Subject: CVS commit: [pkgsrc-2015Q2] pkgsrc/devel/libidn
From: Matthias Scheler
Date: 2015-08-24 20:45:09
Message id: 20150824184509.6289498@cvs.netbsd.org

Log Message:
Pullup ticket #4795 - requested by he
devel/libidn: security update

Revisions pulled up:
- devel/libidn/Makefile                                         1.93-1.94
- devel/libidn/distinfo                                         1.60-1.61

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Thu Jul  9 14:02:04 UTC 2015

   Modified Files:
   	pkgsrc/devel/libidn: Makefile distinfo

   Log Message:
   Update to 1.31:

   * Version 1.31 (released 2015-07-08) [bet

   ** libidn: stringprep_utf8_to_ucs4 now rejects invalid UTF-8. CVE-2015-2059
   This function has always been documented to not validate that the
   input UTF-8 string is actually valid UTF-8.  Like the rest of the API,
   when you call a function that works on UTF-8 data, you have to pass it
   valid UTF-8 data.  Application writers appear to have difficulties
   using interfaces designed like that, as bugs triggered by invalid
   UTF-8 has been identified in a number of projects (jabberd2, gnutls,
   wget, and curl).  While we could introduce a new API to perform UTF-8
   validation, so that applications can easily implement the proper
   checks, this appear error prone because there is a risk that the check
   will be forgotten.  Instead, we took the more radical approach of
   modifying the documentation and the implementation of the API.  The
   intention is that all functions that accepts UTF-8 data should
   validate it before use.  This will solve the problem for applications,
   without needing to change them.  This change has the unfortunate
   side-effect that Surrogate codes (see section 5.5 of RFC 3454) no
   longer trigger the STRINGPREP_CONTAINS_PROHIBITED error code but
   instead will trigger the newly introduced STRINGPREP_ICONV_ERROR error
   code, as the gnulib/libunistring-based code that we use to test
   UTF-8-compliance rejects Surrogate codes.  We hope that this is an
   acceptable cost to live with in order to improve application security.
   We welcome feedback on this solution, and we are marking this release
   as beta rather than stable to signal that we may reconsider this
   approach if people disagree.  Reported by several people including
   Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos
   Mavrogiannopoulos.

   ** libidn: Added STRINGPREP_ICONV_ERROR error code.

   ** libidn: Workaround valgrind/gcc/glibc issue.
   Valgrind reported a 'Invalid read of size 4' that was caused by
   optimized strlen implementation.  Reported and patch by Alessandro
   Ghedini <alessandro@ghedini.me>.

   ** build: Use LOG_COMPILER instead of TESTS_ENVIRONMENT to fix valgrind use.
   Errors caught by valgrind did not always trigger 'make check' failures
   before.

   ** i18n: Updated Danish translation.
   Thanks to Joe Hansen.

   ** API and ABI is backwards compatible with the previous version.

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Thu Aug  6 07:54:57 UTC 2015

   Modified Files:
   	pkgsrc/devel/libidn: Makefile distinfo

   Log Message:
   Update to 1.32:

   * Version 1.32 (released 2015-08-01) [beta]

   ** libidn: Fix crash in idna_to_unicode_8z8z and idna_to_unicode_8zlz.
   This problem was introduced in 1.31.  Reported by Adam Sampson.

   ** API and ABI is backwards compatible with the previous version.

Files:
RevisionActionfile
1.92.2.1modifypkgsrc/devel/libidn/Makefile
1.59.4.1modifypkgsrc/devel/libidn/distinfo