Accepting request 906045 from home:AndreasStieger:branches:devel:libraries:c_c++

replace patch with version bump OBS-URL: https://build.opensuse.org/request/show/906045 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libuv?expand=0&rev=54
2021-07-13 08:54:55 +00:00 · 2021-07-13 08:54:55 +00:00 · 09bdd2c04e
commit 09bdd2c04e
parent c85edf857f
7 changed files with 23 additions and 178 deletions
--- a/CVE-2021-22918.patch
+++ b/CVE-2021-22918.patch
@ -1,146 +0,0 @@
---
- src/idna.c |   49 ++++++++++++++++++++++++++++++++++++-------------
- 1 file changed, 36 insertions(+), 13 deletions(-)
-
--- a/src/idna.c
-+++ b/src/idna.c
-@@ -19,6 +19,7 @@
- 
- #include "uv.h"
- #include "idna.h"
-+#include <assert.h>
- #include <string.h>
- 
- static unsigned uv__utf8_decode1_slow(const char** p,
-@@ -32,7 +33,7 @@ static unsigned uv__utf8_decode1_slow(co
-   if (a > 0xF7)
-     return -1;
- 
-  switch (*p - pe) {
-+  switch (pe - *p) {
-   default:
-     if (a > 0xEF) {
-       min = 0x10000;
-@@ -62,6 +63,8 @@ static unsigned uv__utf8_decode1_slow(co
-       a = 0;
-       break;
-     }
-+    /* Fall through. */
-+  case 0:
-     return -1;  /* Invalid continuation byte. */
-   }
- 
-@@ -88,6 +91,8 @@ static unsigned uv__utf8_decode1_slow(co
- unsigned uv__utf8_decode1(const char** p, const char* pe) {
-   unsigned a;
- 
-+  assert(*p < pe);
-+
-   a = (unsigned char) *(*p)++;
- 
-   if (a < 128)
-@@ -96,9 +101,6 @@ unsigned uv__utf8_decode1(const char** p
-   return uv__utf8_decode1_slow(p, pe, a);
- }
- 
-#define foreach_codepoint(c, p, pe) \
-  for (; (void) (*p <= pe && (c = uv__utf8_decode1(p, pe))), *p <= pe;)
-
- static int uv__idna_toascii_label(const char* s, const char* se,
-                                   char** d, char* de) {
-   static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
-@@ -121,15 +123,22 @@ static int uv__idna_toascii_label(const
-   ss = s;
-   todo = 0;
- 
-  foreach_codepoint(c, &s, se) {
-+  /* Note: after this loop we've visited all UTF-8 characters and know
-+   * they're legal so we no longer need to check for decode errors.
-+   */
-+  while (s < se) {
-+    c = uv__utf8_decode1(&s, se);
-+
-+    if (c == -1u)
-+      return UV_EINVAL;
-+
-     if (c < 128)
-       h++;
-    else if (c == (unsigned) -1)
-      return UV_EINVAL;
-     else
-       todo++;
-   }
- 
-+  /* Only write "xn--" when there are non-ASCII characters. */
-   if (todo > 0) {
-     if (*d < de) *(*d)++ = 'x';
-     if (*d < de) *(*d)++ = 'n';
-@@ -137,9 +146,13 @@ static int uv__idna_toascii_label(const
-     if (*d < de) *(*d)++ = '-';
-   }
- 
-+  /* Write ASCII characters. */
-   x = 0;
-   s = ss;
-  foreach_codepoint(c, &s, se) {
-+  while (s < se) {
-+    c = uv__utf8_decode1(&s, se);
-+    assert(c != -1u);
-+
-     if (c > 127)
-       continue;
- 
-@@ -166,10 +179,15 @@ static int uv__idna_toascii_label(const
-   while (todo > 0) {
-     m = -1;
-     s = ss;
-    foreach_codepoint(c, &s, se)
-+
-+    while (s < se) {
-+      c = uv__utf8_decode1(&s, se);
-+      assert(c != -1u);
-+
-       if (c >= n)
-         if (c < m)
-           m = c;
-+    }
- 
-     x = m - n;
-     y = h + 1;
-@@ -181,7 +199,10 @@ static int uv__idna_toascii_label(const
-     n = m;
- 
-     s = ss;
-    foreach_codepoint(c, &s, se) {
-+    while (s < se) {
-+      c = uv__utf8_decode1(&s, se);
-+      assert(c != -1u);
-+
-       if (c < n)
-         if (++delta == 0)
-           return UV_E2BIG;  /* Overflow. */
-@@ -245,8 +266,6 @@ static int uv__idna_toascii_label(const
-   return 0;
- }
- 
-#undef foreach_codepoint
-
- long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
-   const char* si;
-   const char* st;
-@@ -256,10 +275,14 @@ long uv__idna_toascii(const char* s, con
- 
-   ds = d;
- 
-  for (si = s; si < se; /* empty */) {
-+  si = s;
-+  while (si < se) {
-     st = si;
-     c = uv__utf8_decode1(&si, se);
- 
-+    if (c == -1u)
-+      return UV_EINVAL;
-+
-     if (c != '.')
-       if (c != 0x3002)  /* 。 */
-         if (c != 0xFF0E)  /* ． */
--- a/libuv-v1.41.0.tar.gz
+++ b/libuv-v1.41.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1184533907e1ddad9c0dcd30a5abb0fe25288c287ff7fee303fff7b9b2d6eb6e
-size 1272786
--- a/libuv-v1.41.0.tar.gz.sign
+++ b/libuv-v1.41.0.tar.gz.sign
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEVzU+Db2qp+g5tmoa/0fV5K2LT9wFAmAoExQACgkQ/0fV5K2L
-T9y74Q/8C1oF9SHJYyqUch+S8/7Erf+I1Hdak+BgqimH+FVtTPtyFL5OCzuhXwbI
-VzHyi8ddM7ayJY3mVyArlYwxa4u0+uJzOji9EDHH6KoUCnA08/+bUOxcaW26DSOW
-S8Tk3yJ9To892BGUQa+QLP1JIJqTlYul3pWZHOVL6pGu/qarPsyfVMMUHr7C+tkb
-Z0aFGx9LrCmm+s0WyvoLF7NxfhDBwEVsSnfHZSWd5v6DGTprmGgHWqqbx8EQIzXs
-XFu2mKhhV1klr0OxgakjpZiQV4P+GKgkc623lTBnafSGJMVWu57oy9xsEhoKL1pi
-Pn1CWyYeeAR1huNham30wb525KrEa4W96kEBWWbJvFHue4Amlnr4vha5vVdzO3NL
-GKmxay+s+bTG1wpYdkyk+OiINoV6+AB2tGruiCZVRVnHF96knY7Y3ShZzkpoedlj
-s+/0pj4InABnr9n0iTVK0CDBqpUg05VMlgTxJukZE72q6biSTZSo+bKNtJOF3Oc1
-ihwQiyXLMTshk6kwYqaNe+9tu4sVSPUWzK8+8ydEkuDmjmb4k0L+N0T1zt2iKF42
-Dy6sXbNJghWmslHgKOvZ+aFI0EStl4of3MXFCd54Co1ECt3zNMdSQDYN9NcvXRZS
-vrb0GsGnDwtU5ndA3PEydNfjZ2tKRgAf9E+4Zie0QDmBDxHlHoo=
-=2N+m
-----END PGP SIGNATURE-----
--- a/libuv-v1.41.1.tar.gz
+++ b/libuv-v1.41.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:65db0c7f2438bc8cd48865de282bf6670027f3557d6e3cb62fb65b2e350a687d
+size 1273135
--- a/libuv-v1.41.1.tar.gz.sign
+++ b/libuv-v1.41.1.tar.gz.sign
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEErq0KS2hnZ3UaDkrvNKJfsSgkZRQFAmDl/ikACgkQNKJfsSgk
+ZRQHmw//f+Ahw0QRZaYQhcwxfvG87pTAIlbgbTX1m6USrlvgGbBSjm/C5eV/VjJ9
+Tf5kRNresN8kh+6cl8gNlGS2HJJWZHYks+4oYUOUk0XfeE8i/1RSoTEQEuSOvXjH
+gjFc524EU89aVg/AN3U34mp53oMAiT01PafQVJTVsYdK211kSQN1/AW8XLBhTK15
+Oj6+yktf8vyQ/qogbE3ckvnbPtFGGs2BLdapusWLWKIq9MobYIC4Wmg9xsvgq7v5
+GTM1ZvId9WaHC+/2ZZZd8MKzfFXjr48UhVuH93oa+zixGCdOq+bYTYG7OdJ7e6xg
+JssF6VDOmUiaMoP8M2Qhnvfu7cIddCGwrkVq2zRC30RHhVsgKqXOt6FCDVGE3L47
+NVIcYJssJXINIz1jSUCtG05K7ZI0Ok6+oOSy1K+pJe+mMz/Kp4X7xzXhGANJsnjI
+bYbq72/WlCTDlqk/biUmMFIvQuUbl22+L78UtJML1+0+UtX4+SeCcFJKxKnoXSyF
+IdKJQafoukvg1erOHqOPVEqxJQx1LC2LcIcpGonOH3dPBOb48oJ4T8j/xCnt36Zl
+lzyiowTbl/DOvcXUaIsJZl9StU9NlZIDEa4pkUTbzEV+vtIPlBF6f4R+2457lNco
+TsyhCGvNYVeQwqNyZaDfXSBTNvwn/seE/2uz1WEp7dnmVJSwazA=
+=hLSo
+-----END PGP SIGNATURE-----
--- a/libuv.changes
+++ b/libuv.changes
@ -1,13 +1,8 @@
 -------------------------------------------------------------------
-Mon Jul 12 07:13:40 UTC 2021 - Matej Cepl <mcepl@suse.com>
+Tue Jul 13 08:28:21 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- Fix the patch metadata
-
-------------------------------------------------------------------
-Thu Jul  8 20:02:46 UTC 2021 - Matej Cepl <mcepl@suse.com>
-
- Add CVE-2021-22918.patch: patch libuv to fix out of bounds read
-  (Medium) (bsc#1187973, CVE-2021-22918)
+- CVE-2021-22918: fix out of bounds read in punycode decoder
+  (bsc#1187973)

 -------------------------------------------------------------------
 Tue Feb 23 22:43:09 UTC 2021 - Dirk Müller <dmueller@suse.com>
--- a/libuv.spec
+++ b/libuv.spec
@ -18,7 +18,7 @@

 %define somajor 1
 Name:           libuv
-Version:        1.41.0
+Version:        1.41.1
 Release:        0
 Summary:        Asychronous I/O support library
 License:        MIT
@ -29,9 +29,6 @@ Source1:        https://dist.libuv.org/dist/v%{version}/libuv-v%{version}.tar.gz
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
 Patch1:         fix_tests.patch
-# PATCH-FIX-UPSTREAM CVE-2021-22918.patch bsc#1187973 mcepl@suse.com
-# fix OOB read in punycode decoder (CVE-2021-22918)
-Patch2:         CVE-2021-22918.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool