user/oniguruma: patch for CVE-2019-13224 and 13225 (#155)

3 files changed, 122 insertions, 3 deletions

diff --git a/user/oniguruma/APKBUILD b/user/oniguruma/APKBUILD
index 7df3e3af5..b62084508 100644
--- a/user/oniguruma/APKBUILD
+++ b/user/oniguruma/APKBUILD
@@ -3,15 +3,22 @@
 # Maintainer: Samuel Holland <samuel@sholland.org>
 pkgname=oniguruma
 pkgver=6.9.2
-pkgrel=0
+pkgrel=1
 pkgdesc="A regular expression library"
 url="https://github.com/kkos/oniguruma"
 arch="all"
 license="BSD-2-Clause"
 subpackages="$pkgname-dev"
-source="https://github.com/kkos/$pkgname/releases/download/v$pkgver/onig-$pkgver.tar.gz"
+source="https://github.com/kkos/$pkgname/releases/download/v$pkgver/onig-$pkgver.tar.gz
+	CVE-2019-13224.patch
+	CVE-2019-13225.patch"
 builddir="$srcdir/onig-$pkgver"
 
+# secfixes:
+#   6.9.2-r1:
+#     - CVE-2019-13224
+#     - CVE-2019-13225
+
 build() {
 	./configure \
 		--build=$CBUILD \
@@ -32,4 +39,6 @@ package() {
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="c10134e42a3c0b0eeae2027ffb7a3e1bcc9228dee286f6b6e997f8a73d717217fa74de0e19c40975d2e78044c8c4f029eb622f90c8eb4fdc4667eb4804e97001  onig-6.9.2.tar.gz"
+sha512sums="c10134e42a3c0b0eeae2027ffb7a3e1bcc9228dee286f6b6e997f8a73d717217fa74de0e19c40975d2e78044c8c4f029eb622f90c8eb4fdc4667eb4804e97001  onig-6.9.2.tar.gz
+7f1b42e1ceb6e9addf87bbd456848afd9db3b721352157e3a7362354c3a4cabd58fac202d199d9f9c2f08f0c5c98e3de8583367e7716028278dae96c3d6bb43a  CVE-2019-13224.patch
+4c1df67369055f945c49d579c3f2ae5ffc41bb1c8a2510555908f07691c669b290accd9152f017e02a2a21f8a365c9ffd8fab42a3d11409150551f0c0c919dc7  CVE-2019-13225.patch"
diff --git a/user/oniguruma/CVE-2019-13224.patch b/user/oniguruma/CVE-2019-13224.patch
new file mode 100644
index 000000000..22bc6bd2f
--- /dev/null
+++ b/user/oniguruma/CVE-2019-13224.patch
@@ -0,0 +1,41 @@
+From 0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Thu, 27 Jun 2019 17:25:26 +0900
+Subject: [PATCH] Fix CVE-2019-13224: don't allow different encodings for
+ onig_new_deluxe()
+
+---
+ src/regext.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/regext.c b/src/regext.c
+index fa4b360..965c793 100644
+--- a/src/regext.c
++++ b/src/regext.c
+@@ -29,6 +29,7 @@
+ 
+ #include "regint.h"
+ 
++#if 0
+ static void
+ conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
+ {
+@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
+ 
+   return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
++#endif
+ 
+ extern int
+ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+   if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
+ 
+   if (ci->pattern_enc != ci->target_enc) {
+-    r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
+-                      &cpat, &cpat_end);
+-    if (r != 0) return r;
++    return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+   }
+   else {
+     cpat     = (UChar* )pattern;
diff --git a/user/oniguruma/CVE-2019-13225.patch b/user/oniguruma/CVE-2019-13225.patch
new file mode 100644
index 000000000..26e296d8d
--- /dev/null
+++ b/user/oniguruma/CVE-2019-13225.patch
@@ -0,0 +1,69 @@
+From c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Thu, 27 Jun 2019 14:11:55 +0900
+Subject: [PATCH] Fix CVE-2019-13225: problem in converting if-then-else
+ pattern to bytecode.
+
+---
+ src/regcomp.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/src/regcomp.c b/src/regcomp.c
+index c2c04a4..ff3431f 100644
+--- a/src/regcomp.c
++++ b/src/regcomp.c
+@@ -1307,8 +1307,9 @@ compile_length_bag_node(BagNode* node, regex_t* reg)
+         len += tlen;
+       }
+ 
++      len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;
++
+       if (IS_NOT_NULL(Else)) {
+-        len += SIZE_OP_JUMP;
+         tlen = compile_length_tree(Else, reg);
+         if (tlen < 0) return tlen;
+         len += tlen;
+@@ -1455,7 +1456,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
+ 
+   case BAG_IF_ELSE:
+     {
+-      int cond_len, then_len, jump_len;
++      int cond_len, then_len, else_len, jump_len;
+       Node* cond = NODE_BAG_BODY(node);
+       Node* Then = node->te.Then;
+       Node* Else = node->te.Else;
+@@ -1472,8 +1473,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
+       else
+         then_len = 0;
+ 
+-      jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END;
+-      if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP;
++      jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP;
+ 
+       r = add_op(reg, OP_PUSH);
+       if (r != 0) return r;
+@@ -1490,11 +1490,20 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
+       }
+ 
+       if (IS_NOT_NULL(Else)) {
+-        int else_len = compile_length_tree(Else, reg);
+-        r = add_op(reg, OP_JUMP);
+-        if (r != 0) return r;
+-        COP(reg)->jump.addr = else_len + SIZE_INC_OP;
++        else_len = compile_length_tree(Else, reg);
++        if (else_len < 0) return else_len;
++      }
++      else
++        else_len = 0;
+ 
++      r = add_op(reg, OP_JUMP);
++      if (r != 0) return r;
++      COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP;
++
++      r = add_op(reg, OP_ATOMIC_END);
++      if (r != 0) return r;
++
++      if (IS_NOT_NULL(Else)) {
+         r = compile_tree(Else, reg, env);
+       }
+     }