From 5c6a3e83d5b7f881d4162d2c8a0959d61c1081bb Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Thu, 1 Oct 2020 09:33:50 +0200
Subject: From Fedora: Apply upstream fix for CVE-2020-26159
---
oniguruma.spec | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'oniguruma.spec')
diff --git a/oniguruma.spec b/oniguruma.spec
index f8281d2..45d84bf 100644
--- a/oniguruma.spec
+++ b/oniguruma.spec
@@ -24,7 +24,7 @@ Name: %{libname}%{oldsoname}php
 Version: %{mainver}%{?postver:+%postver}
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Regular expressions library
 License: BSD
@@ -33,6 +33,9 @@ Source0: https://github.com/kkos/oniguruma/releases/download/v%{mainver}%{?postv
 # Bump soname from 5 to 105 to allow parallel installation
 Patch0: onig-soname.patch
+# https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
+# https://github.com/kkos/oniguruma/issues/207
+Patch1: oniguruma-XXX-CVE-2020-26159.patch
 BuildRequires: gcc
@@ -67,6 +70,7 @@ developing applications that use %{name}.
 %{__sed} -i.multilib -e 's|-L@libdir@||' onig-config.in
 %patch0 -p1 -b .bump
+%patch1 -p1 -b .CVE-2020-26159
 %if 0
 for f in \
@@ -83,6 +87,11 @@ done
 %build
+# This package fails its testsuite when compiled with LTO, but the real problem
+# is that it ends up mixing and matching regexp bits between itself and glibc.
+# Disable LTO
+%define _lto_cflags %{nil}
+
 %configure \
 --enable-posix-api \
 --disable-silent-rules \
@@ -147,6 +156,12 @@ sed -e '/^test_regset_LDADD/s/$/ -lrt/' -i test/Makefile
 %changelog
+* Thu Oct 1 2020 Remi Collet -6.9.5+rev1-3
+- From Fedora: Apply upstream fix for CVE-2020-26159
+
+* Thu Oct 1 2020 Mamoru TASAKA - 6.9.5-3.rev1
+- Apply upstream fix for CVE-2020-26159
+
 * Tue Jun 9 2020 Remi Collet -6.9.5+rev1-2
 - osbolete oniguruna5
-- cgit
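Review bot: The new `Patch1` entry keeps an `XXX` placeholder in its file name, and the patch file itself is not part of this view (the diffstat is limited to `oniguruma.spec`), so its content cannot be checked here against the upstream commit named in the comment. The two URL comments say where the fix comes from but not when the patch can be retired; a line such as `# CVE-2020-26159: backport of upstream commit cbe9f8bd, drop once Version includes it` above `Patch1:` would make that explicit. The matching `%patch1 -p1 -b .CVE-2020-26159` in the `%prep` hunk follows the existing `%patch0` style and needs no change.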
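Review bot: The `%define _lto_cflags %{nil}` added under `%build` is unrelated to the CVE fix and is not mentioned in either new `%changelog` entry, so a change in build flags ships under a security-fix subject with no record of it; an extra entry such as `- Disable LTO (testsuite failure, see comment in %build)` would cover it. The added comment itself says the real problem is regexp code being mixed between this library and glibc, which disabling LTO hides rather than resolves. Since `--enable-posix-api` appears just below, the collision is presumably on the POSIX entry points, and a tracking reference in the comment would help whoever revisits it.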