
[alpine-aports] [PATCH edge] main/icu: security upgrade to 58.1 - fixes #6548

From: Sergey Lukin <sergej.lukin_at_gmail.com>
Date: Tue, 20 Dec 2016 13:48:46 +0000

CVE-2016-7415 Stack based buffer overflow in locid.cpp
---
 main/icu/APKBUILD | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/main/icu/APKBUILD b/main/icu/APKBUILD
index a84f584f70..c7755041b0 100644
--- a/main/icu/APKBUILD
+++ b/main/icu/APKBUILD
_at_@ -1,6 +1,7 @@
+# Contributor: Sergey Lukin <sergej.lukin_at_gmail.com>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=icu
-pkgver=57.1
+pkgver=58.1
 
 # convert x.y.z to x_y_z
 _ver=${pkgver//./_}
_at_@ -15,19 +16,25 @@ depends=
 makedepends=
 source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz
 	icu-timezone.patch
-	CVE-2016-6293.patch
 	"
 
 # secfixes:
 #   57.1-r1:
 #     - CVE-2016-6293
 
-_builddir="$srcdir"/icu/source
+builddir="$srcdir"/icu/source
 
 prepare() {
-	cd "$_builddir"
+	cd "$builddir"
 	update_config_sub || return 1
 
+	# strtod_l() is not supported by musl; also xlocale.h is missing
+	# It is not possible to disable its use via configure switches or env vars
+	# so monkey patching is needed. Idea was stollen from openembedded
+	# https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-support/icu/icu.inc#L30
+	sed -i -e 's,DU_HAVE_STRTOD_L=1,DU_HAVE_STRTOD_L=0,' configure.ac
+	sed -i -e 's,DU_HAVE_STRTOD_L=1,DU_HAVE_STRTOD_L=0,' configure
+
 	local x
 	# https://bugs.icu-project.org/trac/ticket/6102
 	for x in ARFLAGS CFLAGS CPPFLAGS CXXFLAGS FFLAGS LDFLAGS; do
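Review bot: The `# secfixes:` block still lists only `57.1-r1: CVE-2016-6293`, although the patch title says 58.1 fixes CVE-2016-7415 and the dropped CVE-2016-6293.patch shows that fix is now carried by the upstream release; add an entry `#   58.1-r0:` / `#     - CVE-2016-7415` above the existing one (assuming pkgrel resets to 0, which the hunk does not show) so the secfixes tracker records it. The two added `sed -i` calls also return 0 when `DU_HAVE_STRTOD_L=1` is absent from configure.ac or configure, so a later upstream restructuring would silently re-enable the strtod_l() path on musl; a guard such as `grep -q 'DU_HAVE_STRTOD_L=1' configure configure.ac || return 1` before the edits would make that visible at build time. The comment's "stollen" should read "stolen". prepare() continues past the end of the hunk.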
_at_@ -46,7 +53,7 @@ prepare() {
 }
 
 build() {
-	cd "$_builddir"
+	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
_at_@ -60,7 +67,7 @@ build() {
 }
 
 package() {
-	cd "$_builddir"
+	cd "$builddir"
 	make -j1 DESTDIR="$pkgdir" install || return 1
 	chmod +x "$pkgdir"/usr/bin/icu-config
 	install -Dm644 "$srcdir"/icu/license.html \
_at_@ -72,12 +79,9 @@ libs() {
 	replaces="icu"
 }
 
-md5sums="976734806026a4ef8bdd17937c8898b9  icu4c-57_1-src.tgz
-2c81d9c9a6ea0af5b7391e001f37a5e0  icu-timezone.patch
-7e65666fd48718440d819748118834ba  CVE-2016-6293.patch"
-sha256sums="ff8c67cb65949b1e7808f2359f2b80f722697048e90e7cfc382ec1fe229e9581  icu4c-57_1-src.tgz
-1c3c432228ee254af7adc995d65b65a4c9dac3b868fe1e49fe588a0ffa55a158  icu-timezone.patch
-4b7322fa2d222bf20e74f8fb5d31f3ee44f214fc4b17e60dd89cc6252348435e  CVE-2016-6293.patch"
-sha512sums="a3c701e9c81622db545bcf93f315c7b13159750f43f009d0aec59ceae3a8e1ccb751826d4b8a7387aca47f38bff2a85816b1a123b07d2bf731558c7b66e47b8a  icu4c-57_1-src.tgz
-40489c36e28e160f08e045acab6c19cdb712ad3b7f87f67099deac7d579aaf13d8841cd3278a6bb0e998b5c34a378348a13fcc8bb14c9c4eb4f6adbd10d66825  icu-timezone.patch
-8fba91b583896c52c12a0c8327f12fb77826779e453f91752826143bfdd5d2a2abe8db9836cdb6e12bcd31b9c683c00163e7c787807209d2e87ee8558d6293fb  CVE-2016-6293.patch"
+md5sums="1901302aaff1c1633ef81862663d2917  icu4c-58_1-src.tgz
+2c81d9c9a6ea0af5b7391e001f37a5e0  icu-timezone.patch"
+sha256sums="0eb46ba3746a9c2092c8ad347a29b1a1b4941144772d13a88667a7b11ea30309  icu4c-58_1-src.tgz
+1c3c432228ee254af7adc995d65b65a4c9dac3b868fe1e49fe588a0ffa55a158  icu-timezone.patch"
+sha512sums="59b2a76834192a35125fda326587e613ef4486152cf0278c6f22568d4ae02c4b2d897efcea2654ef2b11bd1c3154aecd38cb68a70f69430736f343689f94c155  icu4c-58_1-src.tgz
+40489c36e28e160f08e045acab6c19cdb712ad3b7f87f67099deac7d579aaf13d8841cd3278a6bb0e998b5c34a378348a13fcc8bb14c9c4eb4f6adbd10d66825  icu-timezone.patch"
-- 
2.11.0