
Re: libonig/5.9.1-1+deb7u1 (CVE-2017-922[4-9])



Hi Vincent,


First, thanks for your review.

On Thursday, 25.05.2017, 22:50 -0700, Vincent Cheng wrote:
> Hi Jörg,
> 
> On Thu, May 25, 2017 at 1:23 PM, Jörg Frings-Fürst
> <debian@jff-webhosting.net> wrote:
> > Hello Vincent,
> > 
> > I have a bugfix release ready for a review.
> > 
> > My changes:
> > 
> > libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high
> > 
> >   * New debian/patches/0500-CVE-2017-922[4-9].patch:
> >     - Cherrypicked from upstream to correct:
> >       + CVE-2017-9224 (Closes: #863312)
> >       + CVE-2017-9226 (Closes: #863314)
> >       + CVE-2017-9227 (Closes: #863315)
> >       + CVE-2017-9228 (Closes: #863316)
> >       + CVE-2017-9229 (Closes: #863318)
> >   * debian/control:
> >     - Add myself as maintainer.
> > 
> > Builds with pdebuild are ok. The test with the newest lintian has a lot
> > of warnings.
> > 
> > The package is uploaded to mentors[1].  The debdiff is attached.
> > 
> > Please can you review it?
> 
> In your upload to mentors.d.n, why has the source tarball been changed
> and versioned as if libonig was a native package (it's not)? Also, if
> I'm not mistaken, it doesn't look like your CVE patch is actually
> applied when I attempt to build your package.
> 

Sorry, my mistake. I didn't see that there was no d/source/format.

I added it, built and tested the package. The patch is now applied.

The package is uploaded again[1].


> Have you updated dla-needed.txt, obtained a DLA id and prepared an
> announcement for debian-lts-announce, as described in [1]?
> 
No, I don't have the rights to do it. But yesterday I asked Raphael Hertzog
and the LTS team to do it.


> Regards,
> Vincent
> 

CU
Jörg


[1] https://mentors.debian.net/debian/pool/main/libo/libonig/libonig_5.9.1-1+deb7u1.dsc
-- 
New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB  30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key        : 8CA1D25D
CAcert Key S/N : 0E:D4:56

Old pgp Key: BE581B6E (revoked since 2014-12-31).

Jörg Frings-Fürst
D-54470 Lieser

Threema: SYR8SJXB
Wire: @joergfringsfuerst

IRC: j_f-f@freenode.net
     j_f-f@oftc.net

My wish list: 
 - Please send me a picture from the nature at your home.
diff -Nru libonig-5.9.1/debian/changelog libonig-5.9.1/debian/changelog
--- libonig-5.9.1/debian/changelog	2008-01-07 11:46:27.000000000 +0100
+++ libonig-5.9.1/debian/changelog	2017-05-26 08:27:02.000000000 +0200
@@ -1,3 +1,18 @@
+libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high
+
+  * New debian/patches/0500-CVE-2017-922[4-9].patch:
+    - Cherrypicked from upstream to correct:
+      + CVE-2017-9224 (Closes: #863312)
+      + CVE-2017-9226 (Closes: #863314)
+      + CVE-2017-9227 (Closes: #863315)
+      + CVE-2017-9228 (Closes: #863316)
+      + CVE-2017-9229 (Closes: #863318)
+  * debian/control:
+    - Add myself as maintainer.
+  * Add missing debian/source/format.
+
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Fri, 26 May 2017 08:27:02 +0200
+
 libonig (5.9.1-1) unstable; urgency=low
 
   [ Max Kellermann ]
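Review bot: "Cherrypicked" in the patch bullet should read "Cherry-picked", and since this entry is what the DLA text will be built from, it should name the upstream commit(s) the patch was taken from rather than only "from upstream"; the patch header further down also gives no commit reference, so right now nothing in the debdiff lets a reviewer compare the hunks against upstream.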
diff -Nru libonig-5.9.1/debian/control libonig-5.9.1/debian/control
--- libonig-5.9.1/debian/control	2008-01-07 11:46:27.000000000 +0100
+++ libonig-5.9.1/debian/control	2017-05-25 22:00:56.000000000 +0200
@@ -1,8 +1,7 @@
 Source: libonig
 Section: libs
 Priority: extra
-Maintainer: Max Kellermann <max@duempel.org>
-Uploaders: Alexander Wirt <formorer@debian.org>
+Maintainer: Jörg Frings-Fürst <debian@jff-webhosting.net>
 Homepage: http://www.geocities.jp/kosako3/oniguruma/
 Build-Depends: debhelper (>= 5), autotools-dev
 Standards-Version: 3.7.3
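Review bot: Replacing the Maintainer and dropping the Uploaders line is a package-ownership change, not part of the security fix; in a wheezy-security upload it is normally left out so the debdiff stays minimal, and the adoption is recorded in the unstable upload instead. If the LTS team is happy to carry it here, fine, but it is worth confirming before upload. Leaving Standards-Version at 3.7.3 is correct for a stable update.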
diff -Nru libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch
--- libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch	1970-01-01 01:00:00.000000000 +0100
+++ libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch	2017-05-25 21:29:11.000000000 +0200
@@ -0,0 +1,121 @@
+Correct CVE-2017-922[4-9]
+ Fix mutilple invalid pointer dereference, out-of-bounds write memory 
+ corruption and stack buffer overflow,
+Origin: Cheerypicked from upstream
+Bug: https://github.com/kkos/oniguruma/issues/[55|56|57|58|59|60]
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=86331[2|3|4|5|6|8]
+Forwarded: not-needed
+Last-Update: 2017-05-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: libonig-5.9.1/regexec.c
+===================================================================
+--- libonig-5.9.1.orig/regexec.c
++++ libonig-5.9.1/regexec.c
+@@ -1425,14 +1425,9 @@ match_at(regex_t* reg, const UChar* str,
+       break;
+ 
+     case OP_EXACT1:  MOP_IN(OP_EXACT1);
+-#if 0
+       DATA_ENSURE(1);
+       if (*p != *s) goto fail;
+       p++; s++;
+-#endif
+-      if (*p != *s++) goto fail;
+-      DATA_ENSURE(0);
+-      p++;
+       MOP_OUT;
+       break;
+ 
+@@ -3130,6 +3125,8 @@ forward_search_range(regex_t* reg, const
+     }
+     else {
+       UChar *q = p + reg->dmin;
++
++      if (q >= end) return 0; /* fail */
+       while (p < q) p += enclen(reg->enc, p);
+     }
+   }
+@@ -3209,18 +3206,25 @@ forward_search_range(regex_t* reg, const
+     }
+     else {
+       if (reg->dmax != ONIG_INFINITE_DISTANCE) {
+-	*low = p - reg->dmax;
+-	if (*low > s) {
+-	  *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
+-							      *low, (const UChar** )low_prev);
+-	  if (low_prev && IS_NULL(*low_prev))
+-	    *low_prev = onigenc_get_prev_char_head(reg->enc,
+-						   (pprev ? pprev : s), *low);
++        if (p - str < reg->dmax) {
++          *low = (UChar* )str;
++          if (low_prev)
++            *low_prev = onigenc_get_prev_char_head(reg->enc, str, *low);
+ 	}
+ 	else {
+-	  if (low_prev)
+-	    *low_prev = onigenc_get_prev_char_head(reg->enc,
+-					       (pprev ? pprev : str), *low);
++          *low = p - reg->dmax;
++          if (*low > s) {
++            *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
++                                                 *low, (const UChar** )low_prev);
++            if (low_prev && IS_NULL(*low_prev))
++              *low_prev = onigenc_get_prev_char_head(reg->enc,
++                                                     (pprev ? pprev : s), *low);
++          }
++          else {
++            if (low_prev)
++              *low_prev = onigenc_get_prev_char_head(reg->enc,
++                                                     (pprev ? pprev : str), *low);
++          }
+ 	}
+       }
+     }
+Index: libonig-5.9.1/regparse.c
+===================================================================
+--- libonig-5.9.1.orig/regparse.c
++++ libonig-5.9.1/regparse.c
+@@ -3056,7 +3056,7 @@ fetch_token_in_cc(OnigToken* tok, UChar*
+ 	PUNFETCH;
+ 	prev = p;
+ 	num = scan_unsigned_octal_number(&p, end, 3, enc);
+-	if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+ 	if (p == prev) {  /* can't read nothing. */
+ 	  num = 0; /* but, it's not error */
+ 	}
+@@ -3428,7 +3428,7 @@ fetch_token(OnigToken* tok, UChar** src,
+       if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
+ 	prev = p;
+ 	num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
+-	if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+ 	if (p == prev) {  /* can't read nothing. */
+ 	  num = 0; /* but, it's not error */
+ 	}
+@@ -4062,7 +4062,9 @@ next_state_class(CClassNode* cc, OnigCod
+     }
+   }
+ 
+-  *state = CCS_VALUE;
++  if (*state != CCS_START)
++    *state = CCS_VALUE;
++
+   *type  = CCV_CLASS;
+   return 0;
+ }
+@@ -4077,8 +4079,12 @@ next_state_val(CClassNode* cc, OnigCodeP
+ 
+   switch (*state) {
+   case CCS_VALUE:
+-    if (*type == CCV_SB)
++    if (*type == CCV_SB) {
++      if (*vs > 0xff)
++          return ONIGERR_INVALID_CODE_POINT_VALUE;
++
+       BITSET_SET_BIT(cc->bs, (int )(*vs));
++    }
+     else if (*type == CCV_CODE_POINT) {
+       r = add_code_range(&(cc->mbuf), env, *vs, *vs);
+       if (r < 0) return r;
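Review bot: The DEP-3 header's Bug and Bug-Debian fields use bracket patterns (`issues/[55|56|57|58|59|60]`, `bug=86331[2|3|4|5|6|8]`) that are not resolvable URLs; DEP-3 allows these fields to be repeated, so give one URL per issue. Doing so also exposes a mismatch: the header lists six upstream issues and six Debian bugs, while the changelog closes five CVEs and never mentions #863313, and the filename `CVE-2017-922[4-9]` implies CVE-2017-9225 is covered, which the changelog does not claim; state explicitly which CVEs this patch fixes and drop the rest from the header and filename. Also fix "mutilple" and "Cheerypicked" in the description and use the DEP-3 form `Origin: upstream, <commit URL>`, which lets a reviewer diff these hunks (several new lines, e.g. the `num >= 256` checks and the `reg->dmax` block, use spaces where the surrounding code uses tabs, suggesting they were re-typed rather than exported) against the upstream commits.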
diff -Nru libonig-5.9.1/debian/patches/series libonig-5.9.1/debian/patches/series
--- libonig-5.9.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libonig-5.9.1/debian/patches/series	2017-05-25 19:05:38.000000000 +0200
@@ -0,0 +1 @@
+0500-CVE-2017-922[4-9].patch
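Review bot: The patch filename contains `[` and `]`, which every shell treats as a glob; quilt and dpkg-source read the series file literally, so it works, but anyone who types `quilt push`, `cat debian/patches/0500-CVE-2017-922[4-9].patch` or a `git add` on it without quoting gets a no-match or a different file. A plain name such as `0500-CVE-2017-9224-9229.patch` (or one file per CVE) avoids that and makes the covered range unambiguous.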
diff -Nru libonig-5.9.1/debian/source/format libonig-5.9.1/debian/source/format
--- libonig-5.9.1/debian/source/format	1970-01-01 01:00:00.000000000 +0100
+++ libonig-5.9.1/debian/source/format	2013-03-15 21:01:11.000000000 +0100
@@ -0,0 +1 @@
+3.0 (quilt)
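Review bot: This is the fix for the missing source format that Vincent flagged; with `3.0 (quilt)` present, dpkg-source applies debian/patches/series at unpack time and the .dsc lists a .orig.tar plus a .debian.tar instead of one native tarball. Confirm both in the re-uploaded package: check the build log (or `dpkg-source -x` on the new .dsc) for the patch being applied, and check the .dsc Files section. The 2013 mtime on a file added in this upload is odd but harmless.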
