* [bug#40227] [PATCH] gnu: icu4c: Fix CVE-2020-10531.
@ 2020-03-25 18:36 Leo Famulari
2020-03-25 20:23 ` Marius Bakke
0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2020-03-25 18:36 UTC (permalink / raw)
To: 40227
* gnu/packages/patches/icu4c-CVE-2020-10531.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/icu4c.scm (icu4c)[replacement]: New field.
(icu4c/fixed): New variable.
---
gnu/local.mk | 1 +
gnu/packages/icu4c.scm | 11 ++
.../patches/icu4c-CVE-2020-10531.patch | 126 ++++++++++++++++++
3 files changed, 138 insertions(+)
create mode 100644 gnu/packages/patches/icu4c-CVE-2020-10531.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 7cce60b7c0..c905bd3b37 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1033,6 +1033,7 @@ dist_patch_DATA = \
%D%/packages/patches/icecat-use-system-media-libs.patch \
%D%/packages/patches/icedtea-6-hotspot-gcc-segfault-workaround.patch \
%D%/packages/patches/icedtea-7-hotspot-gcc-segfault-workaround.patch \
+ %D%/packages/patches/icu4c-CVE-2020-10531.patch \
%D%/packages/patches/id3lib-CVE-2007-4460.patch \
%D%/packages/patches/id3lib-UTF16-writing-bug.patch \
%D%/packages/patches/ilmbase-fix-tests.patch \
diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm
index 922dfbd348..bc74da5942 100644
--- a/gnu/packages/icu4c.scm
+++ b/gnu/packages/icu4c.scm
@@ -56,6 +56,7 @@
(define-public icu4c
(package
(name "icu4c")
+ (replacement icu4c/fixed)
(version "64.2")
(source (origin
(method url-fetch)
@@ -105,6 +106,16 @@ C/C++ part.")
(license x11)
(home-page "http://site.icu-project.org/")))
+(define icu4c/fixed
+ (package
+ (inherit icu4c)
+ (source (origin
+ (inherit (package-source icu4c))
+ (patches (append
+ (origin-patches (package-source icu4c))
+ (search-patches
+ "icu4c-CVE-2020-10531.patch")))))))
+
(define-public java-icu4j
(package
(name "java-icu4j")
diff --git a/gnu/packages/patches/icu4c-CVE-2020-10531.patch b/gnu/packages/patches/icu4c-CVE-2020-10531.patch
new file mode 100644
index 0000000000..e996783e75
--- /dev/null
+++ b/gnu/packages/patches/icu4c-CVE-2020-10531.patch
@@ -0,0 +1,126 @@
+Fix CVE-2020-10531:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531
+
+Patch copied from upstream source repository:
+
+https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
+
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+
+See #971
+---
+ icu4c/source/common/unistr.cpp | 6 ++-
+ icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
+ icu4c/source/test/intltest/ustrtest.h | 1 +
+ 3 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/icu4c/source/common/unistr.cpp b/icu4c/source/common/unistr.cpp
+index 901bb3358ba..077b4d6ef20 100644
+--- a/icu4c/source/common/unistr.cpp
++++ b/icu4c/source/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+ }
+
+ int32_t oldLength = length();
+- int32_t newLength = oldLength + srcLength;
++ int32_t newLength;
++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
++ setToBogus();
++ return *this;
++ }
+
+ // Check for append onto ourself
+ const UChar* oldArray = getArrayStart();
+diff --git a/icu4c/source/test/intltest/ustrtest.cpp b/icu4c/source/test/intltest/ustrtest.cpp
+index b6515ea813c..ad38bdf53a3 100644
+--- a/icu4c/source/test/intltest/ustrtest.cpp
++++ b/icu4c/source/test/intltest/ustrtest.cpp
+@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+ TESTCASE_AUTO(TestWCharPointers);
+ TESTCASE_AUTO(TestNullPointers);
+ TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
++ TESTCASE_AUTO(TestLargeAppend);
+ TESTCASE_AUTO_END;
+ }
+
+@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
+ str.insert(2, sub);
+ assertEquals("", u"abbcdcde", str);
+ }
++
++void UnicodeStringTest::TestLargeAppend() {
++ if(quick) return;
++
++ IcuTestErrorCode status(*this, "TestLargeAppend");
++ // Make a large UnicodeString
++ int32_t len = 0xAFFFFFF;
++ UnicodeString str;
++ char16_t *buf = str.getBuffer(len);
++ // A fast way to set buffer to valid Unicode.
++ // 4E4E is a valid unicode character
++ uprv_memset(buf, 0x4e, len * 2);
++ str.releaseBuffer(len);
++ UnicodeString dest;
++ // Append it 16 times
++ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++ int64_t total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++ dest.remove();
++ total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total + len <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else if (total <= INT32_MAX) {
++ // Check that a string of exactly the maximum size works
++ UnicodeString str2;
++ int32_t remain = INT32_MAX - total;
++ char16_t *buf2 = str2.getBuffer(remain);
++ if (buf2 == nullptr) {
++ // if somehow memory allocation fail, return the test
++ return;
++ }
++ uprv_memset(buf2, 0x4e, remain * 2);
++ str2.releaseBuffer(remain);
++ dest.append(str2);
++ total += remain;
++ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++ assertFalse("dest is not bogus", dest.isBogus());
++
++ // Check that a string size+1 goes bogus
++ str2.truncate(1);
++ dest.append(str2);
++ total++;
++ assertTrue("dest should be bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++}
+diff --git a/icu4c/source/test/intltest/ustrtest.h b/icu4c/source/test/intltest/ustrtest.h
+index 218befdcc68..4a356a92c7a 100644
+--- a/icu4c/source/test/intltest/ustrtest.h
++++ b/icu4c/source/test/intltest/ustrtest.h
+@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest {
+ void TestWCharPointers();
+ void TestNullPointers();
+ void TestUnicodeStringInsertAppendToSelf();
++ void TestLargeAppend();
+ };
+
+ #endif
--
2.26.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [bug#40227] [PATCH] gnu: icu4c: Fix CVE-2020-10531.
2020-03-25 18:36 [bug#40227] [PATCH] gnu: icu4c: Fix CVE-2020-10531 Leo Famulari
@ 2020-03-25 20:23 ` Marius Bakke
2020-03-25 21:54 ` bug#40227: " Leo Famulari
0 siblings, 1 reply; 4+ messages in thread
From: Marius Bakke @ 2020-03-25 20:23 UTC (permalink / raw)
To: Leo Famulari, 40227
[-- Attachment #1: Type: text/plain, Size: 1573 bytes --]
Leo Famulari <leo@famulari.name> writes:
> * gnu/packages/patches/icu4c-CVE-2020-10531.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/icu4c.scm (icu4c)[replacement]: New field.
> (icu4c/fixed): New variable.
[...]
> diff --git a/gnu/packages/patches/icu4c-CVE-2020-10531.patch b/gnu/packages/patches/icu4c-CVE-2020-10531.patch
> new file mode 100644
> index 0000000000..e996783e75
> --- /dev/null
> +++ b/gnu/packages/patches/icu4c-CVE-2020-10531.patch
> @@ -0,0 +1,126 @@
> +Fix CVE-2020-10531:
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531
> +
> +Patch copied from upstream source repository:
> +
> +https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
> +
> +From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
> +From: Frank Tang <ftang@chromium.org>
> +Date: Sat, 1 Feb 2020 02:39:04 +0000
> +Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
> +
> +See #971
> +---
> + icu4c/source/common/unistr.cpp | 6 ++-
> + icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
> + icu4c/source/test/intltest/ustrtest.h | 1 +
> + 3 files changed, 68 insertions(+), 1 deletion(-)
I'm not sure if the new test case as well as this git commit header is
necessary. IMO it mostly adds noise to the patch. I.e. the whole file
could be shortened to 6 lines + your comments at the top.
But no strong opinion, there is an argument to be made for preserving
upstream commits in their entirety too (I think).
So, LGTM either way. Thank you!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#40227: [PATCH] gnu: icu4c: Fix CVE-2020-10531.
2020-03-25 20:23 ` Marius Bakke
@ 2020-03-25 21:54 ` Leo Famulari
2020-03-25 22:41 ` [bug#40227] " Marius Bakke
0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2020-03-25 21:54 UTC (permalink / raw)
To: Marius Bakke; +Cc: 40227-done
[-- Attachment #1: Type: text/plain, Size: 575 bytes --]
On Wed, Mar 25, 2020 at 09:23:33PM +0100, Marius Bakke wrote:
> I'm not sure if the new test case as well as this git commit header is
> necessary. IMO it mostly adds noise to the patch. I.e. the whole file
> could be shortened to 6 lines + your comments at the top.
>
> But no strong opinion, there is an argument to be made for preserving
> upstream commits in their entirety too (I think).
>
> So, LGTM either way. Thank you!
I commented out the changes to the test suite and pushed as
7d57a190f6896c04b5dad66bf4360bc48a4052ff.
Thanks for the review!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bug#40227] [PATCH] gnu: icu4c: Fix CVE-2020-10531.
2020-03-25 21:54 ` bug#40227: " Leo Famulari
@ 2020-03-25 22:41 ` Marius Bakke
0 siblings, 0 replies; 4+ messages in thread
From: Marius Bakke @ 2020-03-25 22:41 UTC (permalink / raw)
To: Leo Famulari; +Cc: 40227-done
[-- Attachment #1: Type: text/plain, Size: 852 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Wed, Mar 25, 2020 at 09:23:33PM +0100, Marius Bakke wrote:
>> I'm not sure if the new test case as well as this git commit header is
>> necessary. IMO it mostly adds noise to the patch. I.e. the whole file
>> could be shortened to 6 lines + your comments at the top.
>>
>> But no strong opinion, there is an argument to be made for preserving
>> upstream commits in their entirety too (I think).
>>
>> So, LGTM either way. Thank you!
>
> I commented out the changes to the test suite and pushed as
> 7d57a190f6896c04b5dad66bf4360bc48a4052ff.
What I meant was that they could be omitted entirely to shorten the
patch (less lines to comb through for reviewers), but no worries! The
important thing is that we get the security fix, thanks for watching out
for those as always. :-)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-03-25 22:42 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-25 18:36 [bug#40227] [PATCH] gnu: icu4c: Fix CVE-2020-10531 Leo Famulari
2020-03-25 20:23 ` Marius Bakke
2020-03-25 21:54 ` bug#40227: " Leo Famulari
2020-03-25 22:41 ` [bug#40227] " Marius Bakke
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).