Wed Feb 13 18:52:58 2013 UTC ()

Pullup ticket #4065 - requested by drochner
devel/boost-headers: security patch

Revisions pulled up:
- devel/boost-headers/Makefile                                  1.24
- meta-pkgs/boost/distinfo                                      1.56
- meta-pkgs/boost/patches/patch-CVE-2013-0252_1                 1.1
- meta-pkgs/boost/patches/patch-CVE-2013-0252_2                 1.1

---
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Tue Feb  5 18:49:06 UTC 2013

   Modified Files:
           pkgsrc/devel/boost-headers: Makefile
           pkgsrc/meta-pkgs/boost: distinfo
   Added Files:
           pkgsrc/meta-pkgs/boost/patches: patch-CVE-2013-0252_1
               patch-CVE-2013-0252_2

   Log Message:
   add patch from upstream to fix insuficcient validation of UTF-8 strings
   which is considered a security problem
   bump PKGREV for the affected header, didn't check yet where this
   header is compiled into
   (boost-1.53 is out, just added the patch for a possible pullup)


(tron)

diff -r1.23 -r1.23.2.1 pkgsrc/devel/boost-headers/Makefile
diff -r1.50 -r1.50.2.1 pkgsrc/meta-pkgs/boost/distinfo
diff -r0 -r1.2.2.2 pkgsrc/meta-pkgs/boost/patches/patch-CVE-2013-0252_1
diff -r0 -r1.2.2.2 pkgsrc/meta-pkgs/boost/patches/patch-CVE-2013-0252_2

--- pkgsrc/devel/boost-headers/Makefile 2012/11/07 21:04:10 1.23
+++ pkgsrc/devel/boost-headers/Makefile 2013/02/13 18:52:57 1.23.2.1

 @@ -1,21 +1,23 @@
-# $NetBSD: Makefile,v 1.23 2012/11/07 21:04:10 adam Exp $
+# $NetBSD: Makefile,v 1.23.2.1 2013/02/13 18:52:57 tron Exp $
 BOOST_PACKAGE=		headers
 BOOST_COMMENT=		(build-time headers)
 BOOST_CONFIG=		generate
 .include "../../meta-pkgs/boost/Makefile.common"
 PKGREVISION=	3
 BJAM_ARGS+=		--without-* # disable all libraries
 .include "../../devel/boost-jam/bjam.mk"
 do-build:
 do-install: bjam-install
 	${FIND} ${DESTDIR}${PREFIX}/include/boost \
 		-type f -print | ${XARGS} ${CHOWN} ${SHAREOWN}:${SHAREGRP}
 	${FIND} ${DESTDIR}${PREFIX}/include/boost \
 		-type d -print | ${XARGS} ${CHMOD} ${PKGDIRMODE}
 PTHREAD_OPTS+=		require

--- pkgsrc/meta-pkgs/boost/distinfo 2012/11/07 21:04:11 1.50
+++ pkgsrc/meta-pkgs/boost/distinfo 2013/02/13 18:52:57 1.50.2.1

 @@ -1,18 +1,20 @@
-$NetBSD: distinfo,v 1.50 2012/11/07 21:04:11 adam Exp $
+$NetBSD: distinfo,v 1.50.2.1 2013/02/13 18:52:57 tron Exp $
 SHA1 (boost_1_52_0.tar.bz2) = cddd6b4526a09152ddc5db856463eaa1dc29c5d9
 RMD160 (boost_1_52_0.tar.bz2) = 94f72f4553a88495f2052029fb2e90cf8366e75d
 Size (boost_1_52_0.tar.bz2) = 54421709 bytes
 SHA1 (patch-CVE-2013-0252_1) = a6e50a3c3c5478d14c44f7c4fcf5838f50a8049a
 SHA1 (patch-CVE-2013-0252_2) = cd1ffc46d9d5351d62aca749888e0a9229d4f2d0
 SHA1 (patch-aa) = 408a63a807aaa491130db018cd89bca6a427090d
 SHA1 (patch-ab) = f1c95ae229465a4d2da76ce6ff88d76ace52fdd8
 SHA1 (patch-ac) = 5ecd12564259e4ad9d439990e198b889762ec733
 SHA1 (patch-ad) = 0e5dc31c3425de94444f97a9b7dec97ed5967733
 SHA1 (patch-ae) = 2fb49c90bbb3fd797ccdfaaf44c93494a5988f52
 SHA1 (patch-ag) = c406e9beb9260db7861b13a6eb4c386f23346eb1
 SHA1 (patch-ai) = 231db48819aa563b2082d95bb91d662b5d6cf779
 SHA1 (patch-aq) = e5c7b72ffa2942ce401f3d9bf05498fd761df17a
 SHA1 (patch-ar) = 2fec2c51272cc4ee376e6538d8f1fd8561a7f0a3
 SHA1 (patch-boost_foreach.hpp) = 7cd26c4983873bcac284ad400950e341c559f9a8
 SHA1 (patch-boost_foreach_fwd.hpp) = 5accd68d559213a9677f7d1204e72dd082a42a41
 SHA1 (patch-libs_context_build_Jamfile.v2) = 93cad3cc588c84e333688318df7250d14a3c302e
 SHA1 (patch-libs_filesystem_src_unique_path.cpp) = 3666663305bba85871f2ef291dc117158c678643

$NetBSD: patch-CVE-2013-0252_1,v 1.2.2.2 2013/02/13 18:52:57 tron Exp $

https://svn.boost.org/trac/boost/ticket/7743

--- boost/locale/utf.hpp.orig	2012-05-02 13:49:25.000000000 +0000
+++ boost/locale/utf.hpp
@@ -219,16 +219,22 @@ namespace utf {
                 if(BOOST_LOCALE_UNLIKELY(p==e))
                     return incomplete;
                 tmp = *p++;
+                if (!is_trail(tmp))
+                    return illegal;
                 c = (c << 6) | ( tmp & 0x3F);
             case 2:
                 if(BOOST_LOCALE_UNLIKELY(p==e))
                     return incomplete;
                 tmp = *p++;
+                if (!is_trail(tmp))
+                    return illegal;
                 c = (c << 6) | ( tmp & 0x3F);
             case 1:
                 if(BOOST_LOCALE_UNLIKELY(p==e))
                     return incomplete;
                 tmp = *p++;
+                if (!is_trail(tmp))
+                    return illegal;
                 c = (c << 6) | ( tmp & 0x3F);
             }

$NetBSD: patch-CVE-2013-0252_2,v 1.2.2.2 2013/02/13 18:52:58 tron Exp $

--- libs/locale/test/test_codepage_converter.cpp.orig	2011-08-15 19:04:34.000000000 +0000
+++ libs/locale/test/test_codepage_converter.cpp
@@ -140,6 +140,20 @@ int main()
         TEST_TO("\xf8\x90\x80\x80\x80",illegal);  // 400 0000
         TEST_TO("\xfd\xbf\xbf\xbf\xbf\xbf",illegal);  // 7fff ffff
 
+        std::cout << "-- Invalid trail" << std::endl;
+        TEST_TO("\xC2\x7F",illegal);
+        TEST_TO("\xdf\x7F",illegal);
+        TEST_TO("\xe0\x7F\x80",illegal);
+        TEST_TO("\xef\xbf\x7F",illegal);
+        TEST_TO("\xe0\x7F\x80",illegal);
+        TEST_TO("\xef\xbf\x7F",illegal);
+        TEST_TO("\xf0\x7F\x80\x80",illegal);
+        TEST_TO("\xf4\x7f\xbf\xbf",illegal);
+        TEST_TO("\xf0\x90\x7F\x80",illegal);
+        TEST_TO("\xf4\x8f\x7F\xbf",illegal);
+        TEST_TO("\xf0\x90\x80\x7F",illegal);
+        TEST_TO("\xf4\x8f\xbf\x7F",illegal);
+
         std::cout << "-- Invalid length" << std::endl;
 
         /// Test that this actually works