
65d54af49f31a808a8481f34a95887eba4c8bb57 — Mark H Weaver 10 years ago 257abeb
gnu: icu4c: Add fixes for CVE-2014-6585 and CVE-2015-1270.

* gnu/packages/patches/icu4c-CVE-2014-6585.patch,
  gnu/packages/patches/icu4c-CVE-2015-1270.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/icu4c.scm (icu4c)[source]: Add patches.
M gnu-system.am => gnu-system.am +2 -0
@@ 504,6 504,8 @@ dist_patch_DATA =						\
  gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch \
  gnu/packages/patches/icecat-freetype-2.6.patch		\
  gnu/packages/patches/icecat-libvpx-1.4.patch			\
  gnu/packages/patches/icu4c-CVE-2014-6585.patch		\
  gnu/packages/patches/icu4c-CVE-2015-1270.patch		\
  gnu/packages/patches/icu4c-CVE-2015-4760.patch		\
  gnu/packages/patches/imagemagick-test-segv.patch		\
  gnu/packages/patches/irrlicht-mesa-10.patch			\

M gnu/packages/icu4c.scm => gnu/packages/icu4c.scm +3 -1
@@ 38,7 38,9 @@
                   "-src.tgz"))
            (sha256
             (base32 "0ys5f5spizg45qlaa31j2lhgry0jka2gfha527n4ndfxxz5j4sz1"))
            (patches (list (search-patch "icu4c-CVE-2015-4760.patch")))))
            (patches (map search-patch '("icu4c-CVE-2014-6585.patch"
                                         "icu4c-CVE-2015-1270.patch"
                                         "icu4c-CVE-2015-4760.patch")))))
   (build-system gnu-build-system)
   (inputs
    `(("perl" ,perl)))

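--- a/gnu/packages/patches/icu4c-CVE-2014-6585.patch
+++ b/gnu/packages/patches/icu4c-CVE-2014-6585.patch
@@ -0,0 +1,21 @@
+Copied from Debian.
+
+description: out-of-bounds read
+origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6585
+
+--- a/source/layout/LETableReference.h
++++ b/source/layout/LETableReference.h
+@@ -322,7 +322,12 @@ LE_TRACE_TR("INFO: new RTAO")
+   }
+   
+   const T& operator()(le_uint32 i, LEErrorCode &success) const {
+-    return *getAlias(i,success);
++    const T *ret = getAlias(i,success);
++    if (LE_FAILURE(success) || ret==NULL) {
++      return *(new T());
++    } else {
++      return *ret;
++    }
+   }
+ 
+   size_t getOffsetFor(le_uint32 i, LEErrorCode &success) const {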
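Review bot: The new failure branch in `operator()`, `return *(new T());`, heap-allocates a `T` on every failed or NULL `getAlias()` lookup and hands back a reference that no caller can free, so input that keeps failing the bounds check trades the out-of-bounds read for unbounded memory growth. Returning a reference to one shared zero-valued object avoids that, for example `static const T zero = T(); return zero;` in place of the `new` line (this assumes `T` is a plain table struct, which the hunk does not show). If the patch has to stay byte-identical to the Debian copy, the file header should at least record the leak as a known limitation. The enclosing class begins before the hunk and `getOffsetFor` continues past it.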

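--- a/gnu/packages/patches/icu4c-CVE-2015-1270.patch
+++ b/gnu/packages/patches/icu4c-CVE-2015-1270.patch
@@ -0,0 +1,15 @@
+Copied from Debian.
+
+diff --git a/source/common/ucnv_io.cpp b/source/common/ucnv_io.cpp
+index 5dd35d8..4424664 100644
+--- a/source/common/ucnv_io.cpp
++++ b/source/common/ucnv_io.cpp
+@@ -744,7 +744,7 @@ ucnv_io_getConverterName(const char *alias, UBool *containsOption, UErrorCode *p
+              * the name begins with 'x-'. If it does, strip it off and try
+              * again.  This behaviour is similar to how ICU4J does it.
+              */
+-            if (aliasTmp[0] == 'x' || aliasTmp[1] == '-') {
++            if (aliasTmp[0] == 'x' && aliasTmp[1] == '-') {
+                 aliasTmp = aliasTmp+2;
+             } else {
+                 break;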
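Review bot: The header of this patch file is only `Copied from Debian.`, with no statement of the defect and no pointer to the upstream change, whereas icu4c-CVE-2014-6585.patch in the same commit carries `description:` and `origin:` lines. For a security fix carried downstream, that provenance is what lets an auditor confirm the hunk matches upstream and drop the patch once the package is updated. I would add, above the `diff --git` line, `description: "x-" prefix test used || instead of &&, so aliasTmp advanced two bytes when only one character matched` and `origin: <URL of the upstream ICU change or Debian patch>`. The body of `ucnv_io_getConverterName` starts and ends outside the hunk.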