rpms/oniguruma
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Upstream patch for CVE-2019-13225 (#1728966)

Browse Source 
NON-upstream patch for CVE-2019-13224 (#1728971)
This commit is contained in:
Mamoru TASAKA 2019-07-12 15:47:42 +09:00
parent e4219c20bd
commit 8ebd53c39d
4 changed files with 160 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
0010-Fix-CVE-2019-13225-problem-in-converting-if-then-els.patch Normal file
View File

@ -0,0 +1,72 @@
From c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c Mon Sep 17 00:00:00 2001
From: "K.Kosako" <kosako@sofnec.co.jp>
Date: Thu, 27 Jun 2019 14:11:55 +0900
Subject: [PATCH 10/32] Fix CVE-2019-13225: problem in converting if-then-else
pattern to bytecode.
---
src/regcomp.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/src/regcomp.c b/src/regcomp.c
index c2c04a4..ff3431f 100644
--- a/src/regcomp.c
+++ b/src/regcomp.c
@@ -1307,8 +1307,9 @@ compile_length_bag_node(BagNode* node, regex_t* reg)
len += tlen;
}
+ len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;
+
if (IS_NOT_NULL(Else)) {
- len += SIZE_OP_JUMP;
tlen = compile_length_tree(Else, reg);
if (tlen < 0) return tlen;
len += tlen;
@@ -1455,7 +1456,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
case BAG_IF_ELSE:
{
- int cond_len, then_len, jump_len;
+ int cond_len, then_len, else_len, jump_len;
Node* cond = NODE_BAG_BODY(node);
Node* Then = node->te.Then;
Node* Else = node->te.Else;
@@ -1472,8 +1473,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
else
then_len = 0;
- jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END;
- if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP;
+ jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP;
r = add_op(reg, OP_PUSH);
if (r != 0) return r;
@@ -1490,11 +1490,20 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
}
if (IS_NOT_NULL(Else)) {
- int else_len = compile_length_tree(Else, reg);
- r = add_op(reg, OP_JUMP);
- if (r != 0) return r;
- COP(reg)->jump.addr = else_len + SIZE_INC_OP;
+ else_len = compile_length_tree(Else, reg);
+ if (else_len < 0) return else_len;
+ }
+ else
+ else_len = 0;
+ r = add_op(reg, OP_JUMP);
+ if (r != 0) return r;
+ COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP;
+
+ r = add_op(reg, OP_ATOMIC_END);
+ if (r != 0) return r;
+
+ if (IS_NOT_NULL(Else)) {
r = compile_tree(Else, reg, env);
}
}
--
2.21.0

44
0011-Fix-CVE-2019-13224-don-t-allow-different-encodings-f.patch Normal file
View File

@ -0,0 +1,44 @@
From 0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 Mon Sep 17 00:00:00 2001
From: "K.Kosako" <kosako@sofnec.co.jp>
Date: Thu, 27 Jun 2019 17:25:26 +0900
Subject: [PATCH 11/32] Fix CVE-2019-13224: don't allow different encodings for
onig_new_deluxe()
---
src/regext.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/regext.c b/src/regext.c
index fa4b360..965c793 100644
--- a/src/regext.c
+++ b/src/regext.c
@@ -29,6 +29,7 @@
#include "regint.h"
+#if 0
static void
conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
{
@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
}
+#endif
extern int
onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
if (ci->pattern_enc != ci->target_enc) {
- r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
- &cpat, &cpat_end);
- if (r != 0) return r;
+ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
}
else {
cpat = (UChar* )pattern;
--
2.21.0

27
0101-onig_new_deluxe-don-t-free-new-pattern-if-success.patch Normal file
View File

@ -0,0 +1,27 @@
From 4a8db9d50f8281930678ed6f06692545293f3c9d Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA <mtasaka@fedoraproject.org>
Date: Fri, 12 Jul 2019 15:38:43 +0900
Subject: [PATCH] onig_new_deluxe: don't free new pattern if success
On onig_new_deluxe() success (r == 0), new pattern (cpat) is used in
einfo->pattern, so don't free this.
---
src/regext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/regext.c b/src/regext.c
index fa4b360..920d183 100644
--- a/src/regext.c
+++ b/src/regext.c
@@ -196,7 +196,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
}
err2:
- if (cpat != pattern) xfree(cpat);
+ if (r && (cpat != pattern)) xfree(cpat);
return r;
}
--
2.21.0

18
oniguruma.spec
View File

@ -3,7 +3,7 @@
%global mainver 6.9.2
#%%global betaver rc3
%global fedorarel 1
%global fedorarel 2
Name: oniguruma
Version: %{mainver}
@ -13,6 +13,14 @@ Summary: Regular expressions library
License: BSD
URL: https://github.com/kkos/oniguruma/
Source0: https://github.com/kkos/oniguruma/releases/download/v%{mainver}%{?betaver:_%betaver}/onig-%{mainver}%{?betaver:-%betaver}.tar.gz
# upstream patches
Patch10: 0010-Fix-CVE-2019-13225-problem-in-converting-if-then-els.patch
#Patch11: 0011-Fix-CVE-2019-13224-don-t-allow-different-encodings-f.patch
# Not use Patch11 for F-30 and below, this is almost API change (deprecation of API) in
# onig_new_deluxe() and this change should be avoided (if possible) in stable
# branch
# Instead use another fix
Patch101: 0101-onig_new_deluxe-don-t-free-new-pattern-if-success.patch
BuildRequires: gcc
@ -49,6 +57,10 @@ for f in \
done
%endif
%patch10 -p1 -b .CVE-2019-13225
#%%patch11 -p1 -b .CVE-2019-13224
%patch101 -p1 -b .CVE-2019-13224
%build
%configure \
--disable-silent-rules \
@ -104,6 +116,10 @@ find $RPM_BUILD_ROOT -name '*.la' \
%{_libdir}/pkgconfig/%{name}.pc
%changelog
* Fri Jul 12 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 6.9.2-2
- Upstream patch for CVE-2019-13225 (#1728966)
- NON-upstream patch for CVE-2019-13224 (#1728971)
* Tue May 7 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 6.9.2-1
- rc3 released as 6.9.2 final release