pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/textproc/icu add patch for CVE-2018-18928 from upstream
details: https://anonhg.NetBSD.org/pkgsrc/rev/42d6a135d5a3
branches: trunk
changeset: 319477:42d6a135d5a3
user: spz <spz%pkgsrc.org@localhost>
date: Wed Feb 13 20:51:57 2019 +0000
description:
add patch for CVE-2018-18928 from upstream
diffstat:
textproc/icu/Makefile | 4 +-
textproc/icu/distinfo | 3 +-
textproc/icu/patches/patch-CVE-2018-18928 | 49 +++++++++++++++++++++++++++++++
3 files changed, 53 insertions(+), 3 deletions(-)
diffs (82 lines):
diff -r 47f94fd00045 -r 42d6a135d5a3 textproc/icu/Makefile
--- a/textproc/icu/Makefile Wed Feb 13 20:32:12 2019 +0000
+++ b/textproc/icu/Makefile Wed Feb 13 20:51:57 2019 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.120 2018/12/18 15:23:07 kamil Exp $
+# $NetBSD: Makefile,v 1.121 2019/02/13 20:51:57 spz Exp $
DISTNAME= icu4c-63_1-src
PKGNAME= ${DISTNAME:S/4c//:S/-src//:S/_/./g}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= textproc
MASTER_SITES= http://download.icu-project.org/files/icu4c/${PKGVERSION_NOREV}/
EXTRACT_SUFX= .tgz
diff -r 47f94fd00045 -r 42d6a135d5a3 textproc/icu/distinfo
--- a/textproc/icu/distinfo Wed Feb 13 20:32:12 2019 +0000
+++ b/textproc/icu/distinfo Wed Feb 13 20:51:57 2019 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.80 2018/12/11 10:15:55 abs Exp $
+$NetBSD: distinfo,v 1.81 2019/02/13 20:51:57 spz Exp $
SHA1 (icu4c-63_1-src.tgz) = ad523232f19af1c698c6489f8e15f7e9824f1662
RMD160 (icu4c-63_1-src.tgz) = 5c895a6e2b135978df59e135ed772747aec0065f
SHA512 (icu4c-63_1-src.tgz) = 9ab407ed840a00cdda7470dcc4c40299a125ad246ae4d019c4b1ede54781157fd63af015a8228cd95dbc47e4d15a0932b2c657489046a19788e5e8266eac079c
Size (icu4c-63_1-src.tgz) = 23746939 bytes
+SHA1 (patch-CVE-2018-18928) = 74e8248c215bcb5ca98a63d161dc5516531a83b3
SHA1 (patch-Makefile.in) = 67440d3af9b62b8c0be258c490255ba17f778ab4
SHA1 (patch-acinclude.m4) = f7de1a16aad0ca77c4bbc457ba76b6171199ce09
SHA1 (patch-common_putil.cpp) = 6aa70b8698d663d3c798bafd9010a824c9609c20
diff -r 47f94fd00045 -r 42d6a135d5a3 textproc/icu/patches/patch-CVE-2018-18928
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/icu/patches/patch-CVE-2018-18928 Wed Feb 13 20:51:57 2019 +0000
@@ -0,0 +1,49 @@
+$NetBSD: patch-CVE-2018-18928,v 1.1 2019/02/13 20:51:57 spz Exp $
+
+fix for CVE-2018-18928 from
+https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51
+
+--- i18n/fmtable.cpp.orig 2018-09-29 00:34:42.000000000 +0000
++++ i18n/fmtable.cpp
+@@ -734,7 +734,7 @@ CharString *Formattable::internalGetChar
+ // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
+ if (fDecimalQuantity->isZero()) {
+ fDecimalStr->append("0", -1, status);
+- } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
++ } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+ fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
+ } else {
+ fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
+
+--- i18n/number_decimalquantity.cpp.orig 2018-10-01 22:39:56.000000000 +0000
++++ i18n/number_decimalquantity.cpp
+@@ -820,7 +820,10 @@ UnicodeString DecimalQuantity::toScienti
+ }
+ result.append(u'E');
+ int32_t _scale = upperPos + scale;
+- if (_scale < 0) {
++ if (_scale == INT32_MIN) {
++ result.append({u"-2147483648", -1});
++ return result;
++ } else if (_scale < 0) {
+ _scale *= -1;
+ result.append(u'-');
+ } else {
+
+--- test/intltest/numfmtst.cpp.orig 2018-10-01 22:39:56.000000000 +0000
++++ test/intltest/numfmtst.cpp
+@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_Scienti
+ assertEquals(u"Should not overflow and should parse only the first exponent",
+ u"1E-2147483647",
+ {sp.data(), sp.length(), US_INV});
++
++ // Test edge case overflow of exponent
++ result = Formattable();
++ nf->parse(u".0003e-2147483644", result, status);
++ sp = result.getDecimalNumber(status);
++ assertEquals(u"Should not overflow",
++ u"3E-2147483648",
++ {sp.data(), sp.length(), US_INV});
+ }
+
+ void NumberFormatTest::Test13840_ParseLongStringCrash() {
Home |
Main Index |
Thread Index |
Old Index