main/icu: fix CVE-2020-10531

see #11329
author: Leo <thinkabit.ukim@gmail.com> 2020-03-24 09:32:19 -0300
committer: Leo <thinkabit.ukim@gmail.com> 2020-03-24 18:22:18 -0300
commit: c352863a011aa92c700a861de9b92c6f7a923964 (patch)
tree: 24e54ccedea639070f972d6655b92dd2c27cd87a
parent: f6fc58556f31047a3a3e540d2d37372b251eafaf (diff)
download: alpine_aports-c352863a011aa92c700a861de9b92c6f7a923964.tar.bz2
alpine_aports-c352863a011aa92c700a861de9b92c6f7a923964.tar.xz
alpine_aports-c352863a011aa92c700a861de9b92c6f7a923964.zip
2 files changed, 112 insertions, 2 deletions
diff --git a/main/icu/APKBUILD b/main/icu/APKBUILD
index 1af5dbc75e..bbb903c758 100644
--- a/main/icu/APKBUILD
+++ b/main/icu/APKBUILD
@@ -6,7 +6,7 @@ pkgver=62.1
 # convert x.y.z to x_y_z
 _ver=${pkgver//./_}
-pkgrel=0
+pkgrel=1
 pkgdesc="International Components for Unicode library"
 url="http://www.icu-project.org/"
 arch="all"
@@ -17,9 +17,12 @@ depends_dev="$pkgname=$pkgver-r$pkgrel"
 checkdepends="diffutils"
 makedepends=
 source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz
+        CVE-2020-10531.patch
        "
 # secfixes:
+#   62.1-r1:
+#     - CVE-2020-10531
 #   57.1-r1:
 #     - CVE-2016-6293
 #   58.1-r1:
@@ -90,4 +93,5 @@ libs() {
        replaces="icu"
 }
-sha512sums="8295f2754fb6907e2cc8f515dccca05530963b544e89a2b8e323cd0ddfdbbe0c9eba8b367c1dbc04d7bb906b66b1003fd545ca05298939747c832c9d4431cf2a  icu4c-62_1-src.tgz"
+sha512sums="8295f2754fb6907e2cc8f515dccca05530963b544e89a2b8e323cd0ddfdbbe0c9eba8b367c1dbc04d7bb906b66b1003fd545ca05298939747c832c9d4431cf2a  icu4c-62_1-src.tgz
+cf3718d9f6a43de4e9a49d20080a04146f6b62c094d2fbd3efd898d7670c9a5ed28736a2c1e71c773a3f807dfeb8c262feeea7b9ea66bb147f58056608d7c3d6  CVE-2020-10531.patch"
diff --git a/main/icu/CVE-2020-10531.patch b/main/icu/CVE-2020-10531.patch
new file mode 100644
index 0000000000..f2eb712b1a
--- /dev/null
+++ b/main/icu/CVE-2020-10531.patch
@@ -0,0 +1,106 @@
+diff --git a/common/unistr.cpp b/common/unistr.cpp
+index 5d7cab2..78cf394 100644
+--- a/common/unistr.cpp
+++ b/common/unistr.cpp
+@@ -1544,7 +1544,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+   }
+ 
+   int32_t oldLength = length();
+-  int32_t newLength = oldLength + srcLength;
+  int32_t newLength;
+  if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
+    setToBogus();
+       return *this;
+  }
+   // optimize append() onto a large-enough, owned string
+   if((newLength <= getCapacity() && isBufferWritable()) ||
+       cloneArrayIfNeeded(newLength, getGrowCapacity(newLength))) {
+diff --git a/test/intltest/ustrtest.cpp b/test/intltest/ustrtest.cpp
+index 4b7cb7a..c5e5a80 100644
+--- a/test/intltest/ustrtest.cpp
+++ b/test/intltest/ustrtest.cpp
+@@ -64,6 +64,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+     TESTCASE_AUTO(TestUInt16Pointers);
+     TESTCASE_AUTO(TestWCharPointers);
+     TESTCASE_AUTO(TestNullPointers);
+    TESTCASE_AUTO(TestLargeAppend);
+     TESTCASE_AUTO_END;
+ }
+ 
+@@ -2248,3 +2249,64 @@ UnicodeStringTest::TestNullPointers() {
+     UnicodeString(u"def").extract(nullptr, 0, errorCode);
+     assertEquals("buffer overflow extracting to nullptr", U_BUFFER_OVERFLOW_ERROR, errorCode);
+ }
+
+void UnicodeStringTest::TestLargeAppend() {
+    if(quick) return;
+
+    IcuTestErrorCode status(*this, "TestLargeAppend");
+    // Make a large UnicodeString
+    int32_t len = 0xAFFFFFF;
+    UnicodeString str;
+    char16_t *buf = str.getBuffer(len);
+    // A fast way to set buffer to valid Unicode.
+    // 4E4E is a valid unicode character
+    uprv_memset(buf, 0x4e, len * 2);
+    str.releaseBuffer(len);
+    UnicodeString dest;
+    // Append it 16 times
+    // 0xAFFFFFF times 16 is 0xA4FFFFF1,
+    // which is greater than INT32_MAX, which is 0x7FFFFFFF.
+    int64_t total = 0;
+    for (int32_t i = 0; i < 16; i++) {
+        dest.append(str);
+        total += len;
+        if (total <= INT32_MAX) {
+            assertFalse("dest is not bogus", dest.isBogus());
+        } else {
+            assertTrue("dest should be bogus", dest.isBogus());
+        }
+    }
+    dest.remove();
+    total = 0;
+    for (int32_t i = 0; i < 16; i++) {
+        dest.append(str);
+        total += len;
+        if (total + len <= INT32_MAX) {
+            assertFalse("dest is not bogus", dest.isBogus());
+        } else if (total <= INT32_MAX) {
+            // Check that a string of exactly the maximum size works
+            UnicodeString str2;
+            int32_t remain = INT32_MAX - total;
+            char16_t *buf2 = str2.getBuffer(remain);
+            if (buf2 == nullptr) {
+                // if somehow memory allocation fail, return the test
+                return;
+            }
+            uprv_memset(buf2, 0x4e, remain * 2);
+            str2.releaseBuffer(remain);
+            dest.append(str2);
+            total += remain;
+            assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
+            assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
+            assertFalse("dest is not bogus", dest.isBogus());
+
+            // Check that a string size+1 goes bogus
+            str2.truncate(1);
+            dest.append(str2);
+            total++;
+            assertTrue("dest should be bogus", dest.isBogus());
+        } else {
+            assertTrue("dest should be bogus", dest.isBogus());
+        }
+    }
+}
+diff --git a/test/intltest/ustrtest.h b/test/intltest/ustrtest.h
+index 4ba348c..d2d5ee1 100644
+--- a/test/intltest/ustrtest.h
+++ b/test/intltest/ustrtest.h
+@@ -96,6 +96,7 @@ public:
+     void TestUInt16Pointers();
+     void TestWCharPointers();
+     void TestNullPointers();
+    void TestLargeAppend();
+ };
+ 
+ #endif
author	Leo <thinkabit.ukim@gmail.com>	2020-03-24 09:32:19 -0300
committer	Leo <thinkabit.ukim@gmail.com>	2020-03-24 18:22:18 -0300
commit	c352863a011aa92c700a861de9b92c6f7a923964 (patch)
tree	24e54ccedea639070f972d6655b92dd2c27cd87a
parent	f6fc58556f31047a3a3e540d2d37372b251eafaf (diff)
download	alpine_aports-c352863a011aa92c700a861de9b92c6f7a923964.tar.bz2 alpine_aports-c352863a011aa92c700a861de9b92c6f7a923964.tar.xz alpine_aports-c352863a011aa92c700a861de9b92c6f7a923964.zip

diff --git a/main/icu/APKBUILD b/main/icu/APKBUILD index 1af5dbc75e..bbb903c758 100644 --- a/main/icu/APKBUILD +++ b/main/icu/APKBUILD
@@ -6,7 +6,7 @@ pkgver=62.1
6	# convert x.y.z to x_y_z	6	# convert x.y.z to x_y_z
7	_ver=${pkgver//./_}	7	_ver=${pkgver//./_}
8		8
9	pkgrel=0	9	pkgrel=1
10	pkgdesc="International Components for Unicode library"	10	pkgdesc="International Components for Unicode library"
11	url="http://www.icu-project.org/"	11	url="http://www.icu-project.org/"
12	arch="all"	12	arch="all"
@@ -17,9 +17,12 @@ depends_dev="$pkgname=$pkgver-r$pkgrel"
17	checkdepends="diffutils"	17	checkdepends="diffutils"
18	makedepends=	18	makedepends=
19	source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz	19	source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz
		20	CVE-2020-10531.patch
20	"	21	"
21		22
22	# secfixes:	23	# secfixes:
		24	# 62.1-r1:
		25	# - CVE-2020-10531
23	# 57.1-r1:	26	# 57.1-r1:
24	# - CVE-2016-6293	27	# - CVE-2016-6293
25	# 58.1-r1:	28	# 58.1-r1:
@@ -90,4 +93,5 @@ libs() {
90	replaces="icu"	93	replaces="icu"
91	}	94	}
92		95
93	sha512sums="8295f2754fb6907e2cc8f515dccca05530963b544e89a2b8e323cd0ddfdbbe0c9eba8b367c1dbc04d7bb906b66b1003fd545ca05298939747c832c9d4431cf2a icu4c-62_1-src.tgz"	96	sha512sums="8295f2754fb6907e2cc8f515dccca05530963b544e89a2b8e323cd0ddfdbbe0c9eba8b367c1dbc04d7bb906b66b1003fd545ca05298939747c832c9d4431cf2a icu4c-62_1-src.tgz
		97	cf3718d9f6a43de4e9a49d20080a04146f6b62c094d2fbd3efd898d7670c9a5ed28736a2c1e71c773a3f807dfeb8c262feeea7b9ea66bb147f58056608d7c3d6 CVE-2020-10531.patch"


diff --git a/main/icu/CVE-2020-10531.patch b/main/icu/CVE-2020-10531.patch new file mode 100644 index 0000000000..f2eb712b1a --- /dev/null +++ b/main/icu/CVE-2020-10531.patch
@@ -0,0 +1,106 @@
		1	diff --git a/common/unistr.cpp b/common/unistr.cpp
		2	index 5d7cab2..78cf394 100644
		3	--- a/common/unistr.cpp
		4	+++ b/common/unistr.cpp
		5	@@ -1544,7 +1544,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
		6	}
		7
		8	int32_t oldLength = length();
		9	- int32_t newLength = oldLength + srcLength;
		10	+ int32_t newLength;
		11	+ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
		12	+ setToBogus();
		13	+ return *this;
		14	+ }
		15	// optimize append() onto a large-enough, owned string
		16	if((newLength <= getCapacity() && isBufferWritable()) \|\|
		17	cloneArrayIfNeeded(newLength, getGrowCapacity(newLength))) {
		18	diff --git a/test/intltest/ustrtest.cpp b/test/intltest/ustrtest.cpp
		19	index 4b7cb7a..c5e5a80 100644
		20	--- a/test/intltest/ustrtest.cpp
		21	+++ b/test/intltest/ustrtest.cpp
		22	@@ -64,6 +64,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
		23	TESTCASE_AUTO(TestUInt16Pointers);
		24	TESTCASE_AUTO(TestWCharPointers);
		25	TESTCASE_AUTO(TestNullPointers);
		26	+ TESTCASE_AUTO(TestLargeAppend);
		27	TESTCASE_AUTO_END;
		28	}
		29
		30	@@ -2248,3 +2249,64 @@ UnicodeStringTest::TestNullPointers() {
		31	UnicodeString(u"def").extract(nullptr, 0, errorCode);
		32	assertEquals("buffer overflow extracting to nullptr", U_BUFFER_OVERFLOW_ERROR, errorCode);
		33	}
		34	+
		35	+void UnicodeStringTest::TestLargeAppend() {
		36	+ if(quick) return;
		37	+
		38	+ IcuTestErrorCode status(*this, "TestLargeAppend");
		39	+ // Make a large UnicodeString
		40	+ int32_t len = 0xAFFFFFF;
		41	+ UnicodeString str;
		42	+ char16_t *buf = str.getBuffer(len);
		43	+ // A fast way to set buffer to valid Unicode.
		44	+ // 4E4E is a valid unicode character
		45	+ uprv_memset(buf, 0x4e, len * 2);
		46	+ str.releaseBuffer(len);
		47	+ UnicodeString dest;
		48	+ // Append it 16 times
		49	+ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
		50	+ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
		51	+ int64_t total = 0;
		52	+ for (int32_t i = 0; i < 16; i++) {
		53	+ dest.append(str);
		54	+ total += len;
		55	+ if (total <= INT32_MAX) {
		56	+ assertFalse("dest is not bogus", dest.isBogus());
		57	+ } else {
		58	+ assertTrue("dest should be bogus", dest.isBogus());
		59	+ }
		60	+ }
		61	+ dest.remove();
		62	+ total = 0;
		63	+ for (int32_t i = 0; i < 16; i++) {
		64	+ dest.append(str);
		65	+ total += len;
		66	+ if (total + len <= INT32_MAX) {
		67	+ assertFalse("dest is not bogus", dest.isBogus());
		68	+ } else if (total <= INT32_MAX) {
		69	+ // Check that a string of exactly the maximum size works
		70	+ UnicodeString str2;
		71	+ int32_t remain = INT32_MAX - total;
		72	+ char16_t *buf2 = str2.getBuffer(remain);
		73	+ if (buf2 == nullptr) {
		74	+ // if somehow memory allocation fail, return the test
		75	+ return;
		76	+ }
		77	+ uprv_memset(buf2, 0x4e, remain * 2);
		78	+ str2.releaseBuffer(remain);
		79	+ dest.append(str2);
		80	+ total += remain;
		81	+ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
		82	+ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
		83	+ assertFalse("dest is not bogus", dest.isBogus());
		84	+
		85	+ // Check that a string size+1 goes bogus
		86	+ str2.truncate(1);
		87	+ dest.append(str2);
		88	+ total++;
		89	+ assertTrue("dest should be bogus", dest.isBogus());
		90	+ } else {
		91	+ assertTrue("dest should be bogus", dest.isBogus());
		92	+ }
		93	+ }
		94	+}
		95	diff --git a/test/intltest/ustrtest.h b/test/intltest/ustrtest.h
		96	index 4ba348c..d2d5ee1 100644
		97	--- a/test/intltest/ustrtest.h
		98	+++ b/test/intltest/ustrtest.h
		99	@@ -96,6 +96,7 @@ public:
		100	void TestUInt16Pointers();
		101	void TestWCharPointers();
		102	void TestNullPointers();
		103	+ void TestLargeAppend();
		104	};
		105
		106	#endif