diff options
| -rw-r--r-- | gnu-system.am | 2 | ||||
| -rw-r--r-- | gnu/packages/icu4c.scm | 4 | ||||
| -rw-r--r-- | gnu/packages/patches/icu4c-CVE-2014-6585.patch | 21 | ||||
| -rw-r--r-- | gnu/packages/patches/icu4c-CVE-2015-1270.patch | 15 |
4 files changed, 41 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am index 8fa25d2000..9decf3eaf3 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -504,6 +504,8 @@ dist_patch_DATA = \ gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch \ gnu/packages/patches/icecat-freetype-2.6.patch \ gnu/packages/patches/icecat-libvpx-1.4.patch \ + gnu/packages/patches/icu4c-CVE-2014-6585.patch \ + gnu/packages/patches/icu4c-CVE-2015-1270.patch \ gnu/packages/patches/icu4c-CVE-2015-4760.patch \ gnu/packages/patches/imagemagick-test-segv.patch \ gnu/packages/patches/irrlicht-mesa-10.patch \ diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm index 46e5d12049..d442b5e69a 100644 --- a/gnu/packages/icu4c.scm +++ b/gnu/packages/icu4c.scm @@ -38,7 +38,9 @@ "-src.tgz")) (sha256 (base32 "0ys5f5spizg45qlaa31j2lhgry0jka2gfha527n4ndfxxz5j4sz1")) - (patches (list (search-patch "icu4c-CVE-2015-4760.patch"))))) + (patches (map search-patch '("icu4c-CVE-2014-6585.patch" + "icu4c-CVE-2015-1270.patch" + "icu4c-CVE-2015-4760.patch"))))) (build-system gnu-build-system) (inputs `(("perl" ,perl))) diff --git a/gnu/packages/patches/icu4c-CVE-2014-6585.patch b/gnu/packages/patches/icu4c-CVE-2014-6585.patch new file mode 100644 index 0000000000..d21a0d0ba1 --- /dev/null +++ b/gnu/packages/patches/icu4c-CVE-2014-6585.patch @@ -0,0 +1,21 @@ +Copied from Debian. + +description: out-of-bounds read +origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6585 + +--- a/source/layout/LETableReference.h ++++ b/source/layout/LETableReference.h +@@ -322,7 +322,12 @@ LE_TRACE_TR("INFO: new RTAO") + } + + const T& operator()(le_uint32 i, LEErrorCode &success) const { +- return *getAlias(i,success); ++ const T *ret = getAlias(i,success); ++ if (LE_FAILURE(success) || ret==NULL) { ++ return *(new T()); ++ } else { ++ return *ret; ++ } + } + + size_t getOffsetFor(le_uint32 i, LEErrorCode &success) const { diff --git a/gnu/packages/patches/icu4c-CVE-2015-1270.patch b/gnu/packages/patches/icu4c-CVE-2015-1270.patch new file mode 100644 index 0000000000..2a7658d36e --- /dev/null +++ b/gnu/packages/patches/icu4c-CVE-2015-1270.patch @@ -0,0 +1,15 @@ +Copied from Debian. + +diff --git a/source/common/ucnv_io.cpp b/source/common/ucnv_io.cpp +index 5dd35d8..4424664 100644 +--- a/source/common/ucnv_io.cpp ++++ b/source/common/ucnv_io.cpp +@@ -744,7 +744,7 @@ ucnv_io_getConverterName(const char *alias, UBool *containsOption, UErrorCode *p + * the name begins with 'x-'. If it does, strip it off and try + * again. This behaviour is similar to how ICU4J does it. + */ +- if (aliasTmp[0] == 'x' || aliasTmp[1] == '-') { ++ if (aliasTmp[0] == 'x' && aliasTmp[1] == '-') { + aliasTmp = aliasTmp+2; + } else { + break; |