From f633e92125129ec6e7fde76b34d7dea910bdd981 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 20 Feb 2024 13:36:19 +0000 Subject: [PATCH] import UBI oniguruma-6.8.2-2.1.el8_9 --- .../oniguruma-6.8.2-CVE-2019-13224-fix.patch | 18 ++ .../oniguruma-6.8.2-CVE-2019-16163-fix.patch | 42 ++++ .../oniguruma-6.8.2-CVE-2019-19012-fix.patch | 204 ++++++++++++++++++ .../oniguruma-6.8.2-CVE-2019-19203-fix.patch | 114 ++++++++++ .../oniguruma-6.8.2-CVE-2019-19204-fix.patch | 12 ++ SPECS/oniguruma.spec | 24 ++- 6 files changed, 413 insertions(+), 1 deletion(-) create mode 100644 SOURCES/oniguruma-6.8.2-CVE-2019-13224-fix.patch create mode 100644 SOURCES/oniguruma-6.8.2-CVE-2019-16163-fix.patch create mode 100644 SOURCES/oniguruma-6.8.2-CVE-2019-19012-fix.patch create mode 100644 SOURCES/oniguruma-6.8.2-CVE-2019-19203-fix.patch create mode 100644 SOURCES/oniguruma-6.8.2-CVE-2019-19204-fix.patch diff --git a/SOURCES/oniguruma-6.8.2-CVE-2019-13224-fix.patch b/SOURCES/oniguruma-6.8.2-CVE-2019-13224-fix.patch new file mode 100644 index 0000000..e7da05c --- /dev/null +++ b/SOURCES/oniguruma-6.8.2-CVE-2019-13224-fix.patch @@ -0,0 +1,18 @@ +diff -up onig-6.8.2/src/regext.c.orig onig-6.8.2/src/regext.c +--- onig-6.8.2/src/regext.c.orig 2017-12-11 01:08:17.000000000 +0100 ++++ onig-6.8.2/src/regext.c 2023-10-30 11:10:45.018894014 +0100 +@@ -196,7 +196,13 @@ onig_new_deluxe(regex_t** reg, const UCh + } + + err2: +- if (cpat != pattern) xfree(cpat); ++ if (cpat != pattern) { ++ xfree(cpat); ++ if (r) { ++ einfo->par = (UChar* )NULL; ++ einfo->par_end = (UChar* )NULL; ++ } ++ } + + return r; + } diff --git a/SOURCES/oniguruma-6.8.2-CVE-2019-16163-fix.patch b/SOURCES/oniguruma-6.8.2-CVE-2019-16163-fix.patch new file mode 100644 index 0000000..5c36883 --- /dev/null +++ b/SOURCES/oniguruma-6.8.2-CVE-2019-16163-fix.patch @@ -0,0 +1,42 @@ +diff -up onig-6.8.2/src/regparse.c.orig onig-6.8.2/src/regparse.c +--- onig-6.8.2/src/regparse.c.orig 2023-11-22 10:28:14.536985966 +0100 ++++ onig-6.8.2/src/regparse.c 2023-11-22 10:32:19.677112046 +0100 +@@ -6198,6 +6198,7 @@ parse_char_class(Node** np, OnigToken* t + env->parse_depth++; + if (env->parse_depth > ParseDepthLimit) + return ONIGERR_PARSE_DEPTH_LIMIT_OVER; ++ + prev_cc = (CClassNode* )NULL; + r = fetch_token_in_cc(tok, src, end, env); + if (r == TK_CHAR && tok->u.c == '^' && tok->escaped == 0) { +@@ -7723,14 +7724,18 @@ static int + parse_exp(Node** np, OnigToken* tok, int term, UChar** src, UChar* end, + ScanEnv* env) + { +- int r, len, group = 0; ++ int r, len, group; + Node* qn; + Node** targetp; ++ unsigned int parse_depth; + ++ group = 0; + *np = NULL; + if (tok->type == (enum TokenSyms )term) + goto end_of_token; + ++ parse_depth = env->parse_depth; ++ + switch (tok->type) { + case TK_ALT: + case TK_EOT: +@@ -8037,6 +8042,10 @@ parse_exp(Node** np, OnigToken* tok, int + if (is_invalid_quantifier_target(*targetp)) + return ONIGERR_TARGET_OF_REPEAT_OPERATOR_INVALID; + ++ parse_depth++; ++ if (parse_depth > ParseDepthLimit) ++ return ONIGERR_PARSE_DEPTH_LIMIT_OVER; ++ + qn = node_new_quantifier(tok->u.repeat.lower, tok->u.repeat.upper, + (r == TK_INTERVAL ? 1 : 0)); + CHECK_NULL_RETURN_MEMERR(qn); diff --git a/SOURCES/oniguruma-6.8.2-CVE-2019-19012-fix.patch b/SOURCES/oniguruma-6.8.2-CVE-2019-19012-fix.patch new file mode 100644 index 0000000..8069670 --- /dev/null +++ b/SOURCES/oniguruma-6.8.2-CVE-2019-19012-fix.patch @@ -0,0 +1,204 @@ +diff -up onig-6.8.2/src/regexec.c.orig onig-6.8.2/src/regexec.c +--- onig-6.8.2/src/regexec.c.orig 2018-04-17 02:08:37.000000000 +0200 ++++ onig-6.8.2/src/regexec.c 2023-12-07 15:39:01.502781873 +0100 +@@ -4384,14 +4384,14 @@ forward_search_range(regex_t* reg, const + #endif + + p = s; +- if (reg->dmin > 0) { ++ if (reg->dmin != 0) { ++ if (end - p <= reg->dmin) ++ return 0; /* fail */ + if (ONIGENC_IS_SINGLEBYTE(reg->enc)) { + p += reg->dmin; + } + else { + UChar *q = p + reg->dmin; +- +- if (q >= end) return 0; /* fail */ + while (p < q) p += enclen(reg->enc, p); + } + } +@@ -4420,7 +4420,7 @@ forward_search_range(regex_t* reg, const + } + + if (p && p < range) { +- if (p - reg->dmin < s) { ++ if (p - s < reg->dmin) { + retry_gate: + pprev = p; + p += enclen(reg->enc, p); +@@ -4468,6 +4468,7 @@ forward_search_range(regex_t* reg, const + *low_prev = onigenc_get_prev_char_head(reg->enc, + (pprev ? pprev : str), p); + } ++ *high = p; + } + else { + if (reg->dmax != INFINITE_LEN) { +@@ -4492,9 +4493,12 @@ forward_search_range(regex_t* reg, const + } + } + } ++ /* no needs to adjust *high, *high is used as range check only */ ++ if (p - str < reg->dmin) ++ *high = (UChar* )str; ++ else ++ *high = p - reg->dmin; + } +- /* no needs to adjust *high, *high is used as range check only */ +- *high = p - reg->dmin; + + #ifdef ONIG_DEBUG_SEARCH + fprintf(stderr, +@@ -4517,7 +4521,6 @@ backward_search_range(regex_t* reg, cons + { + UChar *p; + +- range += reg->dmin; + p = s; + + retry: +@@ -4598,10 +4601,22 @@ backward_search_range(regex_t* reg, cons + } + } + +- /* no needs to adjust *high, *high is used as range check only */ + if (reg->dmax != INFINITE_LEN) { +- *low = p - reg->dmax; +- *high = p - reg->dmin; ++ if (p - str < reg->dmax) ++ *low = (UChar* )str; ++ else ++ *low = p - reg->dmax; ++ ++ if (reg->dmin != 0) { ++ if (p - str < reg->dmin) ++ *high = (UChar* )str; ++ else ++ *high = p - reg->dmin; ++ } ++ else { ++ *high = p; ++ } ++ + *high = onigenc_get_right_adjust_char_head(reg->enc, adjrange, *high); + } + +@@ -4731,13 +4746,16 @@ onig_search_with_param(regex_t* reg, con + goto mismatch_no_msa; + + if (range > start) { +- if ((OnigLen )(min_semi_end - start) > reg->anchor_dmax) { ++ if (min_semi_end - start > reg->anchor_dmax) { + start = min_semi_end - reg->anchor_dmax; + if (start < end) + start = onigenc_get_right_adjust_char_head(reg->enc, str, start); + } +- if ((OnigLen )(max_semi_end - (range - 1)) < reg->anchor_dmin) { +- range = max_semi_end - reg->anchor_dmin + 1; ++ if (max_semi_end - (range - 1) < reg->anchor_dmin) { ++ if (max_semi_end - str + 1 < reg->anchor_dmin) ++ goto mismatch_no_msa; ++ else ++ range = max_semi_end - reg->anchor_dmin + 1; + } + + if (start > range) goto mismatch_no_msa; +@@ -4745,12 +4763,16 @@ onig_search_with_param(regex_t* reg, con + Backward search is used. */ + } + else { +- if ((OnigLen )(min_semi_end - range) > reg->anchor_dmax) { ++ if (min_semi_end - range > reg->anchor_dmax) { + range = min_semi_end - reg->anchor_dmax; + } +- if ((OnigLen )(max_semi_end - start) < reg->anchor_dmin) { +- start = max_semi_end - reg->anchor_dmin; +- start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, start); ++ if (max_semi_end - start < reg->anchor_dmin) { ++ if (max_semi_end - str < reg->anchor_dmin) ++ goto mismatch_no_msa; ++ else { ++ start = max_semi_end - reg->anchor_dmin; ++ start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, start); ++ } + } + if (range > start) goto mismatch_no_msa; + } +@@ -4818,15 +4840,19 @@ onig_search_with_param(regex_t* reg, con + if (reg->optimize != OPTIMIZE_NONE) { + UChar *sch_range, *low, *high, *low_prev; + +- sch_range = (UChar* )range; + if (reg->dmax != 0) { + if (reg->dmax == INFINITE_LEN) + sch_range = (UChar* )end; + else { +- sch_range += reg->dmax; +- if (sch_range > end) sch_range = (UChar* )end; ++ if ((end - range) < reg->dmax) ++ sch_range = (UChar* )end; ++ else { ++ sch_range = (UChar* )range + reg->dmax; ++ } + } + } ++ else ++ sch_range = (UChar* )range; + + if ((end - start) < reg->threshold_len) + goto mismatch; +@@ -4885,18 +4911,28 @@ onig_search_with_param(regex_t* reg, con + + if (reg->optimize != OPTIMIZE_NONE) { + UChar *low, *high, *adjrange, *sch_start; ++ const UChar *min_range; + + if (range < end) + adjrange = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, range); + else + adjrange = (UChar* )end; + ++ if (end - range > reg->dmin) ++ min_range = range + reg->dmin; ++ else ++ min_range = end; ++ + if (reg->dmax != INFINITE_LEN && + (end - range) >= reg->threshold_len) { + do { +- sch_start = s + reg->dmax; +- if (sch_start > end) sch_start = (UChar* )end; +- if (backward_search_range(reg, str, end, sch_start, range, adjrange, ++ if (end - s > reg->dmax) ++ sch_start = s + reg->dmax; ++ else { ++ sch_start = (UChar* )end; ++ } ++ ++ if (backward_search_range(reg, str, end, sch_start, min_range, adjrange, + &low, &high) <= 0) + goto mismatch; + +@@ -4914,19 +4950,7 @@ onig_search_with_param(regex_t* reg, con + else { /* check only. */ + if ((end - range) < reg->threshold_len) goto mismatch; + +- sch_start = s; +- if (reg->dmax != 0) { +- if (reg->dmax == INFINITE_LEN) +- sch_start = (UChar* )end; +- else { +- sch_start += reg->dmax; +- if (sch_start > end) sch_start = (UChar* )end; +- else +- sch_start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, +- start, sch_start); +- } +- } +- if (backward_search_range(reg, str, end, sch_start, range, adjrange, ++ if (backward_search_range(reg, str, end, sch_start, min_range, adjrange, + &low, &high) <= 0) goto mismatch; + } + } diff --git a/SOURCES/oniguruma-6.8.2-CVE-2019-19203-fix.patch b/SOURCES/oniguruma-6.8.2-CVE-2019-19203-fix.patch new file mode 100644 index 0000000..9ece647 --- /dev/null +++ b/SOURCES/oniguruma-6.8.2-CVE-2019-19203-fix.patch @@ -0,0 +1,114 @@ +diff -up onig-6.8.2/src/gb18030.c.orig onig-6.8.2/src/gb18030.c +--- onig-6.8.2/src/gb18030.c.orig 2023-10-17 12:12:44.944352236 +0200 ++++ onig-6.8.2/src/gb18030.c 2023-10-17 12:14:52.188483869 +0200 +@@ -76,6 +76,20 @@ gb18030_mbc_enc_len(const UChar* p) + } + + static int ++gb18030_code_to_mbclen(OnigCodePoint code) ++{ ++ if ((code & 0xff000000) != 0) return 4; ++ else if ((code & 0xff0000) != 0) return ONIGERR_INVALID_CODE_POINT_VALUE; ++ else if ((code & 0xff00) != 0) return 2; ++ else { ++ if (GB18030_MAP[(int )(code & 0xff)] == CM) ++ return ONIGERR_INVALID_CODE_POINT_VALUE; ++ ++ return 1; ++ } ++} ++ ++static int + is_valid_mbc_string(const UChar* p, const UChar* end) + { + while (p < end) { +@@ -522,7 +536,7 @@ OnigEncodingType OnigEncodingGB18030 = { + 1, /* min enc length */ + onigenc_is_mbc_newline_0x0a, + gb18030_mbc_to_code, +- onigenc_mb4_code_to_mbclen, ++ gb18030_code_to_mbclen, + gb18030_code_to_mbc, + gb18030_mbc_case_fold, + onigenc_ascii_apply_all_case_fold, +diff -up onig-6.8.2/src/regparse.c.orig onig-6.8.2/src/regparse.c +--- onig-6.8.2/src/regparse.c.orig 2023-10-17 12:17:56.661666528 +0200 ++++ onig-6.8.2/src/regparse.c 2023-10-17 12:29:57.807302184 +0200 +@@ -5839,6 +5839,7 @@ add_ctype_to_cc(CClassNode* cc, int ctyp + + int c, r; + int ascii_mode; ++ int is_single; + const OnigCodePoint *ranges; + OnigCodePoint limit; + OnigCodePoint sb_out; +@@ -5860,6 +5861,7 @@ add_ctype_to_cc(CClassNode* cc, int ctyp + } + + r = 0; ++ is_single = ONIGENC_IS_SINGLEBYTE(enc); + limit = ascii_mode ? ASCII_LIMIT : SINGLE_BYTE_SIZE; + + switch (ctype) { +@@ -5876,19 +5878,25 @@ add_ctype_to_cc(CClassNode* cc, int ctyp + case ONIGENC_CTYPE_ALNUM: + if (not != 0) { + for (c = 0; c < (int )limit; c++) { +- if (! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype)) +- BITSET_SET_BIT(cc->bs, c); ++ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) { ++ if (! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype)) ++ BITSET_SET_BIT(cc->bs, c); ++ } + } + for (c = limit; c < SINGLE_BYTE_SIZE; c++) { +- BITSET_SET_BIT(cc->bs, c); ++ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) ++ BITSET_SET_BIT(cc->bs, c); + } + +- ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf); ++ if (is_single == 0) ++ ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf); + } + else { + for (c = 0; c < (int )limit; c++) { +- if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype)) +- BITSET_SET_BIT(cc->bs, c); ++ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) { ++ if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype)) ++ BITSET_SET_BIT(cc->bs, c); ++ } + } + } + break; +@@ -5898,21 +5906,25 @@ add_ctype_to_cc(CClassNode* cc, int ctyp + case ONIGENC_CTYPE_WORD: + if (not != 0) { + for (c = 0; c < (int )limit; c++) { +- if (ONIGENC_CODE_TO_MBCLEN(enc, c) > 0 /* check invalid code point */ ++ /* check invalid code point */ ++ if ((is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) + && ! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype)) + BITSET_SET_BIT(cc->bs, c); + } + for (c = limit; c < SINGLE_BYTE_SIZE; c++) { +- if (ONIGENC_CODE_TO_MBCLEN(enc, c) > 0) ++ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) + BITSET_SET_BIT(cc->bs, c); + } ++ if (ascii_mode != 0 && is_single == 0) ++ ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf); + } + else { + for (c = 0; c < (int )limit; c++) { +- if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype)) ++ if ((is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) ++ && ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype)) + BITSET_SET_BIT(cc->bs, c); + } +- if (ascii_mode == 0) ++ if (ascii_mode == 0 && is_single == 0) + ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf); + } + break; diff --git a/SOURCES/oniguruma-6.8.2-CVE-2019-19204-fix.patch b/SOURCES/oniguruma-6.8.2-CVE-2019-19204-fix.patch new file mode 100644 index 0000000..907cf00 --- /dev/null +++ b/SOURCES/oniguruma-6.8.2-CVE-2019-19204-fix.patch @@ -0,0 +1,12 @@ +diff -up onig-6.8.2/src/regparse.c.orig onig-6.8.2/src/regparse.c +--- onig-6.8.2/src/regparse.c.orig 2023-10-13 10:22:48.882495157 +0200 ++++ onig-6.8.2/src/regparse.c 2023-10-13 10:23:11.096529668 +0200 +@@ -4132,7 +4132,7 @@ fetch_range_quantifier(UChar** src, UCha + if (PEND) goto invalid; + PFETCH(c); + if (IS_SYNTAX_OP(env->syntax, ONIG_SYN_OP_ESC_BRACE_INTERVAL)) { +- if (c != MC_ESC(env->syntax)) goto invalid; ++ if (c != MC_ESC(env->syntax) || PEND) goto invalid; + PFETCH(c); + } + if (c != '}') goto invalid; diff --git a/SPECS/oniguruma.spec b/SPECS/oniguruma.spec index 7d4c4a7..2df4da3 100644 --- a/SPECS/oniguruma.spec +++ b/SPECS/oniguruma.spec @@ -1,6 +1,6 @@ Name: oniguruma Version: 6.8.2 -Release: 2%{?dist} +Release: 2.1%{?dist} Summary: Regular expressions library Group: System Environment/Libraries @@ -10,6 +10,11 @@ Source0: https://github.com/kkos/oniguruma/releases/download/v%{version}/onig-%{ # Backport https://src.fedoraproject.org/rpms/oniguruma/blob/f29/f/0100-Apply-CVE-2019-13325-fix-to-6.9.1.patch # (upstream: https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c) Patch100: oniguruma-6.8.2-CVE-2019-13225-fix.patch +Patch101: oniguruma-6.8.2-CVE-2019-13224-fix.patch +Patch102: oniguruma-6.8.2-CVE-2019-16163-fix.patch +Patch103: oniguruma-6.8.2-CVE-2019-19012-fix.patch +Patch104: oniguruma-6.8.2-CVE-2019-19203-fix.patch +Patch105: oniguruma-6.8.2-CVE-2019-19204-fix.patch %description Oniguruma is a regular expressions library. @@ -46,6 +51,11 @@ done %endif %patch100 -p1 -b .CVE-2019-13225 +%patch101 -p1 -b .CVE-2019-13224 +%patch102 -p1 -b .CVE-2019-16163 +%patch103 -p1 -b .CVE-2019-19012 +%patch104 -p1 -b .CVE-2019-19203 +%patch105 -p1 -b .CVE-2019-19204 %build %configure \ @@ -102,6 +112,18 @@ find $RPM_BUILD_ROOT -name '*.la' \ %{_libdir}/pkgconfig/%{name}.pc %changelog +* Fri Jan 05 2024 Vitezslav Crhonek - 6.8.2-2.1 +- Fix CVE-2019-13224 + Resolves: RHEL-20648 +- Fix CVE-2019-16163 + Resolves: RHEL-20642 +- Fix CVE-2019-19012 + Resolves: RHEL-20636 +- Fix CVE-2019-19203 + Resolves: RHEL-20630 +- Fix CVE-2019-19204 + Resolves: RHEL-20624 + * Fri Jun 26 2020 Jiri Kucera - 6.8.2-2 - Fix CVE-2019-13225 Resolves: #1771052