From 52c8a3cd437cbd0a20b11ee25618159bc91d9945 Mon Sep 17 00:00:00 2001 From: lubing6 Date: Wed, 18 Mar 2020 16:28:45 +0800 Subject: [PATCH] fix CVE-2019-12290 --- 0001-CVE-2019-12290.patch | 364 ++++++++++++++++++ 0002-CVE-2019-12290.patch | 196 ++++++++++ 0003-CVE-2019-12290.patch | 44 +++ ...missing-errors-in-idn2_strerror_name.patch | 52 +++ ...from-error.c-add-missing-TR46-values.patch | 315 +++++++++++++++ libidn2.spec | 21 +- 6 files changed, 987 insertions(+), 5 deletions(-) create mode 100644 0001-CVE-2019-12290.patch create mode 100644 0002-CVE-2019-12290.patch create mode 100644 0003-CVE-2019-12290.patch create mode 100644 Add-missing-errors-in-idn2_strerror_name.patch create mode 100644 Remove-overhead-from-error.c-add-missing-TR46-values.patch diff --git a/0001-CVE-2019-12290.patch b/0001-CVE-2019-12290.patch new file mode 100644 index 0000000..2cc1e10 --- /dev/null +++ b/0001-CVE-2019-12290.patch @@ -0,0 +1,364 @@ +From 2e3328229470730f9c81ea439afe3a9cb1504276 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Tue, 9 Apr 2019 16:58:18 +0200 +Subject: [PATCH] Perform A-Label roundtrip for lookup functions by default + +This adds another check to avoid unexpected results. +It was a longstanding FIXME. + +Thanks to Jonathan Birch of Microsoft Corporation, +Florian Weimer (GNU glibc) and Nikos Mavrogiannopoulos (GnuTLS) +for investigation, discussion and testing. +--- + lib/error.c | 2 ++ + lib/idn2.h.in | 12 ++++--- + lib/lookup.c | 105 +++++++++++++++++++++++++++++++++++++++++----------------- + src/blurbs.h | 4 +-- + src/idn2.c | 32 ++++++++++-------- + src/idn2.ggo | 1 + + 6 files changed, 105 insertions(+), 51 deletions(-) + +diff --git a/lib/error.c b/lib/error.c +index 0304044..8483f30 100644 +--- a/lib/error.c ++++ b/lib/error.c +@@ -77,6 +77,7 @@ idn2_strerror (int rc) + case IDN2_DOT_IN_LABEL: return _("domain label has forbidden dot (TR46)"); + case IDN2_INVALID_TRANSITIONAL: return _("domain label has character forbidden in transitional mode (TR46)"); + case IDN2_INVALID_NONTRANSITIONAL: return _("domain label has character forbidden in non-transitional mode (TR46)"); ++ case IDN2_ALABEL_ROUNDTRIP_FAILED: return _("Alabel roundtrip failed"); + default: return _("Unknown error"); + } + } +@@ -129,6 +130,7 @@ idn2_strerror_name (int rc) + case IDN2_DOT_IN_LABEL: return ERR2STR (IDN2_DOT_IN_LABEL); + case IDN2_INVALID_TRANSITIONAL: return ERR2STR (IDN2_INVALID_TRANSITIONAL); + case IDN2_INVALID_NONTRANSITIONAL: return ERR2STR (IDN2_INVALID_NONTRANSITIONAL); ++ case IDN2_ALABEL_ROUNDTRIP_FAILED: return ERR2STR (IDN2_ALABEL_ROUNDTRIP_FAILED); + default: return "IDN2_UNKNOWN"; + } + } +diff --git a/lib/idn2.h.in b/lib/idn2.h.in +index bae7e2e..b979bda 100644 +--- a/lib/idn2.h.in ++++ b/lib/idn2.h.in +@@ -150,10 +150,11 @@ extern "C" + /** + * idn2_flags: + * @IDN2_NFC_INPUT: Normalize input string using normalization form C. +- * @IDN2_ALABEL_ROUNDTRIP: Perform optional IDNA2008 lookup roundtrip check (not implemented yet). +- * @IDN2_NO_TR46: Disable Unicode TR46 processing (default). ++ * @IDN2_ALABEL_ROUNDTRIP: Perform optional IDNA2008 lookup roundtrip check (default). ++ * @IDN2_NO_ALABEL_ROUNDTRIP: Disable ALabel lookup roundtrip check. ++ * @IDN2_NO_TR46: Disable Unicode TR46 processing. + * @IDN2_TRANSITIONAL: Perform Unicode TR46 transitional processing. +- * @IDN2_NONTRANSITIONAL: Perform Unicode TR46 non-transitional processing. ++ * @IDN2_NONTRANSITIONAL: Perform Unicode TR46 non-transitional processing (default). + * @IDN2_ALLOW_UNASSIGNED: Libidn compatibility flag, unused. + * @IDN2_USE_STD3_ASCII_RULES: Use STD3 ASCII rules. + * This is a #TR46 only flag, and will be ignored when set without either +@@ -170,7 +171,8 @@ extern "C" + IDN2_NONTRANSITIONAL = 8, + IDN2_ALLOW_UNASSIGNED = 16, + IDN2_USE_STD3_ASCII_RULES = 32, +- IDN2_NO_TR46 = 64 ++ IDN2_NO_TR46 = 64, ++ IDN2_NO_ALABEL_ROUNDTRIP = 128 + } idn2_flags; + + /* IDNA2008 with UTF-8 encoded inputs. */ +@@ -221,6 +223,7 @@ extern "C" + * @IDN2_DOT_IN_LABEL: Label has forbidden dot (TR46). + * @IDN2_INVALID_TRANSITIONAL: Label has character forbidden in transitional mode (TR46). + * @IDN2_INVALID_NONTRANSITIONAL: Label has character forbidden in non-transitional mode (TR46). ++ * @IDN2_ALABEL_ROUNDTRIP_FAILED: ALabel -> Ulabel -> ALabel result differs from input. + * + * Return codes for IDN2 functions. All return codes are negative + * except for the successful code IDN2_OK which are guaranteed to be +@@ -259,6 +262,7 @@ extern "C" + IDN2_DOT_IN_LABEL = -311, + IDN2_INVALID_TRANSITIONAL = -312, + IDN2_INVALID_NONTRANSITIONAL = -313, ++ IDN2_ALABEL_ROUNDTRIP_FAILED = -314, + } idn2_rc; + + /* Auxilliary functions. */ +diff --git a/lib/lookup.c b/lib/lookup.c +index 1d922a5..5e814e0 100644 +--- a/lib/lookup.c ++++ b/lib/lookup.c +@@ -51,6 +51,9 @@ static int set_default_flags(int *flags) + if (((*flags) & (IDN2_TRANSITIONAL|IDN2_NONTRANSITIONAL)) && ((*flags) & IDN2_NO_TR46)) + return IDN2_INVALID_FLAGS; + ++ if (((*flags) & IDN2_ALABEL_ROUNDTRIP) && ((*flags) & IDN2_NO_ALABEL_ROUNDTRIP)) ++ return IDN2_INVALID_FLAGS; ++ + if (!((*flags) & (IDN2_NO_TR46|IDN2_TRANSITIONAL))) + *flags |= IDN2_NONTRANSITIONAL; + +@@ -63,23 +66,39 @@ label (const uint8_t * src, size_t srclen, uint8_t * dst, size_t * dstlen, + { + size_t plen; + uint32_t *p; +- int rc; +- size_t tmpl; +- +- if (_idn2_ascii_p (src, srclen)) +- { +- if (flags & IDN2_ALABEL_ROUNDTRIP) +- /* FIXME implement this MAY: +- +- If the input to this procedure appears to be an A-label +- (i.e., it starts in "xn--", interpreted +- case-insensitively), the lookup application MAY attempt to +- convert it to a U-label, first ensuring that the A-label is +- entirely in lowercase (converting it to lowercase if +- necessary), and apply the tests of Section 5.4 and the +- conversion of Section 5.5 to that form. */ +- return IDN2_INVALID_FLAGS; ++ const uint8_t *src_org = NULL; ++ uint8_t *src_allocated = NULL; ++ int rc, check_roundtrip = 0; ++ size_t tmpl, srclen_org = 0; ++ uint32_t label_u32[IDN2_LABEL_MAX_LENGTH]; ++ size_t label32_len = IDN2_LABEL_MAX_LENGTH; ++ ++ if (_idn2_ascii_p (src, srclen)) { ++ if (!(flags & IDN2_NO_ALABEL_ROUNDTRIP) && srclen >= 4 && memcmp (src, "xn--", 4) == 0) { ++ /* ++ If the input to this procedure appears to be an A-label ++ (i.e., it starts in "xn--", interpreted ++ case-insensitively), the lookup application MAY attempt to ++ convert it to a U-label, first ensuring that the A-label is ++ entirely in lowercase (converting it to lowercase if ++ necessary), and apply the tests of Section 5.4 and the ++ conversion of Section 5.5 to that form. */ ++ rc = _idn2_punycode_decode (srclen - 4, (char *) src + 4, &label32_len, label_u32); ++ if (rc) ++ return rc; + ++ check_roundtrip = 1; ++ src_org = src; ++ srclen_org = srclen; ++ ++ srclen = IDN2_LABEL_MAX_LENGTH; ++ src = src_allocated = u32_to_u8 (label_u32, label32_len, NULL, &srclen); ++ if (!src) { ++ if (errno == ENOMEM) ++ return IDN2_MALLOC; ++ return IDN2_ENCODING_ERROR; ++ } ++ } else { + if (srclen > IDN2_LABEL_MAX_LENGTH) + return IDN2_TOO_BIG_LABEL; + if (srclen > *dstlen) +@@ -89,10 +108,11 @@ label (const uint8_t * src, size_t srclen, uint8_t * dst, size_t * dstlen, + *dstlen = srclen; + return IDN2_OK; + } ++ } + + rc = _idn2_u8_to_u32_nfc (src, srclen, &p, &plen, flags & IDN2_NFC_INPUT); + if (rc != IDN2_OK) +- return rc; ++ goto out; + + if (!(flags & IDN2_TRANSITIONAL)) + { +@@ -110,8 +130,8 @@ label (const uint8_t * src, size_t srclen, uint8_t * dst, size_t * dstlen, + + if (rc != IDN2_OK) + { +- free(p); +- return rc; ++ free (p); ++ goto out; + } + } + +@@ -124,11 +144,25 @@ label (const uint8_t * src, size_t srclen, uint8_t * dst, size_t * dstlen, + rc = _idn2_punycode_encode (plen, p, &tmpl, (char *) dst + 4); + free (p); + if (rc != IDN2_OK) +- return rc; ++ goto out; ++ + + *dstlen = 4 + tmpl; + +- return IDN2_OK; ++ if (check_roundtrip) ++ { ++ if (srclen_org != *dstlen || memcmp (src_org, dst, srclen_org)) ++ { ++ rc = IDN2_ALABEL_ROUNDTRIP_FAILED; ++ goto out; ++ } ++ } ++ ++ rc = IDN2_OK; ++ ++out: ++ free (src_allocated); ++ return rc; + } + + #define TR46_TRANSITIONAL_CHECK \ +@@ -371,13 +405,17 @@ _tr46 (const uint8_t * domain_u8, uint8_t ** out, int flags) + * Pass %IDN2_NFC_INPUT in @flags to convert input to NFC form before + * further processing. %IDN2_TRANSITIONAL and %IDN2_NONTRANSITIONAL + * do already imply %IDN2_NFC_INPUT. ++ * + * Pass %IDN2_ALABEL_ROUNDTRIP in @flags to + * convert any input A-labels to U-labels and perform additional +- * testing (not implemented yet). ++ * testing. This is default since version 2.2. ++ * To switch this behavior off, pass IDN2_NO_ALABEL_ROUNDTRIP ++ * + * Pass %IDN2_TRANSITIONAL to enable Unicode TR46 + * transitional processing, and %IDN2_NONTRANSITIONAL to enable +- * Unicode TR46 non-transitional processing. Multiple flags may be +- * specified by binary or:ing them together. ++ * Unicode TR46 non-transitional processing. ++ * ++ * Multiple flags may be specified by binary or:ing them together. + * + * After version 2.0.3: %IDN2_USE_STD3_ASCII_RULES disabled by default. + * Previously we were eliminating non-STD3 characters from domain strings +@@ -495,14 +533,19 @@ idn2_lookup_u8 (const uint8_t * src, uint8_t ** lookupname, int flags) + * to be encoded in the locale's default coding system, and will be + * transcoded to UTF-8 and NFC normalized by this function. + * +- * Pass %IDN2_ALABEL_ROUNDTRIP in @flags to convert any input A-labels +- * to U-labels and perform additional testing. Pass +- * %IDN2_TRANSITIONAL to enable Unicode TR46 transitional processing, ++ * Pass %IDN2_ALABEL_ROUNDTRIP in @flags to ++ * convert any input A-labels to U-labels and perform additional ++ * testing. This is default since version 2.2. ++ * To switch this behavior off, pass IDN2_NO_ALABEL_ROUNDTRIP ++ * ++ * Pass %IDN2_TRANSITIONAL to enable Unicode TR46 transitional processing, + * and %IDN2_NONTRANSITIONAL to enable Unicode TR46 non-transitional +- * processing. Multiple flags may be specified by binary or:ing them +- * together, for example %IDN2_ALABEL_ROUNDTRIP | +- * %IDN2_NONTRANSITIONAL. The %IDN2_NFC_INPUT in @flags is always +- * enabled in this function. ++ * processing. ++ * ++ * Multiple flags may be specified by binary or:ing them together, for ++ * example %IDN2_ALABEL_ROUNDTRIP | %IDN2_NONTRANSITIONAL. ++ * ++ * The %IDN2_NFC_INPUT in @flags is always enabled in this function. + * + * After version 0.11: @lookupname may be NULL to test lookup of @src + * without allocating memory. +diff --git a/src/blurbs.h b/src/blurbs.h +index 2d71ed0..4fdea0f 100644 +--- a/src/blurbs.h ++++ b/src/blurbs.h +@@ -1,5 +1,5 @@ + /* blurbs.h - warranty and conditions blurbs +- Copyright (C) 2011-2017 Simon Josefsson ++ Copyright (C) 2011-2019 Simon Josefsson, Tim Ruehsen + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -16,7 +16,7 @@ + */ + + #define GREETING \ +- "Copyright (C) 2011-2017 Simon Josefsson\n" \ ++ "Copyright (C) 2011-2019 Simon Josefsson, Tim Ruehsen\n" \ + "This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.\n" \ + "This is free software, and you are welcome to redistribute it\n" \ + "under certain conditions; type `show c' for details.\n\n" +diff --git a/src/idn2.c b/src/idn2.c +index 9fdaf12..161ab56 100644 +--- a/src/idn2.c ++++ b/src/idn2.c +@@ -1,5 +1,5 @@ + /* idn2.c - command line interface to libidn2 +- Copyright (C) 2011-2017 Simon Josefsson ++ Copyright (C) 2011-2019 Simon Josefsson, Tim Ruehsen + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -50,7 +50,7 @@ const char version_etc_copyright[] = + /* Do *not* mark this string for translation. %s is a copyright + symbol suitable for this locale, and %d is the copyright + year. */ +- "Copyright %s %d Simon Josefsson."; ++ "Copyright 2011-%s %d Simon Josefsson, Tim Ruehsen."; + + static void + usage (int status) +@@ -78,23 +78,24 @@ to signal the end of parameters, as in `idn2 --quiet -- -foo'.\n\ + Mandatory arguments to long options are mandatory for short options too.\n\ + "), stdout); + fputs (_("\ +- -h, --help Print help and exit\n\ +- -V, --version Print version and exit\n\ ++ -h, --help Print help and exit\n\ ++ -V, --version Print version and exit\n\ + "), stdout); + fputs (_("\ +- -d, --decode Decode (punycode) domain name\n\ +- -l, --lookup Lookup domain name (default)\n\ +- -r, --register Register label\n\ ++ -d, --decode Decode (punycode) domain name\n\ ++ -l, --lookup Lookup domain name (default)\n\ ++ -r, --register Register label\n\ + "), stdout); + fputs (_("\ +- -T, --tr46t Enable TR46 transitional processing\n\ +- -N, --tr46nt Enable TR46 non-transitional processing\n\ +- --no-tr46 Disable TR46 processing\n\ ++ -T, --tr46t Enable TR46 transitional processing\n\ ++ -N, --tr46nt Enable TR46 non-transitional processing\n\ ++ --no-tr46 Disable TR46 processing\n\ + "), stdout); + fputs (_("\ +- --usestd3asciirules Enable STD3 ASCII rules\n\ +- --debug Print debugging information\n\ +- --quiet Silent operation\n\ ++ --usestd3asciirules Enable STD3 ASCII rules\n\ ++ --no-alabelroundtrip Disable ALabel rountrip for lookups\n\ ++ --debug Print debugging information\n\ ++ --quiet Silent operation\n\ + "), stdout); + emit_bug_reporting_address (); + } +@@ -201,7 +202,7 @@ main (int argc, char *argv[]) + if (args_info.version_given) + { + version_etc (stdout, "idn2", PACKAGE_NAME, VERSION, +- "Simon Josefsson", (char *) NULL); ++ "Simon Josefsson, Tim Ruehsen", (char *) NULL); + return EXIT_SUCCESS; + } + +@@ -230,6 +231,9 @@ main (int argc, char *argv[]) + if (flags && args_info.usestd3asciirules_given) + flags |= IDN2_USE_STD3_ASCII_RULES; + ++ if (flags && args_info.no_alabelroundtrip_given) ++ flags |= IDN2_NO_ALABEL_ROUNDTRIP; ++ + for (cmdn = 0; cmdn < args_info.inputs_num; cmdn++) + process_input (args_info.inputs[cmdn], flags | IDN2_NFC_INPUT); + +diff --git a/src/idn2.ggo b/src/idn2.ggo +index 3732cb5..04a5360 100644 +--- a/src/idn2.ggo ++++ b/src/idn2.ggo +@@ -20,5 +20,6 @@ option "tr46t" T "Enable TR46 transitional processing" flag off + option "tr46nt" N "Enable TR46 non-transitional processing" flag off + option "no-tr46" - "Disable TR46 processing" flag off + option "usestd3asciirules" - "Enable STD3 ASCII rules" flag off ++option "no-alabelroundtrip" - "Disable ALabel roundtrip for lookups" flag off + option "debug" - "Print debugging information" flag off + option "quiet" - "Silent operation" flag off +-- +1.8.3.1 + diff --git a/0002-CVE-2019-12290.patch b/0002-CVE-2019-12290.patch new file mode 100644 index 0000000..b6a68cb --- /dev/null +++ b/0002-CVE-2019-12290.patch @@ -0,0 +1,196 @@ +From 019fd57f70297d216c6b80b89112307db994b74e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Tue, 9 Apr 2019 16:58:18 +0200 +Subject: [PATCH 2/3] Manually create idn2_cmd.c and idn2_cmd.h due to idn2.ggo + +diff -ru goo_before/src/idn2_cmd.c goo/src/idn2_cmd.c +--- goo_before/src/idn2_cmd.c 2020-03-17 23:09:46.872000000 +0800 ++++ goo/src/idn2_cmd.c 2020-03-17 23:07:45.844000000 +0800 +@@ -1,5 +1,5 @@ + /* +- File autogenerated by gengetopt version 2.22.6 ++ File autogenerated by gengetopt version 2.23 + generated with the following command: + gengetopt --unamed-opts --no-handle-version --no-handle-help --set-package=idn2 --input idn2.ggo --file-name idn2_cmd + +@@ -27,24 +27,25 @@ + + const char *gengetopt_args_info_purpose = ""; + +-const char *gengetopt_args_info_usage = "Usage: idn2 [OPTION]... [STRING]..."; ++const char *gengetopt_args_info_usage = "Usage: idn2 [OPTION]... [FILE]..."; + + const char *gengetopt_args_info_versiontext = ""; + + const char *gengetopt_args_info_description = ""; + + const char *gengetopt_args_info_help[] = { +- " -h, --help Print help and exit", +- " -V, --version Print version and exit", +- " -d, --decode Decode (punycode) domain name", +- " -l, --lookup Lookup domain name (default)", +- " -r, --register Register label", +- " -T, --tr46t Enable TR46 transitional processing (default=off)", +- " -N, --tr46nt Enable TR46 non-transitional processing\n (default=off)", +- " --no-tr46 Disable TR46 processing (default=off)", +- " --usestd3asciirules Enable STD3 ASCII rules (default=off)", +- " --debug Print debugging information (default=off)", +- " --quiet Silent operation (default=off)", ++ " -h, --help Print help and exit", ++ " -V, --version Print version and exit", ++ " -d, --decode Decode (punycode) domain name", ++ " -l, --lookup Lookup domain name (default)", ++ " -r, --register Register label", ++ " -T, --tr46t Enable TR46 transitional processing (default=off)", ++ " -N, --tr46nt Enable TR46 non-transitional processing\n (default=off)", ++ " --no-tr46 Disable TR46 processing (default=off)", ++ " --usestd3asciirules Enable STD3 ASCII rules (default=off)", ++ " --no-alabelroundtrip Disable ALabel roundtrip for lookups (default=off)", ++ " --debug Print debugging information (default=off)", ++ " --quiet Silent operation (default=off)", + 0 + }; + +@@ -77,6 +78,7 @@ + args_info->tr46nt_given = 0 ; + args_info->no_tr46_given = 0 ; + args_info->usestd3asciirules_given = 0 ; ++ args_info->no_alabelroundtrip_given = 0 ; + args_info->debug_given = 0 ; + args_info->quiet_given = 0 ; + } +@@ -89,6 +91,7 @@ + args_info->tr46nt_flag = 0; + args_info->no_tr46_flag = 0; + args_info->usestd3asciirules_flag = 0; ++ args_info->no_alabelroundtrip_flag = 0; + args_info->debug_flag = 0; + args_info->quiet_flag = 0; + +@@ -108,8 +111,9 @@ + args_info->tr46nt_help = gengetopt_args_info_help[6] ; + args_info->no_tr46_help = gengetopt_args_info_help[7] ; + args_info->usestd3asciirules_help = gengetopt_args_info_help[8] ; +- args_info->debug_help = gengetopt_args_info_help[9] ; +- args_info->quiet_help = gengetopt_args_info_help[10] ; ++ args_info->no_alabelroundtrip_help = gengetopt_args_info_help[9] ; ++ args_info->debug_help = gengetopt_args_info_help[10] ; ++ args_info->quiet_help = gengetopt_args_info_help[11] ; + + } + +@@ -124,19 +128,25 @@ + printf("\n%s\n", gengetopt_args_info_versiontext); + } + +-static void print_help_common(void) { +- cmdline_parser_print_version (); +- +- if (strlen(gengetopt_args_info_purpose) > 0) +- printf("\n%s\n", gengetopt_args_info_purpose); +- +- if (strlen(gengetopt_args_info_usage) > 0) +- printf("\n%s\n", gengetopt_args_info_usage); +- +- printf("\n"); ++static void print_help_common(void) ++{ ++ size_t len_purpose = strlen(gengetopt_args_info_purpose); ++ size_t len_usage = strlen(gengetopt_args_info_usage); + +- if (strlen(gengetopt_args_info_description) > 0) +- printf("%s\n\n", gengetopt_args_info_description); ++ if (len_usage > 0) { ++ printf("%s\n", gengetopt_args_info_usage); ++ } ++ if (len_purpose > 0) { ++ printf("%s\n", gengetopt_args_info_purpose); ++ } ++ ++ if (len_usage || len_purpose) { ++ printf("\n"); ++ } ++ ++ if (strlen(gengetopt_args_info_description) > 0) { ++ printf("%s\n\n", gengetopt_args_info_description); ++ } + } + + void +@@ -240,6 +250,8 @@ + write_into_file(outfile, "no-tr46", 0, 0 ); + if (args_info->usestd3asciirules_given) + write_into_file(outfile, "usestd3asciirules", 0, 0 ); ++ if (args_info->no_alabelroundtrip_given) ++ write_into_file(outfile, "no-alabelroundtrip", 0, 0 ); + if (args_info->debug_given) + write_into_file(outfile, "debug", 0, 0 ); + if (args_info->quiet_given) +@@ -416,7 +428,9 @@ + break; + }; + +- ++ FIX_UNUSED(stop_char); ++ FIX_UNUSED(val); ++ + /* store the original value */ + switch(arg_type) { + case ARG_NO: +@@ -455,10 +469,16 @@ + + package_name = argv[0]; + ++ /* TODO: Why is this here? It is not used anywhere. */ + override = params->override; ++ FIX_UNUSED(override); ++ + initialize = params->initialize; + check_required = params->check_required; ++ ++ /* TODO: Why is this here? It is not used anywhere. */ + check_ambiguity = params->check_ambiguity; ++ FIX_UNUSED(check_ambiguity); + + if (initialize) + cmdline_parser_init (args_info); +@@ -484,6 +504,7 @@ + { "tr46nt", 0, NULL, 'N' }, + { "no-tr46", 0, NULL, 0 }, + { "usestd3asciirules", 0, NULL, 0 }, ++ { "no-alabelroundtrip", 0, NULL, 0 }, + { "debug", 0, NULL, 0 }, + { "quiet", 0, NULL, 0 }, + { 0, 0, 0, 0 } +@@ -605,6 +626,18 @@ + goto failure; + + } ++ /* Disable ALabel roundtrip for lookups. */ ++ else if (strcmp (long_options[option_index].name, "no-alabelroundtrip") == 0) ++ { ++ ++ ++ if (update_arg((void *)&(args_info->no_alabelroundtrip_flag), 0, &(args_info->no_alabelroundtrip_given), ++ &(local_args_info.no_alabelroundtrip_given), optarg, 0, 0, ARG_FLAG, ++ check_ambiguity, override, 1, 0, "no-alabelroundtrip", '-', ++ additional_error)) ++ goto failure; ++ ++ } + /* Print debugging information. */ + else if (strcmp (long_options[option_index].name, "debug") == 0) + { +@@ -643,6 +676,7 @@ + + + ++ FIX_UNUSED(check_required); + + cmdline_parser_release (&local_args_info); + +@@ -680,3 +714,4 @@ + cmdline_parser_release (&local_args_info); + return (EXIT_FAILURE); + } ++/* vim: set ft=c noet ts=8 sts=8 sw=8 tw=80 nojs spell : */ diff --git a/0003-CVE-2019-12290.patch b/0003-CVE-2019-12290.patch new file mode 100644 index 0000000..1f6c004 --- /dev/null +++ b/0003-CVE-2019-12290.patch @@ -0,0 +1,44 @@ +From 019fd57f70297d216c6b80b89112307db994b74e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Tue, 9 Apr 2019 16:58:18 +0200 +Subject: [PATCH 3/3] Manually create idn2_cmd.c and idn2_cmd.h due to idn2.ggo + +diff -ru goo_before/src/idn2_cmd.h goo/src/idn2_cmd.h +--- goo_before/src/idn2_cmd.h 2020-03-17 23:09:46.872000000 +0800 ++++ goo/src/idn2_cmd.h 2020-03-17 23:07:45.844000000 +0800 +@@ -1,9 +1,9 @@ + /** @file idn2_cmd.h + * @brief The header file for the command line option parser +- * generated by GNU Gengetopt version 2.22.6 ++ * generated by GNU Gengetopt version 2.23 + * http://www.gnu.org/software/gengetopt. + * DO NOT modify this file, since it can be overwritten +- * @author GNU Gengetopt by Lorenzo Bettini */ ++ * @author GNU Gengetopt */ + + #ifndef IDN2_CMD_H + #define IDN2_CMD_H +@@ -50,6 +50,8 @@ + const char *no_tr46_help; /**< @brief Disable TR46 processing help description. */ + int usestd3asciirules_flag; /**< @brief Enable STD3 ASCII rules (default=off). */ + const char *usestd3asciirules_help; /**< @brief Enable STD3 ASCII rules help description. */ ++ int no_alabelroundtrip_flag; /**< @brief Disable ALabel roundtrip for lookups (default=off). */ ++ const char *no_alabelroundtrip_help; /**< @brief Disable ALabel roundtrip for lookups help description. */ + int debug_flag; /**< @brief Print debugging information (default=off). */ + const char *debug_help; /**< @brief Print debugging information help description. */ + int quiet_flag; /**< @brief Silent operation (default=off). */ +@@ -64,11 +66,12 @@ + unsigned int tr46nt_given ; /**< @brief Whether tr46nt was given. */ + unsigned int no_tr46_given ; /**< @brief Whether no-tr46 was given. */ + unsigned int usestd3asciirules_given ; /**< @brief Whether usestd3asciirules was given. */ ++ unsigned int no_alabelroundtrip_given ; /**< @brief Whether no-alabelroundtrip was given. */ + unsigned int debug_given ; /**< @brief Whether debug was given. */ + unsigned int quiet_given ; /**< @brief Whether quiet was given. */ + +- char **inputs ; /**< @brief unamed options (options without names) */ +- unsigned inputs_num ; /**< @brief unamed options number */ ++ char **inputs ; /**< @brief unnamed options (options without names) */ ++ unsigned inputs_num ; /**< @brief unnamed options number */ + } ; + + /** @brief The additional parameters to pass to parser functions */ diff --git a/Add-missing-errors-in-idn2_strerror_name.patch b/Add-missing-errors-in-idn2_strerror_name.patch new file mode 100644 index 0000000..26805f3 --- /dev/null +++ b/Add-missing-errors-in-idn2_strerror_name.patch @@ -0,0 +1,52 @@ +From be02ca5ca2d4aa1117b4fc55d47f18f9bb01957e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Thu, 28 Jun 2018 13:14:45 +0200 +Subject: [PATCH] Add missing errors in idn2_strerror_name() + +--- + lib/error.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/lib/error.c b/lib/error.c +index 9a5179c..9ab4fb1 100644 +--- a/lib/error.c ++++ b/lib/error.c +@@ -230,11 +230,15 @@ idn2_strerror_name (int rc) + p = ERR2STR (IDN2_UALABEL_MISMATCH); + break; + ++ case IDN2_INVALID_FLAGS: ++ p = ERR2STR (IDN2_INVALID_FLAGS); ++ break; ++ + case IDN2_NOT_NFC: + p = ERR2STR (IDN2_NOT_NFC); + break; + +- case IDN2_2HYPHEN: ++ case IDN2_2HYPHEN: + p = ERR2STR (IDN2_2HYPHEN); + break; + +@@ -274,6 +278,18 @@ idn2_strerror_name (int rc) + p = ERR2STR (IDN2_BIDI); + break; + ++ case IDN2_DOT_IN_LABEL: ++ p = ERR2STR (IDN2_DOT_IN_LABEL); ++ break; ++ ++ case IDN2_INVALID_TRANSITIONAL: ++ p = ERR2STR (IDN2_INVALID_TRANSITIONAL); ++ break; ++ ++ case IDN2_INVALID_NONTRANSITIONAL: ++ p = ERR2STR (IDN2_INVALID_NONTRANSITIONAL); ++ break; ++ + default: + p = "IDN2_UNKNOWN"; + break; +-- +1.8.3.1 + diff --git a/Remove-overhead-from-error.c-add-missing-TR46-values.patch b/Remove-overhead-from-error.c-add-missing-TR46-values.patch new file mode 100644 index 0000000..0a39756 --- /dev/null +++ b/Remove-overhead-from-error.c-add-missing-TR46-values.patch @@ -0,0 +1,315 @@ +From fc1448456bd429de98e3c5a854430af2555b9a07 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Wed, 9 Jan 2019 16:59:54 +0100 +Subject: [PATCH] Remove overhead from error.c, add missing TR46 values + +--- + lib/error.c | 279 +++++++++++++----------------------------------------------- + 1 file changed, 57 insertions(+), 222 deletions(-) + +diff --git a/lib/error.c b/lib/error.c +index 9ab4fb1..0304044 100644 +--- a/lib/error.c ++++ b/lib/error.c +@@ -46,114 +46,39 @@ + const char * + idn2_strerror (int rc) + { +- const char *p; +- + bindtextdomain (PACKAGE, LOCALEDIR); + + switch (rc) + { +- case IDN2_OK: +- p = _("success"); +- break; +- +- case IDN2_MALLOC: +- p = _("out of memory"); +- break; +- +- case IDN2_NO_CODESET: +- p = _("could not determine locale encoding format"); +- break; +- +- case IDN2_ICONV_FAIL: +- p = _("could not convert string to UTF-8"); +- break; +- +- case IDN2_ENCODING_ERROR: +- p = _("string encoding error"); +- break; +- +- case IDN2_NFC: +- p = _("string could not be NFC normalized"); +- break; +- +- case IDN2_PUNYCODE_BAD_INPUT: +- p = _("string contains invalid punycode data"); +- break; +- +- case IDN2_PUNYCODE_BIG_OUTPUT: +- p = _("punycode encoded data will be too large"); +- break; +- +- case IDN2_PUNYCODE_OVERFLOW: +- p = _("punycode conversion resulted in overflow"); +- break; +- +- case IDN2_TOO_BIG_DOMAIN: +- p = _("domain name longer than 255 characters"); +- break; +- +- case IDN2_TOO_BIG_LABEL: +- p = _("domain label longer than 63 characters"); +- break; +- +- case IDN2_INVALID_ALABEL: +- p = _("input A-label is not valid"); +- break; +- +- case IDN2_UALABEL_MISMATCH: +- p = _("input A-label and U-label does not match"); +- break; +- +- case IDN2_NOT_NFC: +- p = _("string is not in Unicode NFC format"); +- break; +- +- case IDN2_2HYPHEN: +- p = _("string contains forbidden two hyphens pattern"); +- break; +- +- case IDN2_HYPHEN_STARTEND: +- p = _("string start/ends with forbidden hyphen"); +- break; +- +- case IDN2_LEADING_COMBINING: +- p = _("string contains a forbidden leading combining character"); +- break; +- +- case IDN2_DISALLOWED: +- p = _("string contains a disallowed character"); +- break; +- +- case IDN2_CONTEXTJ: +- p = _("string contains a forbidden context-j character"); +- break; +- +- case IDN2_CONTEXTJ_NO_RULE: +- p = _("string contains a context-j character with null rule"); +- break; +- +- case IDN2_CONTEXTO: +- p = _("string contains a forbidden context-o character"); +- break; +- +- case IDN2_CONTEXTO_NO_RULE: +- p = _("string contains a context-o character with null rule"); +- break; +- +- case IDN2_UNASSIGNED: +- p = _("string contains unassigned code point"); +- break; +- +- case IDN2_BIDI: +- p = _("string has forbidden bi-directional properties"); +- break; +- +- default: +- p = _("Unknown error"); +- break; ++ case IDN2_OK: return _("success"); ++ case IDN2_MALLOC: return _("out of memory"); ++ case IDN2_NO_CODESET: return _("could not determine locale encoding format"); ++ case IDN2_ICONV_FAIL: return _("could not convert string to UTF-8"); ++ case IDN2_ENCODING_ERROR: return _("string encoding error"); ++ case IDN2_NFC: return _("string could not be NFC normalized"); ++ case IDN2_PUNYCODE_BAD_INPUT: return _("string contains invalid punycode data"); ++ case IDN2_PUNYCODE_BIG_OUTPUT: return _("punycode encoded data will be too large"); ++ case IDN2_PUNYCODE_OVERFLOW: return _("punycode conversion resulted in overflow"); ++ case IDN2_TOO_BIG_DOMAIN: return _("domain name longer than 255 characters"); ++ case IDN2_TOO_BIG_LABEL: return _("domain label longer than 63 characters"); ++ case IDN2_INVALID_ALABEL: return _("input A-label is not valid"); ++ case IDN2_UALABEL_MISMATCH: return _("input A-label and U-label does not match"); ++ case IDN2_NOT_NFC: return _("string is not in Unicode NFC format"); ++ case IDN2_2HYPHEN: return _("string contains forbidden two hyphens pattern"); ++ case IDN2_HYPHEN_STARTEND: return _("string start/ends with forbidden hyphen"); ++ case IDN2_LEADING_COMBINING: return _("string contains a forbidden leading combining character"); ++ case IDN2_DISALLOWED: return _("string contains a disallowed character"); ++ case IDN2_CONTEXTJ: return _("string contains a forbidden context-j character"); ++ case IDN2_CONTEXTJ_NO_RULE: return _("string contains a context-j character with null rule"); ++ case IDN2_CONTEXTO: return _("string contains a forbidden context-o character"); ++ case IDN2_CONTEXTO_NO_RULE: return _("string contains a context-o character with null rule"); ++ case IDN2_UNASSIGNED: return _("string contains unassigned code point"); ++ case IDN2_BIDI: return _("string has forbidden bi-directional properties"); ++ case IDN2_DOT_IN_LABEL: return _("domain label has forbidden dot (TR46)"); ++ case IDN2_INVALID_TRANSITIONAL: return _("domain label has character forbidden in transitional mode (TR46)"); ++ case IDN2_INVALID_NONTRANSITIONAL: return _("domain label has character forbidden in non-transitional mode (TR46)"); ++ default: return _("Unknown error"); + } +- +- return p; + } + + #define ERR2STR(name) #name +@@ -174,126 +99,36 @@ idn2_strerror (int rc) + const char * + idn2_strerror_name (int rc) + { +- const char *p; +- + switch (rc) + { +- case IDN2_OK: +- p = ERR2STR (IDN2_OK); +- break; +- +- case IDN2_MALLOC: +- p = ERR2STR (IDN2_MALLOC); +- break; +- +- case IDN2_NO_CODESET: +- p = ERR2STR (IDN2_NO_NODESET); +- break; +- +- case IDN2_ICONV_FAIL: +- p = ERR2STR (IDN2_ICONV_FAIL); +- break; +- +- case IDN2_ENCODING_ERROR: +- p = ERR2STR (IDN2_ENCODING_ERROR); +- break; +- +- case IDN2_NFC: +- p = ERR2STR (IDN2_NFC); +- break; +- +- case IDN2_PUNYCODE_BAD_INPUT: +- p = ERR2STR (IDN2_PUNYCODE_BAD_INPUT); +- break; +- +- case IDN2_PUNYCODE_BIG_OUTPUT: +- p = ERR2STR (IDN2_PUNYCODE_BIG_OUTPUT); +- break; +- +- case IDN2_PUNYCODE_OVERFLOW: +- p = ERR2STR (IDN2_PUNYCODE_OVERFLOW); +- break; +- +- case IDN2_TOO_BIG_DOMAIN: +- p = ERR2STR (IDN2_TOO_BIG_DOMAIN); +- break; +- +- case IDN2_TOO_BIG_LABEL: +- p = ERR2STR (IDN2_TOO_BIG_LABEL); +- break; +- +- case IDN2_INVALID_ALABEL: +- p = ERR2STR (IDN2_INVALID_ALABEL); +- break; +- +- case IDN2_UALABEL_MISMATCH: +- p = ERR2STR (IDN2_UALABEL_MISMATCH); +- break; +- +- case IDN2_INVALID_FLAGS: +- p = ERR2STR (IDN2_INVALID_FLAGS); +- break; +- +- case IDN2_NOT_NFC: +- p = ERR2STR (IDN2_NOT_NFC); +- break; +- +- case IDN2_2HYPHEN: +- p = ERR2STR (IDN2_2HYPHEN); +- break; +- +- case IDN2_HYPHEN_STARTEND: +- p = ERR2STR (IDN2_HYPHEN_STARTEND); +- break; +- +- case IDN2_LEADING_COMBINING: +- p = ERR2STR (IDN2_LEADING_COMBINING); +- break; +- +- case IDN2_DISALLOWED: +- p = ERR2STR (IDN2_DISALLOWED); +- break; +- +- case IDN2_CONTEXTJ: +- p = ERR2STR (IDN2_CONTEXTJ); +- break; +- +- case IDN2_CONTEXTJ_NO_RULE: +- p = ERR2STR (IDN2_CONTEXTJ_NO_RULE); +- break; +- +- case IDN2_CONTEXTO: +- p = ERR2STR (IDN2_CONTEXTO); +- break; +- +- case IDN2_CONTEXTO_NO_RULE: +- p = ERR2STR (IDN2_CONTEXTO_NO_RULE); +- break; +- +- case IDN2_UNASSIGNED: +- p = ERR2STR (IDN2_UNASSIGNED); +- break; +- +- case IDN2_BIDI: +- p = ERR2STR (IDN2_BIDI); +- break; +- +- case IDN2_DOT_IN_LABEL: +- p = ERR2STR (IDN2_DOT_IN_LABEL); +- break; +- +- case IDN2_INVALID_TRANSITIONAL: +- p = ERR2STR (IDN2_INVALID_TRANSITIONAL); +- break; +- +- case IDN2_INVALID_NONTRANSITIONAL: +- p = ERR2STR (IDN2_INVALID_NONTRANSITIONAL); +- break; +- +- default: +- p = "IDN2_UNKNOWN"; +- break; ++ case IDN2_OK: return ERR2STR (IDN2_OK); ++ case IDN2_MALLOC: return ERR2STR (IDN2_MALLOC); ++ case IDN2_NO_CODESET: return ERR2STR (IDN2_NO_NODESET); ++ case IDN2_ICONV_FAIL: return ERR2STR (IDN2_ICONV_FAIL); ++ case IDN2_ENCODING_ERROR: return ERR2STR (IDN2_ENCODING_ERROR); ++ case IDN2_NFC: return ERR2STR (IDN2_NFC); ++ case IDN2_PUNYCODE_BAD_INPUT: return ERR2STR (IDN2_PUNYCODE_BAD_INPUT); ++ case IDN2_PUNYCODE_BIG_OUTPUT: return ERR2STR (IDN2_PUNYCODE_BIG_OUTPUT); ++ case IDN2_PUNYCODE_OVERFLOW: return ERR2STR (IDN2_PUNYCODE_OVERFLOW); ++ case IDN2_TOO_BIG_DOMAIN: return ERR2STR (IDN2_TOO_BIG_DOMAIN); ++ case IDN2_TOO_BIG_LABEL: return ERR2STR (IDN2_TOO_BIG_LABEL); ++ case IDN2_INVALID_ALABEL: return ERR2STR (IDN2_INVALID_ALABEL); ++ case IDN2_UALABEL_MISMATCH: return ERR2STR (IDN2_UALABEL_MISMATCH); ++ case IDN2_INVALID_FLAGS: return ERR2STR (IDN2_INVALID_FLAGS); ++ case IDN2_NOT_NFC: return ERR2STR (IDN2_NOT_NFC); ++ case IDN2_2HYPHEN: return ERR2STR (IDN2_2HYPHEN); ++ case IDN2_HYPHEN_STARTEND: return ERR2STR (IDN2_HYPHEN_STARTEND); ++ case IDN2_LEADING_COMBINING: return ERR2STR (IDN2_LEADING_COMBINING); ++ case IDN2_DISALLOWED: return ERR2STR (IDN2_DISALLOWED); ++ case IDN2_CONTEXTJ: return ERR2STR (IDN2_CONTEXTJ); ++ case IDN2_CONTEXTJ_NO_RULE: return ERR2STR (IDN2_CONTEXTJ_NO_RULE); ++ case IDN2_CONTEXTO: return ERR2STR (IDN2_CONTEXTO); ++ case IDN2_CONTEXTO_NO_RULE: return ERR2STR (IDN2_CONTEXTO_NO_RULE); ++ case IDN2_UNASSIGNED: return ERR2STR (IDN2_UNASSIGNED); ++ case IDN2_BIDI: return ERR2STR (IDN2_BIDI); ++ case IDN2_DOT_IN_LABEL: return ERR2STR (IDN2_DOT_IN_LABEL); ++ case IDN2_INVALID_TRANSITIONAL: return ERR2STR (IDN2_INVALID_TRANSITIONAL); ++ case IDN2_INVALID_NONTRANSITIONAL: return ERR2STR (IDN2_INVALID_NONTRANSITIONAL); ++ default: return "IDN2_UNKNOWN"; + } +- +- return p; + } +-- +1.8.3.1 + diff --git a/libidn2.spec b/libidn2.spec index 5f2d134..8876d1d 100644 --- a/libidn2.spec +++ b/libidn2.spec @@ -1,16 +1,21 @@ Name: libidn2 Version: 2.0.5 -Release: 7 +Release: 8 Summary: GNU IDN Library License: (GPLv2+ or LGPLv3+) and GPLv3+ URL: https://www.gnu.org/software/libidn/#libidn2 Source0: https://ftp.gnu.org/gnu/libidn/%{name}-%{version}.tar.gz Patch0: bugfix-libidn2-change-rpath.patch -Patch6000: Fix-free-of-random-stack-value-in-idn2_to_ascii_4i.patch -Patch6001: Add-libidn2_register_fuzzer-and-corpora.patch -Patch6002: Restrict-output-length-to-63.patch -Patch9000: fix-compile-error-about-missing-aclocal.patch +Patch1: Fix-free-of-random-stack-value-in-idn2_to_ascii_4i.patch +Patch2: Add-libidn2_register_fuzzer-and-corpora.patch +Patch3: Restrict-output-length-to-63.patch +Patch4: Add-missing-errors-in-idn2_strerror_name.patch +Patch5: Remove-overhead-from-error.c-add-missing-TR46-values.patch +Patch6: 0001-CVE-2019-12290.patch +Patch7: 0002-CVE-2019-12290.patch +Patch8: 0003-CVE-2019-12290.patch +Patch9: fix-compile-error-about-missing-aclocal.patch #Dependency BuildRequires: gcc gettext libunistring-devel autoconf texinfo @@ -78,6 +83,12 @@ make %{?_smp_mflags} -C tests check %{_datadir}/gtk-doc/ %changelog +* Wed Mar 18 2020 openEuler Buildteam - 2.0.5-8 +- Type:CVE +- ID:NA +- SUG:NA +- DESC:fix CVE-2019-12290 + * Wed Jan 1 2020 openEuler Buildteam - 2.0.5-7 - Fix bug in patched -- Gitee