authorFredrik Rinnestam <fredrik@crux.nu>2018-01-16 17:55:52 +0100
committerFredrik Rinnestam <fredrik@crux.nu>2018-01-16 17:56:41 +0100
commitc9ed075b254032302e36eefe14eeac7565cb51e4 (patch)
tree9a4b905e4609b7b7a99d8adc8b6e2660c061b657 /libidn
parent13acc56286f391233573564e43961ff16869b972 (diff)
[notify] libidn: Security fix for CVE-2017-14062. closes FS#1554
Diffstat (limited to 'libidn')
-rw-r--r--libidn/.md5sum1
-rw-r--r--libidn/.md5sum.orig2
-rw-r--r--libidn/.signature5
-rw-r--r--libidn/CVE-2017-14062.patch29
-rw-r--r--libidn/Pkgfile15
5 files changed, 47 insertions, 5 deletions
diff --git a/libidn/.md5sum b/libidn/.md5sum
index 7f3221526..7313e94c9 100644
--- a/libidn/.md5sum
+++ b/libidn/.md5sum
@@ -1 +1,2 @@
+cd02b28cd6b74d7e55055651003dfcf4 CVE-2017-14062.patch
a9aa7e003665de9c82bd3f9fc6ccf308 libidn-1.33.tar.gz
diff --git a/libidn/.md5sum.orig b/libidn/.md5sum.orig
new file mode 100644
index 000000000..9132f3c89
--- /dev/null
+++ b/libidn/.md5sum.orig
@@ -0,0 +1,2 @@
+e4b03c6bcff3e11ea54adc6540fb7d07 CVE-2017-14062.patch
+a9aa7e003665de9c82bd3f9fc6ccf308 libidn-1.33.tar.gz
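Review bot: `.md5sum.orig` looks like a leftover backup file rather than something the port needs, and it should probably be dropped from the commit. It records `e4b03c6bcff3e11ea54adc6540fb7d07` for `CVE-2017-14062.patch`, while `.md5sum` in the same commit records `cd02b28cd6b74d7e55055651003dfcf4`, so the two lists disagree about the same file. Conflicting checksums in the tree make it unclear which patch content was actually reviewed; the SHA256 entry in `.signature` is presumably the authoritative one.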
diff --git a/libidn/.signature b/libidn/.signature
index a748a76f1..50c0763ef 100644
--- a/libidn/.signature
+++ b/libidn/.signature
@@ -1,5 +1,6 @@
untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/av7D78bcxVpHFwVnVvsVbntH7q1tpLUcuW3hTn3rajwbAMu7aCDa5jJTJKeUZ+bNVmNaMcQS9s0TZJeQDMU5As=
-SHA256 (Pkgfile) = e83f48874e414a81a255ce4ad151bd737bc12e30af115f0894a14ff272205ecd
+RWSE3ohX2g5d/XzfkvpoUogWAcNTzXOg8hIykW9+oa298BOCD/60VV/zBtCGx/1AC/ulsdgOM4qV46JvoWtWNKviPjm7dkAPdA4=
+SHA256 (Pkgfile) = 3b2004727e755c55320c76255d6b8b1c2260c08244832e8cc4b9c59e3fbc004b
SHA256 (.footprint) = 8b7ff628d35d714b967f076a8e848cc7c6963129dc2ef9064b13e64e4a9ecf1d
SHA256 (libidn-1.33.tar.gz) = 44a7aab635bb721ceef6beecc4d49dfd19478325e1b47f3196f7d2acc4930e19
+SHA256 (CVE-2017-14062.patch) = 9dd36fddcfe60b8feb958bab4538054134187a52c98c15ec43362b63eaf69ac4
diff --git a/libidn/CVE-2017-14062.patch b/libidn/CVE-2017-14062.patch
new file mode 100644
index 000000000..2a2c2b7ee
--- /dev/null
+++ b/libidn/CVE-2017-14062.patch
@@ -0,0 +1,29 @@
+--- a/lib/punycode.c 2016-01-14 21:42:33.000000000 +0800
++++ b/lib/punycode.c 2018-01-12 11:36:58.027226633 +0800
+@@ -88,11 +88,11 @@ enum
+ /* point (for use in representing integers) in the range 0 to */
+ /* base-1, or base if cp does not represent a value. */
+
+-static punycode_uint
+-decode_digit (punycode_uint cp)
++static unsigned
++decode_digit (int cp)
+ {
+- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
+- cp - 97 < 26 ? cp - 97 : base;
++ return (unsigned) (cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
++ cp - 97 < 26 ? cp - 97 : base);
+ }
+
+ /* encode_digit(d,flag) returns the basic code point whose value */
+--- a/tests/tst_idna.c 2016-01-14 21:42:33.000000000 +0800
++++ b/tests/tst_idna.c 2018-01-12 11:36:58.027226633 +0800
+@@ -211,7 +211,7 @@ static const struct idna idna[] = {
+ 'x', 'n', '-', '-', 'f', 'o', 0x3067},
+ IDNA_ACE_PREFIX "too long too long too long too long too long too "
+ "long too long too long too long too long ", 0,
+- IDNA_CONTAINS_ACE_PREFIX, IDNA_PUNYCODE_ERROR}
++ IDNA_CONTAINS_ACE_PREFIX, IDNA_INVALID_LENGTH}
+ };
+
+ void
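Review bot: With `cp` now an `int`, the range tests in `decode_digit` become signed comparisons, so `cp - 48 < 10` is true for every `cp` below 48 and not only for the digits '0'..'9'. The original relied on unsigned wrap-around to reject those values; as written, code points 22 to 47 return `cp - 22`, i.e. 0 to 25, which is below `base` and so looks like a valid digit. Whether such bytes can reach this function depends on the callers, which are outside the hunk. Explicit range checks keep the overflow fix and do not depend on the operand type. Separately, the patch file has no header naming the upstream commit it was taken from, which makes it harder to audit later.

```c
static unsigned
decode_digit (int cp)
{
  /* Explicit ranges: correct whether cp is signed or unsigned. */
  if (cp >= 48 && cp <= 57)     /* '0'..'9' -> 26..35 */
    return (unsigned) (cp - 22);
  if (cp >= 65 && cp <= 90)     /* 'A'..'Z' -> 0..25 */
    return (unsigned) (cp - 65);
  if (cp >= 97 && cp <= 122)    /* 'a'..'z' -> 0..25 */
    return (unsigned) (cp - 97);
  return base;                  /* not a digit */
}
```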
diff --git a/libidn/Pkgfile b/libidn/Pkgfile
index 25ee04769..f6bef3a9b 100644
--- a/libidn/Pkgfile
+++ b/libidn/Pkgfile
@@ -5,12 +5,17 @@
name=libidn
version=1.33
-release=1
-source=(http://ftp.gnu.org/gnu/$name/$name-$version.tar.gz)
+release=2
+source=(http://ftp.gnu.org/gnu/$name/$name-$version.tar.gz
+ CVE-2017-14062.patch)
build() {
cd $name-$version
+ patch -p1 -i $SRC/CVE-2017-14062.patch
+ sed -i '/^SUBDIRS/s/doc//' Makefile.am
+
+ autoreconf
./configure \
--prefix=/usr \
--disable-nls \
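Review bot: The `sed` on `Makefile.am` and the bare `autoreconf` in `build()` need a comment saying why `doc` is removed from `SUBDIRS` and why the build system is regenerated, for example `# skip doc/ so autoreconf does not need the doc toolchain; prebuilt man pages are installed by hand below` (the reason is inferred, adjust to the real one). `$SRC` is unquoted in `patch -p1 -i $SRC/CVE-2017-14062.patch`; `patch -p1 -i "$SRC/CVE-2017-14062.patch"` is safer. The patch also changes an expected result in `tests/tst_idna.c`, but no test run is visible in this hunk, so the build does not exercise that change. `build()` continues past the end of the hunk.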
@@ -18,5 +23,9 @@ build() {
make
make DESTDIR=$PKG install
- rm -r $PKG/usr/share/info
+
+ install -d $PKG/usr/share/man/man{1,3}
+ install -m 0644 doc/*.1 $PKG/usr/share/man/man1
+ install -m 0644 doc/man/*.3 $PKG/usr/share/man/man3
+
}
