add security fixes from Fedora

author: Remi Collet <remi@remirepo.net> 2019-07-15 15:47:22 +0200
committer: Remi Collet <remi@remirepo.net> 2019-07-15 15:47:22 +0200
commit: 558251d3ce37b751b4d3e263577e4252b441a92b (patch)
tree: dd3ff28d074ba25c8b52e5155476a4167c160631
parent: 7af69d0e975f27cd4141ebf2f365032ac17c5150 (diff)
4 files changed, 169 insertions, 2 deletions
diff --git a/0010-Fix-CVE-2019-13225-problem-in-converting-if-then-els.patch b/0010-Fix-CVE-2019-13225-problem-in-converting-if-then-els.patch
new file mode 100644
index 0000000..a4c140d
--- /dev/null
+++ b/0010-Fix-CVE-2019-13225-problem-in-converting-if-then-els.patch
@@ -0,0 +1,72 @@
+From c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Thu, 27 Jun 2019 14:11:55 +0900
+Subject: [PATCH 10/32] Fix CVE-2019-13225: problem in converting if-then-else
+ pattern to bytecode.
+
+---
+ src/regcomp.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/src/regcomp.c b/src/regcomp.c
+index c2c04a4..ff3431f 100644
+--- a/src/regcomp.c
++++ b/src/regcomp.c
+@@ -1307,8 +1307,9 @@ compile_length_bag_node(BagNode* node, regex_t* reg)
+         len += tlen;
+       }
+ 
++      len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;
++
+       if (IS_NOT_NULL(Else)) {
+-        len += SIZE_OP_JUMP;
+         tlen = compile_length_tree(Else, reg);
+         if (tlen < 0) return tlen;
+         len += tlen;
+@@ -1455,7 +1456,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
+ 
+   case BAG_IF_ELSE:
+     {
+-      int cond_len, then_len, jump_len;
++      int cond_len, then_len, else_len, jump_len;
+       Node* cond = NODE_BAG_BODY(node);
+       Node* Then = node->te.Then;
+       Node* Else = node->te.Else;
+@@ -1472,8 +1473,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
+       else
+         then_len = 0;
+ 
+-      jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END;
+-      if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP;
++      jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP;
+ 
+       r = add_op(reg, OP_PUSH);
+       if (r != 0) return r;
+@@ -1490,11 +1490,20 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
+       }
+ 
+       if (IS_NOT_NULL(Else)) {
+-        int else_len = compile_length_tree(Else, reg);
+-        r = add_op(reg, OP_JUMP);
+-        if (r != 0) return r;
+-        COP(reg)->jump.addr = else_len + SIZE_INC_OP;
++        else_len = compile_length_tree(Else, reg);
++        if (else_len < 0) return else_len;
++      }
++      else
++        else_len = 0;
+ 
++      r = add_op(reg, OP_JUMP);
++      if (r != 0) return r;
++      COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP;
++
++      r = add_op(reg, OP_ATOMIC_END);
++      if (r != 0) return r;
++
++      if (IS_NOT_NULL(Else)) {
+         r = compile_tree(Else, reg, env);
+       }
+     }
+-- 
+2.21.0
+
diff --git a/0011-Fix-CVE-2019-13224-don-t-allow-different-encodings-f.patch b/0011-Fix-CVE-2019-13224-don-t-allow-different-encodings-f.patch
new file mode 100644
index 0000000..4a2b994
--- /dev/null
+++ b/0011-Fix-CVE-2019-13224-don-t-allow-different-encodings-f.patch
@@ -0,0 +1,44 @@
+From 0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Thu, 27 Jun 2019 17:25:26 +0900
+Subject: [PATCH 11/32] Fix CVE-2019-13224: don't allow different encodings for
+ onig_new_deluxe()
+
+---
+ src/regext.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/regext.c b/src/regext.c
+index fa4b360..965c793 100644
+--- a/src/regext.c
++++ b/src/regext.c
+@@ -29,6 +29,7 @@
+ 
+ #include "regint.h"
+ 
++#if 0
+ static void
+ conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
+ {
+@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
+ 
+   return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
++#endif
+ 
+ extern int
+ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+   if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
+ 
+   if (ci->pattern_enc != ci->target_enc) {
+-    r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
+-                      &cpat, &cpat_end);
+-    if (r != 0) return r;
++    return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+   }
+   else {
+     cpat     = (UChar* )pattern;
+-- 
+2.21.0
+
diff --git a/0101-onig_new_deluxe-don-t-free-new-pattern-if-success.patch b/0101-onig_new_deluxe-don-t-free-new-pattern-if-success.patch
new file mode 100644
index 0000000..6567d25
--- /dev/null
+++ b/0101-onig_new_deluxe-don-t-free-new-pattern-if-success.patch
@@ -0,0 +1,27 @@
+From 4a8db9d50f8281930678ed6f06692545293f3c9d Mon Sep 17 00:00:00 2001
+From: Mamoru TASAKA <mtasaka@fedoraproject.org>
+Date: Fri, 12 Jul 2019 15:38:43 +0900
+Subject: [PATCH] onig_new_deluxe: don't free new pattern if success
+
+On onig_new_deluxe() success (r == 0), new pattern (cpat) is used in
+einfo->pattern, so don't free this.
+---
+ src/regext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/regext.c b/src/regext.c
+index fa4b360..920d183 100644
+--- a/src/regext.c
++++ b/src/regext.c
+@@ -196,7 +196,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+   }
+ 
+  err2:
+-  if (cpat != pattern) xfree(cpat);
++  if (r && (cpat != pattern)) xfree(cpat);
+ 
+   return r;
+ }
+-- 
+2.21.0
+
diff --git a/oniguruma.spec b/oniguruma.spec
index 82e042d..03d8dd2 100644
--- a/oniguruma.spec
+++ b/oniguruma.spec
@@ -23,13 +23,21 @@ Name:       %{libname}
 %else
 Name:       %{libname}%{soname}
 %endif
-Version:	6.9.1
-Release:	1%{?dist}
+Version:	6.9.2
+Release:	2%{?dist}
 Summary:	Regular expressions library
 
 License:	BSD
 URL:		https://github.com/kkos/oniguruma/
 Source0:	https://github.com/kkos/oniguruma/releases/download/v%{version}/onig-%{version}.tar.gz
+# upstream patches
+Patch10:	0010-Fix-CVE-2019-13225-problem-in-converting-if-then-els.patch
+#Patch11:	0011-Fix-CVE-2019-13224-don-t-allow-different-encodings-f.patch
+# Not use Patch11 for F-30 and below, this is almost API change (deprecation of API) in
+# onig_new_deluxe() and this change should be avoided (if possible) in stable
+# branch
+# Instead use another fix
+Patch101:	0101-onig_new_deluxe-don-t-free-new-pattern-if-success.patch
 
 BuildRequires:	gcc
 
@@ -80,6 +88,10 @@ for f in \
 done
 %endif
 
+%patch10 -p1 -b .CVE-2019-13225
+#%%patch11 -p1 -b .CVE-2019-13224
+%patch101 -p1 -b .CVE-2019-13224
+
 
 %build
 %configure \
@@ -125,6 +137,8 @@ find $RPM_BUILD_ROOT -name '*.la' \
 %doc	doc/CALLOUTS.BUILTIN
 %doc	doc/FAQ
 %doc	doc/RE
+%doc	doc/SYNTAX.md
+%doc	doc/UNICODE_PROPERTIES
 %lang(ja)	%doc	doc/API.ja
 %lang(ja)	%doc	doc/CALLOUTS.API.ja
 %lang(ja)	%doc	doc/CALLOUTS.BUILTIN.ja
@@ -139,6 +153,16 @@ find $RPM_BUILD_ROOT -name '*.la' \
 
 
 %changelog
+* Mon Jul 15 2019 Remi Collet <remi@remirepo.net> -6.9.2-2
+- add security fixes from Fedora
+
+* Fri Jul 12 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 6.9.2-2
+- Upstream patch for CVE-2019-13225 (#1728966)
+- NON-upstream patch for CVE-2019-13224 (#1728971)
+
+* Mon May 13 2019 Remi Collet <remi@remirepo.net> -6.9.2-1
+- update to 6.9.2
+
 * Mon Apr  1 2019 Remi Collet <remi@remirepo.net> -6.9.1-1
 - rename to oniguruma5 to allow parallel installation
   beside old oniguruma version
author	Remi Collet <remi@remirepo.net>	2019-07-15 15:47:22 +0200
committer	Remi Collet <remi@remirepo.net>	2019-07-15 15:47:22 +0200
commit	558251d3ce37b751b4d3e263577e4252b441a92b (patch)
tree	dd3ff28d074ba25c8b52e5155476a4167c160631
parent	7af69d0e975f27cd4141ebf2f365032ac17c5150 (diff)