Resolves: rhbz#1190131 CVE-2014-7923 CVE-2014-7926 CVE-2014-9654

icu.changeset_36724.patch

@@ -0,0 +1,39 @@
+Index: icu/source/i18n/regexcmp.cpp
+===================================================================
+--- icu/source/i18n/regexcmp.cpp	(revision 36723)
++++ icu/source/i18n/regexcmp.cpp	(revision 36724)
+@@ -2136,4 +2136,8 @@
+             int32_t minML    = minMatchLength(fMatchOpenParen, patEnd);
+             int32_t maxML    = maxMatchLength(fMatchOpenParen, patEnd);
++            if (URX_TYPE(maxML) != 0) {
++                error(U_REGEX_LOOK_BEHIND_LIMIT);
++                break;
++            }
+             if (maxML == INT32_MAX) {
+                 error(U_REGEX_LOOK_BEHIND_LIMIT);
+@@ -2169,4 +2173,8 @@
+             int32_t minML    = minMatchLength(fMatchOpenParen, patEnd);
+             int32_t maxML    = maxMatchLength(fMatchOpenParen, patEnd);
++            if (URX_TYPE(maxML) != 0) {
++                error(U_REGEX_LOOK_BEHIND_LIMIT);
++                break;
++            }
+             if (maxML == INT32_MAX) {
+                 error(U_REGEX_LOOK_BEHIND_LIMIT);
+Index: icu/source/test/testdata/regextst.txt
+===================================================================
+--- icu/source/test/testdata/regextst.txt	(revision 36723)
++++ icu/source/test/testdata/regextst.txt	(revision 36724)
+@@ -1201,4 +1201,12 @@
+ "A|B|\U00012345"                "hello <0>\U00012345</0>"
+ "A|B|\U00010000"                "hello \ud800"
++
++# Bug 11370
++#   Max match length computation of look-behind expression gives result that is too big to fit in the
++#   in the 24 bit operand portion of the compiled code. Expressions should fail to compile
++#   (Look-behind match length must be bounded. This case is treated as unbounded, an error.)
++
++"(?<!(0123456789a){10000000})x"         E  "no match"
++"(?<!\\ubeaf(\\ubeaf{11000}){11000})"   E  "no match"
+ 
+ #  Random debugging, Temporary

icu.changeset_36727.patch

@@ -0,0 +1,55 @@
+Index: icu/source/i18n/regexcmp.cpp
+===================================================================
+--- icu/source/i18n/regexcmp.cpp	(revision 36726)
++++ icu/source/i18n/regexcmp.cpp	(revision 36727)
+@@ -2340,5 +2340,13 @@
+     if (fIntervalUpper == 0) {
+         // Pathological case.  Attempt no matches, as if the block doesn't exist.
++        // Discard the generated code for the block.
++        // If the block included parens, discard the info pertaining to them as well.
+         fRXPat->fCompiledPat->setSize(topOfBlock);
++        if (fMatchOpenParen >= topOfBlock) {
++            fMatchOpenParen = -1;
++        }
++        if (fMatchCloseParen >= topOfBlock) {
++            fMatchCloseParen = -1;
++        }
+         return TRUE;
+     }
+Index: icu/source/i18n/regexcmp.h
+===================================================================
+--- icu/source/i18n/regexcmp.h	(revision 36726)
++++ icu/source/i18n/regexcmp.h	(revision 36727)
+@@ -188,5 +188,7 @@
+                                                      //   of the slot reserved for a state save
+                                                      //   at the start of the most recently processed
+-                                                     //   parenthesized block.
++                                                     //   parenthesized block. Updated when processing
++                                                     //   a close to the location for the corresponding open.
++
+     int32_t                       fMatchCloseParen;  // The position in the pattern of the first
+                                                      //   location after the most recently processed
+Index: icu/source/test/testdata/regextst.txt
+===================================================================
+--- icu/source/test/testdata/regextst.txt	(revision 36726)
++++ icu/source/test/testdata/regextst.txt	(revision 36727)
+@@ -1202,4 +1202,13 @@
+ "A|B|\U00010000"                "hello \ud800"
+ 
++# Bug 11369
++#   Incorrect optimization of patterns with a zero length quantifier {0}
++
++"(.|b)(|b){0}\$(?#xxx){3}(?>\D*)"   "AAAAABBBBBCCCCCDDDDEEEEE"
++"(|b)ab(c)"                     "<0><1></1>ab<2>c</2></0>"
++"(|b){0}a{3}(D*)"               "<0>aaa<2></2></0>"
++"(|b){0,1}a{3}(D*)"             "<0><1></1>aaa<2></2></0>"
++"((|b){0})a{3}(D*)"             "<0><1></1>aaa<3></3></0>"
++
+ # Bug 11370
+ #   Max match length computation of look-behind expression gives result that is too big to fit in the
+@@ -1209,4 +1218,5 @@
+ "(?<!(0123456789a){10000000})x"         E  "no match"
+ "(?<!\\ubeaf(\\ubeaf{11000}){11000})"   E  "no match"
++
+ 
+ #  Random debugging, Temporary

icu.spec

@@ -1,6 +1,6 @@
 Name:      icu
 Version:   54.1
-Release:   2%{?dist}
+Release:   3%{?dist}
 Summary:   International Components for Unicode
 Group:     Development/Tools
 License:   MIT and UCD and Public Domain
@@ -15,7 +15,10 @@ Patch2: icu.8800.freeserif.crash.patch
 Patch3: icu.7601.Indic-ccmp.patch
 Patch4: gennorm2-man.patch
 Patch5: icuinfo-man.patch
-Patch6: icu.changeset_37086.patch
+Patch6: icu.changeset_36724.patch
+Patch7: icu.changeset_36727.patch
+Patch8: icu.changeset_36801.patch
+Patch9: icu.changeset_37086.patch
 
 %description
 Tools and utilities for developing with icu.
@@ -63,7 +66,10 @@ BuildArch: noarch
 %patch3 -p1 -b .icu7601.Indic-ccmp.patch
 %patch4 -p1 -b .gennorm2-man.patch
 %patch5 -p1 -b .icuinfo-man.patch
-%patch6 -p1 -b .icu.changeset_37086.patch
+%patch6 -p1 -b .icu.changeset_36724.patch
+%patch7 -p1 -b .icu.changeset_36727.patch
+%patch8 -p1 -b .icu.changeset_36801.patch
+%patch9 -p1 -b .icu.changeset_37086.patch
 
 %build
 cd source
@@ -172,6 +178,9 @@ make %{?_smp_mflags} -C source check
 %doc source/__docs/%{name}/html/*
 
 %changelog
+* Fri Apr 10 2015 Eike Rathke <erack@redhat.com> - 54.1-3
+- Resolves: rhbz#1190131 CVE-2014-7923 CVE-2014-7926 CVE-2014-9654
+
 * Mon Mar 09 2015 Eike Rathke <erack@redhat.com> - 54.1-2
 - Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591