gettext: fix CVE-2018-18751

Backport patch to fix CVE-2018-18751 for gettext. Because po-gram-gen.y has been modified by fix-CVE-2018-18751.patch, it requires yacc which provided by bison-native to re-create po-gram-gen.c. Please remove bison-native from DEPENDS* when next upgrade. Ref: https://security-tracker.debian.org/tracker/CVE-2018-18751 (From OE-Core rev: 4b3a085d6c63fd8459bb084aaa277dd2e8949594) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-03-17 20:59:42 +01:00 · 2018-11-14 00:46:32 -05:00
parent be1c84a91e
commit 6da5d5b324
2 changed files with 147 additions and 2 deletions
--- a/meta/recipes-core/gettext/gettext-0.19.8.1/fix-CVE-2018-18751.patch
+++ b/meta/recipes-core/gettext/gettext-0.19.8.1/fix-CVE-2018-18751.patch
@@ -0,0 +1,141 @@
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=gettext.git;a=commit;h=dce3a16]
+CVE: CVE-2018-18751
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From dce3a16e5e9368245735e29bf498dcd5e3e474a4 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 15 Sep 2016 13:57:24 +0200
+Subject: [PATCH] xgettext: Fix crash with *.po file input
+
+When xgettext was given two *.po files with the same msgid_plural, it
+crashed with double-free.  Problem reported by Davlet Panech in:
+http://lists.gnu.org/archive/html/bug-gettext/2016-09/msg00001.html
+* gettext-tools/src/po-gram-gen.y: Don't free msgid_pluralform after
+calling do_callback_message, assuming that it takes ownership.
+* gettext-tools/src/read-catalog.c (default_add_message): Free
+msgid_plural after calling message_alloc.
+* gettext-tools/tests/xgettext-po-2: New file.
+* gettext-tools/tests/Makefile.am (TESTS): Add new test.
+---
+ gettext-tools/src/po-gram-gen.y   | 13 ++++-----
+ gettext-tools/src/read-catalog.c  |  2 ++
+ gettext-tools/tests/Makefile.am   |  2 +-
+ gettext-tools/tests/xgettext-po-2 | 55 +++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 63 insertions(+), 9 deletions(-)
+ create mode 100755 gettext-tools/tests/xgettext-po-2
+
+diff --git a/gettext-tools/src/po-gram-gen.y b/gettext-tools/src/po-gram-gen.y
+index becf5e6..4428e77 100644
+--- a/gettext-tools/src/po-gram-gen.y
+++ b/gettext-tools/src/po-gram-gen.y
+@@ -221,14 +221,11 @@ message
+                   check_obsolete ($1, $3);
+                   check_obsolete ($1, $4);
+                   if (!$1.obsolete || pass_obsolete_entries)
+-                    {
+-                      do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
+-                                           $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
+-                                           $1.prev_ctxt,
+-                                           $1.prev_id, $1.prev_id_plural,
+-                                           $1.obsolete);
+-                      free ($3.string);
+-                    }
+                    do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
+                                         $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
+                                         $1.prev_ctxt,
+                                         $1.prev_id, $1.prev_id_plural,
+                                         $1.obsolete);
+                   else
+                     {
+                       free_message_intro ($1);
+diff --git a/gettext-tools/src/read-catalog.c b/gettext-tools/src/read-catalog.c
+index 571d18e..6af6d20 100644
+--- a/gettext-tools/src/read-catalog.c
+++ b/gettext-tools/src/read-catalog.c
+@@ -397,6 +397,8 @@ default_add_message (default_catalog_reader_ty *this,
+          appropriate.  */
+       mp = message_alloc (msgctxt, msgid, msgid_plural, msgstr, msgstr_len,
+                           msgstr_pos);
+      if (msgid_plural != NULL)
+        free (msgid_plural);
+       mp->prev_msgctxt = prev_msgctxt;
+       mp->prev_msgid = prev_msgid;
+       mp->prev_msgid_plural = prev_msgid_plural;
+diff --git a/gettext-tools/tests/Makefile.am b/gettext-tools/tests/Makefile.am
+index 23b09b1..0dfb4d8 100644
+--- a/gettext-tools/tests/Makefile.am
+++ b/gettext-tools/tests/Makefile.am
+@@ -95,7 +95,7 @@ TESTS = gettext-1 gettext-2 gettext-3 gettext-4 gettext-5 gettext-6 gettext-7 \
+ 	xgettext-perl-1 xgettext-perl-2 xgettext-perl-3 xgettext-perl-4 \
+ 	xgettext-perl-5 xgettext-perl-6 xgettext-perl-7 xgettext-perl-8 \
+ 	xgettext-php-1 xgettext-php-2 xgettext-php-3 xgettext-php-4 \
+-	xgettext-po-1 \
+	xgettext-po-1 xgettext-po-2 \
+ 	xgettext-properties-1 \
+ 	xgettext-python-1 xgettext-python-2 xgettext-python-3 \
+ 	xgettext-python-4 \
+diff --git a/gettext-tools/tests/xgettext-po-2 b/gettext-tools/tests/xgettext-po-2
+new file mode 100755
+index 0000000..c4bd9d0
+--- /dev/null
+++ b/gettext-tools/tests/xgettext-po-2
+@@ -0,0 +1,55 @@
+#! /bin/sh
+. "${srcdir=.}/init.sh"; path_prepend_ . ../src
+
+# Test PO extractors with multiple input files.
+
+cat <<EOF > xg-po-2-1.po
+msgid "first msgid"
+msgid_plural "first msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "second msgid"
+msgid_plural "second msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+EOF
+
+cat <<EOF > xg-po-2-2.po
+msgid "third msgid"
+msgid_plural "third msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "second msgid"
+msgid_plural "second msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+EOF
+
+: ${XGETTEXT=xgettext}
+${XGETTEXT} --omit-header xg-po-2-1.po xg-po-2-2.po -o xg-po-2.tmp.po || Exit 1
+LC_ALL=C tr -d '\r' < xg-po-2.tmp.po > xg-po-2.po || Exit 1
+
+cat <<EOF > xg-po-2.ok
+msgid "first msgid"
+msgid_plural "first msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "second msgid"
+msgid_plural "second msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "third msgid"
+msgid_plural "third msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+EOF
+
+: ${DIFF=diff}
+${DIFF} xg-po-2.ok xg-po-2.po
+result=$?
+
+exit $result
+-- 
+1.9.1
+
--- a/meta/recipes-core/gettext/gettext_0.19.8.1.bb
+++ b/meta/recipes-core/gettext/gettext_0.19.8.1.bb
@@ -8,8 +8,11 @@ SECTION = "libs"
 LICENSE = "GPLv3+ & LGPL-2.1+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"

-DEPENDS = "gettext-native virtual/libiconv"
-DEPENDS_class-native = "gettext-minimal-native"
+# Because po-gram-gen.y has been modified by fix-CVE-2018-18751.patch,
+# it requires yacc which provided by bison-native
+# Please remove bison-native from DEPENDS* when next upgrade
+DEPENDS = "bison-native gettext-native virtual/libiconv"
+DEPENDS_class-native = "bison-native gettext-minimal-native"
 PROVIDES = "virtual/libintl virtual/gettext"
 PROVIDES_class-native = "virtual/gettext-native"
 RCONFLICTS_${PN} = "proxy-libintl"
@@ -18,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/gettext/gettext-${PV}.tar.gz \
 	   file://add-with-bisonlocaledir.patch \
 	   file://cr-statement.c-timsort.h-fix-formatting-issues.patch \
 	   file://use-pkgconfig.patch \
+	   file://fix-CVE-2018-18751.patch \
 "

 SRC_URI[md5sum] = "97e034cf8ce5ba73a28ff6c3c0638092"