diff --git a/backport-CVE-2020-21913.patch b/backport-CVE-2020-21913.patch new file mode 100644 index 0000000000000000000000000000000000000000..4ddad697bd6490eaadce8ca6cc845c5d0ff04bb0 --- /dev/null +++ b/backport-CVE-2020-21913.patch @@ -0,0 +1,66 @@ +From 657c326d4b8a6c4c6721957320fc8c3c68670cfb Mon Sep 17 00:00:00 2001 +From: Jeff Genovy <29107334+jefgen@users.noreply.github.com> +Date: Tue, 15 Oct 2019 00:05:52 -0700 +Subject: [PATCH] ICU-20850 Use LocalMemory for cmd to prevent use after free + +Conflict:NA +Reference:https://github.com/unicode-org/icu/pull/886/commits/657c326d4b8a6c4c6721957320fc8c3c68670cfb +--- + source/tools/pkgdata/pkgdata.cpp | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/source/tools/pkgdata/pkgdata.cpp b/source/tools/pkgdata/pkgdata.cpp +index ffcf459..cf2c51c 100644 +--- a/source/tools/pkgdata/pkgdata.cpp ++++ b/source/tools/pkgdata/pkgdata.cpp +@@ -66,6 +66,8 @@ U_DEFINE_LOCAL_OPEN_POINTER(LocalPipeFilePointer, FILE, pclose); + + #endif + ++using icu::LocalMemory; ++ + static void loadLists(UPKGOptions *o, UErrorCode *status); + + static int32_t pkg_executeOptions(UPKGOptions *o); +@@ -1506,9 +1508,7 @@ static int32_t pkg_generateLibraryFile(const char *targetDir, const char mode, c + + static int32_t pkg_createWithAssemblyCode(const char *targetDir, const char mode, const char *gencFilePath) { + char tempObjectFile[SMALL_BUFFER_MAX_SIZE] = ""; +- char *cmd; + int32_t result = 0; +- + int32_t length = 0; + + /* Remove the ending .s and replace it with .o for the new object file. */ +@@ -1518,22 +1518,22 @@ static int32_t pkg_createWithAssemblyCode(const char *targetDir, const char mode + length = uprv_strlen(pkgDataFlags[COMPILER]) + uprv_strlen(pkgDataFlags[LIBFLAGS]) + + uprv_strlen(tempObjectFile) + uprv_strlen(gencFilePath) + BUFFER_PADDING_SIZE; + +- cmd = (char *)uprv_malloc(sizeof(char) * length); +- if (cmd == NULL) { ++ LocalMemory cmd((char *)uprv_malloc(sizeof(char) * length)); ++ if (cmd.isNull()) { + return -1; + } + + /* Generate the object file. */ +- sprintf(cmd, "%s %s -o %s %s", ++ sprintf(cmd.getAlias(), "%s %s -o %s %s", + pkgDataFlags[COMPILER], + pkgDataFlags[LIBFLAGS], + tempObjectFile, + gencFilePath); + +- result = runCommand(cmd); +- uprv_free(cmd); ++ result = runCommand(cmd.getAlias()); ++ + if (result != 0) { +- fprintf(stderr, "Error creating with assembly code. Failed command: %s\n", cmd); ++ fprintf(stderr, "Error creating with assembly code. Failed command: %s\n", cmd.getAlias()); + return result; + } + +-- +2.27.0 + diff --git a/icu.spec b/icu.spec index c306609373b98647d942ce1c078d801193f857d4..1bfb318929668b571073d6880d64afa4e86ec4e2 100644 --- a/icu.spec +++ b/icu.spec @@ -1,6 +1,6 @@ Name: icu Version: 62.1 -Release: 5 +Release: 6 Summary: International Components for Unicode License: MIT and UCD and Public Domain URL: http://site.icu-project.org/ @@ -15,6 +15,7 @@ Patch2: icuinfo-man.patch Patch6000: icu-fix-memory-leak.patch Patch6001: CVE-2020-10531.patch +Patch6002: backport-CVE-2020-21913.patch %description Tools and utilities for developing with icu. @@ -129,6 +130,9 @@ LD_LIBRARY_PATH=lib:stubdata:tools/ctestfw:$LD_LIBRARY_PATH bin/uconv -l %changelog +* Fri Oct 22 2021 wangkerong - 62.1-6 +- fix CVE-2020-21913 + * Fri Mar 20 2020 gulining - 62.1-5 - fix CVE-2020-10531