Fri Aug 14 17:07:03 2020 UTC ()

Pullup ticket #6294 - requested by wiz
textproc/hunspell: security fix

Revisions pulled up:
- textproc/hunspell/Makefile                                    1.32
- textproc/hunspell/distinfo                                    1.13
- textproc/hunspell/patches/patch-src_hunspell_suggestmgr.cxx   1.1

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Mon Aug  3 11:19:28 UTC 2020

   Modified Files:
   	pkgsrc/textproc/hunspell: Makefile distinfo
   Added Files:
   	pkgsrc/textproc/hunspell/patches: patch-src_hunspell_suggestmgr.cxx

   Log Message:
   hunspell: fix CVE-2019-16707 using upstream patch

   Bump PKGREVISION.


(bsiegert)

diff -r1.31 -r1.31.8.1 pkgsrc/textproc/hunspell/Makefile
diff -r1.12 -r1.12.14.1 pkgsrc/textproc/hunspell/distinfo
diff -r0 -r1.1.2.2 pkgsrc/textproc/hunspell/patches/patch-src_hunspell_suggestmgr.cxx

--- pkgsrc/textproc/hunspell/Makefile 2019/08/11 13:23:24 1.31
+++ pkgsrc/textproc/hunspell/Makefile 2020/08/14 17:07:02 1.31.8.1

 @@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.31 2019/08/11 13:23:24 wiz Exp $
+# $NetBSD: Makefile,v 1.31.8.1 2020/08/14 17:07:02 bsiegert Exp $
 DISTNAME=	hunspell-1.7.0
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	textproc
 MASTER_SITES=	${MASTER_SITE_GITHUB:=hunspell/}
 GITHUB_TAG=	v${PKGVERSION_NOREV}
 MAINTAINER=	ahoka@NetBSD.org
 HOMEPAGE=	https://hunspell.github.io/
 COMMENT=	Improved spellchecker
 LICENSE=	mpl-1.1 OR gnu-lgpl-v2.1 OR gnu-gpl-v2
 GNU_CONFIGURE=		yes
 USE_LIBTOOL=		yes
 USE_TOOLS+=		pkg-config perl:run autoreconf autoconf automake
 USE_PKGLOCALEDIR=	yes

--- pkgsrc/textproc/hunspell/distinfo 2018/11/16 13:02:20 1.12
+++ pkgsrc/textproc/hunspell/distinfo 2020/08/14 17:07:02 1.12.14.1

 @@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.12 2018/11/16 13:02:20 bsiegert Exp $
+$NetBSD: distinfo,v 1.12.14.1 2020/08/14 17:07:02 bsiegert Exp $
 SHA1 (hunspell-1.7.0.tar.gz) = e42ea8342a191b9cd7da57d0d6ad4ae1566c5dcc
 RMD160 (hunspell-1.7.0.tar.gz) = 52c7dbf21f460a0b61ea7d0378ef314773887fde
 SHA512 (hunspell-1.7.0.tar.gz) = 8149b2e8b703a0610c9ca5160c2dfad3cf3b85b16b3f0f5cfcb7ebb802473b2d499e8e2d0a637a97a37a24d62424e82d3880809210d3f043fa17a4970d47c903
 Size (hunspell-1.7.0.tar.gz) = 482156 bytes
 SHA1 (patch-aa) = 8c6102ddb2e449b6f1abc23f679e0f6f38bfd0b5
 SHA1 (patch-ab) = ee127b1d8f55ceefa807c2fa440885b4fa5d029c
 SHA1 (patch-ac) = c25cdfe80452cb4ca9850354c9fa8581c787c086
 SHA1 (patch-src_hunspell_suggestmgr.cxx) = e1460987dd787720d9783cdf6cd2b060a68d74da
 SHA1 (patch-src_tools_Makefile.am) = e5f67855c48e04fe12deb90904c9c27e2441a8cf

$NetBSD: patch-src_hunspell_suggestmgr.cxx,v 1.1.2.2 2020/08/14 17:07:02 bsiegert Exp $

Fix CVE-2019-16707
https://github.com/hunspell/hunspell/commit/ac938e2ecb48ab4dd21298126c7921689d60571b#diff-783289d6b6330291ec79bf507002106e

--- src/hunspell/suggestmgr.cxx.orig	2018-11-12 20:38:56.000000000 +0000
+++ src/hunspell/suggestmgr.cxx
@@ -2040,7 +2040,7 @@ int SuggestMgr::leftcommonsubstring(
   int l2 = su2.size();
   // decapitalize dictionary word
   if (complexprefixes) {
-    if (su1[l1 - 1] == su2[l2 - 1])
+    if (l1 && l2 && su1[l1 - 1] == su2[l2 - 1])
       return 1;
   } else {
     unsigned short idx = su2.empty() ? 0 : (su2[0].h << 8) + su2[0].l;