
Bug#863538: marked as done (unblock: libonig/6.1.3-2)



Your message dated Sun, 28 May 2017 10:53:02 +0000
with message-id <E1dEvok-0001sc-AI@respighi.debian.org>
and subject line unblock libonig
has caused the Debian Bug report #863538,
regarding unblock: libonig/6.1.3-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863538: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863538
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package libonig

The release 6.1.3-2 fixes the following CVEs:

 CVE-2017-9224
 CVE-2017-9225
 CVE-2017-9226
 CVE-2017-9227
 CVE-2017-9228
 CVE-2017-9229

The debdiff is attached.

Many thanks.

CU
Jörg


unblock libonig/6.1.3-2

- -- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)




-----BEGIN PGP SIGNATURE-----
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=qAlo
-----END PGP SIGNATURE-----
diff -Nru libonig-6.1.3/debian/changelog libonig-6.1.3/debian/changelog
--- libonig-6.1.3/debian/changelog	2016-12-15 09:23:30.000000000 +0100
+++ libonig-6.1.3/debian/changelog	2017-05-27 12:05:50.000000000 +0200
@@ -1,3 +1,16 @@
+libonig (6.1.3-2) unstable; urgency=high
+
+  * New debian/patches/0500-CVE-2017-922[4-9].patch:
+    - Cherrypicked from upstream to correct:
+      + CVE-2017-9224 (Closes: #863312)
+      + CVE-2017-9225 (Closes: #863313)
+      + CVE-2017-9226 (Closes: #863314)
+      + CVE-2017-9227 (Closes: #863315)
+      + CVE-2017-9228 (Closes: #863316)
+      + CVE-2017-9229 (Closes: #863318)
+
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Sat, 27 May 2017 12:05:50 +0200
+
 libonig (6.1.3-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru libonig-6.1.3/debian/patches/0500-CVE-2017-922[4-9].patch libonig-6.1.3/debian/patches/0500-CVE-2017-922[4-9].patch
--- libonig-6.1.3/debian/patches/0500-CVE-2017-922[4-9].patch	1970-01-01 01:00:00.000000000 +0100
+++ libonig-6.1.3/debian/patches/0500-CVE-2017-922[4-9].patch	2017-05-27 12:00:03.000000000 +0200
@@ -0,0 +1,144 @@
+Correct CVE-2017-922[4-9]
+ Fix mutilple invalid pointer dereference, out-of-bounds write memory 
+ corruption and stack buffer overflow,
+Origin: Cheerypicked from upstream
+Bug: https://github.com/kkos/oniguruma/issues/[55|56|57|58|59|60]
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=86331[2|3|4|5|6|8]
+Forwarded: not-needed
+Last-Update: 2017-05-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: 6.1.3-1+deb9u1/src/regexec.c
+===================================================================
+--- 6.1.3-1+deb9u1.orig/src/regexec.c
++++ 6.1.3-1+deb9u1/src/regexec.c
+@@ -1463,14 +1463,9 @@ match_at(regex_t* reg, const UChar* str,
+       break;
+ 
+     case OP_EXACT1:  MOP_IN(OP_EXACT1);
+-#if 0
+       DATA_ENSURE(1);
+       if (*p != *s) goto fail;
+       p++; s++;
+-#endif
+-      if (*p != *s++) goto fail;
+-      DATA_ENSURE(0);
+-      p++;
+       MOP_OUT;
+       break;
+ 
+@@ -3149,6 +3144,8 @@ forward_search_range(regex_t* reg, const
+     }
+     else {
+       UChar *q = p + reg->dmin;
++
++      if (q >= end) return 0; /* fail */
+       while (p < q) p += enclen(reg->enc, p);
+     }
+   }
+@@ -3228,18 +3225,25 @@ forward_search_range(regex_t* reg, const
+     }
+     else {
+       if (reg->dmax != ONIG_INFINITE_DISTANCE) {
+-        *low = p - reg->dmax;
+-        if (*low > s) {
+-          *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
+-                                          *low, (const UChar** )low_prev);
+-          if (low_prev && IS_NULL(*low_prev))
+-            *low_prev = onigenc_get_prev_char_head(reg->enc,
+-                                                   (pprev ? pprev : s), *low);
+-        }
+-        else {
++        if (p - str < reg->dmax) {
++          *low = (UChar* )str;
+           if (low_prev)
+-            *low_prev = onigenc_get_prev_char_head(reg->enc,
+-                                                   (pprev ? pprev : str), *low);
++            *low_prev = onigenc_get_prev_char_head(reg->enc, str, *low);
++ 	}
++ 	else {
++          *low = p - reg->dmax;
++          if (*low > s) {
++            *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
++                                                 *low, (const UChar** )low_prev);
++            if (low_prev && IS_NULL(*low_prev))
++              *low_prev = onigenc_get_prev_char_head(reg->enc,
++                                                     (pprev ? pprev : s), *low);
++          }
++          else {
++            if (low_prev)
++              *low_prev = onigenc_get_prev_char_head(reg->enc,
++                                                     (pprev ? pprev : str), *low);
++          }
+         }
+       }
+     }
+Index: 6.1.3-1+deb9u1/src/regparse.c
+===================================================================
+--- 6.1.3-1+deb9u1.orig/src/regparse.c
++++ 6.1.3-1+deb9u1/src/regparse.c
+@@ -2986,7 +2986,7 @@ fetch_token_in_cc(OnigToken* tok, UChar*
+         PUNFETCH;
+         prev = p;
+         num = scan_unsigned_octal_number(&p, end, 3, enc);
+-        if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+         if (p == prev) {  /* can't read nothing. */
+           num = 0; /* but, it's not error */
+         }
+@@ -3358,7 +3358,7 @@ fetch_token(OnigToken* tok, UChar** src,
+       if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
+         prev = p;
+         num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
+-        if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+         if (p == prev) {  /* can't read nothing. */
+           num = 0; /* but, it's not error */
+         }
+@@ -3994,7 +3994,9 @@ next_state_class(CClassNode* cc, OnigCod
+     }
+   }
+ 
+-  *state = CCS_VALUE;
++  if (*state != CCS_START)
++    *state = CCS_VALUE;
++
+   *type  = CCV_CLASS;
+   return 0;
+ }
+@@ -4010,6 +4012,9 @@ next_state_val(CClassNode* cc, OnigCodeP
+   switch (*state) {
+   case CCS_VALUE:
+     if (*type == CCV_SB) {
++      if (*vs > 0xff)
++          return ONIGERR_INVALID_CODE_POINT_VALUE;
++
+       BITSET_SET_BIT(cc->bs, (int )(*vs));
+     }
+     else if (*type == CCV_CODE_POINT) {
+Index: 6.1.3-1+deb9u1/src/gperf_unfold_key_conv.py
+===================================================================
+--- 6.1.3-1+deb9u1.orig/src/gperf_unfold_key_conv.py
++++ 6.1.3-1+deb9u1/src/gperf_unfold_key_conv.py
+@@ -36,7 +36,7 @@ def parse_line(s):
+     if r != s: return r
+     r = re.sub(REG_GET_CODE, 'OnigCodePoint gcode = wordlist[key].code;', s)
+     if r != s: return r
+-    r = re.sub(REG_CODE_CHECK, 'if (code == gcode)', s)
++    r = re.sub(REG_CODE_CHECK, 'if (code == gcode && wordlist[key].index >= 0)', s)
+     if r != s: return r
+ 
+     return s
+Index: 6.1.3-1+deb9u1/src/unicode_unfold_key.c
+===================================================================
+--- 6.1.3-1+deb9u1.orig/src/unicode_unfold_key.c
++++ 6.1.3-1+deb9u1/src/unicode_unfold_key.c
+@@ -2844,7 +2844,7 @@ unicode_unfold_key(OnigCodePoint code)
+         {
+           OnigCodePoint gcode = wordlist[key].code;
+ 
+-          if (code == gcode)
++          if (code == gcode && wordlist[key].index >= 0)
+             return &wordlist[key];
+         }
+     }
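Review bot: In the second regexec.c hunk of the embedded patch (forward_search_range), the new bound `if (q >= end) return 0; /* fail */` runs only after `UChar *q = p + reg->dmin;` has already formed the pointer. When dmin exceeds the remaining input, that pointer lies beyond the buffer, which is undefined behaviour in C, and if the addition wraps the comparison can still pass. Comparing lengths avoids forming the pointer at all: `UChar *q;`, then `if (end - p <= reg->dmin) return 0; /* fail */`, then `q = p + reg->dmin;`. This assumes p never exceeds end here and that dmin is an unsigned distance, neither of which is visible in the hunk. The next hunk already works this way, testing `p - str < reg->dmax` before computing `p - reg->dmax`; forward_search_range itself starts and ends outside both hunks.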
diff -Nru libonig-6.1.3/debian/patches/series libonig-6.1.3/debian/patches/series
--- libonig-6.1.3/debian/patches/series	2016-11-09 22:30:52.000000000 +0100
+++ libonig-6.1.3/debian/patches/series	2017-05-27 11:15:28.000000000 +0200
@@ -1,2 +1,3 @@
 #001-changes_build_sys.diff
 0100-source_typos.patch
+0500-CVE-2017-922[4-9].patch

--- End Message ---
--- Begin Message ---
Unblocked libonig.

--- End Message ---
