diff --git a/SOURCES/gettext-0.19.8.1-CVE-2018-18751.patch b/SOURCES/gettext-0.19.8.1-CVE-2018-18751.patch new file mode 100644 index 0000000..a857738 --- /dev/null +++ b/SOURCES/gettext-0.19.8.1-CVE-2018-18751.patch @@ -0,0 +1,445 @@ +From dce3a16e5e9368245735e29bf498dcd5e3e474a4 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 15 Sep 2016 13:57:24 +0200 +Subject: [PATCH] xgettext: Fix crash with *.po file input + +When xgettext was given two *.po files with the same msgid_plural, it +crashed with double-free. Problem reported by Davlet Panech in: +http://lists.gnu.org/archive/html/bug-gettext/2016-09/msg00001.html + +praiskup: +- I dropped the testsuite part, otherwise we'd have to 'autoreconf -vif' the + sources +- I'm patching manually the po-gram-gen.c file to avoid 'bison' BR + +diff --git a/gettext-tools/src/po-gram-gen.y b/gettext-tools/src/po-gram-gen.y +index becf5e607..4428e7725 100644 +--- a/gettext-tools/src/po-gram-gen.y ++++ b/gettext-tools/src/po-gram-gen.y +@@ -221,14 +221,11 @@ message + check_obsolete ($1, $3); + check_obsolete ($1, $4); + if (!$1.obsolete || pass_obsolete_entries) +- { +- do_callback_message ($1.ctxt, string2, &$1.pos, $3.string, +- $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos, +- $1.prev_ctxt, +- $1.prev_id, $1.prev_id_plural, +- $1.obsolete); +- free ($3.string); +- } ++ do_callback_message ($1.ctxt, string2, &$1.pos, $3.string, ++ $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos, ++ $1.prev_ctxt, ++ $1.prev_id, $1.prev_id_plural, ++ $1.obsolete); + else + { + free_message_intro ($1); +diff --git a/gettext-tools/src/read-catalog.c b/gettext-tools/src/read-catalog.c +index 571d18e1b..6af6d2025 100644 +--- a/gettext-tools/src/read-catalog.c ++++ b/gettext-tools/src/read-catalog.c +@@ -397,6 +397,8 @@ default_add_message (default_catalog_reader_ty *this, + appropriate. */ + mp = message_alloc (msgctxt, msgid, msgid_plural, msgstr, msgstr_len, + msgstr_pos); ++ if (msgid_plural != NULL) ++ free (msgid_plural); + mp->prev_msgctxt = prev_msgctxt; + mp->prev_msgid = prev_msgid; + mp->prev_msgid_plural = prev_msgid_plural; +diff --git a/gettext-tools/src/po-gram-gen.c b/gettext-tools/src/po-gram-gen.c +--- a/gettext-tools/src/po-gram-gen.c ++++ b/gettext-tools/src/po-gram-gen.c +@@ -1,8 +1,8 @@ +-/* A Bison parser, made by GNU Bison 3.0.4. */ ++/* A Bison parser, made by GNU Bison 3.0.5. */ + + /* Bison implementation for Yacc-like parsers in C + +- Copyright (C) 1984, 1989-1990, 2000-2015 Free Software Foundation, Inc. ++ Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -44,7 +44,7 @@ + #define YYBISON 1 + + /* Bison version. */ +-#define YYBISON_VERSION "3.0.4" ++#define YYBISON_VERSION "3.0.5" + + /* Skeleton name. */ + #define YYSKELETON_NAME "yacc.c" +@@ -568,9 +568,9 @@ + static const yytype_uint16 yyrline[] = + { + 0, 169, 169, 171, 172, 173, 174, 179, 187, 195, +- 216, 240, 249, 258, 269, 278, 292, 301, 315, 321, +- 332, 338, 350, 361, 372, 376, 391, 414, 422, 434, +- 442 ++ 216, 237, 246, 255, 266, 275, 289, 298, 312, 318, ++ 329, 335, 347, 358, 369, 373, 388, 411, 419, 431, ++ 439 + }; + #endif + +@@ -1054,6 +1054,7 @@ + case N: \ + yyformat = S; \ + break ++ default: /* Avoid compiler warnings. */ + YYCASE_(0, YY_("syntax error")); + YYCASE_(1, YY_("syntax error, unexpected %s")); + YYCASE_(2, YY_("syntax error, unexpected %s, expecting %s")); +@@ -1370,23 +1371,23 @@ + switch (yyn) + { + case 7: +-#line 180 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 180 "po-gram-gen.y" /* yacc.c:1648 */ + { + po_callback_comment_dispatcher ((yyvsp[0].string).string); + } +-#line 1378 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1379 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 8: +-#line 188 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 188 "po-gram-gen.y" /* yacc.c:1648 */ + { + po_callback_domain ((yyvsp[0].string).string); + } +-#line 1386 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1387 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 9: +-#line 196 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 196 "po-gram-gen.y" /* yacc.c:1648 */ + { + char *string2 = string_list_concat_destroy (&(yyvsp[-2].stringlist).stringlist); + char *string4 = string_list_concat_destroy (&(yyvsp[0].stringlist).stringlist); +@@ -1407,11 +1408,11 @@ + free (string4); + } + } +-#line 1411 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1412 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 10: +-#line 217 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 217 "po-gram-gen.y" /* yacc.c:1648 */ + { + char *string2 = string_list_concat_destroy (&(yyvsp[-2].stringlist).stringlist); + +@@ -1419,14 +1420,11 @@ + check_obsolete ((yyvsp[-3].message_intro), (yyvsp[-1].string)); + check_obsolete ((yyvsp[-3].message_intro), (yyvsp[0].rhs)); + if (!(yyvsp[-3].message_intro).obsolete || pass_obsolete_entries) +- { +- do_callback_message ((yyvsp[-3].message_intro).ctxt, string2, &(yyvsp[-3].message_intro).pos, (yyvsp[-1].string).string, +- (yyvsp[0].rhs).rhs.msgstr, (yyvsp[0].rhs).rhs.msgstr_len, &(yyvsp[0].rhs).pos, +- (yyvsp[-3].message_intro).prev_ctxt, +- (yyvsp[-3].message_intro).prev_id, (yyvsp[-3].message_intro).prev_id_plural, +- (yyvsp[-3].message_intro).obsolete); +- free ((yyvsp[-1].string).string); +- } ++ do_callback_message ((yyvsp[-3].message_intro).ctxt, string2, &(yyvsp[-3].message_intro).pos, (yyvsp[-1].string).string, ++ (yyvsp[0].rhs).rhs.msgstr, (yyvsp[0].rhs).rhs.msgstr_len, &(yyvsp[0].rhs).pos, ++ (yyvsp[-3].message_intro).prev_ctxt, ++ (yyvsp[-3].message_intro).prev_id, (yyvsp[-3].message_intro).prev_id_plural, ++ (yyvsp[-3].message_intro).obsolete); + else + { + free_message_intro ((yyvsp[-3].message_intro)); +@@ -1435,11 +1433,11 @@ + free ((yyvsp[0].rhs).rhs.msgstr); + } + } +-#line 1439 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1437 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 11: +-#line 241 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 238 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-2].message_intro), (yyvsp[-1].stringlist)); + check_obsolete ((yyvsp[-2].message_intro), (yyvsp[0].string)); +@@ -1448,11 +1446,11 @@ + string_list_destroy (&(yyvsp[-1].stringlist).stringlist); + free ((yyvsp[0].string).string); + } +-#line 1452 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1450 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 12: +-#line 250 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 247 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-2].message_intro), (yyvsp[-1].stringlist)); + check_obsolete ((yyvsp[-2].message_intro), (yyvsp[0].rhs)); +@@ -1461,22 +1459,22 @@ + string_list_destroy (&(yyvsp[-1].stringlist).stringlist); + free ((yyvsp[0].rhs).rhs.msgstr); + } +-#line 1465 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1463 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 13: +-#line 259 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 256 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-1].message_intro), (yyvsp[0].stringlist)); + po_gram_error_at_line (&(yyvsp[-1].message_intro).pos, _("missing 'msgstr' section")); + free_message_intro ((yyvsp[-1].message_intro)); + string_list_destroy (&(yyvsp[0].stringlist).stringlist); + } +-#line 1476 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1474 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 14: +-#line 270 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 267 "po-gram-gen.y" /* yacc.c:1648 */ + { + (yyval.message_intro).prev_ctxt = NULL; + (yyval.message_intro).prev_id = NULL; +@@ -1485,11 +1483,11 @@ + (yyval.message_intro).pos = (yyvsp[0].string).pos; + (yyval.message_intro).obsolete = (yyvsp[0].string).obsolete; + } +-#line 1489 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1487 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 15: +-#line 279 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 276 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-1].prev), (yyvsp[0].string)); + (yyval.message_intro).prev_ctxt = (yyvsp[-1].prev).ctxt; +@@ -1499,11 +1497,11 @@ + (yyval.message_intro).pos = (yyvsp[0].string).pos; + (yyval.message_intro).obsolete = (yyvsp[0].string).obsolete; + } +-#line 1503 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1501 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 16: +-#line 293 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 290 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-1].string), (yyvsp[0].stringlist)); + (yyval.prev).ctxt = (yyvsp[-1].string).string; +@@ -1512,11 +1510,11 @@ + (yyval.prev).pos = (yyvsp[-1].string).pos; + (yyval.prev).obsolete = (yyvsp[-1].string).obsolete; + } +-#line 1516 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1514 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 17: +-#line 302 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 299 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-2].string), (yyvsp[-1].stringlist)); + check_obsolete ((yyvsp[-2].string), (yyvsp[0].string)); +@@ -1526,21 +1524,21 @@ + (yyval.prev).pos = (yyvsp[-2].string).pos; + (yyval.prev).obsolete = (yyvsp[-2].string).obsolete; + } +-#line 1530 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1528 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 18: +-#line 316 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 313 "po-gram-gen.y" /* yacc.c:1648 */ + { + (yyval.string).string = NULL; + (yyval.string).pos = (yyvsp[0].pos).pos; + (yyval.string).obsolete = (yyvsp[0].pos).obsolete; + } +-#line 1540 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1538 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 19: +-#line 322 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 319 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-2].pos), (yyvsp[-1].stringlist)); + check_obsolete ((yyvsp[-2].pos), (yyvsp[0].pos)); +@@ -1548,21 +1546,21 @@ + (yyval.string).pos = (yyvsp[0].pos).pos; + (yyval.string).obsolete = (yyvsp[0].pos).obsolete; + } +-#line 1552 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1550 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 20: +-#line 333 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 330 "po-gram-gen.y" /* yacc.c:1648 */ + { + (yyval.string).string = NULL; + (yyval.string).pos = (yyvsp[0].pos).pos; + (yyval.string).obsolete = (yyvsp[0].pos).obsolete; + } +-#line 1562 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1560 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 21: +-#line 339 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 336 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-2].pos), (yyvsp[-1].stringlist)); + check_obsolete ((yyvsp[-2].pos), (yyvsp[0].pos)); +@@ -1570,11 +1568,11 @@ + (yyval.string).pos = (yyvsp[0].pos).pos; + (yyval.string).obsolete = (yyvsp[0].pos).obsolete; + } +-#line 1574 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1572 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 22: +-#line 351 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 348 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-1].pos), (yyvsp[0].stringlist)); + plural_counter = 0; +@@ -1582,30 +1580,30 @@ + (yyval.string).pos = (yyvsp[-1].pos).pos; + (yyval.string).obsolete = (yyvsp[-1].pos).obsolete; + } +-#line 1586 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1584 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 23: +-#line 362 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 359 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-1].pos), (yyvsp[0].stringlist)); + (yyval.string).string = string_list_concat_destroy (&(yyvsp[0].stringlist).stringlist); + (yyval.string).pos = (yyvsp[-1].pos).pos; + (yyval.string).obsolete = (yyvsp[-1].pos).obsolete; + } +-#line 1597 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1595 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 24: +-#line 373 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 370 "po-gram-gen.y" /* yacc.c:1648 */ + { + (yyval.rhs) = (yyvsp[0].rhs); + } +-#line 1605 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1603 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 25: +-#line 377 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 374 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-1].rhs), (yyvsp[0].rhs)); + (yyval.rhs).rhs.msgstr = XNMALLOC ((yyvsp[-1].rhs).rhs.msgstr_len + (yyvsp[0].rhs).rhs.msgstr_len, char); +@@ -1617,11 +1615,11 @@ + (yyval.rhs).pos = (yyvsp[-1].rhs).pos; + (yyval.rhs).obsolete = (yyvsp[-1].rhs).obsolete; + } +-#line 1621 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1619 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 26: +-#line 392 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 389 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-4].pos), (yyvsp[-3].pos)); + check_obsolete ((yyvsp[-4].pos), (yyvsp[-2].number)); +@@ -1640,11 +1638,11 @@ + (yyval.rhs).pos = (yyvsp[-4].pos).pos; + (yyval.rhs).obsolete = (yyvsp[-4].pos).obsolete; + } +-#line 1644 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1642 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 27: +-#line 415 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 412 "po-gram-gen.y" /* yacc.c:1648 */ + { + string_list_init (&(yyval.stringlist).stringlist); + string_list_append (&(yyval.stringlist).stringlist, (yyvsp[0].string).string); +@@ -1652,11 +1650,11 @@ + (yyval.stringlist).pos = (yyvsp[0].string).pos; + (yyval.stringlist).obsolete = (yyvsp[0].string).obsolete; + } +-#line 1656 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1654 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 28: +-#line 423 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 420 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-1].stringlist), (yyvsp[0].string)); + (yyval.stringlist).stringlist = (yyvsp[-1].stringlist).stringlist; +@@ -1665,11 +1663,11 @@ + (yyval.stringlist).pos = (yyvsp[-1].stringlist).pos; + (yyval.stringlist).obsolete = (yyvsp[-1].stringlist).obsolete; + } +-#line 1669 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1667 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 29: +-#line 435 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 432 "po-gram-gen.y" /* yacc.c:1648 */ + { + string_list_init (&(yyval.stringlist).stringlist); + string_list_append (&(yyval.stringlist).stringlist, (yyvsp[0].string).string); +@@ -1677,11 +1675,11 @@ + (yyval.stringlist).pos = (yyvsp[0].string).pos; + (yyval.stringlist).obsolete = (yyvsp[0].string).obsolete; + } +-#line 1681 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1679 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + case 30: +-#line 443 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 440 "po-gram-gen.y" /* yacc.c:1648 */ + { + check_obsolete ((yyvsp[-1].stringlist), (yyvsp[0].string)); + (yyval.stringlist).stringlist = (yyvsp[-1].stringlist).stringlist; +@@ -1690,11 +1688,11 @@ + (yyval.stringlist).pos = (yyvsp[-1].stringlist).pos; + (yyval.stringlist).obsolete = (yyvsp[-1].stringlist).obsolete; + } +-#line 1694 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1692 "po-gram-gen.c" /* yacc.c:1648 */ + break; + + +-#line 1698 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1696 "po-gram-gen.c" /* yacc.c:1648 */ + default: break; + } + /* User semantic actions sometimes alter yychar, and that requires +-- +2.19.1 + diff --git a/SPECS/gettext.spec b/SPECS/gettext.spec index ee9aa84..d09166c 100644 --- a/SPECS/gettext.spec +++ b/SPECS/gettext.spec @@ -9,7 +9,7 @@ Summary: GNU libraries and utilities for producing multi-lingual messages Name: gettext Version: 0.19.8.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv3+ and LGPLv2+ Group: Development/Tools URL: http://www.gnu.org/software/gettext/ @@ -21,6 +21,8 @@ Patch0: disable-gettext-runtime-test-lock.patch # Upstreamed patch: # http://lists.gnu.org/archive/html/bug-gettext/2016-08/msg00006.html Patch1: gettext-po-send-mail.patch +# rhbz#1648433 +Patch2: gettext-0.19.8.1-CVE-2018-18751.patch Source2: msghack.py Source3: msghack.1 # for bootstrapping @@ -345,6 +347,9 @@ fi %{_emacs_sitestartdir}/*.el %changelog +* Fri May 3 2019 Jens Petersen - 0.19.8.1-3 +- fix CVE-2018-18751: double-free in xgettext (rhbz#1648433) + * Wed Mar 15 2017 Kalev Lember - 0.19.8.1-2 - Depend on the exact version of the library sub package - Resolves: #1386869