libonig/5.9.1-1+deb7u1 (CVE-2017-922[4-9])

[Jörg Frings-Fürst <debian@jff-webhosting.net>]

Hello Vincent,

I have a bugfix release ready for a review.

My changes:

libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high

  * New debian/patches/0500-CVE-2017-922[4-9].patch:
    - Cherrypicked from upstream to correct:
      + CVE-2017-9224 (Closes: #863312)
      + CVE-2017-9226 (Closes: #863314)
      + CVE-2017-9227 (Closes: #863315)
      + CVE-2017-9228 (Closes: #863316)
      + CVE-2017-9229 (Closes: #863318)
  * debian/control:
    - Add myself as maintainer.

Build with pdebuild are ok. The test with the newest lintian has a lot
of warnings.

The package is uploaded to mentors[1].  The debdiff is attached.

Please can you review it?

Many thanks.

CU
Jörg


[1] https://mentors.debian.net/debian/pool/main/libo/libonig/libonig_5.9.1-1+deb7u1.dsc


-- 
New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB  30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key        : 8CA1D25D
CAcert Key S/N : 0E:D4:56

Old pgp Key: BE581B6E (revoked since 2014-12-31).

Jörg Frings-Fürst
D-54470 Lieser

Threema: SYR8SJXB
Wire: @joergfringsfuerst

IRC: j_f-f@freenode.net
     j_f-f@oftc.net

My wish list: 
 - Please send me a picture from the nature at your home.

diff -Nru libonig-5.9.1/debian/changelog libonig-5.9.1/debian/changelog
--- libonig-5.9.1/debian/changelog	2008-01-07 11:46:27.000000000 +0100
+++ libonig-5.9.1/debian/changelog	2017-05-25 22:01:47.000000000 +0200
@@ -1,3 +1,17 @@
+libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high
+
+  * New debian/patches/0500-CVE-2017-922[4-9].patch:
+    - Cherrypicked from upstream to correct:
+      + CVE-2017-9224 (Closes: #863312)
+      + CVE-2017-9226 (Closes: #863314)
+      + CVE-2017-9227 (Closes: #863315)
+      + CVE-2017-9228 (Closes: #863316)
+      + CVE-2017-9229 (Closes: #863318)
+  * debian/control:
+    - Add myself as maintainer.
+
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Thu, 25 May 2017 22:01:47 +0200
+
 libonig (5.9.1-1) unstable; urgency=low
 
   [ Max Kellermann ]
diff -Nru libonig-5.9.1/debian/control libonig-5.9.1/debian/control
--- libonig-5.9.1/debian/control	2008-01-07 11:46:27.000000000 +0100
+++ libonig-5.9.1/debian/control	2017-05-25 22:00:56.000000000 +0200
@@ -1,8 +1,7 @@
 Source: libonig
 Section: libs
 Priority: extra
-Maintainer: Max Kellermann <max@duempel.org>
-Uploaders: Alexander Wirt <formorer@debian.org>
+Maintainer: Jörg Frings-Fürst <debian@jff-webhosting.net>
 Homepage: http://www.geocities.jp/kosako3/oniguruma/
 Build-Depends: debhelper (>= 5), autotools-dev
 Standards-Version: 3.7.3
diff -Nru libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch
--- libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch	1970-01-01 01:00:00.000000000 +0100
+++ libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch	2017-05-25 21:29:11.000000000 +0200
@@ -0,0 +1,121 @@
+Correct CVE-2017-922[4-9]
+ Fix mutilple invalid pointer dereference, out-of-bounds write memory 
+ corruption and stack buffer overflow,
+Origin: Cheerypicked from upstream
+Bug: https://github.com/kkos/oniguruma/issues/[55|56|57|58|59|60]
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=86331[2|3|4|5|6|8]
+Forwarded: not-needed
+Last-Update: 2017-05-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: libonig-5.9.1/regexec.c
+===================================================================
+--- libonig-5.9.1.orig/regexec.c
++++ libonig-5.9.1/regexec.c
+@@ -1425,14 +1425,9 @@ match_at(regex_t* reg, const UChar* str,
+       break;
+ 
+     case OP_EXACT1:  MOP_IN(OP_EXACT1);
+-#if 0
+       DATA_ENSURE(1);
+       if (*p != *s) goto fail;
+       p++; s++;
+-#endif
+-      if (*p != *s++) goto fail;
+-      DATA_ENSURE(0);
+-      p++;
+       MOP_OUT;
+       break;
+ 
+@@ -3130,6 +3125,8 @@ forward_search_range(regex_t* reg, const
+     }
+     else {
+       UChar *q = p + reg->dmin;
++
++      if (q >= end) return 0; /* fail */
+       while (p < q) p += enclen(reg->enc, p);
+     }
+   }
+@@ -3209,18 +3206,25 @@ forward_search_range(regex_t* reg, const
+     }
+     else {
+       if (reg->dmax != ONIG_INFINITE_DISTANCE) {
+-	*low = p - reg->dmax;
+-	if (*low > s) {
+-	  *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
+-							      *low, (const UChar** )low_prev);
+-	  if (low_prev && IS_NULL(*low_prev))
+-	    *low_prev = onigenc_get_prev_char_head(reg->enc,
+-						   (pprev ? pprev : s), *low);
++        if (p - str < reg->dmax) {
++          *low = (UChar* )str;
++          if (low_prev)
++            *low_prev = onigenc_get_prev_char_head(reg->enc, str, *low);
+ 	}
+ 	else {
+-	  if (low_prev)
+-	    *low_prev = onigenc_get_prev_char_head(reg->enc,
+-					       (pprev ? pprev : str), *low);
++          *low = p - reg->dmax;
++          if (*low > s) {
++            *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
++                                                 *low, (const UChar** )low_prev);
++            if (low_prev && IS_NULL(*low_prev))
++              *low_prev = onigenc_get_prev_char_head(reg->enc,
++                                                     (pprev ? pprev : s), *low);
++          }
++          else {
++            if (low_prev)
++              *low_prev = onigenc_get_prev_char_head(reg->enc,
++                                                     (pprev ? pprev : str), *low);
++          }
+ 	}
+       }
+     }
+Index: libonig-5.9.1/regparse.c
+===================================================================
+--- libonig-5.9.1.orig/regparse.c
++++ libonig-5.9.1/regparse.c
+@@ -3056,7 +3056,7 @@ fetch_token_in_cc(OnigToken* tok, UChar*
+ 	PUNFETCH;
+ 	prev = p;
+ 	num = scan_unsigned_octal_number(&p, end, 3, enc);
+-	if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+ 	if (p == prev) {  /* can't read nothing. */
+ 	  num = 0; /* but, it's not error */
+ 	}
+@@ -3428,7 +3428,7 @@ fetch_token(OnigToken* tok, UChar** src,
+       if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
+ 	prev = p;
+ 	num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
+-	if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+ 	if (p == prev) {  /* can't read nothing. */
+ 	  num = 0; /* but, it's not error */
+ 	}
+@@ -4062,7 +4062,9 @@ next_state_class(CClassNode* cc, OnigCod
+     }
+   }
+ 
+-  *state = CCS_VALUE;
++  if (*state != CCS_START)
++    *state = CCS_VALUE;
++
+   *type  = CCV_CLASS;
+   return 0;
+ }
+@@ -4077,8 +4079,12 @@ next_state_val(CClassNode* cc, OnigCodeP
+ 
+   switch (*state) {
+   case CCS_VALUE:
+-    if (*type == CCV_SB)
++    if (*type == CCV_SB) {
++      if (*vs > 0xff)
++          return ONIGERR_INVALID_CODE_POINT_VALUE;
++
+       BITSET_SET_BIT(cc->bs, (int )(*vs));
++    }
+     else if (*type == CCV_CODE_POINT) {
+       r = add_code_range(&(cc->mbuf), env, *vs, *vs);
+       if (r < 0) return r;
diff -Nru libonig-5.9.1/debian/patches/series libonig-5.9.1/debian/patches/series
--- libonig-5.9.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libonig-5.9.1/debian/patches/series	2017-05-25 19:05:38.000000000 +0200
@@ -0,0 +1 @@
+0500-CVE-2017-922[4-9].patch
diff -Nru libonig-5.9.1/.pc/.quilt_patches libonig-5.9.1/.pc/.quilt_patches
--- libonig-5.9.1/.pc/.quilt_patches	1970-01-01 01:00:00.000000000 +0100
+++ libonig-5.9.1/.pc/.quilt_patches	2017-05-25 17:52:22.000000000 +0200
@@ -0,0 +1 @@
+debian/patches
diff -Nru libonig-5.9.1/.pc/.quilt_series libonig-5.9.1/.pc/.quilt_series
--- libonig-5.9.1/.pc/.quilt_series	1970-01-01 01:00:00.000000000 +0100
+++ libonig-5.9.1/.pc/.quilt_series	2017-05-25 17:52:22.000000000 +0200
@@ -0,0 +1 @@
+series
diff -Nru libonig-5.9.1/.pc/.version libonig-5.9.1/.pc/.version
--- libonig-5.9.1/.pc/.version	1970-01-01 01:00:00.000000000 +0100
+++ libonig-5.9.1/.pc/.version	2017-05-25 17:52:22.000000000 +0200
@@ -0,0 +1 @@
+2

Attachment: signature.asc
Description: This is a digitally signed message part