gettext: fix CVE-2018-18751

Backport patch to fix CVE-2018-18751 for gettext. Because po-gram-gen.y has been modified by fix-CVE-2018-18751.patch, it requires yacc which provided by bison-native to re-create po-gram-gen.c. Please remove bison-native from DEPENDS* when next upgrade. Ref: https://security-tracker.debian.org/tracker/CVE-2018-18751 (From OE-Core rev: 4b3a085d6c63fd8459bb084aaa277dd2e8949594) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2018-11-14 00:46:32 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-11-16 11:46:07 +0000
commit: 6da5d5b3242f4f435628192c561a1d2115a9a9ee (patch)
tree: 1672ef5cec3f88baeca68bac76fe182c27dc45e9 /meta
parent: be1c84a91eb3ddddbef5cb7d4f74ffbb0ffe5778 (diff)
download: poky-6da5d5b3242f4f435628192c561a1d2115a9a9ee.tar.gz
2 files changed, 147 insertions, 2 deletions
diff --git a/meta/recipes-core/gettext/gettext-0.19.8.1/fix-CVE-2018-18751.patch b/meta/recipes-core/gettext/gettext-0.19.8.1/fix-CVE-2018-18751.patch
new file mode 100644
index 0000000000..6dfe200d65
--- /dev/null
+++ b/meta/recipes-core/gettext/gettext-0.19.8.1/fix-CVE-2018-18751.patch
@@ -0,0 +1,141 @@
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=gettext.git;a=commit;h=dce3a16]
+CVE: CVE-2018-18751
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From dce3a16e5e9368245735e29bf498dcd5e3e474a4 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 15 Sep 2016 13:57:24 +0200
+Subject: [PATCH] xgettext: Fix crash with *.po file input
+When xgettext was given two *.po files with the same msgid_plural, it
+crashed with double-free.  Problem reported by Davlet Panech in:
+http://lists.gnu.org/archive/html/bug-gettext/2016-09/msg00001.html
+* gettext-tools/src/po-gram-gen.y: Don't free msgid_pluralform after
+calling do_callback_message, assuming that it takes ownership.
+* gettext-tools/src/read-catalog.c (default_add_message): Free
+msgid_plural after calling message_alloc.
+* gettext-tools/tests/xgettext-po-2: New file.
+* gettext-tools/tests/Makefile.am (TESTS): Add new test.
+---
+ gettext-tools/src/po-gram-gen.y   | 13 ++++-----
+ gettext-tools/src/read-catalog.c  |  2 ++
+ gettext-tools/tests/Makefile.am   |  2 +-
+ gettext-tools/tests/xgettext-po-2 | 55 +++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 63 insertions(+), 9 deletions(-)
+ create mode 100755 gettext-tools/tests/xgettext-po-2
+diff --git a/gettext-tools/src/po-gram-gen.y b/gettext-tools/src/po-gram-gen.y
+index becf5e6..4428e77 100644
+--- a/gettext-tools/src/po-gram-gen.y
+++ b/gettext-tools/src/po-gram-gen.y
+@@ -221,14 +221,11 @@ message
+                   check_obsolete ($1, $3);
+                   check_obsolete ($1, $4);
+                   if (!$1.obsolete || pass_obsolete_entries)
+-                    {
+-                      do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
+-                                           $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
+-                                           $1.prev_ctxt,
+-                                           $1.prev_id, $1.prev_id_plural,
+-                                           $1.obsolete);
+-                      free ($3.string);
+-                    }
+                    do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
+                                         $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
+                                         $1.prev_ctxt,
+                                         $1.prev_id, $1.prev_id_plural,
+                                         $1.obsolete);
+                   else
+                     {
+                       free_message_intro ($1);
+diff --git a/gettext-tools/src/read-catalog.c b/gettext-tools/src/read-catalog.c
+index 571d18e..6af6d20 100644
+--- a/gettext-tools/src/read-catalog.c
+++ b/gettext-tools/src/read-catalog.c
+@@ -397,6 +397,8 @@ default_add_message (default_catalog_reader_ty *this,
+          appropriate.  */
+       mp = message_alloc (msgctxt, msgid, msgid_plural, msgstr, msgstr_len,
+                           msgstr_pos);
+      if (msgid_plural != NULL)
+        free (msgid_plural);
+       mp->prev_msgctxt = prev_msgctxt;
+       mp->prev_msgid = prev_msgid;
+       mp->prev_msgid_plural = prev_msgid_plural;
+diff --git a/gettext-tools/tests/Makefile.am b/gettext-tools/tests/Makefile.am
+index 23b09b1..0dfb4d8 100644
+--- a/gettext-tools/tests/Makefile.am
+++ b/gettext-tools/tests/Makefile.am
+@@ -95,7 +95,7 @@ TESTS = gettext-1 gettext-2 gettext-3 gettext-4 gettext-5 gettext-6 gettext-7 \
+        xgettext-perl-1 xgettext-perl-2 xgettext-perl-3 xgettext-perl-4 \
+        xgettext-perl-5 xgettext-perl-6 xgettext-perl-7 xgettext-perl-8 \
+        xgettext-php-1 xgettext-php-2 xgettext-php-3 xgettext-php-4 \
+-       xgettext-po-1 \
+       xgettext-po-1 xgettext-po-2 \
+        xgettext-properties-1 \
+        xgettext-python-1 xgettext-python-2 xgettext-python-3 \
+        xgettext-python-4 \
+diff --git a/gettext-tools/tests/xgettext-po-2 b/gettext-tools/tests/xgettext-po-2
+new file mode 100755
+index 0000000..c4bd9d0
+--- /dev/null
+++ b/gettext-tools/tests/xgettext-po-2
+@@ -0,0 +1,55 @@
+#! /bin/sh
+. "${srcdir=.}/init.sh"; path_prepend_ . ../src
+
+# Test PO extractors with multiple input files.
+
+cat <<EOF > xg-po-2-1.po
+msgid "first msgid"
+msgid_plural "first msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "second msgid"
+msgid_plural "second msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+EOF
+
+cat <<EOF > xg-po-2-2.po
+msgid "third msgid"
+msgid_plural "third msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "second msgid"
+msgid_plural "second msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+EOF
+
+: ${XGETTEXT=xgettext}
+${XGETTEXT} --omit-header xg-po-2-1.po xg-po-2-2.po -o xg-po-2.tmp.po || Exit 1
+LC_ALL=C tr -d '\r' < xg-po-2.tmp.po > xg-po-2.po || Exit 1
+
+cat <<EOF > xg-po-2.ok
+msgid "first msgid"
+msgid_plural "first msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "second msgid"
+msgid_plural "second msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "third msgid"
+msgid_plural "third msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+EOF
+
+: ${DIFF=diff}
+${DIFF} xg-po-2.ok xg-po-2.po
+result=$?
+
+exit $result
+-- 
+1.9.1
diff --git a/meta/recipes-core/gettext/gettext_0.19.8.1.bb b/meta/recipes-core/gettext/gettext_0.19.8.1.bb
index 68f5cc329a..933baccd94 100644
--- a/meta/recipes-core/gettext/gettext_0.19.8.1.bb
+++ b/meta/recipes-core/gettext/gettext_0.19.8.1.bb
@@ -8,8 +8,11 @@ SECTION = "libs"
 LICENSE = "GPLv3+ & LGPL-2.1+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-DEPENDS = "gettext-native virtual/libiconv"
+# Because po-gram-gen.y has been modified by fix-CVE-2018-18751.patch,
-DEPENDS_class-native = "gettext-minimal-native"
+# it requires yacc which provided by bison-native
+# Please remove bison-native from DEPENDS* when next upgrade
+DEPENDS = "bison-native gettext-native virtual/libiconv"
+DEPENDS_class-native = "bison-native gettext-minimal-native"
 PROVIDES = "virtual/libintl virtual/gettext"
 PROVIDES_class-native = "virtual/gettext-native"
 RCONFLICTS_${PN} = "proxy-libintl"
@@ -18,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/gettext/gettext-${PV}.tar.gz \
           file://add-with-bisonlocaledir.patch \
           file://cr-statement.c-timsort.h-fix-formatting-issues.patch \
           file://use-pkgconfig.patch \
+           file://fix-CVE-2018-18751.patch \
 "
 SRC_URI[md5sum] = "97e034cf8ce5ba73a28ff6c3c0638092"
author	Kai Kang <kai.kang@windriver.com>	2018-11-14 00:46:32 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-11-16 11:46:07 +0000
commit	6da5d5b3242f4f435628192c561a1d2115a9a9ee (patch)
tree	1672ef5cec3f88baeca68bac76fe182c27dc45e9 /meta
parent	be1c84a91eb3ddddbef5cb7d4f74ffbb0ffe5778 (diff)
download	poky-6da5d5b3242f4f435628192c561a1d2115a9a9ee.tar.gz

diff --git a/meta/recipes-core/gettext/gettext-0.19.8.1/fix-CVE-2018-18751.patch b/meta/recipes-core/gettext/gettext-0.19.8.1/fix-CVE-2018-18751.patch new file mode 100644 index 0000000000..6dfe200d65 --- /dev/null +++ b/meta/recipes-core/gettext/gettext-0.19.8.1/fix-CVE-2018-18751.patch
@@ -0,0 +1,141 @@
		1	Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=gettext.git;a=commit;h=dce3a16]
		2	CVE: CVE-2018-18751
		3
		4	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		5
		6	From dce3a16e5e9368245735e29bf498dcd5e3e474a4 Mon Sep 17 00:00:00 2001
		7	From: Daiki Ueno <ueno@gnu.org>
		8	Date: Thu, 15 Sep 2016 13:57:24 +0200
		9	Subject: [PATCH] xgettext: Fix crash with *.po file input
		10
		11	When xgettext was given two *.po files with the same msgid_plural, it
		12	crashed with double-free. Problem reported by Davlet Panech in:
		13	http://lists.gnu.org/archive/html/bug-gettext/2016-09/msg00001.html
		14	* gettext-tools/src/po-gram-gen.y: Don't free msgid_pluralform after
		15	calling do_callback_message, assuming that it takes ownership.
		16	* gettext-tools/src/read-catalog.c (default_add_message): Free
		17	msgid_plural after calling message_alloc.
		18	* gettext-tools/tests/xgettext-po-2: New file.
		19	* gettext-tools/tests/Makefile.am (TESTS): Add new test.
		20	---
		21	gettext-tools/src/po-gram-gen.y \| 13 ++++-----
		22	gettext-tools/src/read-catalog.c \| 2 ++
		23	gettext-tools/tests/Makefile.am \| 2 +-
		24	gettext-tools/tests/xgettext-po-2 \| 55 +++++++++++++++++++++++++++++++++++++++
		25	4 files changed, 63 insertions(+), 9 deletions(-)
		26	create mode 100755 gettext-tools/tests/xgettext-po-2
		27
		28	diff --git a/gettext-tools/src/po-gram-gen.y b/gettext-tools/src/po-gram-gen.y
		29	index becf5e6..4428e77 100644
		30	--- a/gettext-tools/src/po-gram-gen.y
		31	+++ b/gettext-tools/src/po-gram-gen.y
		32	@@ -221,14 +221,11 @@ message
		33	check_obsolete ($1, $3);
		34	check_obsolete ($1, $4);
		35	if (!$1.obsolete \|\| pass_obsolete_entries)
		36	- {
		37	- do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
		38	- $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
		39	- $1.prev_ctxt,
		40	- $1.prev_id, $1.prev_id_plural,
		41	- $1.obsolete);
		42	- free ($3.string);
		43	- }
		44	+ do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
		45	+ $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
		46	+ $1.prev_ctxt,
		47	+ $1.prev_id, $1.prev_id_plural,
		48	+ $1.obsolete);
		49	else
		50	{
		51	free_message_intro ($1);
		52	diff --git a/gettext-tools/src/read-catalog.c b/gettext-tools/src/read-catalog.c
		53	index 571d18e..6af6d20 100644
		54	--- a/gettext-tools/src/read-catalog.c
		55	+++ b/gettext-tools/src/read-catalog.c
		56	@@ -397,6 +397,8 @@ default_add_message (default_catalog_reader_ty *this,
		57	appropriate. */
		58	mp = message_alloc (msgctxt, msgid, msgid_plural, msgstr, msgstr_len,
		59	msgstr_pos);
		60	+ if (msgid_plural != NULL)
		61	+ free (msgid_plural);
		62	mp->prev_msgctxt = prev_msgctxt;
		63	mp->prev_msgid = prev_msgid;
		64	mp->prev_msgid_plural = prev_msgid_plural;
		65	diff --git a/gettext-tools/tests/Makefile.am b/gettext-tools/tests/Makefile.am
		66	index 23b09b1..0dfb4d8 100644
		67	--- a/gettext-tools/tests/Makefile.am
		68	+++ b/gettext-tools/tests/Makefile.am
		69	@@ -95,7 +95,7 @@ TESTS = gettext-1 gettext-2 gettext-3 gettext-4 gettext-5 gettext-6 gettext-7 \
		70	xgettext-perl-1 xgettext-perl-2 xgettext-perl-3 xgettext-perl-4 \
		71	xgettext-perl-5 xgettext-perl-6 xgettext-perl-7 xgettext-perl-8 \
		72	xgettext-php-1 xgettext-php-2 xgettext-php-3 xgettext-php-4 \
		73	- xgettext-po-1 \
		74	+ xgettext-po-1 xgettext-po-2 \
		75	xgettext-properties-1 \
		76	xgettext-python-1 xgettext-python-2 xgettext-python-3 \
		77	xgettext-python-4 \
		78	diff --git a/gettext-tools/tests/xgettext-po-2 b/gettext-tools/tests/xgettext-po-2
		79	new file mode 100755
		80	index 0000000..c4bd9d0
		81	--- /dev/null
		82	+++ b/gettext-tools/tests/xgettext-po-2
		83	@@ -0,0 +1,55 @@
		84	+#! /bin/sh
		85	+. "${srcdir=.}/init.sh"; path_prepend_ . ../src
		86	+
		87	+# Test PO extractors with multiple input files.
		88	+
		89	+cat <<EOF > xg-po-2-1.po
		90	+msgid "first msgid"
		91	+msgid_plural "first msgid (plural)"
		92	+msgstr[0] ""
		93	+msgstr[1] ""
		94	+
		95	+msgid "second msgid"
		96	+msgid_plural "second msgid (plural)"
		97	+msgstr[0] ""
		98	+msgstr[1] ""
		99	+EOF
		100	+
		101	+cat <<EOF > xg-po-2-2.po
		102	+msgid "third msgid"
		103	+msgid_plural "third msgid (plural)"
		104	+msgstr[0] ""
		105	+msgstr[1] ""
		106	+
		107	+msgid "second msgid"
		108	+msgid_plural "second msgid (plural)"
		109	+msgstr[0] ""
		110	+msgstr[1] ""
		111	+EOF
		112	+
		113	+: ${XGETTEXT=xgettext}
		114	+${XGETTEXT} --omit-header xg-po-2-1.po xg-po-2-2.po -o xg-po-2.tmp.po \|\| Exit 1
		115	+LC_ALL=C tr -d '\r' < xg-po-2.tmp.po > xg-po-2.po \|\| Exit 1
		116	+
		117	+cat <<EOF > xg-po-2.ok
		118	+msgid "first msgid"
		119	+msgid_plural "first msgid (plural)"
		120	+msgstr[0] ""
		121	+msgstr[1] ""
		122	+
		123	+msgid "second msgid"
		124	+msgid_plural "second msgid (plural)"
		125	+msgstr[0] ""
		126	+msgstr[1] ""
		127	+
		128	+msgid "third msgid"
		129	+msgid_plural "third msgid (plural)"
		130	+msgstr[0] ""
		131	+msgstr[1] ""
		132	+EOF
		133	+
		134	+: ${DIFF=diff}
		135	+${DIFF} xg-po-2.ok xg-po-2.po
		136	+result=$?
		137	+
		138	+exit $result
		139	--
		140	1.9.1
		141


diff --git a/meta/recipes-core/gettext/gettext_0.19.8.1.bb b/meta/recipes-core/gettext/gettext_0.19.8.1.bb index 68f5cc329a..933baccd94 100644 --- a/meta/recipes-core/gettext/gettext_0.19.8.1.bb +++ b/meta/recipes-core/gettext/gettext_0.19.8.1.bb
@@ -8,8 +8,11 @@ SECTION = "libs"
8	LICENSE = "GPLv3+ & LGPL-2.1+"	8	LICENSE = "GPLv3+ & LGPL-2.1+"
9	LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"	9	LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
10		10
11	DEPENDS = "gettext-native virtual/libiconv"	11	# Because po-gram-gen.y has been modified by fix-CVE-2018-18751.patch,
12	DEPENDS_class-native = "gettext-minimal-native"	12	# it requires yacc which provided by bison-native
		13	# Please remove bison-native from DEPENDS* when next upgrade
		14	DEPENDS = "bison-native gettext-native virtual/libiconv"
		15	DEPENDS_class-native = "bison-native gettext-minimal-native"
13	PROVIDES = "virtual/libintl virtual/gettext"	16	PROVIDES = "virtual/libintl virtual/gettext"
14	PROVIDES_class-native = "virtual/gettext-native"	17	PROVIDES_class-native = "virtual/gettext-native"
15	RCONFLICTS_${PN} = "proxy-libintl"	18	RCONFLICTS_${PN} = "proxy-libintl"
@@ -18,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/gettext/gettext-${PV}.tar.gz \
18	file://add-with-bisonlocaledir.patch \	21	file://add-with-bisonlocaledir.patch \
19	file://cr-statement.c-timsort.h-fix-formatting-issues.patch \	22	file://cr-statement.c-timsort.h-fix-formatting-issues.patch \
20	file://use-pkgconfig.patch \	23	file://use-pkgconfig.patch \
		24	file://fix-CVE-2018-18751.patch \
21	"	25	"
22		26
23	SRC_URI[md5sum] = "97e034cf8ce5ba73a28ff6c3c0638092"	27	SRC_URI[md5sum] = "97e034cf8ce5ba73a28ff6c3c0638092"