Hello community,

here is the log from the commit of package icu for openSUSE:11.4
checked in at Mon Jan 16 15:38:21 CET 2012.



--------
--- old-versions/11.4/all/icu/icu.changes       2011-01-14 14:15:06.000000000 
+0100
+++ 11.4/icu/icu.changes        2012-01-12 23:44:35.000000000 +0100
@@ -1,0 +2,7 @@
+Thu Jan 12 22:31:06 UTC 2012 - [email protected]
+
+- Add icu-CVE-2010-4409.patch to fix symbol value check
+  (bnc#657910)
+- Fix out of bounds access (bnc#736146)
+
+-------------------------------------------------------------------

Package does not exist at destination yet. Using Fallback 
old-versions/11.4/all/icu
Destination is old-versions/11.4/UPDATES/all/icu
calling whatdependson for 11.4-i586


New:
----
  icu-CVE-2010-4409.patch
  icu-CVE-2011-4599.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ icu.spec ++++++
--- /var/tmp/diff_new_pack.NE4WdV/_old  2012-01-16 15:22:55.000000000 +0100
+++ /var/tmp/diff_new_pack.NE4WdV/_new  2012-01-16 15:22:55.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package icu
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
 License:        IBM PL
 Group:          System/Libraries
 Version:        4.4.2
-Release:        1
+Release:        4.<RELEASE5>
 Requires:       libicu = %{version}
 Url:            http://ibm.com/software/globalization/icu
 Source0:        icu4c-4_4_2-src.tar.bz2
@@ -33,6 +33,10 @@
 Patch0:         pkgdata.diff
 # PATCH-FIX-UPSTREAM icu44-rpmlint.diff -- 
http://bugs.icu-project.org/trac/ticket/7808
 Patch1:         icu44-rpmlint.diff
+# PATCH-FIX-UPSTREAM bnc657910 icu-CVE-2010-4409.patch [email protected] -- 
Taken from ICU Changeset 29683
+Patch2:         icu-CVE-2010-4409.patch
+# PATCH-FIX-UPSTREAM bnc736146 icu-CVE-2011-4599.patch [email protected] -- 
canonicalize2.patch from ICU#8984
+Patch3:         icu-CVE-2011-4599.patch
 # PATCH-FIX-OPENSUSE icu-remove-datetime.patch [email protected] -- Do not put 
date/time in icu-config (needed for build-compare)
 Patch99:        icu-remove-datetime.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -148,6 +152,8 @@
 %setup -q -n icu -a1
 %patch0 -p0
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 %patch99 -p1
 
 %build

++++++ icu-CVE-2010-4409.patch ++++++
Index: icu/source/i18n/unum.cpp
===================================================================
--- icu.orig/source/i18n/unum.cpp
+++ icu/source/i18n/unum.cpp
@@ -755,7 +755,7 @@ unum_getSymbol(const UNumberFormat *fmt,
         return 0;
     }
     
-    if(fmt==NULL || (uint16_t)symbol>=UNUM_FORMAT_SYMBOL_COUNT) {
+    if(fmt==NULL || symbol< 0 || symbol>=UNUM_FORMAT_SYMBOL_COUNT) {
         *status=U_ILLEGAL_ARGUMENT_ERROR;
         return 0;
     }
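Review bot: The range check in unum_getSymbol now compares `symbol` at full width, but nothing on the line records why the earlier `(uint16_t)` cast must not come back. With the cast, a value whose low 16 bits fall below `UNUM_FORMAT_SYMBOL_COUNT` passes the comparison, while the untruncated `symbol` is presumably what is used afterwards (that use is outside the hunk). A short comment above the condition, such as `/* compare symbol at full width: a narrowing cast lets out-of-range values wrap into range */`, would guard against that regression. The same applies to the matching check in unum_setSymbol in the next hunk; both function bodies start and end outside the hunks.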
@@ -782,7 +782,7 @@ unum_setSymbol(UNumberFormat *fmt,
         return;
     }
     
-    if(fmt==NULL || (uint16_t)symbol>=UNUM_FORMAT_SYMBOL_COUNT || value==NULL || length<-1) {
+    if(fmt==NULL || symbol< 0 || symbol>=UNUM_FORMAT_SYMBOL_COUNT || value==NULL || length<-1) {
         *status=U_ILLEGAL_ARGUMENT_ERROR;
         return;
     }
++++++ icu-CVE-2011-4599.patch ++++++
Index: icu/source/common/uloc.c
===================================================================
--- icu.orig/source/common/uloc.c
+++ icu/source/common/uloc.c
@@ -1736,7 +1736,7 @@ _canonicalize(const char* localeID,
                 int32_t variantLen = _deleteVariant(variant, uprv_min(variantSize, (nameCapacity-len)), variantToCompare, n);
                 len -= variantLen;
                 if (variantLen > 0) {
-                    if (name[len-1] == '_') { /* delete trailing '_' */
+                    if (len > 0 && name[len-1] == '_') { /* delete trailing '_' */
                         --len;
                     }
                     addKeyword = VARIANT_MAP[j].keyword;
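Review bot: The `name[len-1]` guard added inside the `variantLen > 0` branch checks only `len > 0`, while the guard added in the next hunk also checks `len <= nameCapacity`; the two should agree. The context line passes `nameCapacity-len` to `uprv_min`, which suggests `len` may be allowed to run past the buffer capacity, and if it can do so at this point the read is still out of bounds on the high side. Consider `if (len > 0 && len <= nameCapacity && name[len-1] == '_') {` here as well. `_canonicalize` starts and ends outside both hunks, so whether `len` is already bounded on this path cannot be confirmed from this page.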
@@ -1744,7 +1744,7 @@ _canonicalize(const char* localeID,
                     break;
                 }
             }
-            if (name[len-1] == '_') { /* delete trailing '_' */
+            if (len > 0 && len <= nameCapacity && name[len-1] == '_') { /* delete trailing '_' */
                 --len;
             }
         }
continue with "q"...



Remember to have fun...
