From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:470:142:3::10]:47174) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jHAtl-00072r-Ip for guix-patches@gnu.org; Wed, 25 Mar 2020 14:37:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jHAtj-0007RL-9h for guix-patches@gnu.org; Wed, 25 Mar 2020 14:37:05 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:51766) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1jHAtj-0007RH-6f for guix-patches@gnu.org; Wed, 25 Mar 2020 14:37:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1jHAti-0004CL-2j for guix-patches@gnu.org; Wed, 25 Mar 2020 14:37:02 -0400 Subject: [bug#40227] [PATCH] gnu: icu4c: Fix CVE-2020-10531. Resent-Message-ID: Received: from eggs.gnu.org ([2001:470:142:3::10]:47129) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jHAt5-0006xM-R1 for guix-patches@gnu.org; Wed, 25 Mar 2020 14:36:26 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jHAt2-0007Hf-Es for guix-patches@gnu.org; Wed, 25 Mar 2020 14:36:23 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:40117) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1jHAt1-0007Fd-E5 for guix-patches@gnu.org; Wed, 25 Mar 2020 14:36:20 -0400 Received: from jasmine.lan (c-76-124-138-63.hsd1.pa.comcast.net [76.124.138.63]) by mail.messagingengine.com (Postfix) with ESMTPA id 11107328005D for ; Wed, 25 Mar 2020 14:36:15 -0400 (EDT) From: Leo Famulari Date: Wed, 25 Mar 2020 14:36:03 -0400 Message-Id: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 40227@debbugs.gnu.org * gnu/packages/patches/icu4c-CVE-2020-10531.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/icu4c.scm (icu4c)[replacement]: New field. (icu4c/fixed): New variable. --- gnu/local.mk | 1 + gnu/packages/icu4c.scm | 11 ++ .../patches/icu4c-CVE-2020-10531.patch | 126 ++++++++++++++++++ 3 files changed, 138 insertions(+) create mode 100644 gnu/packages/patches/icu4c-CVE-2020-10531.patch diff --git a/gnu/local.mk b/gnu/local.mk index 7cce60b7c0..c905bd3b37 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1033,6 +1033,7 @@ dist_patch_DATA = \ %D%/packages/patches/icecat-use-system-media-libs.patch \ %D%/packages/patches/icedtea-6-hotspot-gcc-segfault-workaround.patch \ %D%/packages/patches/icedtea-7-hotspot-gcc-segfault-workaround.patch \ + %D%/packages/patches/icu4c-CVE-2020-10531.patch \ %D%/packages/patches/id3lib-CVE-2007-4460.patch \ %D%/packages/patches/id3lib-UTF16-writing-bug.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \ diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm index 922dfbd348..bc74da5942 100644 --- a/gnu/packages/icu4c.scm +++ b/gnu/packages/icu4c.scm @@ -56,6 +56,7 @@ (define-public icu4c (package (name "icu4c") + (replacement icu4c/fixed) (version "64.2") (source (origin (method url-fetch) @@ -105,6 +106,16 @@ C/C++ part.") (license x11) (home-page "http://site.icu-project.org/"))) +(define icu4c/fixed + (package + (inherit icu4c) + (source (origin + (inherit (package-source icu4c)) + (patches (append + (origin-patches (package-source icu4c)) + (search-patches + "icu4c-CVE-2020-10531.patch"))))))) + (define-public java-icu4j (package (name "java-icu4j") diff --git a/gnu/packages/patches/icu4c-CVE-2020-10531.patch b/gnu/packages/patches/icu4c-CVE-2020-10531.patch new file mode 100644 index 0000000000..e996783e75 --- /dev/null +++ b/gnu/packages/patches/icu4c-CVE-2020-10531.patch @@ -0,0 +1,126 @@ +Fix CVE-2020-10531: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531 + +Patch copied from upstream source repository: + +https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca + +From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001 +From: Frank Tang +Date: Sat, 1 Feb 2020 02:39:04 +0000 +Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append + +See #971 +--- + icu4c/source/common/unistr.cpp | 6 ++- + icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++ + icu4c/source/test/intltest/ustrtest.h | 1 + + 3 files changed, 68 insertions(+), 1 deletion(-) + +diff --git a/icu4c/source/common/unistr.cpp b/icu4c/source/common/unistr.cpp +index 901bb3358ba..077b4d6ef20 100644 +--- a/icu4c/source/common/unistr.cpp ++++ b/icu4c/source/common/unistr.cpp +@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng + } + + int32_t oldLength = length(); +- int32_t newLength = oldLength + srcLength; ++ int32_t newLength; ++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) { ++ setToBogus(); ++ return *this; ++ } + + // Check for append onto ourself + const UChar* oldArray = getArrayStart(); +diff --git a/icu4c/source/test/intltest/ustrtest.cpp b/icu4c/source/test/intltest/ustrtest.cpp +index b6515ea813c..ad38bdf53a3 100644 +--- a/icu4c/source/test/intltest/ustrtest.cpp ++++ b/icu4c/source/test/intltest/ustrtest.cpp +@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* & + TESTCASE_AUTO(TestWCharPointers); + TESTCASE_AUTO(TestNullPointers); + TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf); ++ TESTCASE_AUTO(TestLargeAppend); + TESTCASE_AUTO_END; + } + +@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() { + str.insert(2, sub); + assertEquals("", u"abbcdcde", str); + } ++ ++void UnicodeStringTest::TestLargeAppend() { ++ if(quick) return; ++ ++ IcuTestErrorCode status(*this, "TestLargeAppend"); ++ // Make a large UnicodeString ++ int32_t len = 0xAFFFFFF; ++ UnicodeString str; ++ char16_t *buf = str.getBuffer(len); ++ // A fast way to set buffer to valid Unicode. ++ // 4E4E is a valid unicode character ++ uprv_memset(buf, 0x4e, len * 2); ++ str.releaseBuffer(len); ++ UnicodeString dest; ++ // Append it 16 times ++ // 0xAFFFFFF times 16 is 0xA4FFFFF1, ++ // which is greater than INT32_MAX, which is 0x7FFFFFFF. ++ int64_t total = 0; ++ for (int32_t i = 0; i < 16; i++) { ++ dest.append(str); ++ total += len; ++ if (total <= INT32_MAX) { ++ assertFalse("dest is not bogus", dest.isBogus()); ++ } else { ++ assertTrue("dest should be bogus", dest.isBogus()); ++ } ++ } ++ dest.remove(); ++ total = 0; ++ for (int32_t i = 0; i < 16; i++) { ++ dest.append(str); ++ total += len; ++ if (total + len <= INT32_MAX) { ++ assertFalse("dest is not bogus", dest.isBogus()); ++ } else if (total <= INT32_MAX) { ++ // Check that a string of exactly the maximum size works ++ UnicodeString str2; ++ int32_t remain = INT32_MAX - total; ++ char16_t *buf2 = str2.getBuffer(remain); ++ if (buf2 == nullptr) { ++ // if somehow memory allocation fail, return the test ++ return; ++ } ++ uprv_memset(buf2, 0x4e, remain * 2); ++ str2.releaseBuffer(remain); ++ dest.append(str2); ++ total += remain; ++ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total); ++ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length()); ++ assertFalse("dest is not bogus", dest.isBogus()); ++ ++ // Check that a string size+1 goes bogus ++ str2.truncate(1); ++ dest.append(str2); ++ total++; ++ assertTrue("dest should be bogus", dest.isBogus()); ++ } else { ++ assertTrue("dest should be bogus", dest.isBogus()); ++ } ++ } ++} +diff --git a/icu4c/source/test/intltest/ustrtest.h b/icu4c/source/test/intltest/ustrtest.h +index 218befdcc68..4a356a92c7a 100644 +--- a/icu4c/source/test/intltest/ustrtest.h ++++ b/icu4c/source/test/intltest/ustrtest.h +@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest { + void TestWCharPointers(); + void TestNullPointers(); + void TestUnicodeStringInsertAppendToSelf(); ++ void TestLargeAppend(); + }; + + #endif -- 2.26.0