
[alpine-aports] [PATCH edge] main/icu: security upgrade to 58.2 - fixes #6548

From: Sergey Lukin <sergej.lukin_at_gmail.com>
Date: Tue, 20 Dec 2016 14:12:49 +0000

CVE-2016-7415 Stack-based buffer overflow in locid.cpp
---
 main/icu/APKBUILD | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/main/icu/APKBUILD b/main/icu/APKBUILD
index a84f584f70..0cf163ecde 100644
--- a/main/icu/APKBUILD
+++ b/main/icu/APKBUILD
_at_@ -1,6 +1,7 @@
+# Contributor: Sergey Lukin <sergej.lukin_at_gmail.com>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=icu
-pkgver=57.1
+pkgver=58.2
 
 # convert x.y.z to x_y_z
 _ver=${pkgver//./_}
_at_@ -15,19 +16,25 @@ depends=
 makedepends=
 source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz
 	icu-timezone.patch
-	CVE-2016-6293.patch
 	"
 
 # secfixes:
 #   57.1-r1:
 #     - CVE-2016-6293
 
-_builddir="$srcdir"/icu/source
+builddir="$srcdir"/icu/source
 
 prepare() {
-	cd "$_builddir"
+	cd "$builddir"
 	update_config_sub || return 1
 
+	# strtod_l() is not supported by musl; also xlocale.h is missing
+	# It is not possible to disable its use via configure switches or env vars
+	# so monkey patching is needed. Idea was stollen from openembedded
+	# https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-support/icu/icu.inc#L30
+	sed -i -e 's,DU_HAVE_STRTOD_L=1,DU_HAVE_STRTOD_L=0,' configure.ac
+	sed -i -e 's,DU_HAVE_STRTOD_L=1,DU_HAVE_STRTOD_L=0,' configure
+
 	local x
 	# https://bugs.icu-project.org/trac/ticket/6102
 	for x in ARFLAGS CFLAGS CPPFLAGS CXXFLAGS FFLAGS LDFLAGS; do
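Review bot: The `# secfixes:` block in this hunk still lists only `57.1-r1` / `CVE-2016-6293`, yet the commit message names CVE-2016-7415 as the reason for the upgrade, so the new version carries no record of the fix it ships; add `#   58.2-r0:` followed by `#     - CVE-2016-7415` under the existing entry so the secfixes data stays accurate. The two added `sed -i` lines in prepare() also lack the `|| return 1` the surrounding lines use (`update_config_sub || return 1`), and `sed` exits 0 even when the `DU_HAVE_STRTOD_L=1` pattern is absent, so a future ICU release that renames the macro would silently skip the workaround; a `grep -q DU_HAVE_STRTOD_L=0 configure || return 1` after the second sed would catch that. The comment above them has a typo, `stollen` should be `stolen`. prepare() continues past the end of this hunk.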
_at_@ -46,7 +53,7 @@ prepare() {
 }
 
 build() {
-	cd "$_builddir"
+	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
_at_@ -60,7 +67,7 @@ build() {
 }
 
 package() {
-	cd "$_builddir"
+	cd "$builddir"
 	make -j1 DESTDIR="$pkgdir" install || return 1
 	chmod +x "$pkgdir"/usr/bin/icu-config
 	install -Dm644 "$srcdir"/icu/license.html \
_at_@ -72,12 +79,9 @@ libs() {
 	replaces="icu"
 }
 
-md5sums="976734806026a4ef8bdd17937c8898b9  icu4c-57_1-src.tgz
-2c81d9c9a6ea0af5b7391e001f37a5e0  icu-timezone.patch
-7e65666fd48718440d819748118834ba  CVE-2016-6293.patch"
-sha256sums="ff8c67cb65949b1e7808f2359f2b80f722697048e90e7cfc382ec1fe229e9581  icu4c-57_1-src.tgz
-1c3c432228ee254af7adc995d65b65a4c9dac3b868fe1e49fe588a0ffa55a158  icu-timezone.patch
-4b7322fa2d222bf20e74f8fb5d31f3ee44f214fc4b17e60dd89cc6252348435e  CVE-2016-6293.patch"
-sha512sums="a3c701e9c81622db545bcf93f315c7b13159750f43f009d0aec59ceae3a8e1ccb751826d4b8a7387aca47f38bff2a85816b1a123b07d2bf731558c7b66e47b8a  icu4c-57_1-src.tgz
-40489c36e28e160f08e045acab6c19cdb712ad3b7f87f67099deac7d579aaf13d8841cd3278a6bb0e998b5c34a378348a13fcc8bb14c9c4eb4f6adbd10d66825  icu-timezone.patch
-8fba91b583896c52c12a0c8327f12fb77826779e453f91752826143bfdd5d2a2abe8db9836cdb6e12bcd31b9c683c00163e7c787807209d2e87ee8558d6293fb  CVE-2016-6293.patch"
+md5sums="fac212b32b7ec7ab007a12dff1f3aea1  icu4c-58_2-src.tgz
+2c81d9c9a6ea0af5b7391e001f37a5e0  icu-timezone.patch"
+sha256sums="2b0a4410153a9b20de0e20c7d8b66049a72aef244b53683d0d7521371683da0c  icu4c-58_2-src.tgz
+1c3c432228ee254af7adc995d65b65a4c9dac3b868fe1e49fe588a0ffa55a158  icu-timezone.patch"
+sha512sums="5c21af748f48b392e6c0412bd0aee92162ea931820dcbfab4ec6e0299868504b303d88f7586cc95de55c777ac0dca3a29d6c8ca0892c646ebc864c8a5b5a162a  icu4c-58_2-src.tgz
+40489c36e28e160f08e045acab6c19cdb712ad3b7f87f67099deac7d579aaf13d8841cd3278a6bb0e998b5c34a378348a13fcc8bb14c9c4eb4f6adbd10d66825  icu-timezone.patch"
-- 
2.11.0