Bug#863562: jessie-pu: package libonig/5.9.5-3.2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I have release 5.9.5-3.2+deb8u1 ready, with fixes for the following CVEs:
CVE-2017-9224
CVE-2017-9226
CVE-2017-9227
CVE-2017-9228
CVE-2017-9229
The debdiff is attached.
- -- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (900, 'testing'), (800, 'unstable'), (1, 'experimental')
Architecture: amd64
(x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-3-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
-----BEGIN PGP SIGNATURE-----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=aAPj
-----END PGP SIGNATURE-----
diff -Nru libonig-5.9.5/debian/changelog libonig-5.9.5/debian/changelog
--- libonig-5.9.5/debian/changelog 2014-12-28 12:11:12.000000000 +0100
+++ libonig-5.9.5/debian/changelog 2017-05-28 16:59:55.000000000 +0200
@@ -1,3 +1,15 @@
+libonig (5.9.5-3.2+deb8u1) stable; urgency=medium
+
+ * New debian/patches/0500-CVE-2017-922[4-9].patch:
+ - Cherrypicked from upstream to correct:
+ + CVE-2017-9224 (Closes: #863312)
+ + CVE-2017-9226 (Closes: #863314)
+ + CVE-2017-9227 (Closes: #863315)
+ + CVE-2017-9228 (Closes: #863316)
+ + CVE-2017-9229 (Closes: #863318)
+
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net> Sun, 28 May 2017 16:59:55 +0200
+
libonig (5.9.5-3.2) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch
--- libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch 1970-01-01 01:00:00.000000000 +0100
+++ libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch 2017-05-26 07:07:41.000000000 +0200
@@ -0,0 +1,121 @@
+Correct CVE-2017-922[4-9]
+ Fix mutilple invalid pointer dereference, out-of-bounds write memory
+ corruption and stack buffer overflow,
+Origin: Cheerypicked from upstream
+Bug: https://github.com/kkos/oniguruma/issues/[55|56|57|58|59|60]
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=86331[2|3|4|5|6|8]
+Forwarded: not-needed
+Last-Update: 2017-05-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: 5.9.5-3.2-deb8u1/regexec.c
+===================================================================
+--- 5.9.5-3.2-deb8u1.orig/regexec.c
++++ 5.9.5-3.2-deb8u1/regexec.c
+@@ -1425,14 +1425,9 @@ match_at(regex_t* reg, const UChar* str,
+ break;
+
+ case OP_EXACT1: MOP_IN(OP_EXACT1);
+-#if 0
+ DATA_ENSURE(1);
+ if (*p != *s) goto fail;
+ p++; s++;
+-#endif
+- if (*p != *s++) goto fail;
+- DATA_ENSURE(0);
+- p++;
+ MOP_OUT;
+ break;
+
+@@ -3128,6 +3123,8 @@ forward_search_range(regex_t* reg, const
+ }
+ else {
+ UChar *q = p + reg->dmin;
++
++ if (q >= end) return 0; /* fail */
+ while (p < q) p += enclen(reg->enc, p);
+ }
+ }
+@@ -3207,18 +3204,25 @@ forward_search_range(regex_t* reg, const
+ }
+ else {
+ if (reg->dmax != ONIG_INFINITE_DISTANCE) {
+- *low = p - reg->dmax;
+- if (*low > s) {
+- *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
+- *low, (const UChar** )low_prev);
+- if (low_prev && IS_NULL(*low_prev))
+- *low_prev = onigenc_get_prev_char_head(reg->enc,
+- (pprev ? pprev : s), *low);
++ if (p - str < reg->dmax) {
++ *low = (UChar* )str;
++ if (low_prev)
++ *low_prev = onigenc_get_prev_char_head(reg->enc, str, *low);
+ }
+ else {
+- if (low_prev)
+- *low_prev = onigenc_get_prev_char_head(reg->enc,
+- (pprev ? pprev : str), *low);
++ *low = p - reg->dmax;
++ if (*low > s) {
++ *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
++ *low, (const UChar** )low_prev);
++ if (low_prev && IS_NULL(*low_prev))
++ *low_prev = onigenc_get_prev_char_head(reg->enc,
++ (pprev ? pprev : s), *low);
++ }
++ else {
++ if (low_prev)
++ *low_prev = onigenc_get_prev_char_head(reg->enc,
++ (pprev ? pprev : str), *low);
++ }
+ }
+ }
+ }
+Index: 5.9.5-3.2-deb8u1/regparse.c
+===================================================================
+--- 5.9.5-3.2-deb8u1.orig/regparse.c
++++ 5.9.5-3.2-deb8u1/regparse.c
+@@ -3064,7 +3064,7 @@ fetch_token_in_cc(OnigToken* tok, UChar*
+ PUNFETCH;
+ prev = p;
+ num = scan_unsigned_octal_number(&p, end, 3, enc);
+- if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++ if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+ if (p == prev) { /* can't read nothing. */
+ num = 0; /* but, it's not error */
+ }
+@@ -3436,7 +3436,7 @@ fetch_token(OnigToken* tok, UChar** src,
+ if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
+ prev = p;
+ num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
+- if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++ if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+ if (p == prev) { /* can't read nothing. */
+ num = 0; /* but, it's not error */
+ }
+@@ -4068,7 +4068,9 @@ next_state_class(CClassNode* cc, OnigCod
+ }
+ }
+
+- *state = CCS_VALUE;
++ if (*state != CCS_START)
++ *state = CCS_VALUE;
++
+ *type = CCV_CLASS;
+ return 0;
+ }
+@@ -4083,8 +4085,12 @@ next_state_val(CClassNode* cc, OnigCodeP
+
+ switch (*state) {
+ case CCS_VALUE:
+- if (*type == CCV_SB)
++ if (*type == CCV_SB) {
++ if (*vs > 0xff)
++ return ONIGERR_INVALID_CODE_POINT_VALUE;
++
+ BITSET_SET_BIT(cc->bs, (int )(*vs));
++ }
+ else if (*type == CCV_CODE_POINT) {
+ r = add_code_range(&(cc->mbuf), env, *vs, *vs);
+ if (r < 0) return r;
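Review bot: In the first forward_search_range hunk (`@@ -3128,6 +3123,8 @@`) the added guard `if (q >= end) return 0; /* fail */` runs only after `q = p + reg->dmin` has been computed, so in exactly the case the guard is meant to catch, a pointer past the end of the subject buffer has already been formed, which C leaves undefined and which may wrap on a small address space. A length comparison evaluated before `q` is derived avoids that, for example `if (end - p <= reg->dmin) return 0; /* fail */`. The branch before this `else` lies outside the hunk; if it also advances `p` by `reg->dmin`, hoisting the check above the `if` would cover both paths. Separately, the patch header's `CVE-2017-922[4-9]` range and its six-entry `Bug:` and `Bug-Debian:` lists cover one more issue than the five CVEs named in debian/changelog, so the header should enumerate exactly the CVEs fixed and name the upstream commit for each fix in `Origin:`, so the cherry-pick can be audited.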
diff -Nru libonig-5.9.5/debian/patches/series libonig-5.9.5/debian/patches/series
--- libonig-5.9.5/debian/patches/series 2014-12-28 12:11:12.000000000 +0100
+++ libonig-5.9.5/debian/patches/series 2017-05-26 07:02:15.000000000 +0200
@@ -1 +1,2 @@
-001-changes_build_sys.diff
\ Kein Zeilenumbruch am Dateiende.
+001-changes_build_sys.diff
+0500-CVE-2017-922[4-9].patch