summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--gnu-system.am2
-rw-r--r--gnu/packages/icu4c.scm4
-rw-r--r--gnu/packages/patches/icu4c-CVE-2014-6585.patch21
-rw-r--r--gnu/packages/patches/icu4c-CVE-2015-1270.patch15
4 files changed, 41 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am
index 8fa25d2000..9decf3eaf3 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -504,6 +504,8 @@ dist_patch_DATA =						\
   gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch \
   gnu/packages/patches/icecat-freetype-2.6.patch		\
   gnu/packages/patches/icecat-libvpx-1.4.patch			\
+  gnu/packages/patches/icu4c-CVE-2014-6585.patch		\
+  gnu/packages/patches/icu4c-CVE-2015-1270.patch		\
   gnu/packages/patches/icu4c-CVE-2015-4760.patch		\
   gnu/packages/patches/imagemagick-test-segv.patch		\
   gnu/packages/patches/irrlicht-mesa-10.patch			\
diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm
index 46e5d12049..d442b5e69a 100644
--- a/gnu/packages/icu4c.scm
+++ b/gnu/packages/icu4c.scm
@@ -38,7 +38,9 @@
                    "-src.tgz"))
             (sha256
              (base32 "0ys5f5spizg45qlaa31j2lhgry0jka2gfha527n4ndfxxz5j4sz1"))
-            (patches (list (search-patch "icu4c-CVE-2015-4760.patch")))))
+            (patches (map search-patch '("icu4c-CVE-2014-6585.patch"
+                                         "icu4c-CVE-2015-1270.patch"
+                                         "icu4c-CVE-2015-4760.patch")))))
    (build-system gnu-build-system)
    (inputs
     `(("perl" ,perl)))
diff --git a/gnu/packages/patches/icu4c-CVE-2014-6585.patch b/gnu/packages/patches/icu4c-CVE-2014-6585.patch
new file mode 100644
index 0000000000..d21a0d0ba1
--- /dev/null
+++ b/gnu/packages/patches/icu4c-CVE-2014-6585.patch
@@ -0,0 +1,21 @@
+Copied from Debian.
+
+description: out-of-bounds read
+origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6585
+
+--- a/source/layout/LETableReference.h
++++ b/source/layout/LETableReference.h
+@@ -322,7 +322,12 @@ LE_TRACE_TR("INFO: new RTAO")
+   }
+   
+   const T& operator()(le_uint32 i, LEErrorCode &success) const {
+-    return *getAlias(i,success);
++    const T *ret = getAlias(i,success);
++    if (LE_FAILURE(success) || ret==NULL) {
++      return *(new T());
++    } else {
++      return *ret;
++    }
+   }
+ 
+   size_t getOffsetFor(le_uint32 i, LEErrorCode &success) const {
diff --git a/gnu/packages/patches/icu4c-CVE-2015-1270.patch b/gnu/packages/patches/icu4c-CVE-2015-1270.patch
new file mode 100644
index 0000000000..2a7658d36e
--- /dev/null
+++ b/gnu/packages/patches/icu4c-CVE-2015-1270.patch
@@ -0,0 +1,15 @@
+Copied from Debian.
+
+diff --git a/source/common/ucnv_io.cpp b/source/common/ucnv_io.cpp
+index 5dd35d8..4424664 100644
+--- a/source/common/ucnv_io.cpp
++++ b/source/common/ucnv_io.cpp
+@@ -744,7 +744,7 @@ ucnv_io_getConverterName(const char *alias, UBool *containsOption, UErrorCode *p
+              * the name begins with 'x-'. If it does, strip it off and try
+              * again.  This behaviour is similar to how ICU4J does it.
+              */
+-            if (aliasTmp[0] == 'x' || aliasTmp[1] == '-') {
++            if (aliasTmp[0] == 'x' && aliasTmp[1] == '-') {
+                 aliasTmp = aliasTmp+2;
+             } else {
+                 break;
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-11-22 12:36:09 +0000