From 7a9956c8deebf90d4b6af9a3656cf3f09727f18a Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Thu, 8 Nov 2018 10:10:48 +0100
Subject: [PATCH] security: CVE-2018-18751
Resolves: rhbz#1647044
Version: 0.19.8.1-18
---
 gettext-0.19.8.1-CVE-2018-18751.patch | 52 +++++++++++++++++++++++++++
 gettext.spec | 7 +++-
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 gettext-0.19.8.1-CVE-2018-18751.patch
diff --git a/gettext-0.19.8.1-CVE-2018-18751.patch b/gettext-0.19.8.1-CVE-2018-18751.patch
new file mode 100644
index 0000000..72bf510
--- /dev/null
+++ b/gettext-0.19.8.1-CVE-2018-18751.patch
@@ -0,0 +1,52 @@
+From dce3a16e5e9368245735e29bf498dcd5e3e474a4 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Thu, 15 Sep 2016 13:57:24 +0200
+Subject: [PATCH] xgettext: Fix crash with *.po file input
+
+When xgettext was given two *.po files with the same msgid_plural, it
+crashed with double-free. Problem reported by Davlet Panech in:
+http://lists.gnu.org/archive/html/bug-gettext/2016-09/msg00001.html
+
+praiskup: I dropped the testsuite part, otherwise we'd have to
+'autoreconf -vif' the sources.
+
+diff --git a/gettext-tools/src/po-gram-gen.y b/gettext-tools/src/po-gram-gen.y
+index becf5e607..4428e7725 100644
+--- a/gettext-tools/src/po-gram-gen.y
++++ b/gettext-tools/src/po-gram-gen.y
+@@ -221,14 +221,11 @@ message
+ check_obsolete ($1, $3);
+ check_obsolete ($1, $4);
+ if (!$1.obsolete || pass_obsolete_entries)
+- {
+- do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
+- $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
+- $1.prev_ctxt,
+- $1.prev_id, $1.prev_id_plural,
+- $1.obsolete);
+- free ($3.string);
+- }
++ do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
++ $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
++ $1.prev_ctxt,
++ $1.prev_id, $1.prev_id_plural,
++ $1.obsolete);
+ else
+ {
+ free_message_intro ($1);
+diff --git a/gettext-tools/src/read-catalog.c b/gettext-tools/src/read-catalog.c
+index 571d18e1b..6af6d2025 100644
+--- a/gettext-tools/src/read-catalog.c
++++ b/gettext-tools/src/read-catalog.c
+@@ -397,6 +397,8 @@ default_add_message (default_catalog_reader_ty *this,
+ appropriate. */
+ mp = message_alloc (msgctxt, msgid, msgid_plural, msgstr, msgstr_len,
+ msgstr_pos);
++ if (msgid_plural != NULL)
++ free (msgid_plural);
+ mp->prev_msgctxt = prev_msgctxt;
+ mp->prev_msgid = prev_msgid;
+ mp->prev_msgid_plural = prev_msgid_plural;
+--
+2.19.1
+
diff --git a/gettext.spec b/gettext.spec
index 05a8126..74d218c 100644
--- a/gettext.spec
+++ b/gettext.spec
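Review bot: The `free (msgid_plural)` added after `message_alloc (...)` in `default_add_message` is only safe if `message_alloc` keeps its own copy of the plural string rather than storing the caller's pointer; nothing in the hunk shows that, so the ownership rule deserves a comment at the call, for example `/* message_alloc copies msgid_plural; the reader owns the original and releases it here. */`. With `free ($3.string)` removed from the `message` rule in po-gram-gen.y, every callback reached through `do_callback_message` now owns that string, so any implementation other than `default_add_message` would presumably leak it unless it frees it as well. The `if (msgid_plural != NULL)` guard is redundant because `free (NULL)` is a no-op, though it may be kept if that is the file's style. Both enclosing bodies continue outside the hunks, and since the upstream testsuite part was dropped, the double free is not exercised by `make check` in this build.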
@@ -8,7 +8,7 @@
 Summary: GNU libraries and utilities for producing multi-lingual messages
 Name: gettext
 Version: 0.19.8.1
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv3+ and LGPLv2+
 Group: Development/Tools
 URL: http://www.gnu.org/software/gettext/
@@ -22,6 +22,8 @@ Patch0: disable-gettext-runtime-test-lock.patch
 Patch1: gettext-po-send-mail.patch
 # Rhbz#1531476, upstream a0cab23332a254e3500cac2a3a984472d02180e5
 Patch2: gettext-0.19.8-its-segfault.patch
+# rhbz#1647044
+Patch3: gettext-0.19.8.1-CVE-2018-18751.patch
 Source2: msghack.py
 Source3: msghack.1
@@ -324,6 +326,9 @@ make check LIBUNISTRING=-lunistring
 %{_mandir}/man1/msghack.1*
 %changelog
+* Thu Nov 08 2018 Pavel Raiskup - 0.19.8.1-18
+- fix CVE-2018-18751 (rhbz#1647044)
+
 * Tue Jul 31 2018 Florian Weimer - 0.19.8.1-17
 - Rebuild with fixed binutils
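Review bot: `Patch3:` is declared in the second gettext.spec hunk, but none of the three hunks adds a matching application step in `%prep`; the diffstat's 6 insertions are fully accounted for by the release bump, the two `Patch3` lines and the changelog entry. If `%prep` applies patches automatically (for instance through `%autosetup`) this is fine, but if patches are applied one by one, a line such as `%patch3 -p1` is needed, otherwise the package ships as 0.19.8.1-18 without the CVE-2018-18751 fix. The `%prep` section is outside the visible hunks, so this needs checking against the full spec.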