aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2020-04-02 17:06:24 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2020-04-02 17:06:39 +0200
commit248b3fa9ef3ac2d1eecc6514fa4e1e9368fa4d86 (patch)
tree803851ee86deee0922b58058dd72565054cd423e
parentd6095f7dc165058ba032d27622224dc4ed2a78cc (diff)
downloadaports-248b3fa9ef3ac2d1eecc6514fa4e1e9368fa4d86.tar.gz
aports-248b3fa9ef3ac2d1eecc6514fa4e1e9368fa4d86.tar.bz2
aports-248b3fa9ef3ac2d1eecc6514fa4e1e9368fa4d86.tar.xz
main/icu: fix CVE-2020-10531
fixes #11329
-rw-r--r--main/icu/APKBUILD10
-rw-r--r--main/icu/CVE-2020-10531.patch132
2 files changed, 139 insertions, 3 deletions
diff --git a/main/icu/APKBUILD b/main/icu/APKBUILD
index 60aba72565..acf2d04f99 100644
--- a/main/icu/APKBUILD
+++ b/main/icu/APKBUILD
@@ -6,7 +6,7 @@ pkgver=60.2
# convert x.y.z to x_y_z
_ver=${pkgver//./_}
-pkgrel=2
+pkgrel=3
pkgdesc="International Components for Unicode library"
url="http://www.icu-project.org/"
arch="all"
@@ -16,9 +16,12 @@ depends=
checkdepends="diffutils"
makedepends=
source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz
+ CVE-2020-10531.patch
"
# secfixes:
+# 60.2-r3:
+# - CVE-2020-10531
# 57.1-r1:
# - CVE-2016-6293
# 58.1-r1:
@@ -58,7 +61,7 @@ build() {
--disable-samples \
--enable-static \
--mandir=/usr/share/man
- make
+ make VERBOSE=1
}
check() {
@@ -87,4 +90,5 @@ libs() {
replaces="icu"
}
-sha512sums="8e718e66c13e7f25714404c46b91ed6305efff1df70c328be2ec743023a7719016dae72a5fa0a05d6f5599983590a2044ff72d3453a048d987ab546d0416d694 icu4c-60_2-src.tgz"
+sha512sums="8e718e66c13e7f25714404c46b91ed6305efff1df70c328be2ec743023a7719016dae72a5fa0a05d6f5599983590a2044ff72d3453a048d987ab546d0416d694 icu4c-60_2-src.tgz
+9d7a7fe59b89978b2f649539532891525672f9c1678d09218e34e06dbf7339dafc5b71a80ef3801deb5573a6e729e83061333b723f1c138e109c55458b36e21a CVE-2020-10531.patch"
diff --git a/main/icu/CVE-2020-10531.patch b/main/icu/CVE-2020-10531.patch
new file mode 100644
index 0000000000..3daeecd4ab
--- /dev/null
+++ b/main/icu/CVE-2020-10531.patch
@@ -0,0 +1,132 @@
+Backported of:
+
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+
+See #971
+diff --git a/source/common/unistr.cpp b/source/common/unistr.cpp
+index 1bfb71a..e8a7f12 100644
+--- a/common/unistr.cpp
++++ b/common/unistr.cpp
+@@ -75,6 +75,17 @@ print(const UChar *s,
+ // END DEBUGGING
+ #endif
+
++// Adding this function as support of CVE-2020-10531
++// since this version has not uprv_add32_overflow
++// implement it here.
++UBool uprv_add32_overflow(int32_t a, int32_t b, int32_t* res) {
++ auto a64 = static_cast<int64_t>(a);
++ auto b64 = static_cast<int64_t>(b);
++ int64_t res64 = a64 + b64;
++ *res = static_cast<int32_t>(res64);
++ return res64 != *res;
++}
++
+ // Local function definitions for now
+
+ // need to copy areas that may overlap
+@@ -1546,7 +1557,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+ }
+
+ int32_t oldLength = length();
+- int32_t newLength = oldLength + srcLength;
++ int32_t newLength;
++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
++ setToBogus();
++ return *this;
++ }
+ // optimize append() onto a large-enough, owned string
+ if((newLength <= getCapacity() && isBufferWritable()) ||
+ cloneArrayIfNeeded(newLength, getGrowCapacity(newLength))) {
+diff --git a/source/test/intltest/ustrtest.cpp b/source/test/intltest/ustrtest.cpp
+index b361e20..9b613d3 100644
+--- a/test/intltest/ustrtest.cpp
++++ b/test/intltest/ustrtest.cpp
+@@ -64,6 +64,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+ TESTCASE_AUTO(TestUInt16Pointers);
+ TESTCASE_AUTO(TestWCharPointers);
+ TESTCASE_AUTO(TestNullPointers);
++ TESTCASE_AUTO(TestLargeAppend);
+ TESTCASE_AUTO_END;
+ }
+
+@@ -2253,3 +2254,64 @@ UnicodeStringTest::TestNullPointers() {
+ UnicodeString(u"def").extract(nullptr, 0, errorCode);
+ assertEquals("buffer overflow extracting to nullptr", U_BUFFER_OVERFLOW_ERROR, errorCode);
+ }
++
++void UnicodeStringTest::TestLargeAppend() {
++ if(quick) return;
++
++ IcuTestErrorCode status(*this, "TestLargeAppend");
++ // Make a large UnicodeString
++ int32_t len = 0xAFFFFFF;
++ UnicodeString str;
++ char16_t *buf = str.getBuffer(len);
++ // A fast way to set buffer to valid Unicode.
++ // 4E4E is a valid unicode character
++ uprv_memset(buf, 0x4e, len * 2);
++ str.releaseBuffer(len);
++ UnicodeString dest;
++ // Append it 16 times
++ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++ int64_t total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++ dest.remove();
++ total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total + len <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else if (total <= INT32_MAX) {
++ // Check that a string of exactly the maximum size works
++ UnicodeString str2;
++ int32_t remain = INT32_MAX - total;
++ char16_t *buf2 = str2.getBuffer(remain);
++ if (buf2 == nullptr) {
++ // if somehow memory allocation fail, return the test
++ return;
++ }
++ uprv_memset(buf2, 0x4e, remain * 2);
++ str2.releaseBuffer(remain);
++ dest.append(str2);
++ total += remain;
++ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++ assertFalse("dest is not bogus", dest.isBogus());
++
++ // Check that a string size+1 goes bogus
++ str2.truncate(1);
++ dest.append(str2);
++ total++;
++ assertTrue("dest should be bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++}
+diff --git a/source/test/intltest/ustrtest.h b/source/test/intltest/ustrtest.h
+index 4ba348c..d2d5ee1 100644
+--- a/test/intltest/ustrtest.h
++++ b/test/intltest/ustrtest.h
+@@ -96,6 +96,7 @@ public:
+ void TestUInt16Pointers();
+ void TestWCharPointers();
+ void TestNullPointers();
++ void TestLargeAppend();
+ };
+
+ #endif