security: CVE-2018-18751

Resolves: rhbz#1647044 Version: 0.19.8.1-18
2018-11-08 10:10:48 +01:00 · 2018-11-08 10:10:48 +01:00 · 7a9956c8de
parent 1336916058
commit 7a9956c8de
2 changed files with 58 additions and 1 deletions
--- a/gettext-0.19.8.1-CVE-2018-18751.patch
+++ b/gettext-0.19.8.1-CVE-2018-18751.patch
@ -0,0 +1,52 @@
+From dce3a16e5e9368245735e29bf498dcd5e3e474a4 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 15 Sep 2016 13:57:24 +0200
+Subject: [PATCH] xgettext: Fix crash with *.po file input
+
+When xgettext was given two *.po files with the same msgid_plural, it
+crashed with double-free.  Problem reported by Davlet Panech in:
+http://lists.gnu.org/archive/html/bug-gettext/2016-09/msg00001.html
+
+praiskup: I dropped the testsuite part, otherwise we'd have to
+'autoreconf -vif' the sources.
+
+diff --git a/gettext-tools/src/po-gram-gen.y b/gettext-tools/src/po-gram-gen.y
+index becf5e607..4428e7725 100644
+--- a/gettext-tools/src/po-gram-gen.y
+++ b/gettext-tools/src/po-gram-gen.y
+@@ -221,14 +221,11 @@ message
+                   check_obsolete ($1, $3);
+                   check_obsolete ($1, $4);
+                   if (!$1.obsolete || pass_obsolete_entries)
+-                    {
+-                      do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
+-                                           $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
+-                                           $1.prev_ctxt,
+-                                           $1.prev_id, $1.prev_id_plural,
+-                                           $1.obsolete);
+-                      free ($3.string);
+-                    }
+                    do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
+                                         $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
+                                         $1.prev_ctxt,
+                                         $1.prev_id, $1.prev_id_plural,
+                                         $1.obsolete);
+                   else
+                     {
+                       free_message_intro ($1);
+diff --git a/gettext-tools/src/read-catalog.c b/gettext-tools/src/read-catalog.c
+index 571d18e1b..6af6d2025 100644
+--- a/gettext-tools/src/read-catalog.c
+++ b/gettext-tools/src/read-catalog.c
+@@ -397,6 +397,8 @@ default_add_message (default_catalog_reader_ty *this,
+          appropriate.  */
+       mp = message_alloc (msgctxt, msgid, msgid_plural, msgstr, msgstr_len,
+                           msgstr_pos);
+      if (msgid_plural != NULL)
+        free (msgid_plural);
+       mp->prev_msgctxt = prev_msgctxt;
+       mp->prev_msgid = prev_msgid;
+       mp->prev_msgid_plural = prev_msgid_plural;
+-- 
+2.19.1
+
--- a/gettext.spec
+++ b/gettext.spec
@ -8,7 +8,7 @@
 Summary: GNU libraries and utilities for producing multi-lingual messages
 Name: gettext
 Version: 0.19.8.1
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv3+ and LGPLv2+
 Group: Development/Tools
 URL: http://www.gnu.org/software/gettext/
@ -22,6 +22,8 @@ Patch0: disable-gettext-runtime-test-lock.patch
 Patch1: gettext-po-send-mail.patch
 # Rhbz#1531476, upstream a0cab23332a254e3500cac2a3a984472d02180e5
 Patch2: gettext-0.19.8-its-segfault.patch
+# rhbz#1647044
+Patch3: gettext-0.19.8.1-CVE-2018-18751.patch

 Source2: msghack.py
 Source3: msghack.1
@ -324,6 +326,9 @@ make check LIBUNISTRING=-lunistring
 %{_mandir}/man1/msghack.1*

 %changelog
+* Thu Nov 08 2018 Pavel Raiskup <praiskup@redhat.com> - 0.19.8.1-18
+- fix CVE-2018-18751 (rhbz#1647044)
+
 * Tue Jul 31 2018 Florian Weimer <fweimer@redhat.com> - 0.19.8.1-17
 - Rebuild with fixed binutils