From 9bd4bafbc2d43862bb24e1c1458ffe856798d0b9 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 20 Oct 2020 15:28:11 +0200
Subject: From Fedora: Revert fix for CVE-2020-26159, marked as false https://github.com/kkos/oniguruma/issues/221
---
 oniguruma-XXX-CVE-2020-26159.patch | 22 ----------------------
 oniguruma.spec | 10 +++++-----
 2 files changed, 5 insertions(+), 27 deletions(-)
 delete mode 100644 oniguruma-XXX-CVE-2020-26159.patch
diff --git a/oniguruma-XXX-CVE-2020-26159.patch b/oniguruma-XXX-CVE-2020-26159.patch
deleted file mode 100644
index 71a8ada..0000000
--- a/oniguruma-XXX-CVE-2020-26159.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0 Mon Sep 17 00:00:00 2001
-From: "K.Kosako"
-Date: Mon, 21 Sep 2020 12:58:29 +0900
-Subject: [PATCH] #207: Out-of-bounds write
-
----
- src/regcomp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/regcomp.c b/src/regcomp.c
-index f6494b6d..a0a68561 100644
---- a/src/regcomp.c
-+++ b/src/regcomp.c
-@@ -6257,7 +6257,7 @@ concat_opt_exact_str(OptStr* to, UChar* s, UChar* end, OnigEncoding enc)
-
- for (i = to->len, p = s; p < end && i < OPT_EXACT_MAXLEN; ) {
- len = enclen(enc, p);
-- if (i + len > OPT_EXACT_MAXLEN) break;
-+ if (i + len >= OPT_EXACT_MAXLEN) break;
- for (j = 0; j < len && p < end; j++)
- to->s[i++] = *p++;
- }
diff --git a/oniguruma.spec b/oniguruma.spec
index 45d84bf..12f49c7 100644
--- a/oniguruma.spec
+++ b/oniguruma.spec
@@ -24,7 +24,7 @@ Name: %{libname}%{oldsoname}php Version: %{mainver}%{?postver:+%postver}
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Regular expressions library License: BSD
@@ -33,9 +33,6 @@ Source0: https://github.com/kkos/oniguruma/releases/download/v%{mainver}%{?postv # Bump soname from 5 to 105 to allow parallel installation Patch0: onig-soname.patch
-# https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
-# https://github.com/kkos/oniguruma/issues/207
-Patch1: oniguruma-XXX-CVE-2020-26159.patch
 BuildRequires: gcc
@@ -70,7 +67,6 @@ developing applications that use %{name}. %{__sed} -i.multilib -e 's|-L@libdir@||' onig-config.in %patch0 -p1 -b .bump
-%patch1 -p1 -b .CVE-2020-26159
 %if 0 for f in \
@@ -156,6 +152,10 @@ sed -e '/^test_regset_LDADD/s/$/ -lrt/' -i test/Makefile %changelog
+* Tue Oct 20 2020 Remi Collet -6.9.5+rev1-4
+- From Fedora: Revert fix for CVE-2020-26159, marked as false
+ https://github.com/kkos/oniguruma/issues/221
+
 * Thu Oct 1 2020 Remi Collet -6.9.5+rev1-3 - From Fedora: Apply upstream fix for CVE-2020-26159
-- cgit