commit: 864e6a833c7eca237bdd792a831948c2b5b8d6c6 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> AuthorDate: Fri Nov 9 02:10:01 2018 +0000 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> CommitDate: Fri Nov 9 02:10:01 2018 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=864e6a83
dev-libs/icu: Fix CVE-2018-18928 Bug: https://bugs.gentoo.org/670456 Package-Manager: Portage-2.3.51, Repoman-2.3.12 Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> dev-libs/icu/files/icu-63.1-CVE-2018-18928.patch | 62 +++++++++ dev-libs/icu/icu-63.1-r1.ebuild | 161 +++++++++++++++++++++++ 2 files changed, 223 insertions(+) diff --git a/dev-libs/icu/files/icu-63.1-CVE-2018-18928.patch b/dev-libs/icu/files/icu-63.1-CVE-2018-18928.patch new file mode 100644 index 00000000000..bbbef9e793d --- /dev/null +++ b/dev-libs/icu/files/icu-63.1-CVE-2018-18928.patch @@ -0,0 +1,62 @@ +From 53d8c8f3d181d87a6aa925b449b51c4a2c922a51 Mon Sep 17 00:00:00 2001 +From: Shane Carr <[email protected]> +Date: Mon, 29 Oct 2018 23:52:44 -0700 +Subject: [PATCH] ICU-20246 Fixing another integer overflow in number parsing. + +--- + i18n/fmtable.cpp | 2 +- + i18n/number_decimalquantity.cpp | 5 ++++- + test/intltest/numfmtst.cpp | 8 ++++++++ + .../icu/impl/number/DecimalQuantity_AbstractBCD.java | 5 ++++- + .../impl/number/DecimalQuantity_DualStorageBCD.java | 10 +++++++++- + .../com/ibm/icu/dev/test/format/NumberFormatTest.java | 5 +++++ + 6 files changed, 31 insertions(+), 4 deletions(-) + +diff --git a/i18n/fmtable.cpp b/i18n/fmtable.cpp +index 45c7024fc29..8601d95f4a6 100644 +--- a/i18n/fmtable.cpp ++++ b/i18n/fmtable.cpp +@@ -734,7 +734,7 @@ CharString *Formattable::internalGetCharString(UErrorCode &status) { + // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?). + if (fDecimalQuantity->isZero()) { + fDecimalStr->append("0", -1, status); +- } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) { ++ } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) { + fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status); + } else { + fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status); +diff --git a/i18n/number_decimalquantity.cpp b/i18n/number_decimalquantity.cpp +index 47b930a564b..d5dd7ae694c 100644 +--- a/i18n/number_decimalquantity.cpp ++++ b/i18n/number_decimalquantity.cpp +@@ -898,7 +898,10 @@ UnicodeString DecimalQuantity::toScientificString() const { + } + result.append(u'E'); + int32_t _scale = upperPos + scale; +- if (_scale < 0) { ++ if (_scale == INT32_MIN) { ++ result.append({u"-2147483648", -1}); ++ return result; ++ } else if (_scale < 0) { + _scale *= -1; + result.append(u'-'); + } else { +diff --git a/test/intltest/numfmtst.cpp b/test/intltest/numfmtst.cpp +index 34355939113..8d52dc122bf 100644 +--- a/test/intltest/numfmtst.cpp ++++ b/test/intltest/numfmtst.cpp +@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_ScientificIntegerOverflow() { + assertEquals(u"Should not overflow and should parse only the first exponent", + u"1E-2147483647", + {sp.data(), sp.length(), US_INV}); ++ ++ // Test edge case overflow of exponent ++ result = Formattable(); ++ nf->parse(u".0003e-2147483644", result, status); ++ sp = result.getDecimalNumber(status); ++ assertEquals(u"Should not overflow", ++ u"3E-2147483648", ++ {sp.data(), sp.length(), US_INV}); + } + + void NumberFormatTest::Test13840_ParseLongStringCrash() { diff --git a/dev-libs/icu/icu-63.1-r1.ebuild b/dev-libs/icu/icu-63.1-r1.ebuild new file mode 100644 index 00000000000..7e60191de4e --- /dev/null +++ b/dev-libs/icu/icu-63.1-r1.ebuild @@ -0,0 +1,161 @@ +# Copyright 1999-2018 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit flag-o-matic toolchain-funcs autotools multilib-minimal + +DESCRIPTION="International Components for Unicode" +HOMEPAGE="http://www.icu-project.org/"; +SRC_URI="http://download.icu-project.org/files/icu4c/${PV/_/}/icu4c-${PV//./_}-src.tgz"; + +LICENSE="BSD" + +SLOT="0/${PV}" + +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris ~x86-winnt" +IUSE="debug doc examples static-libs" + +DEPEND=" + doc? ( app-doc/doxygen[dot] ) +" +BDEPEND=" + virtual/pkgconfig +" + +S="${WORKDIR}/${PN}/source" + +MULTILIB_CHOST_TOOLS=( + /usr/bin/icu-config +) + +PATCHES=( + "${FILESDIR}/${PN}-58.1-remove-bashisms.patch" + "${FILESDIR}/${PN}-58.2-darwin.patch" + "${FILESDIR}/${P}-CVE-2018-18928.patch" +) + +pkg_pretend() { + if tc-is-gcc ; then + if [[ $(gcc-major-version) == 4 && $(gcc-minor-version) -lt 9 \ + || $(gcc-major-version) -lt 4 ]] ; then + die "You need at least sys-devel/gcc-4.9" + fi + fi +} + +src_prepare() { + # apply patches + default + + local variable + + # Disable renaming as it is stupid thing to do + sed -i \ + -e "s/#define U_DISABLE_RENAMING 0/#define U_DISABLE_RENAMING 1/" \ + common/unicode/uconfig.h || die + + # Fix linking of icudata + sed -i \ + -e "s:LDFLAGSICUDT=-nodefaultlibs -nostdlib:LDFLAGSICUDT=:" \ + config/mh-linux || die + + # Append doxygen configuration to configure + sed -i \ + -e 's:icudefs.mk:icudefs.mk Doxyfile:' \ + configure.ac || die + + eautoreconf +} + +src_configure() { + # Use C++14 + append-cxxflags -std=c++14 + + if tc-is-gcc ; then + if [[ $(gcc-major-version) == 4 && $(gcc-minor-version) -lt 9 \ + || $(gcc-major-version) -lt 4 ]] ; then + die "You need at least sys-devel/gcc-4.9" + fi + fi + + if tc-is-cross-compiler; then + mkdir "${WORKDIR}"/host || die + pushd "${WORKDIR}"/host >/dev/null || die + + CFLAGS="" CXXFLAGS="" ASFLAGS="" LDFLAGS="" \ + CC="$(tc-getBUILD_CC)" CXX="$(tc-getBUILD_CXX)" AR="$(tc-getBUILD_AR)" \ + RANLIB="$(tc-getBUILD_RANLIB)" LD="$(tc-getBUILD_LD)" \ + "${S}"/configure --disable-renaming --disable-debug \ + --disable-samples --enable-static || die + emake + + popd >/dev/null || die + fi + + multilib-minimal_src_configure +} + +multilib_src_configure() { + local myeconfargs=( + --disable-renaming + --disable-samples + --disable-layoutex + $(use_enable debug) + $(use_enable static-libs static) + $(multilib_native_use_enable examples samples) + ) + + tc-is-cross-compiler && myeconfargs+=( + --with-cross-build="${WORKDIR}"/host + ) + + # icu tries to use clang by default + tc-export CC CXX + + # make sure we configure with the same shell as we run icu-config + # with, or ECHO_N, ECHO_T and ECHO_C will be wrongly defined + export CONFIG_SHELL="${EPREFIX}/bin/sh" + # probably have no /bin/sh in prefix-chain + [[ -x ${CONFIG_SHELL} ]] || CONFIG_SHELL="${BASH}" + + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" +} + +multilib_src_compile() { + default + + if multilib_is_native_abi && use doc; then + doxygen -u Doxyfile || die + doxygen Doxyfile || die + fi +} + +multilib_src_test() { + # INTLTEST_OPTS: intltest options + # -e: Exhaustive testing + # -l: Reporting of memory leaks + # -v: Increased verbosity + # IOTEST_OPTS: iotest options + # -e: Exhaustive testing + # -v: Increased verbosity + # CINTLTST_OPTS: cintltst options + # -e: Exhaustive testing + # -v: Increased verbosity + emake -j1 VERBOSE="1" check +} + +multilib_src_install() { + default + + if multilib_is_native_abi && use doc; then + docinto html + dodoc -r doc/html/* + fi +} + +multilib_src_install_all() { + einstalldocs + docinto html + dodoc ../readme.html +}
