Fix CVE-2019-13224

Resolves: RHEL-6970
2023-12-21 10:36:38 +01:00 · 2023-12-21 10:36:38 +01:00 · 0bd48a7bf0
commit 0bd48a7bf0
parent c0283d587f
2 changed files with 25 additions and 1 deletions
--- a/oniguruma-6.8.2-CVE-2019-13224-fix.patch
+++ b/oniguruma-6.8.2-CVE-2019-13224-fix.patch
@ -0,0 +1,18 @@
+diff -up onig-6.8.2/src/regext.c.orig onig-6.8.2/src/regext.c
+--- onig-6.8.2/src/regext.c.orig	2017-12-11 01:08:17.000000000 +0100
+++ onig-6.8.2/src/regext.c	2023-10-30 11:10:45.018894014 +0100
+@@ -196,7 +196,13 @@ onig_new_deluxe(regex_t** reg, const UCh
+   }
+ 
+  err2:
+-  if (cpat != pattern) xfree(cpat);
+  if (cpat != pattern) {
+    xfree(cpat);
+    if (r) {
+      einfo->par = (UChar* )NULL;
+      einfo->par_end = (UChar* )NULL;
+    }
+  }
+ 
+   return r;
+ }
--- a/oniguruma.spec
+++ b/oniguruma.spec
@ -1,6 +1,6 @@
 Name:		oniguruma
 Version:	6.8.2
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	Regular expressions library

 Group:		System Environment/Libraries
@ -10,6 +10,7 @@ Source0:	https://github.com/kkos/oniguruma/releases/download/v%{version}/onig-%{
 # Backport https://src.fedoraproject.org/rpms/oniguruma/blob/f29/f/0100-Apply-CVE-2019-13325-fix-to-6.9.1.patch
 # (upstream: https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c)
 Patch100:	oniguruma-6.8.2-CVE-2019-13225-fix.patch
+Patch101:	oniguruma-6.8.2-CVE-2019-13224-fix.patch

 %description
 Oniguruma is a regular expressions library.
@ -46,6 +47,7 @@ done
 %endif

 %patch100 -p1 -b .CVE-2019-13225
+%patch101 -p1 -b .CVE-2019-13224

 %build
 %configure \
@ -102,6 +104,10 @@ find $RPM_BUILD_ROOT -name '*.la' \
 %{_libdir}/pkgconfig/%{name}.pc	

 %changelog
+* Thu Dec 21 2023 Vitezslav Crhonek <vcrhonek@redhat.com> - 6.8.2-3
+- Fix CVE-2019-13224
+  Resolves: RHEL-6970
+
 * Fri Jun 26 2020 Jiri Kucera <jkucera@redhat.com> - 6.8.2-2
 - Fix CVE-2019-13225
  Resolves: #1771052