fix CVE-2020-21913

2021-10-22 10:31:41 +08:00 · 2021-10-22 10:31:41 +08:00 · e11b2b7a24
commit e11b2b7a24
parent 78b5801a07
2 changed files with 71 additions and 1 deletions
--- a/backport-CVE-2020-21913.patch
+++ b/backport-CVE-2020-21913.patch
@ -0,0 +1,66 @@
+From 657c326d4b8a6c4c6721957320fc8c3c68670cfb Mon Sep 17 00:00:00 2001
+From: Jeff Genovy <29107334+jefgen@users.noreply.github.com>
+Date: Tue, 15 Oct 2019 00:05:52 -0700
+Subject: [PATCH] ICU-20850 Use LocalMemory for cmd to prevent use after free
+
+Conflict:NA
+Reference:https://github.com/unicode-org/icu/pull/886/commits/657c326d4b8a6c4c6721957320fc8c3c68670cfb
+---
+ source/tools/pkgdata/pkgdata.cpp | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/source/tools/pkgdata/pkgdata.cpp b/source/tools/pkgdata/pkgdata.cpp
+index ffcf459..cf2c51c 100644
+--- a/source/tools/pkgdata/pkgdata.cpp
+++ b/source/tools/pkgdata/pkgdata.cpp
+@@ -66,6 +66,8 @@ U_DEFINE_LOCAL_OPEN_POINTER(LocalPipeFilePointer, FILE, pclose);
+ 
+ #endif
+ 
+using icu::LocalMemory;
+
+ static void loadLists(UPKGOptions *o, UErrorCode *status);
+ 
+ static int32_t pkg_executeOptions(UPKGOptions *o);
+@@ -1506,9 +1508,7 @@ static int32_t pkg_generateLibraryFile(const char *targetDir, const char mode, c
+ 
+ static int32_t pkg_createWithAssemblyCode(const char *targetDir, const char mode, const char *gencFilePath) {
+     char tempObjectFile[SMALL_BUFFER_MAX_SIZE] = "";
+-    char *cmd;
+     int32_t result = 0;
+-
+     int32_t length = 0;
+ 
+     /* Remove the ending .s and replace it with .o for the new object file. */
+@@ -1518,22 +1518,22 @@ static int32_t pkg_createWithAssemblyCode(const char *targetDir, const char mode
+     length = uprv_strlen(pkgDataFlags[COMPILER]) + uprv_strlen(pkgDataFlags[LIBFLAGS])
+                     + uprv_strlen(tempObjectFile) + uprv_strlen(gencFilePath) + BUFFER_PADDING_SIZE;
+ 
+-    cmd = (char *)uprv_malloc(sizeof(char) * length);
+-    if (cmd == NULL) {
+    LocalMemory<char> cmd((char *)uprv_malloc(sizeof(char) * length));
+    if (cmd.isNull()) {
+         return -1;
+     }
+ 
+     /* Generate the object file. */
+-    sprintf(cmd, "%s %s -o %s %s",
+    sprintf(cmd.getAlias(), "%s %s -o %s %s",
+             pkgDataFlags[COMPILER],
+             pkgDataFlags[LIBFLAGS],
+             tempObjectFile,
+             gencFilePath);
+ 
+-    result = runCommand(cmd);
+-    uprv_free(cmd);
+    result = runCommand(cmd.getAlias());
+
+     if (result != 0) {
+-        fprintf(stderr, "Error creating with assembly code. Failed command: %s\n", cmd);
+        fprintf(stderr, "Error creating with assembly code. Failed command: %s\n", cmd.getAlias());
+         return result;
+     }
+ 
+-- 
+2.27.0
+
--- a/icu.spec
+++ b/icu.spec
@ -1,6 +1,6 @@
 Name:      icu
 Version:   62.1
-Release:   5
+Release:   6
 Summary:   International Components for Unicode
 License:   MIT and UCD and Public Domain
 URL:       http://site.icu-project.org/
@ -15,6 +15,7 @@ Patch2:    icuinfo-man.patch

 Patch6000: icu-fix-memory-leak.patch
 Patch6001: CVE-2020-10531.patch
+Patch6002: backport-CVE-2020-21913.patch

 %description
 Tools and utilities for developing with icu.
@ -129,6 +130,9 @@ LD_LIBRARY_PATH=lib:stubdata:tools/ctestfw:$LD_LIBRARY_PATH bin/uconv -l


 %changelog
+* Fri Oct 22 2021 wangkeorng <wangkerong@huawei.com> - 62.1-6
+- fix CVE-2020-21913
+
 * Fri Mar 20 2020 gulining <gulining1@huawei.com> - 62.1-5
 - fix CVE-2020-10531