Package: guix-patches;
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Wed, 19 Apr 2017 23:54:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 26571 in the body.
You can then email your comments to 26571 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
guix-patches <at> gnu.org:bug#26571; Package guix-patches.
(Wed, 19 Apr 2017 23:54:02 GMT) Full text and rfc822 format available.Leo Famulari <leo <at> famulari.name>:guix-patches <at> gnu.org.
(Wed, 19 Apr 2017 23:54:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH 1/1] gnu: icu4c: Fix CVE-2017-{7867,7868}.
Date: Wed, 19 Apr 2017 19:52:13 -0400
* gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/icu4c.scm (icu4c/fixed)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/icu4c.scm | 3 +-
.../icu4c-CVE-2017-7867-CVE-2017-7868.patch | 164 +++++++++++++++++++++
3 files changed, 167 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 6e0c3eb42..90268c485 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -657,6 +657,7 @@ dist_patch_DATA = \
%D%/packages/patches/hypre-ldflags.patch \
%D%/packages/patches/icecat-avoid-bundled-libraries.patch \
%D%/packages/patches/icecat-binutils.patch \
+ %D%/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch \
%D%/packages/patches/icu4c-reset-keyword-list-iterator.patch \
%D%/packages/patches/id3lib-CVE-2007-4460.patch \
%D%/packages/patches/ilmbase-fix-tests.patch \
diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm
index 2b5144100..9f465b102 100644
--- a/gnu/packages/icu4c.scm
+++ b/gnu/packages/icu4c.scm
@@ -73,4 +73,5 @@ C/C++ part.")
(source (origin
(inherit (package-source icu4c))
(patches
- (search-patches "icu4c-reset-keyword-list-iterator.patch"))))))
+ (search-patches "icu4c-CVE-2017-7867-CVE-2017-7868.patch"
+ "icu4c-reset-keyword-list-iterator.patch"))))))
diff --git a/gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch b/gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch
new file mode 100644
index 000000000..4db8f2799
--- /dev/null
+++ b/gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch
@@ -0,0 +1,164 @@
+Fix CVE-2017-7867 and CVE-2017-7868:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7867
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7868
+
+Patch copied from upstream source repository:
+
+http://bugs.icu-project.org/trac/changeset/39671
+
+Index: icu/source/common/utext.cpp
+===================================================================
+--- icu/source/common/utext.cpp (revision 39670)
++++ icu/source/common/utext.cpp (revision 39671)
+@@ -848,7 +848,13 @@
+
+ // Chunk size.
+-// Must be less than 85, because of byte mapping from UChar indexes to native indexes.
+-// Worst case is three native bytes to one UChar. (Supplemenaries are 4 native bytes
+-// to two UChars.)
++// Must be less than 42 (256/6), because of byte mapping from UChar indexes to native indexes.
++// Worst case there are six UTF-8 bytes per UChar.
++// obsolete 6 byte form fd + 5 trails maps to fffd
++// obsolete 5 byte form fc + 4 trails maps to fffd
++// non-shortest 4 byte forms maps to fffd
++// normal supplementaries map to a pair of utf-16, two utf8 bytes per utf-16 unit
++// mapToUChars array size must allow for the worst case, 6.
++// This could be brought down to 4, by treating fd and fc as pure illegal,
++// rather than obsolete lead bytes. But that is not compatible with the utf-8 access macros.
+ //
+ enum { UTF8_TEXT_CHUNK_SIZE=32 };
+@@ -890,5 +896,5 @@
+ // one for a supplementary starting in the last normal position,
+ // and one for an entry for the buffer limit position.
+- uint8_t mapToUChars[UTF8_TEXT_CHUNK_SIZE*3+6]; // Map native offset from bufNativeStart to
++ uint8_t mapToUChars[UTF8_TEXT_CHUNK_SIZE*6+6]; // Map native offset from bufNativeStart to
+ // correspoding offset in filled part of buf.
+ int32_t align;
+@@ -1033,4 +1039,5 @@
+ u8b = (UTF8Buf *)ut->p; // the current buffer
+ mapIndex = ix - u8b->toUCharsMapStart;
++ U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars));
+ ut->chunkOffset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx;
+ return TRUE;
+@@ -1299,4 +1306,8 @@
+ // If index is at the end, there is no character there to look at.
+ if (ix != ut->b) {
++ // Note: this function will only move the index back if it is on a trail byte
++ // and there is a preceding lead byte and the sequence from the lead
++ // through this trail could be part of a valid UTF-8 sequence
++ // Otherwise the index remains unchanged.
+ U8_SET_CP_START(s8, 0, ix);
+ }
+@@ -1312,5 +1323,8 @@
+ uint8_t *mapToNative = u8b->mapToNative;
+ uint8_t *mapToUChars = u8b->mapToUChars;
+- int32_t toUCharsMapStart = ix - (UTF8_TEXT_CHUNK_SIZE*3 + 1);
++ int32_t toUCharsMapStart = ix - sizeof(UTF8Buf::mapToUChars) + 1;
++ // Note that toUCharsMapStart can be negative. Happens when the remaining
++ // text from current position to the beginning is less than the buffer size.
++ // + 1 because mapToUChars must have a slot at the end for the bufNativeLimit entry.
+ int32_t destIx = UTF8_TEXT_CHUNK_SIZE+2; // Start in the overflow region
+ // at end of buffer to leave room
+@@ -1339,4 +1353,5 @@
+ // Special case ASCII range for speed.
+ buf[destIx] = (UChar)c;
++ U_ASSERT(toUCharsMapStart <= srcIx);
+ mapToUChars[srcIx - toUCharsMapStart] = (uint8_t)destIx;
+ mapToNative[destIx] = (uint8_t)(srcIx - toUCharsMapStart);
+@@ -1368,4 +1383,5 @@
+ mapToUChars[sIx-- - toUCharsMapStart] = (uint8_t)destIx;
+ } while (sIx >= srcIx);
++ U_ASSERT(toUCharsMapStart <= (srcIx+1));
+
+ // Set native indexing limit to be the current position.
+@@ -1542,4 +1558,5 @@
+ U_ASSERT(index<=ut->chunkNativeLimit);
+ int32_t mapIndex = index - u8b->toUCharsMapStart;
++ U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars));
+ int32_t offset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx;
+ U_ASSERT(offset>=0 && offset<=ut->chunkLength);
+Index: icu/source/test/intltest/utxttest.cpp
+===================================================================
+--- icu/source/test/intltest/utxttest.cpp (revision 39670)
++++ icu/source/test/intltest/utxttest.cpp (revision 39671)
+@@ -68,4 +68,6 @@
+ case 7: name = "Ticket12130";
+ if (exec) Ticket12130(); break;
++ case 8: name = "Ticket12888";
++ if (exec) Ticket12888(); break;
+ default: name = ""; break;
+ }
+@@ -1584,2 +1586,62 @@
+ utext_close(&ut);
+ }
++
++// Ticket 12888: bad handling of illegal utf-8 containing many instances of the archaic, now illegal,
++// six byte utf-8 forms. Original implementation had an assumption that
++// there would be at most three utf-8 bytes per UTF-16 code unit.
++// The five and six byte sequences map to a single replacement character.
++
++void UTextTest::Ticket12888() {
++ const char *badString =
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80";
++
++ UErrorCode status = U_ZERO_ERROR;
++ LocalUTextPointer ut(utext_openUTF8(NULL, badString, -1, &status));
++ TEST_SUCCESS(status);
++ for (;;) {
++ UChar32 c = utext_next32(ut.getAlias());
++ if (c == U_SENTINEL) {
++ break;
++ }
++ }
++ int32_t endIdx = utext_getNativeIndex(ut.getAlias());
++ if (endIdx != (int32_t)strlen(badString)) {
++ errln("%s:%d expected=%d, actual=%d", __FILE__, __LINE__, strlen(badString), endIdx);
++ return;
++ }
++
++ for (int32_t prevIndex = endIdx; prevIndex>0;) {
++ UChar32 c = utext_previous32(ut.getAlias());
++ int32_t currentIndex = utext_getNativeIndex(ut.getAlias());
++ if (c != 0xfffd) {
++ errln("%s:%d (expected, actual, index) = (%d, %d, %d)\n",
++ __FILE__, __LINE__, 0xfffd, c, currentIndex);
++ break;
++ }
++ if (currentIndex != prevIndex - 6) {
++ errln("%s:%d: wrong index. Expected, actual = %d, %d",
++ __FILE__, __LINE__, prevIndex - 6, currentIndex);
++ break;
++ }
++ prevIndex = currentIndex;
++ }
++}
+Index: icu/source/test/intltest/utxttest.h
+===================================================================
+--- icu/source/test/intltest/utxttest.h (revision 39670)
++++ icu/source/test/intltest/utxttest.h (revision 39671)
+@@ -39,4 +39,5 @@
+ void Ticket10983();
+ void Ticket12130();
++ void Ticket12888();
+
+ private:
--
2.12.2
guix-patches <at> gnu.org:bug#26571; Package guix-patches.
(Thu, 20 Apr 2017 12:18:02 GMT) Full text and rfc822 format available.Message #8 received at 26571 <at> debbugs.gnu.org (full text, mbox):
From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 26571 <at> debbugs.gnu.org
Subject: Re: bug#26571: [PATCH 1/1] gnu: icu4c: Fix CVE-2017-{7867,7868}.
Date: Thu, 20 Apr 2017 14:16:49 +0200
Leo Famulari <leo <at> famulari.name> skribis: > * gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. > * gnu/packages/icu4c.scm (icu4c/fixed)[source]: Use it. LGTM. Thank you! Ludo’.
Leo Famulari <leo <at> famulari.name>:Leo Famulari <leo <at> famulari.name>:Message #13 received at 26571-done <at> debbugs.gnu.org (full text, mbox):
From: Leo Famulari <leo <at> famulari.name>
Cc: 26571-done <at> debbugs.gnu.org
Subject: Re: bug#26571: [PATCH 1/1] gnu: icu4c: Fix CVE-2017-{7867,7868}.
Date: Thu, 20 Apr 2017 12:00:19 -0400
[Message part 1 (text/plain, inline)]
On Thu, Apr 20, 2017 at 02:16:49PM +0200, Ludovic Courtès wrote: > Leo Famulari <leo <at> famulari.name> skribis: > > > * gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch: New file. > > * gnu/local.mk (dist_patch_DATA): Add it. > > * gnu/packages/icu4c.scm (icu4c/fixed)[source]: Use it. > > LGTM. > > Thank you! Thanks for the review! Pushed as e795a3d2ce482d808f94e5be148e90d81c3765e0
[signature.asc (application/pgp-signature, inline)]
Debbugs Internal Request <help-debbugs <at> gnu.org>
to internal_control <at> debbugs.gnu.org.
(Fri, 19 May 2017 11:24:04 GMT) Full text and rfc822 format available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.