Resolves: rhbz#1646703 CVE-2018-18928

2018-11-06 12:33:18 +01:00 · 2018-11-06 12:33:18 +01:00 · 7148b867f7
commit 7148b867f7
parent 6abff1c197
2 changed files with 56 additions and 1 deletions
--- a/icu.spec
+++ b/icu.spec
@ -2,7 +2,7 @@

 Name:      icu
 Version:   62.1
-Release:   2%{?dist}
+Release:   3%{?dist}
 Summary:   International Components for Unicode

 License:   MIT and UCD and Public Domain
@ -17,6 +17,7 @@ Requires: lib%{name}%{?_isa} = %{version}-%{release}

 Patch4: gennorm2-man.patch
 Patch5: icuinfo-man.patch
+Patch6: rhbz1646703-icu4c-ICU-20246-integer-overflow.patch
 Patch100: armv7hl-disable-tests.patch

 %description
@ -60,6 +61,7 @@ BuildArch: noarch
 %setup -q -n %{name}
 %patch4 -p1 -b .gennorm2-man.patch
 %patch5 -p1 -b .icuinfo-man.patch
+%patch6 -p2 -b .rhbz1646703-icu4c-ICU-20246-integer-overflow.patch
 %ifarch armv7hl
 %patch100 -p1 -b .armv7hl-disable-tests.patch
 %endif
@ -187,6 +189,9 @@ LD_LIBRARY_PATH=lib:stubdata:tools/ctestfw:$LD_LIBRARY_PATH bin/uconv -l


 %changelog
+* Tue Nov 06 2018 Eike Rathke <erack@redhat.com> - 62.1-3
+- Resolves: rhbz#1646703 CVE-2018-18928
+
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 62.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

--- a/rhbz1646703-icu4c-ICU-20246-integer-overflow.patch
+++ b/rhbz1646703-icu4c-ICU-20246-integer-overflow.patch
@ -0,0 +1,50 @@
+From 53d8c8f3d181d87a6aa925b449b51c4a2c922a51 Mon Sep 17 00:00:00 2001
+From: Shane Carr <shane@unicode.org>
+Date: Mon, 29 Oct 2018 23:52:44 -0700
+Subject: [PATCH] ICU-20246 Fixing another integer overflow in number parsing.
+
+---
+ icu4c/source/i18n/fmtable.cpp                          |  2 +-
+ icu4c/source/i18n/number_decimalquantity.cpp           |  5 ++++-
+ icu4c/source/test/intltest/numfmtst.cpp                |  8 ++++++++
+ .../icu/impl/number/DecimalQuantity_AbstractBCD.java   |  5 ++++-
+ .../impl/number/DecimalQuantity_DualStorageBCD.java    | 10 +++++++++-
+ .../com/ibm/icu/dev/test/format/NumberFormatTest.java  |  5 +++++
+ 6 files changed, 31 insertions(+), 4 deletions(-)
+
+erAck:
+* obviously removed the icu4j *.java patch parts
+* stripped the icu4c/source/test/intltest/numfmtst.cpp part because it
+  added code to a test that does not exist yet in ICU 62.1
+    * TODO: when upgrading to ICU 63.1 add that back in from
+      https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51.patch
+
+diff --git a/icu4c/source/i18n/fmtable.cpp b/icu4c/source/i18n/fmtable.cpp
+index 45c7024fc29..8601d95f4a6 100644
+--- a/icu4c/source/i18n/fmtable.cpp
+++ b/icu4c/source/i18n/fmtable.cpp
+@@ -734,7 +734,7 @@ CharString *Formattable::internalGetCharString(UErrorCode &status) {
+       // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
+       if (fDecimalQuantity->isZero()) {
+         fDecimalStr->append("0", -1, status);
+-      } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+      } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+         fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
+       } else {
+         fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
+diff --git a/icu4c/source/i18n/number_decimalquantity.cpp b/icu4c/source/i18n/number_decimalquantity.cpp
+index 47b930a564b..d5dd7ae694c 100644
+--- a/icu4c/source/i18n/number_decimalquantity.cpp
+++ b/icu4c/source/i18n/number_decimalquantity.cpp
+@@ -898,7 +898,10 @@ UnicodeString DecimalQuantity::toScientificString() const {
+     }
+     result.append(u'E');
+     int32_t _scale = upperPos + scale;
+-    if (_scale < 0) {
+    if (_scale == INT32_MIN) {
+        result.append({u"-2147483648", -1});
+        return result;
+    } else if (_scale < 0) {
+         _scale *= -1;
+         result.append(u'-');
+     } else {