From a56c0dd10c073ab24e27e7d4525d80e4418b4182 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Sun, 4 Aug 2019 02:40:15 -0500 Subject: user/oniguruma: patch for CVE-2019-13224 and 13225 (#155) --- user/oniguruma/APKBUILD | 15 ++++++-- user/oniguruma/CVE-2019-13224.patch | 41 ++++++++++++++++++++++ user/oniguruma/CVE-2019-13225.patch | 69 +++++++++++++++++++++++++++++++++++++ 3 files changed, 122 insertions(+), 3 deletions(-) create mode 100644 user/oniguruma/CVE-2019-13224.patch create mode 100644 user/oniguruma/CVE-2019-13225.patch (limited to 'user') diff --git a/user/oniguruma/APKBUILD b/user/oniguruma/APKBUILD index 7df3e3af5..b62084508 100644 --- a/user/oniguruma/APKBUILD +++ b/user/oniguruma/APKBUILD @@ -3,15 +3,22 @@ # Maintainer: Samuel Holland pkgname=oniguruma pkgver=6.9.2 -pkgrel=0 +pkgrel=1 pkgdesc="A regular expression library" url="https://github.com/kkos/oniguruma" arch="all" license="BSD-2-Clause" subpackages="$pkgname-dev" -source="https://github.com/kkos/$pkgname/releases/download/v$pkgver/onig-$pkgver.tar.gz" +source="https://github.com/kkos/$pkgname/releases/download/v$pkgver/onig-$pkgver.tar.gz + CVE-2019-13224.patch + CVE-2019-13225.patch" builddir="$srcdir/onig-$pkgver" +# secfixes: +# 6.9.2-r1: +# - CVE-2019-13224 +# - CVE-2019-13225 + build() { ./configure \ --build=$CBUILD \ @@ -32,4 +39,6 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="c10134e42a3c0b0eeae2027ffb7a3e1bcc9228dee286f6b6e997f8a73d717217fa74de0e19c40975d2e78044c8c4f029eb622f90c8eb4fdc4667eb4804e97001 onig-6.9.2.tar.gz" +sha512sums="c10134e42a3c0b0eeae2027ffb7a3e1bcc9228dee286f6b6e997f8a73d717217fa74de0e19c40975d2e78044c8c4f029eb622f90c8eb4fdc4667eb4804e97001 onig-6.9.2.tar.gz +7f1b42e1ceb6e9addf87bbd456848afd9db3b721352157e3a7362354c3a4cabd58fac202d199d9f9c2f08f0c5c98e3de8583367e7716028278dae96c3d6bb43a CVE-2019-13224.patch +4c1df67369055f945c49d579c3f2ae5ffc41bb1c8a2510555908f07691c669b290accd9152f017e02a2a21f8a365c9ffd8fab42a3d11409150551f0c0c919dc7 CVE-2019-13225.patch" diff --git a/user/oniguruma/CVE-2019-13224.patch b/user/oniguruma/CVE-2019-13224.patch new file mode 100644 index 000000000..22bc6bd2f --- /dev/null +++ b/user/oniguruma/CVE-2019-13224.patch @@ -0,0 +1,41 @@ +From 0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 Mon Sep 17 00:00:00 2001 +From: "K.Kosako" +Date: Thu, 27 Jun 2019 17:25:26 +0900 +Subject: [PATCH] Fix CVE-2019-13224: don't allow different encodings for + onig_new_deluxe() + +--- + src/regext.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/regext.c b/src/regext.c +index fa4b360..965c793 100644 +--- a/src/regext.c ++++ b/src/regext.c +@@ -29,6 +29,7 @@ + + #include "regint.h" + ++#if 0 + static void + conv_ext0be32(const UChar* s, const UChar* end, UChar* conv) + { +@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e + + return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION; + } ++#endif + + extern int + onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end, +@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end, + if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL; + + if (ci->pattern_enc != ci->target_enc) { +- r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end, +- &cpat, &cpat_end); +- if (r != 0) return r; ++ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION; + } + else { + cpat = (UChar* )pattern; diff --git a/user/oniguruma/CVE-2019-13225.patch b/user/oniguruma/CVE-2019-13225.patch new file mode 100644 index 000000000..26e296d8d --- /dev/null +++ b/user/oniguruma/CVE-2019-13225.patch @@ -0,0 +1,69 @@ +From c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c Mon Sep 17 00:00:00 2001 +From: "K.Kosako" +Date: Thu, 27 Jun 2019 14:11:55 +0900 +Subject: [PATCH] Fix CVE-2019-13225: problem in converting if-then-else + pattern to bytecode. + +--- + src/regcomp.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/src/regcomp.c b/src/regcomp.c +index c2c04a4..ff3431f 100644 +--- a/src/regcomp.c ++++ b/src/regcomp.c +@@ -1307,8 +1307,9 @@ compile_length_bag_node(BagNode* node, regex_t* reg) + len += tlen; + } + ++ len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END; ++ + if (IS_NOT_NULL(Else)) { +- len += SIZE_OP_JUMP; + tlen = compile_length_tree(Else, reg); + if (tlen < 0) return tlen; + len += tlen; +@@ -1455,7 +1456,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env) + + case BAG_IF_ELSE: + { +- int cond_len, then_len, jump_len; ++ int cond_len, then_len, else_len, jump_len; + Node* cond = NODE_BAG_BODY(node); + Node* Then = node->te.Then; + Node* Else = node->te.Else; +@@ -1472,8 +1473,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env) + else + then_len = 0; + +- jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END; +- if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP; ++ jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP; + + r = add_op(reg, OP_PUSH); + if (r != 0) return r; +@@ -1490,11 +1490,20 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env) + } + + if (IS_NOT_NULL(Else)) { +- int else_len = compile_length_tree(Else, reg); +- r = add_op(reg, OP_JUMP); +- if (r != 0) return r; +- COP(reg)->jump.addr = else_len + SIZE_INC_OP; ++ else_len = compile_length_tree(Else, reg); ++ if (else_len < 0) return else_len; ++ } ++ else ++ else_len = 0; + ++ r = add_op(reg, OP_JUMP); ++ if (r != 0) return r; ++ COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP; ++ ++ r = add_op(reg, OP_ATOMIC_END); ++ if (r != 0) return r; ++ ++ if (IS_NOT_NULL(Else)) { + r = compile_tree(Else, reg, env); + } + } -- cgit v1.2.3-70-g09d2