GNU bug report logs - #28968
[PATCH] gnu: icu4c: Fix CVE-2017-14952.

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Tue, 24 Oct 2017 16:37:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 28968 in the body.
You can then email your comments to 28968 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#28968; Package guix-patches. (Tue, 24 Oct 2017 16:37:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 24 Oct 2017 16:37:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: icu4c: Fix CVE-2017-14952.
Date: Tue, 24 Oct 2017 12:36:30 -0400

* gnu/packages/patches/icu4c-CVE-2017-14952.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/icu4c.scm (icu4c)[replacement]: New field.
(icu4c-fixed): New variable.
---
 gnu/local.mk                                    |  1 +
 gnu/packages/icu4c.scm                          | 10 ++++++++++
 gnu/packages/patches/icu4c-CVE-2017-14952.patch | 18 ++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 gnu/packages/patches/icu4c-CVE-2017-14952.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6b70300ff..d02b25072 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -734,6 +734,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/hydra-disable-darcs-test.patch		\
   %D%/packages/patches/icecat-avoid-bundled-libraries.patch	\
   %D%/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch	\
+  %D%/packages/patches/icu4c-CVE-2017-14952.patch		\
   %D%/packages/patches/icu4c-reset-keyword-list-iterator.patch	\
   %D%/packages/patches/id3lib-CVE-2007-4460.patch			\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm
index 346128585..55bc9f203 100644
--- a/gnu/packages/icu4c.scm
+++ b/gnu/packages/icu4c.scm
@@ -32,6 +32,7 @@
 (define-public icu4c
   (package
    (name "icu4c")
+   (replacement icu4c-fixed)
    (version "58.2")
    (source (origin
             (method url-fetch)
@@ -70,6 +71,15 @@ C/C++ part.")
    (license x11)
    (home-page "http://site.icu-project.org/")))
 
+(define icu4c-fixed
+  (package
+    (inherit icu4c)
+    (source (origin
+              (inherit (package-source icu4c))
+              (patches (append
+                         (origin-patches (package-source icu4c))
+                         (search-patches "icu4c-CVE-2017-14952.patch")))))))
+
 (define-public java-icu4j
   (package
     (name "java-icu4j")
diff --git a/gnu/packages/patches/icu4c-CVE-2017-14952.patch b/gnu/packages/patches/icu4c-CVE-2017-14952.patch
new file mode 100644
index 000000000..564f69d01
--- /dev/null
+++ b/gnu/packages/patches/icu4c-CVE-2017-14952.patch
@@ -0,0 +1,18 @@
+Fix CVE-2017-14952:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14952
+
+Patch copied from upstream source repository:
+
+http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp#file0
+
+Index: trunk/icu4c/source/i18n/zonemeta.cpp
+===================================================================
+--- icu/source/i18n/zonemeta.cpp	(revision 40283)
++++ icu/source/i18n/zonemeta.cpp	(revision 40324)
+@@ -691,5 +691,4 @@
+                     if (U_FAILURE(status)) {
+                         delete mzMappings;
+-                        deleteOlsonToMetaMappingEntry(entry);
+                         uprv_free(entry);
+                         break;
-- 
2.14.3

Information forwarded to guix-patches <at> gnu.org:
bug#28968; Package guix-patches. (Tue, 24 Oct 2017 16:56:01 GMT) Full text and rfc822 format available.

Message #8 received at 28968 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 28968 <at> debbugs.gnu.org
Subject: Re: [bug#28968] [PATCH] gnu: icu4c: Fix CVE-2017-14952.
Date: Tue, 24 Oct 2017 09:55:13 -0700

Leo Famulari <leo <at> famulari.name> skribis:

> * gnu/packages/patches/icu4c-CVE-2017-14952.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/icu4c.scm (icu4c)[replacement]: New field.
> (icu4c-fixed): New variable.

LGTM, thank you!

Ludo’.

bug closed, send any further explanations to 28968 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name> Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Tue, 24 Oct 2017 17:12:01 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 22 Nov 2017 12:24:03 GMT) Full text and rfc822 format available.

This bug report was last modified 7 years and 212 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #28968 [PATCH] gnu: icu4c: Fix CVE-2017-14952.

GNU bug report logs - #28968
[PATCH] gnu: icu4c: Fix CVE-2017-14952.