From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:470:142:3::10]:36542) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jHCZJ-0007zQ-CG for guix-patches@gnu.org; Wed, 25 Mar 2020 16:24:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jHCZG-0001PF-VY for guix-patches@gnu.org; Wed, 25 Mar 2020 16:24:05 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:51821) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1jHCZG-0001PA-Op for guix-patches@gnu.org; Wed, 25 Mar 2020 16:24:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1jHCZG-00078t-Jv for guix-patches@gnu.org; Wed, 25 Mar 2020 16:24:02 -0400 Subject: [bug#40227] [PATCH] gnu: icu4c: Fix CVE-2020-10531. Resent-Message-ID: From: Marius Bakke In-Reply-To: References: Date: Wed, 25 Mar 2020 21:23:33 +0100 Message-ID: <87v9msyyii.fsf@devup.no> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Leo Famulari , 40227@debbugs.gnu.org --=-=-= Content-Type: text/plain Leo Famulari writes: > * gnu/packages/patches/icu4c-CVE-2020-10531.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. > * gnu/packages/icu4c.scm (icu4c)[replacement]: New field. > (icu4c/fixed): New variable. [...] > diff --git a/gnu/packages/patches/icu4c-CVE-2020-10531.patch b/gnu/packages/patches/icu4c-CVE-2020-10531.patch > new file mode 100644 > index 0000000000..e996783e75 > --- /dev/null > +++ b/gnu/packages/patches/icu4c-CVE-2020-10531.patch > @@ -0,0 +1,126 @@ > +Fix CVE-2020-10531: > + > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531 > + > +Patch copied from upstream source repository: > + > +https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca > + > +From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001 > +From: Frank Tang > +Date: Sat, 1 Feb 2020 02:39:04 +0000 > +Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append > + > +See #971 > +--- > + icu4c/source/common/unistr.cpp | 6 ++- > + icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++ > + icu4c/source/test/intltest/ustrtest.h | 1 + > + 3 files changed, 68 insertions(+), 1 deletion(-) I'm not sure if the new test case as well as this git commit header is necessary. IMO it mostly adds noise to the patch. I.e. the whole file could be shortened to 6 lines + your comments at the top. But no strong opinion, there is an argument to be made for preserving upstream commits in their entirety too (I think). So, LGTM either way. Thank you! --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl57vcYACgkQoqBt8qM6 VPqWPAgAlRC4x83a1FfWz4ThARLooj9aJlSKbI78N4dLFU8dqf9+j1FJ+ylwGRgR GHRJjdcdSbly0CaeNcdHXHA4t93aDxAMrEWfRoKiv/d4AbAO/jNAjvyIq+erczcb +9zCoAQYj8T174ck2QEPlT+KL5pA6jctEX7Z2JaFqtJ5qaXta7uFqLssytrT1v6t LsWByTwIbI76FokXb2Ni/6lAqokrbfRQTDVXTwPWKO83iaNlTWaNoINRfCUy7Vgm WbSFJEcUhOhziWyLI62VMBVyffqfGMXhftN8RJq1+iEgBxSgtafD2gowsZP3Onu9 r0AuPRZdfRO8Ta+wYZc3HNezQwwSTA== =FWl5 -----END PGP SIGNATURE----- --=-=-=--