[notify] libidn: Secutiry fix for CVE-2017-14062. closes FS#1554

2018-01-16 17:55:52 +01:00 · 2018-01-16 17:55:52 +01:00 · c9ed075b25
commit c9ed075b25
parent 13acc56286
5 changed files with 47 additions and 5 deletions
--- a/libidn/.md5sum
+++ b/libidn/.md5sum
@ -1 +1,2 @@
+cd02b28cd6b74d7e55055651003dfcf4  CVE-2017-14062.patch
 a9aa7e003665de9c82bd3f9fc6ccf308  libidn-1.33.tar.gz
--- a/libidn/.md5sum.orig
+++ b/libidn/.md5sum.orig
@ -0,0 +1,2 @@
+e4b03c6bcff3e11ea54adc6540fb7d07  CVE-2017-14062.patch
+a9aa7e003665de9c82bd3f9fc6ccf308  libidn-1.33.tar.gz
--- a/libidn/.signature
+++ b/libidn/.signature
@ -1,5 +1,6 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/av7D78bcxVpHFwVnVvsVbntH7q1tpLUcuW3hTn3rajwbAMu7aCDa5jJTJKeUZ+bNVmNaMcQS9s0TZJeQDMU5As=
-SHA256 (Pkgfile) = e83f48874e414a81a255ce4ad151bd737bc12e30af115f0894a14ff272205ecd
+RWSE3ohX2g5d/XzfkvpoUogWAcNTzXOg8hIykW9+oa298BOCD/60VV/zBtCGx/1AC/ulsdgOM4qV46JvoWtWNKviPjm7dkAPdA4=
+SHA256 (Pkgfile) = 3b2004727e755c55320c76255d6b8b1c2260c08244832e8cc4b9c59e3fbc004b
 SHA256 (.footprint) = 8b7ff628d35d714b967f076a8e848cc7c6963129dc2ef9064b13e64e4a9ecf1d
 SHA256 (libidn-1.33.tar.gz) = 44a7aab635bb721ceef6beecc4d49dfd19478325e1b47f3196f7d2acc4930e19
+SHA256 (CVE-2017-14062.patch) = 9dd36fddcfe60b8feb958bab4538054134187a52c98c15ec43362b63eaf69ac4
--- a/libidn/CVE-2017-14062.patch
+++ b/libidn/CVE-2017-14062.patch
@ -0,0 +1,29 @@
+--- a/lib/punycode.c	2016-01-14 21:42:33.000000000 +0800
+++ b/lib/punycode.c	2018-01-12 11:36:58.027226633 +0800
+@@ -88,11 +88,11 @@ enum
+ /* point (for use in representing integers) in the range 0 to */
+ /* base-1, or base if cp does not represent a value.          */
+ 
+-static punycode_uint
+-decode_digit (punycode_uint cp)
+static unsigned
+decode_digit (int cp)
+ {
+-  return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
+-    cp - 97 < 26 ? cp - 97 : base;
+  return (unsigned) (cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
+    cp - 97 < 26 ? cp - 97 : base);
+ }
+ 
+ /* encode_digit(d,flag) returns the basic code point whose value      */
+--- a/tests/tst_idna.c	2016-01-14 21:42:33.000000000 +0800
+++ b/tests/tst_idna.c	2018-01-12 11:36:58.027226633 +0800
+@@ -211,7 +211,7 @@ static const struct idna idna[] = {
+     'x', 'n', '-', '-', 'f', 'o', 0x3067},
+    IDNA_ACE_PREFIX "too long too long too long too long too long too "
+    "long too long too long too long too long ", 0,
+-   IDNA_CONTAINS_ACE_PREFIX, IDNA_PUNYCODE_ERROR}
+   IDNA_CONTAINS_ACE_PREFIX, IDNA_INVALID_LENGTH}
+ };
+ 
+ void
--- a/libidn/Pkgfile
+++ b/libidn/Pkgfile
@ -5,12 +5,17 @@

 name=libidn
 version=1.33
-release=1
-source=(http://ftp.gnu.org/gnu/$name/$name-$version.tar.gz)
+release=2
+source=(http://ftp.gnu.org/gnu/$name/$name-$version.tar.gz
+        CVE-2017-14062.patch)

 build() {
 	cd $name-$version

+	patch -p1 -i $SRC/CVE-2017-14062.patch
+	sed -i '/^SUBDIRS/s/doc//' Makefile.am
+
+	autoreconf
 	./configure \
 		--prefix=/usr \
 		--disable-nls \
@ -18,5 +23,9 @@ build() {

 	make
 	make DESTDIR=$PKG install
-	rm -r $PKG/usr/share/info
+
+	install -d $PKG/usr/share/man/man{1,3}
+	install -m 0644 doc/*.1 $PKG/usr/share/man/man1
+	install -m 0644 doc/man/*.3 $PKG/usr/share/man/man3
+
 }