Hello community, here is the log from the commit of package icu for openSUSE:11.3 checked in at Mon Jan 16 15:22:47 CET 2012.
--------
--- old-versions/11.3/all/icu/icu.changes 2010-04-20 16:34:35.000000000 +0200
+++ 11.3/icu/icu.changes 2012-01-13 00:01:40.000000000 +0100
@@ -1,0 +2,7 @@
+Thu Jan 12 22:31:06 UTC 2012 - sshaw@decriptor.com
+
+- Add icu-CVE-2010-4409.patch to fix symbol value check
+ (bnc#657910)
+- Fix out of bounds access (bnc#736146)
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.3/all/icu Destination is old-versions/11.3/UPDATES/all/icu calling whatdependson for 11.3-i586 New: ---- icu-CVE-2010-4409.patch icu-CVE-2011-4599.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ icu.spec ++++++
--- /var/tmp/diff_new_pack.9yDxdz/_old 2012-01-16 15:22:06.000000000 +0100
+++ /var/tmp/diff_new_pack.9yDxdz/_new 2012-01-16 15:22:06.000000000 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package icu (Version 4.2)
+# spec file for package icu
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,12 +23,16 @@
 License: IBM PL
 Group: System/Libraries
 Version: 4.2
-Release: 2
+Release: 7.<RELEASE2>
 Requires: libicu = %{version}
 Url: http://ibm.com/software/globalization/icu
 Source0: icu4c-4_2-src.tar.bz2
 Source1: icu4c-4_2-docs.tar.bz2
 Source3: SuSEconfig.icu
+# PATCH-FIX-UPSTREAM bnc657910 icu-CVE-2010-4409.patch stshaw@suse.com -- Taken from ICU Changeset 29683
+Patch0: icu-CVE-2010-4409.patch
+# PATCH-FIX-UPSTREAM bnc736146 icu-CVE-2011-4599.patch stshaw@suse.com -- canonicalize2.patch from ICU#8984
+Patch1: icu-CVE-2011-4599.patch
 # PATCH-FIX-OPENSUSE icu-remove-datetime.patch vuntz@novell.com -- Do not put date/time in icu-config (needed for build-compare)
 Patch99: icu-remove-datetime.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -142,6 +146,8 @@
 %prep
 %setup -q -n icu -a1
+%patch0 -p1
+%patch1 -p1
 %patch99 -p1
 %build
++++++ icu-CVE-2010-4409.patch ++++++
Index: icu/source/i18n/unum.cpp
===================================================================
--- icu.orig/source/i18n/unum.cpp
+++ icu/source/i18n/unum.cpp
@@ -755,7 +755,7 @@ unum_getSymbol(const UNumberFormat *fmt,
 return 0;
 }
- if(fmt==NULL || (uint16_t)symbol>=UNUM_FORMAT_SYMBOL_COUNT) {
+ if(fmt==NULL || symbol< 0 || symbol>=UNUM_FORMAT_SYMBOL_COUNT) {
 *status=U_ILLEGAL_ARGUMENT_ERROR;
 return 0;
 }
@@ -782,7 +782,7 @@ unum_setSymbol(UNumberFormat *fmt,
 return;
 }
- if(fmt==NULL || (uint16_t)symbol>=UNUM_FORMAT_SYMBOL_COUNT || value==NULL || length<-1) {
+ if(fmt==NULL || symbol< 0 || symbol>=UNUM_FORMAT_SYMBOL_COUNT || value==NULL || length<-1) {
 *status=U_ILLEGAL_ARGUMENT_ERROR;
 return;
 }
++++++ icu-CVE-2011-4599.patch ++++++
Index: icu/source/common/uloc.c
===================================================================
--- icu.orig/source/common/uloc.c
+++ icu/source/common/uloc.c
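Review bot: The two rewritten range checks in icu/source/i18n/unum.cpp (unum_getSymbol in the hunk at -755, unum_setSymbol in the hunk at -782) carry no comment recording why the `(uint16_t)` cast was dropped, so a later cleanup could reintroduce it. The cast compared only the low 16 bits of `symbol`, so an out-of-range value whose low 16 bits are small (0x10000 as a constructed example) passed the old test; a one-line comment above each check would preserve that reasoning, e.g. `/* compare the full enum value: a (uint16_t) cast truncates out-of-range symbols back into range */`. On a compiler that gives the enum an unsigned underlying type, `symbol< 0` is always false and may draw a warning, but the `>=UNUM_FORMAT_SYMBOL_COUNT` half still rejects the value. Both function bodies continue outside the hunks, so how `symbol` is used after the check is not visible here.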
@@ -1736,7 +1736,7 @@ _canonicalize(const char* localeID,
 int32_t variantLen = _deleteVariant(variant, uprv_min(variantSize, (nameCapacity-len)), variantToCompare, n);
 len -= variantLen;
 if (variantLen > 0) {
- if (name[len-1] == '_') { /* delete trailing '_' */
+ if (len > 0 && name[len-1] == '_') { /* delete trailing '_' */
 --len;
 }
 addKeyword = VARIANT_MAP[j].keyword;
@@ -1744,7 +1744,7 @@ _canonicalize(const char* localeID,
 break;
 }
 }
- if (name[len-1] == '_') { /* delete trailing '_' */
+ if (len > 0 && len <= nameCapacity && name[len-1] == '_') { /* delete trailing '_' */
 --len;
 }
 }
++++++ icu-remove-datetime.patch ++++++
--- /var/tmp/diff_new_pack.9yDxdz/_old 2012-01-16 15:22:06.000000000 +0100
+++ /var/tmp/diff_new_pack.9yDxdz/_new 2012-01-16 15:22:06.000000000 +0100
@@ -2,7 +2,7 @@
 ===================================================================
 --- icu.orig/source/Makefile.in
 +++ icu/source/Makefile.in
-@@ -190,7 +190,6 @@ $(top_builddir)/config/icu-config: $(top
+@@ -216,7 +216,6 @@ $(top_builddir)/config/icu-config: $(top
 sed -f $(top_srcdir)/config/make2sh.sed < $(top_builddir)/config/Makefile.inc | grep -v '#M#' | uniq >> $@
 sed -f $(top_srcdir)/config/make2sh.sed < @platform_make_fragment@ | grep -v '#M#' | uniq >> $@
 cat $(top_srcdir)/config/icu-config-bottom >> $@
continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
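Review bot: In icu/source/common/uloc.c the first rewritten guard (hunk at -1736, inside `if (variantLen > 0)`) checks only `len > 0`, while the second (hunk at -1744) also requires `len <= nameCapacity` before reading `name[len-1]`. The context line that passes `uprv_min(variantSize, (nameCapacity-len))` suggests `len` can approach or exceed `nameCapacity` at this point; if it can still exceed it after `len -= variantLen`, the first read lands past the end of `name`. Either apply the same bound, `if (len > 0 && len <= nameCapacity && name[len-1] == '_') {`, or add a comment stating why `variantLen > 0` already implies `len <= nameCapacity`. `_canonicalize` starts and ends outside both hunks, so this cannot be confirmed from the visible lines.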