GNU bug report logs - #40227
[PATCH] gnu: icu4c: Fix CVE-2020-10531.

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 25 Mar 2020 18:37:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

Message #8 received at 40227 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 40227 <at> debbugs.gnu.org
Subject: Re: [bug#40227] [PATCH] gnu: icu4c: Fix CVE-2020-10531.
Date: Wed, 25 Mar 2020 21:23:33 +0100

[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> * gnu/packages/patches/icu4c-CVE-2020-10531.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/icu4c.scm (icu4c)[replacement]: New field.
> (icu4c/fixed): New variable.

[...]

> diff --git a/gnu/packages/patches/icu4c-CVE-2020-10531.patch b/gnu/packages/patches/icu4c-CVE-2020-10531.patch
> new file mode 100644
> index 0000000000..e996783e75
> --- /dev/null
> +++ b/gnu/packages/patches/icu4c-CVE-2020-10531.patch
> @@ -0,0 +1,126 @@
> +Fix CVE-2020-10531:
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531
> +
> +Patch copied from upstream source repository:
> +
> +https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
> +
> +From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
> +From: Frank Tang <ftang <at> chromium.org>
> +Date: Sat, 1 Feb 2020 02:39:04 +0000
> +Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
> +
> +See #971
> +---
> + icu4c/source/common/unistr.cpp          |  6 ++-
> + icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
> + icu4c/source/test/intltest/ustrtest.h   |  1 +
> + 3 files changed, 68 insertions(+), 1 deletion(-)

I'm not sure if the new test case as well as this git commit header is
necessary.  IMO it mostly adds noise to the patch.  I.e. the whole file
could be shortened to 6 lines + your comments at the top.

But no strong opinion, there is an argument to be made for preserving
upstream commits in their entirety too (I think).

So, LGTM either way.  Thank you!

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 5 years and 142 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.