diff options
| -rw-r--r-- | 0010-Fix-CVE-2019-13225-problem-in-converting-if-then-els.patch | 72 | ||||
| -rw-r--r-- | 0011-Fix-CVE-2019-13224-don-t-allow-different-encodings-f.patch | 44 | ||||
| -rw-r--r-- | 0101-onig_new_deluxe-don-t-free-new-pattern-if-success.patch | 27 | ||||
| -rw-r--r-- | oniguruma.spec | 28 |
4 files changed, 169 insertions, 2 deletions
diff --git a/0010-Fix-CVE-2019-13225-problem-in-converting-if-then-els.patch b/0010-Fix-CVE-2019-13225-problem-in-converting-if-then-els.patch new file mode 100644 index 0000000..a4c140d --- /dev/null +++ b/0010-Fix-CVE-2019-13225-problem-in-converting-if-then-els.patch @@ -0,0 +1,72 @@ +From c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c Mon Sep 17 00:00:00 2001 +From: "K.Kosako" <kosako@sofnec.co.jp> +Date: Thu, 27 Jun 2019 14:11:55 +0900 +Subject: [PATCH 10/32] Fix CVE-2019-13225: problem in converting if-then-else + pattern to bytecode. + +--- + src/regcomp.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/src/regcomp.c b/src/regcomp.c +index c2c04a4..ff3431f 100644 +--- a/src/regcomp.c ++++ b/src/regcomp.c +@@ -1307,8 +1307,9 @@ compile_length_bag_node(BagNode* node, regex_t* reg) + len += tlen; + } + ++ len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END; ++ + if (IS_NOT_NULL(Else)) { +- len += SIZE_OP_JUMP; + tlen = compile_length_tree(Else, reg); + if (tlen < 0) return tlen; + len += tlen; +@@ -1455,7 +1456,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env) + + case BAG_IF_ELSE: + { +- int cond_len, then_len, jump_len; ++ int cond_len, then_len, else_len, jump_len; + Node* cond = NODE_BAG_BODY(node); + Node* Then = node->te.Then; + Node* Else = node->te.Else; +@@ -1472,8 +1473,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env) + else + then_len = 0; + +- jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END; +- if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP; ++ jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP; + + r = add_op(reg, OP_PUSH); + if (r != 0) return r; +@@ -1490,11 +1490,20 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env) + } + + if (IS_NOT_NULL(Else)) { +- int else_len = compile_length_tree(Else, reg); +- r = add_op(reg, OP_JUMP); +- if (r != 0) return r; +- COP(reg)->jump.addr = else_len + SIZE_INC_OP; ++ else_len = compile_length_tree(Else, reg); ++ if (else_len < 0) return else_len; ++ } ++ else ++ else_len = 0; + ++ r = add_op(reg, OP_JUMP); ++ if (r != 0) return r; ++ COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP; ++ ++ r = add_op(reg, OP_ATOMIC_END); ++ if (r != 0) return r; ++ ++ if (IS_NOT_NULL(Else)) { + r = compile_tree(Else, reg, env); + } + } +-- +2.21.0 + diff --git a/0011-Fix-CVE-2019-13224-don-t-allow-different-encodings-f.patch b/0011-Fix-CVE-2019-13224-don-t-allow-different-encodings-f.patch new file mode 100644 index 0000000..4a2b994 --- /dev/null +++ b/0011-Fix-CVE-2019-13224-don-t-allow-different-encodings-f.patch @@ -0,0 +1,44 @@ +From 0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 Mon Sep 17 00:00:00 2001 +From: "K.Kosako" <kosako@sofnec.co.jp> +Date: Thu, 27 Jun 2019 17:25:26 +0900 +Subject: [PATCH 11/32] Fix CVE-2019-13224: don't allow different encodings for + onig_new_deluxe() + +--- + src/regext.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/regext.c b/src/regext.c +index fa4b360..965c793 100644 +--- a/src/regext.c ++++ b/src/regext.c +@@ -29,6 +29,7 @@ + + #include "regint.h" + ++#if 0 + static void + conv_ext0be32(const UChar* s, const UChar* end, UChar* conv) + { +@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e + + return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION; + } ++#endif + + extern int + onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end, +@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end, + if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL; + + if (ci->pattern_enc != ci->target_enc) { +- r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end, +- &cpat, &cpat_end); +- if (r != 0) return r; ++ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION; + } + else { + cpat = (UChar* )pattern; +-- +2.21.0 + diff --git a/0101-onig_new_deluxe-don-t-free-new-pattern-if-success.patch b/0101-onig_new_deluxe-don-t-free-new-pattern-if-success.patch new file mode 100644 index 0000000..6567d25 --- /dev/null +++ b/0101-onig_new_deluxe-don-t-free-new-pattern-if-success.patch @@ -0,0 +1,27 @@ +From 4a8db9d50f8281930678ed6f06692545293f3c9d Mon Sep 17 00:00:00 2001 +From: Mamoru TASAKA <mtasaka@fedoraproject.org> +Date: Fri, 12 Jul 2019 15:38:43 +0900 +Subject: [PATCH] onig_new_deluxe: don't free new pattern if success + +On onig_new_deluxe() success (r == 0), new pattern (cpat) is used in +einfo->pattern, so don't free this. +--- + src/regext.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/regext.c b/src/regext.c +index fa4b360..920d183 100644 +--- a/src/regext.c ++++ b/src/regext.c +@@ -196,7 +196,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end, + } + + err2: +- if (cpat != pattern) xfree(cpat); ++ if (r && (cpat != pattern)) xfree(cpat); + + return r; + } +-- +2.21.0 + diff --git a/oniguruma.spec b/oniguruma.spec index 82e042d..03d8dd2 100644 --- a/oniguruma.spec +++ b/oniguruma.spec @@ -23,13 +23,21 @@ Name: %{libname} %else Name: %{libname}%{soname} %endif -Version: 6.9.1 -Release: 1%{?dist} +Version: 6.9.2 +Release: 2%{?dist} Summary: Regular expressions library License: BSD URL: https://github.com/kkos/oniguruma/ Source0: https://github.com/kkos/oniguruma/releases/download/v%{version}/onig-%{version}.tar.gz +# upstream patches +Patch10: 0010-Fix-CVE-2019-13225-problem-in-converting-if-then-els.patch +#Patch11: 0011-Fix-CVE-2019-13224-don-t-allow-different-encodings-f.patch +# Not use Patch11 for F-30 and below, this is almost API change (deprecation of API) in +# onig_new_deluxe() and this change should be avoided (if possible) in stable +# branch +# Instead use another fix +Patch101: 0101-onig_new_deluxe-don-t-free-new-pattern-if-success.patch BuildRequires: gcc @@ -80,6 +88,10 @@ for f in \ done %endif +%patch10 -p1 -b .CVE-2019-13225 +#%%patch11 -p1 -b .CVE-2019-13224 +%patch101 -p1 -b .CVE-2019-13224 + %build %configure \ @@ -125,6 +137,8 @@ find $RPM_BUILD_ROOT -name '*.la' \ %doc doc/CALLOUTS.BUILTIN %doc doc/FAQ %doc doc/RE +%doc doc/SYNTAX.md +%doc doc/UNICODE_PROPERTIES %lang(ja) %doc doc/API.ja %lang(ja) %doc doc/CALLOUTS.API.ja %lang(ja) %doc doc/CALLOUTS.BUILTIN.ja @@ -139,6 +153,16 @@ find $RPM_BUILD_ROOT -name '*.la' \ %changelog +* Mon Jul 15 2019 Remi Collet <remi@remirepo.net> -6.9.2-2 +- add security fixes from Fedora + +* Fri Jul 12 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 6.9.2-2 +- Upstream patch for CVE-2019-13225 (#1728966) +- NON-upstream patch for CVE-2019-13224 (#1728971) + +* Mon May 13 2019 Remi Collet <remi@remirepo.net> -6.9.2-1 +- update to 6.9.2 + * Mon Apr 1 2019 Remi Collet <remi@remirepo.net> -6.9.1-1 - rename to oniguruma5 to allow parallel installation beside old oniguruma version |