CVS commit: pkgsrc/textproc/icu

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/textproc/icu
From: "S.P.Zeidler" <spz%netbsd.org@localhost>
Date: Wed, 13 Feb 2019 20:51:57 +0000

Module Name:    pkgsrc
Committed By:   spz
Date:           Wed Feb 13 20:51:57 UTC 2019

Modified Files:
        pkgsrc/textproc/icu: Makefile distinfo
Added Files:
        pkgsrc/textproc/icu/patches: patch-CVE-2018-18928

Log Message:
add patch for CVE-2018-18928 from upstream


To generate a diff of this commit:
cvs rdiff -u -r1.120 -r1.121 pkgsrc/textproc/icu/Makefile
cvs rdiff -u -r1.80 -r1.81 pkgsrc/textproc/icu/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/textproc/icu/patches/patch-CVE-2018-18928

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/icu/Makefile
diff -u pkgsrc/textproc/icu/Makefile:1.120 pkgsrc/textproc/icu/Makefile:1.121
--- pkgsrc/textproc/icu/Makefile:1.120  Tue Dec 18 15:23:07 2018
+++ pkgsrc/textproc/icu/Makefile        Wed Feb 13 20:51:57 2019
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.120 2018/12/18 15:23:07 kamil Exp $
+# $NetBSD: Makefile,v 1.121 2019/02/13 20:51:57 spz Exp $
 
 DISTNAME=      icu4c-63_1-src
 PKGNAME=       ${DISTNAME:S/4c//:S/-src//:S/_/./g}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    textproc
 MASTER_SITES=  http://download.icu-project.org/files/icu4c/${PKGVERSION_NOREV}/
 EXTRACT_SUFX=  .tgz

Index: pkgsrc/textproc/icu/distinfo
diff -u pkgsrc/textproc/icu/distinfo:1.80 pkgsrc/textproc/icu/distinfo:1.81
--- pkgsrc/textproc/icu/distinfo:1.80   Tue Dec 11 10:15:55 2018
+++ pkgsrc/textproc/icu/distinfo        Wed Feb 13 20:51:57 2019
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.80 2018/12/11 10:15:55 abs Exp $
+$NetBSD: distinfo,v 1.81 2019/02/13 20:51:57 spz Exp $
 
 SHA1 (icu4c-63_1-src.tgz) = ad523232f19af1c698c6489f8e15f7e9824f1662
 RMD160 (icu4c-63_1-src.tgz) = 5c895a6e2b135978df59e135ed772747aec0065f
 SHA512 (icu4c-63_1-src.tgz) = 9ab407ed840a00cdda7470dcc4c40299a125ad246ae4d019c4b1ede54781157fd63af015a8228cd95dbc47e4d15a0932b2c657489046a19788e5e8266eac079c
 Size (icu4c-63_1-src.tgz) = 23746939 bytes
+SHA1 (patch-CVE-2018-18928) = 74e8248c215bcb5ca98a63d161dc5516531a83b3
 SHA1 (patch-Makefile.in) = 67440d3af9b62b8c0be258c490255ba17f778ab4
 SHA1 (patch-acinclude.m4) = f7de1a16aad0ca77c4bbc457ba76b6171199ce09
 SHA1 (patch-common_putil.cpp) = 6aa70b8698d663d3c798bafd9010a824c9609c20

Added files:

Index: pkgsrc/textproc/icu/patches/patch-CVE-2018-18928
diff -u /dev/null pkgsrc/textproc/icu/patches/patch-CVE-2018-18928:1.1
--- /dev/null   Wed Feb 13 20:51:57 2019
+++ pkgsrc/textproc/icu/patches/patch-CVE-2018-18928    Wed Feb 13 20:51:57 2019
@@ -0,0 +1,49 @@
+$NetBSD: patch-CVE-2018-18928,v 1.1 2019/02/13 20:51:57 spz Exp $
+
+fix for CVE-2018-18928 from
+https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51
+
+--- i18n/fmtable.cpp.orig      2018-09-29 00:34:42.000000000 +0000
++++ i18n/fmtable.cpp
+@@ -734,7 +734,7 @@ CharString *Formattable::internalGetChar
+       // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
+       if (fDecimalQuantity->isZero()) {
+         fDecimalStr->append("0", -1, status);
+-      } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
++      } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+         fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
+       } else {
+         fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
+
+--- i18n/number_decimalquantity.cpp.orig       2018-10-01 22:39:56.000000000 +0000
++++ i18n/number_decimalquantity.cpp
+@@ -820,7 +820,10 @@ UnicodeString DecimalQuantity::toScienti
+     }
+     result.append(u'E');
+     int32_t _scale = upperPos + scale;
+-    if (_scale < 0) {
++    if (_scale == INT32_MIN) {
++        result.append({u"-2147483648", -1});
++        return result;
++    } else if (_scale < 0) {
+         _scale *= -1;
+         result.append(u'-');
+     } else {
+
+--- test/intltest/numfmtst.cpp.orig    2018-10-01 22:39:56.000000000 +0000
++++ test/intltest/numfmtst.cpp
+@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_Scienti
+     assertEquals(u"Should not overflow and should parse only the first exponent",
+                  u"1E-2147483647",
+                  {sp.data(), sp.length(), US_INV});
++
++    // Test edge case overflow of exponent
++    result = Formattable();
++    nf->parse(u".0003e-2147483644", result, status);
++    sp = result.getDecimalNumber(status);
++    assertEquals(u"Should not overflow",
++                 u"3E-2147483648",
++                 {sp.data(), sp.length(), US_INV});
+ }
+ 
+ void NumberFormatTest::Test13840_ParseLongStringCrash() {

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/converters/libetonyek
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/converters/libetonyek
Indexes:

Home | Main Index | Thread Index | Old Index