this vector/stack.
++     * Default with no limit set is unlimited, go until malloc() fails.
++     * A Limit of zero means unlimited capacity.
++     * Units are vector elements (32 bits each), not bytes.
++     */
++    void setMaxCapacity(int32_t limit);
++
++    /**
+      * ICU "poor man's RTTI", returns a UClassID for this class.
+      */
+     static UClassID U_EXPORT2 getStaticClassID();
+@@ -221,7 +231,9 @@ inline void UVector32::addElement(int32_
+ }
+ 
+ inline int32_t *UVector32::reserveBlock(int32_t size, UErrorCode &status) {
+-    ensureCapacity(count+size, status);
++    if (ensureCapacity(count+size, status) == FALSE) {
++        return NULL;
++    }
+     int32_t  *rp = elements+count;
+     count += size;
+     return rp;
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/patches/patch-bc
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/icu/patches/patch-bc     Thu Mar 20 17:07:54 2008 +0000
@@ -0,0 +1,28 @@
+$NetBSD: patch-bc,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- i18n/regexcmp.cpp.orig     2006-02-02 05:37:14.000000000 +0100
++++ i18n/regexcmp.cpp
+@@ -1187,14 +1187,17 @@ UBool RegexCompile::doParseActions(EPars
+             // Because capture groups can be forward-referenced by back-references,
+             //  we fill the operand with the capture group number.  At the end
+             //  of compilation, it will be changed to the variable's location.
+-            U_ASSERT(groupNum > 0);
+-            int32_t  op;
+-            if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
+-                op = URX_BUILD(URX_BACKREF_I, groupNum);
++            if (groupNum < 1) { 
++                error(U_REGEX_INVALID_BACK_REF);
+             } else {
+-                op = URX_BUILD(URX_BACKREF, groupNum);
++                int32_t  op;
++                if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
++                    op = URX_BUILD(URX_BACKREF_I, groupNum);
++                } else {
++                    op = URX_BUILD(URX_BACKREF, groupNum);
++                }
++                fRXPat->fCompiledPat->addElement(op, *fStatus);
+             }
+-            fRXPat->fCompiledPat->addElement(op, *fStatus);
+         }
+         break;
+ 
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/patches/patch-bd
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/icu/patches/patch-bd     Thu Mar 20 17:07:54 2008 +0000
@@ -0,0 +1,81 @@
+$NetBSD: patch-bd,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- i18n/rematch.cpp.orig      2005-08-25 20:02:20.000000000 +0200
++++ i18n/rematch.cpp
+@@ -30,6 +30,15 @@
+ 
+ U_NAMESPACE_BEGIN
+ 
++// Limit the size of the back track stack, to avoid system failures caused
++//   by heap exhaustion.  Units are in 32 bit words, not bytes.
++// This value puts ICU's limits higher than most other regexp implementations,
++//  which use recursion rather than the heap, and take more storage per
++//  backtrack point.
++// This constant is _temporary_.  Proper API to control the value will added.
++//
++static const int32_t BACKTRACK_STACK_CAPACITY = 8000000;
++
+ //-----------------------------------------------------------------------------
+ //
+ //   Constructor and Destructor
+@@ -53,6 +62,8 @@ RegexMatcher::RegexMatcher(const RegexPa
+     }
+     if (fStack == NULL || fData == NULL) {
+         fDeferredStatus = U_MEMORY_ALLOCATION_ERROR;
++    } else {
++        fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
+     }
+         
+     reset(*RegexStaticSets::gStaticSets->fEmptyString);
+@@ -78,6 +89,8 @@ RegexMatcher::RegexMatcher(const Unicode
+     }
+     if (fStack == NULL || fData == NULL) {
+         status = U_MEMORY_ALLOCATION_ERROR;
++    } else {
++        fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
+     }
+     reset(input);
+ }
+@@ -102,6 +115,8 @@ RegexMatcher::RegexMatcher(const Unicode
+     }
+     if (fStack == NULL || fData == NULL) {
+         status = U_MEMORY_ALLOCATION_ERROR;
++    } else {
++        fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
+     }
+     reset(*RegexStaticSets::gStaticSets->fEmptyString);
+ }
+@@ -1015,6 +1030,14 @@ UBool RegexMatcher::isUWordBoundary(int3
+ inline REStackFrame *RegexMatcher::StateSave(REStackFrame *fp, int32_t savePatIdx, int32_t frameSize, UErrorCode &status) {
+     // push storage for a new frame. 
+     int32_t *newFP = fStack->reserveBlock(frameSize, status);
++    if (newFP == NULL) {
++        // Heap allocation error on attempted stack expansion.
++        // We need to return a writable stack frame, so just return the
++        //    previous frame.  The match operation will stop quickly
++        //    becuase of the error status, after which the frame will never
++        //    be looked at again.
++        return fp;
++    }
+     fp = (REStackFrame *)(newFP - frameSize);  // in case of realloc of stack.
+     
+     // New stack frame = copy of old top frame.
+@@ -1030,8 +1053,8 @@ inline REStackFrame *RegexMatcher::State
+     fp->fPatIdx = savePatIdx;
+     return (REStackFrame *)newFP;
+ }
+-    
+-            
++
++
+ //--------------------------------------------------------------------------------
+ //
+ //   MatchAt      This is the actual matching engine.
+@@ -2262,6 +2285,7 @@ GC_Done:
+         }
+ 
+         if (U_FAILURE(status)) {
++            isMatch = FALSE;
+             break;
+         }
+     }
diff -r 76127bdb7cf5 -r 2999b601b604 textproc/icu/patches/patch-be
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/icu/patches/patch-be     Thu Mar 20 17:07:54 2008 +0000
@@ -0,0 +1,56 @@
+$NetBSD: patch-be,v 1.1 2008/03/20 17:07:54 drochner Exp $



Home | Main Index | Thread Index | Old Index