Pullup ticket #4065 - requested by drochner devel/boost-headers: security patch Revisions pulled up: - devel/boost-headers/Makefile 1.24 - meta-pkgs/boost/distinfo 1.56 - meta-pkgs/boost/patches/patch-CVE-2013-0252_1 1.1 - meta-pkgs/boost/patches/patch-CVE-2013-0252_2 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Tue Feb 5 18:49:06 UTC 2013 Modified Files: pkgsrc/devel/boost-headers: Makefile pkgsrc/meta-pkgs/boost: distinfo Added Files: pkgsrc/meta-pkgs/boost/patches: patch-CVE-2013-0252_1 patch-CVE-2013-0252_2 Log Message: add patch from upstream to fix insufficient validation of UTF-8 strings which is considered a security problem bump PKGREV for the affected header, didn't check yet where this header is compiled into (boost-1.53 is out, just added the patch for a possible pullup)
diff -r1.23 -r1.23.2.1 pkgsrc/devel/boost-headers/Makefile
(tron)
@@ -1,21 +1,23 @@ | @@ -1,21 +1,23 @@ | |||
1 | # $NetBSD: Makefile,v 1.23 2012/11/07 21:04:10 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.23.2.1 2013/02/13 18:52:57 tron Exp $ | |
2 | 2 | |||
3 | BOOST_PACKAGE= headers | 3 | BOOST_PACKAGE= headers | |
4 | BOOST_COMMENT= (build-time headers) | 4 | BOOST_COMMENT= (build-time headers) | |
5 | BOOST_CONFIG= generate | 5 | BOOST_CONFIG= generate | |
6 | 6 | |||
7 | .include "../../meta-pkgs/boost/Makefile.common" | 7 | .include "../../meta-pkgs/boost/Makefile.common" | |
8 | 8 | |||
9 | PKGREVISION= 3 | |||
10 | ||||
9 | BJAM_ARGS+= --without-* # disable all libraries | 11 | BJAM_ARGS+= --without-* # disable all libraries | |
10 | 12 | |||
11 | .include "../../devel/boost-jam/bjam.mk" | 13 | .include "../../devel/boost-jam/bjam.mk" | |
12 | 14 | |||
13 | do-build: | 15 | do-build: | |
14 | 16 | |||
15 | do-install: bjam-install | 17 | do-install: bjam-install | |
16 | ${FIND} ${DESTDIR}${PREFIX}/include/boost \ | 18 | ${FIND} ${DESTDIR}${PREFIX}/include/boost \ | |
17 | -type f -print | ${XARGS} ${CHOWN} ${SHAREOWN}:${SHAREGRP} | 19 | -type f -print | ${XARGS} ${CHOWN} ${SHAREOWN}:${SHAREGRP} | |
18 | ${FIND} ${DESTDIR}${PREFIX}/include/boost \ | 20 | ${FIND} ${DESTDIR}${PREFIX}/include/boost \ | |
19 | -type d -print | ${XARGS} ${CHMOD} ${PKGDIRMODE} | 21 | -type d -print | ${XARGS} ${CHMOD} ${PKGDIRMODE} | |
20 | 22 | |||
21 | PTHREAD_OPTS+= require | 23 | PTHREAD_OPTS+= require |
@@ -1,18 +1,20 @@ | @@ -1,18 +1,20 @@ | |||
1 | $NetBSD: distinfo,v 1.50 2012/11/07 21:04:11 adam Exp $ | 1 | $NetBSD: distinfo,v 1.50.2.1 2013/02/13 18:52:57 tron Exp $ | |
2 | 2 | |||
3 | SHA1 (boost_1_52_0.tar.bz2) = cddd6b4526a09152ddc5db856463eaa1dc29c5d9 | 3 | SHA1 (boost_1_52_0.tar.bz2) = cddd6b4526a09152ddc5db856463eaa1dc29c5d9 | |
4 | RMD160 (boost_1_52_0.tar.bz2) = 94f72f4553a88495f2052029fb2e90cf8366e75d | 4 | RMD160 (boost_1_52_0.tar.bz2) = 94f72f4553a88495f2052029fb2e90cf8366e75d | |
5 | Size (boost_1_52_0.tar.bz2) = 54421709 bytes | 5 | Size (boost_1_52_0.tar.bz2) = 54421709 bytes | |
6 | SHA1 (patch-CVE-2013-0252_1) = a6e50a3c3c5478d14c44f7c4fcf5838f50a8049a | |||
7 | SHA1 (patch-CVE-2013-0252_2) = cd1ffc46d9d5351d62aca749888e0a9229d4f2d0 | |||
6 | SHA1 (patch-aa) = 408a63a807aaa491130db018cd89bca6a427090d | 8 | SHA1 (patch-aa) = 408a63a807aaa491130db018cd89bca6a427090d | |
7 | SHA1 (patch-ab) = f1c95ae229465a4d2da76ce6ff88d76ace52fdd8 | 9 | SHA1 (patch-ab) = f1c95ae229465a4d2da76ce6ff88d76ace52fdd8 | |
8 | SHA1 (patch-ac) = 5ecd12564259e4ad9d439990e198b889762ec733 | 10 | SHA1 (patch-ac) = 5ecd12564259e4ad9d439990e198b889762ec733 | |
9 | SHA1 (patch-ad) = 0e5dc31c3425de94444f97a9b7dec97ed5967733 | 11 | SHA1 (patch-ad) = 0e5dc31c3425de94444f97a9b7dec97ed5967733 | |
10 | SHA1 (patch-ae) = 2fb49c90bbb3fd797ccdfaaf44c93494a5988f52 | 12 | SHA1 (patch-ae) = 2fb49c90bbb3fd797ccdfaaf44c93494a5988f52 | |
11 | SHA1 (patch-ag) = c406e9beb9260db7861b13a6eb4c386f23346eb1 | 13 | SHA1 (patch-ag) = c406e9beb9260db7861b13a6eb4c386f23346eb1 | |
12 | SHA1 (patch-ai) = 231db48819aa563b2082d95bb91d662b5d6cf779 | 14 | SHA1 (patch-ai) = 231db48819aa563b2082d95bb91d662b5d6cf779 | |
13 | SHA1 (patch-aq) = e5c7b72ffa2942ce401f3d9bf05498fd761df17a | 15 | SHA1 (patch-aq) = e5c7b72ffa2942ce401f3d9bf05498fd761df17a | |
14 | SHA1 (patch-ar) = 2fec2c51272cc4ee376e6538d8f1fd8561a7f0a3 | 16 | SHA1 (patch-ar) = 2fec2c51272cc4ee376e6538d8f1fd8561a7f0a3 | |
15 | SHA1 (patch-boost_foreach.hpp) = 7cd26c4983873bcac284ad400950e341c559f9a8 | 17 | SHA1 (patch-boost_foreach.hpp) = 7cd26c4983873bcac284ad400950e341c559f9a8 | |
16 | SHA1 (patch-boost_foreach_fwd.hpp) = 5accd68d559213a9677f7d1204e72dd082a42a41 | 18 | SHA1 (patch-boost_foreach_fwd.hpp) = 5accd68d559213a9677f7d1204e72dd082a42a41 | |
17 | SHA1 (patch-libs_context_build_Jamfile.v2) = 93cad3cc588c84e333688318df7250d14a3c302e | 19 | SHA1 (patch-libs_context_build_Jamfile.v2) = 93cad3cc588c84e333688318df7250d14a3c302e | |
18 | SHA1 (patch-libs_filesystem_src_unique_path.cpp) = 3666663305bba85871f2ef291dc117158c678643 | 20 | SHA1 (patch-libs_filesystem_src_unique_path.cpp) = 3666663305bba85871f2ef291dc117158c678643 |
$NetBSD: patch-CVE-2013-0252_1,v 1.2.2.2 2013/02/13 18:52:57 tron Exp $
https://svn.boost.org/trac/boost/ticket/7743
--- boost/locale/utf.hpp.orig 2012-05-02 13:49:25.000000000 +0000
+++ boost/locale/utf.hpp
@@ -219,16 +219,22 @@ namespace utf {
if(BOOST_LOCALE_UNLIKELY(p==e))
return incomplete;
tmp = *p++;
+ if (!is_trail(tmp))
+ return illegal;
c = (c << 6) | ( tmp & 0x3F);
case 2:
if(BOOST_LOCALE_UNLIKELY(p==e))
return incomplete;
tmp = *p++;
+ if (!is_trail(tmp))
+ return illegal;
c = (c << 6) | ( tmp & 0x3F);
case 1:
if(BOOST_LOCALE_UNLIKELY(p==e))
return incomplete;
tmp = *p++;
+ if (!is_trail(tmp))
+ return illegal;
c = (c << 6) | ( tmp & 0x3F);
}
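Review bot: Each new `is_trail` check runs after `tmp = *p++` has already advanced past the byte it rejects, so on `illegal` the iterator has consumed the non-continuation byte; if a caller resynchronizes from `p` after an error, that byte, which may itself be the lead byte of the next sequence, is skipped. The enclosing `switch` and the decode function start before the hunk and any further `illegal` paths (overlong or code-point range checks, if present) lie after it, so whether those paths leave `p` in the same position as these early returns cannot be confirmed here and is worth checking for consistency. A short comment at the first check would help the next reader: `// a byte that is not 10xxxxxx cannot be a continuation byte; reject it before it is folded into c`. The test vectors in patch-CVE-2013-0252_2 use only 0x7F as the bad trail byte, so the upper side of the continuation range (a value of 0xC0 or higher in trail position) goes unexercised.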
$NetBSD: patch-CVE-2013-0252_2,v 1.2.2.2 2013/02/13 18:52:58 tron Exp $
--- libs/locale/test/test_codepage_converter.cpp.orig 2011-08-15 19:04:34.000000000 +0000
+++ libs/locale/test/test_codepage_converter.cpp
@@ -140,6 +140,20 @@ int main()
TEST_TO("\xf8\x90\x80\x80\x80",illegal); // 400 0000
TEST_TO("\xfd\xbf\xbf\xbf\xbf\xbf",illegal); // 7fff ffff
+ std::cout << "-- Invalid trail" << std::endl;
+ TEST_TO("\xC2\x7F",illegal);
+ TEST_TO("\xdf\x7F",illegal);
+ TEST_TO("\xe0\x7F\x80",illegal);
+ TEST_TO("\xef\xbf\x7F",illegal);
+ TEST_TO("\xe0\x7F\x80",illegal);
+ TEST_TO("\xef\xbf\x7F",illegal);
+ TEST_TO("\xf0\x7F\x80\x80",illegal);
+ TEST_TO("\xf4\x7f\xbf\xbf",illegal);
+ TEST_TO("\xf0\x90\x7F\x80",illegal);
+ TEST_TO("\xf4\x8f\x7F\xbf",illegal);
+ TEST_TO("\xf0\x90\x80\x7F",illegal);
+ TEST_TO("\xf4\x8f\xbf\x7F",illegal);
+
std::cout << "-- Invalid length" << std::endl;
/// Test that this actually works