!70 [sync] PR-69: add epoch number to changelog

From: @openeuler-sync-bot Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng
add epoch number to changelog
2024-02-19 08:09:42 +00:00 · 2024-02-19 15:54:18 +08:00 · 2024-02-19 07:54:11 +00:00 · 2024-02-19 10:46:02 +08:00 · 2022-03-28 06:17:35 +00:00 · 2022-03-28 11:17:14 +08:00
7 changed files with 139 additions and 17 deletions
--- a/backport-0001-CVE-2024-24806.patch
+++ b/backport-0001-CVE-2024-24806.patch
@ -0,0 +1,52 @@
+From 0f2d7e784a256b54b2385043438848047bc2a629 Mon Sep 17 00:00:00 2001
+From: Ben Noordhuis <info@bnoordhuis.nl>
+Date: Thu, 18 Jan 2024 14:51:40 +0100
+Subject: [PATCH] fix: always zero-terminate idna output
+
+Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
+---
+ src/idna.c       | 5 +++--
+ test/test-idna.c | 4 ++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/idna.c b/src/idna.c
+index b44cb16..645165c 100644
+--- a/src/idna.c
+++ b/src/idna.c
+@@ -307,8 +307,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
+       return rc;
+   }
+ 
+-  if (d < de)
+-    *d++ = '\0';
+  if (d >= de)
+    return UV_EINVAL;
+ 
+  *d++ = '\0';
+   return d - ds;  /* Number of bytes written. */
+ }
+diff --git a/test/test-idna.c b/test/test-idna.c
+index f4fad96..d079be5 100644
+--- a/test/test-idna.c
+++ b/test/test-idna.c
+@@ -99,6 +99,7 @@ TEST_IMPL(utf8_decode1) {
+ TEST_IMPL(utf8_decode1_overrun) {
+   const char* p;
+   char b[1];
+  char c[1];
+ 
+   /* Single byte. */
+   p = b;
+@@ -112,6 +113,9 @@ TEST_IMPL(utf8_decode1_overrun) {
+   ASSERT_EQ((unsigned) -1, uv__utf8_decode1(&p, b + 1));
+   ASSERT_EQ(p, b + 1);
+ 
+  b[0] = 0x7F;
+  ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 1, c, c + 1));
+
+   return 0;
+ }
+ 
+-- 
+2.41.0
+
--- a/backport-0002-CVE-2024-24806.patch
+++ b/backport-0002-CVE-2024-24806.patch
@ -0,0 +1,40 @@
+From 3530bcc30350d4a6ccf35d2f7b33e23292b9de70 Mon Sep 17 00:00:00 2001
+From: Ben Noordhuis <info@bnoordhuis.nl>
+Date: Thu, 18 Jan 2024 14:52:38 +0100
+Subject: [PATCH] fix: reject zero-length idna inputs
+
+Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
+---
+ src/idna.c       | 3 +++
+ test/test-idna.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/src/idna.c b/src/idna.c
+index 645165c..abbfe87 100644
+--- a/src/idna.c
+++ b/src/idna.c
+@@ -273,6 +273,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
+   char* ds;
+   int rc;
+ 
+  if (s == se)
+    return UV_EINVAL;
+
+   ds = d;
+ 
+   si = s;
+diff --git a/test/test-idna.c b/test/test-idna.c
+index d079be5..d59b521 100644
+--- a/test/test-idna.c
+++ b/test/test-idna.c
+@@ -114,6 +114,7 @@ TEST_IMPL(utf8_decode1_overrun) {
+   ASSERT_EQ(p, b + 1);
+ 
+   b[0] = 0x7F;
+  ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 0, c, c + 1));
+   ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 1, c, c + 1));
+ 
+   return 0;
+-- 
+2.41.0
+
--- a/backport-0003-CVE-2024-24806.patch
+++ b/backport-0003-CVE-2024-24806.patch
@ -0,0 +1,27 @@
+From e0327e1d508b8207c9150b6e582f0adf26213c39 Mon Sep 17 00:00:00 2001
+From: Santiago Gimeno <santiago.gimeno@gmail.com>
+Date: Wed, 7 Feb 2024 20:27:58 +0100
+Subject: [PATCH] test: empty strings are not valid IDNA
+
+Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
+---
+ test/test-idna.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/test-idna.c b/test/test-idna.c
+index d59b521..37da38d 100644
+--- a/test/test-idna.c
+++ b/test/test-idna.c
+@@ -150,8 +150,8 @@ TEST_IMPL(idna_toascii) {
+   /* Illegal inputs. */
+   F("\xC0\x80\xC1\x80", UV_EINVAL);  /* Overlong UTF-8 sequence. */
+   F("\xC0\x80\xC1\x80.com", UV_EINVAL);  /* Overlong UTF-8 sequence. */
+  F("", UV_EINVAL);
+   /* No conversion. */
+-  T("", "");
+   T(".", ".");
+   T(".com", ".com");
+   T("example", "example");
+-- 
+2.41.0
+
--- a/libuv-v1.23.0.tar.gz
+++ b/libuv-v1.23.0.tar.gz
--- a/libuv-v1.42.0.tar.gz
+++ b/libuv-v1.42.0.tar.gz
--- a/libuv.pc.in
+++ b/libuv.pc.in
@ -1,11 +0,0 @@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-includedir=@includedir@
-
-Name: libuv
-Description: Development libraries for libuv
-Version: @version@
-Libs: -L${libdir} -luv -lrt -lpthread -lnsl -ldl
-Cflags: -I{includedir}
-URL: http://libuv.org/
--- a/libuv.spec
+++ b/libuv.spec
@ -1,14 +1,17 @@
 Name:           libuv
 Epoch:          1
-Version:        1.23.0
+Version:        1.42.0
 Release:        2
 Summary:        A multi-platform support library with a focus on asynchronous I/O

-# the licensing breakdown is described in detail in the LICENSE file
-License:        MIT and BSD and ISC
+# from README.md
+License:        MIT and CC-BY-4.0
 URL:            http://libuv.org/
 Source0:        http://dist.libuv.org/dist/v%{version}/%{name}-v%{version}.tar.gz
-Source2:        %{name}.pc.in
+
+Patch6000: backport-0001-CVE-2024-24806.patch
+Patch6001: backport-0002-CVE-2024-24806.patch
+Patch6002: backport-0003-CVE-2024-24806.patch

 BuildRequires:  autoconf automake libtool gcc

@ -28,7 +31,6 @@ Development libraries for libuv

 %package_help

-
 %prep
 %autosetup -p1 -n %{name}-v%{version}

@ -60,5 +62,17 @@ Development libraries for libuv
 %doc ChangeLog

 %changelog
-* Tue Dec 3 2019 mengxian <mengxian@huawei.com> - 1.23.0-2
+* Sun Feb 18 2024 shixuantong <shixuantong1@huawei.com> - 1:1.42.0-2
+- fix CVE-2024-24806
+
+* Thu Mar 24 2022 wangkai <wangkai385@huawei.com> - 1:1.42.0-1
+- upgrade version to 1.42.0
+
+* Mon Dec 14 2020 wangxiao <wangxiao65@huawei.com> - 1:1.38.1-2
+- fix CVE-2020-8252
+
+* Wed Aug 5 2020 hanxinke <hanxinke@huawei.com> - 1:1.38.1-1
+- update to 1.38.1
+
+* Tue Dec 3 2019 mengxian <mengxian@huawei.com> - 1:1.23.0-2
 - Package init
Author	SHA1	Message	Date
openeuler-ci-bot	b7fc32acf7	!70 [sync] PR-69: add epoch number to changelog From: @openeuler-sync-bot Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng	2024-02-19 08:09:42 +00:00
shixuantong	c4836e140b	add epoch number to changelog (cherry picked from commit 9bdd091e6723fbb4c8169aa8f45ca396e84dc957)	2024-02-19 15:54:18 +08:00
openeuler-ci-bot	6739e7f866	!68 [sync] PR-62: fix CVE-2024-24806 From: @openeuler-sync-bot Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng	2024-02-19 07:54:11 +00:00
shixuantong	b0bda8503c	fix CVE-2024-24806 (cherry picked from commit 0b3795f84630f2bdcecff383980695d189dcac2f)	2024-02-19 10:46:02 +08:00
openeuler-ci-bot	2d43fea40f	!19 [sync] PR-16: upgrade version to 1.42.0 From: @openeuler-sync-bot Reviewed-by: @small_leek Signed-off-by: @small_leek	2022-03-28 06:17:35 +00:00
wk333	6d1d67e89c	upgrade version to 1.42.0 (cherry picked from commit 72c55ed022b5d0f5b6ca4d4c05402c79cd486db9)	2022-03-28 11:17:14 +08:00
openeuler-ci-bot	c31791df1f	!11 fix CVE-2020-8252 From: @wangxiao65 Reviewed-by: @jackie_wu123,@small_leek Signed-off-by: @small_leek	2020-12-15 14:18:57 +08:00
wangxiao65	1b0face75b	fix CVE-2020-8252	2020-12-15 11:38:40 +08:00
openeuler-ci-bot	d8118110b4	!7 libuv: update to 1.38.1 Merge pull request !7 from hanxinke/openEuler-20.03-LTS	2020-08-10 22:04:34 +08:00
hanxinke	5a7d624216	libuv: update to 1.38.1	2020-08-05 20:08:34 +08:00