
Bug#863562: marked as done (jessie-pu: package libonig/5.9.5-3.2)



Your message dated Sat, 22 Jul 2017 13:18:56 +0100
with message-id <1500725936.14212.4.camel@adam-barratt.org.uk>
and subject line Closing bugs for 8.9 fixes
has caused the Debian Bug report #863562,
regarding jessie-pu: package libonig/5.9.5-3.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863562
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I have the release 5.9.5-3.2+deb8u1 with fixes for the CVE's:

 CVE-2017-9224
 CVE-2017-9226
 CVE-2017-9227
 CVE-2017-9228
 CVE-2017-9229

ready, The debdiff is attached.


- -- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)




-----BEGIN PGP SIGNATURE-----
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=aAPj
-----END PGP SIGNATURE-----
diff -Nru libonig-5.9.5/debian/changelog libonig-5.9.5/debian/changelog
--- libonig-5.9.5/debian/changelog	2014-12-28 12:11:12.000000000 +0100
+++ libonig-5.9.5/debian/changelog	2017-05-28 16:59:55.000000000 +0200
@@ -1,3 +1,15 @@
+libonig (5.9.5-3.2+deb8u1) stable; urgency=medium
+
+  * New debian/patches/0500-CVE-2017-922[4-9].patch:
+    - Cherrypicked from upstream to correct:
+      + CVE-2017-9224 (Closes: #863312)
+      + CVE-2017-9226 (Closes: #863314)
+      + CVE-2017-9227 (Closes: #863315)
+      + CVE-2017-9228 (Closes: #863316)
+      + CVE-2017-9229 (Closes: #863318)
+
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Sun, 28 May 2017 16:59:55 +0200
+
 libonig (5.9.5-3.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch
--- libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch	1970-01-01 01:00:00.000000000 +0100
+++ libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch	2017-05-26 07:07:41.000000000 +0200
@@ -0,0 +1,121 @@
+Correct CVE-2017-922[4-9]
+ Fix mutilple invalid pointer dereference, out-of-bounds write memory 
+ corruption and stack buffer overflow,
+Origin: Cheerypicked from upstream
+Bug: https://github.com/kkos/oniguruma/issues/[55|56|57|58|59|60]
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=86331[2|3|4|5|6|8]
+Forwarded: not-needed
+Last-Update: 2017-05-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: 5.9.5-3.2-deb8u1/regexec.c
+===================================================================
+--- 5.9.5-3.2-deb8u1.orig/regexec.c
++++ 5.9.5-3.2-deb8u1/regexec.c
+@@ -1425,14 +1425,9 @@ match_at(regex_t* reg, const UChar* str,
+       break;
+ 
+     case OP_EXACT1:  MOP_IN(OP_EXACT1);
+-#if 0
+       DATA_ENSURE(1);
+       if (*p != *s) goto fail;
+       p++; s++;
+-#endif
+-      if (*p != *s++) goto fail;
+-      DATA_ENSURE(0);
+-      p++;
+       MOP_OUT;
+       break;
+ 
+@@ -3128,6 +3123,8 @@ forward_search_range(regex_t* reg, const
+     }
+     else {
+       UChar *q = p + reg->dmin;
++
++      if (q >= end) return 0; /* fail */
+       while (p < q) p += enclen(reg->enc, p);
+     }
+   }
+@@ -3207,18 +3204,25 @@ forward_search_range(regex_t* reg, const
+     }
+     else {
+       if (reg->dmax != ONIG_INFINITE_DISTANCE) {
+-	*low = p - reg->dmax;
+-	if (*low > s) {
+-	  *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
+-							      *low, (const UChar** )low_prev);
+-	  if (low_prev && IS_NULL(*low_prev))
+-	    *low_prev = onigenc_get_prev_char_head(reg->enc,
+-						   (pprev ? pprev : s), *low);
++        if (p - str < reg->dmax) {
++          *low = (UChar* )str;
++          if (low_prev)
++            *low_prev = onigenc_get_prev_char_head(reg->enc, str, *low);
+ 	}
+ 	else {
+-	  if (low_prev)
+-	    *low_prev = onigenc_get_prev_char_head(reg->enc,
+-					       (pprev ? pprev : str), *low);
++          *low = p - reg->dmax;
++          if (*low > s) {
++            *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
++                                                 *low, (const UChar** )low_prev);
++            if (low_prev && IS_NULL(*low_prev))
++              *low_prev = onigenc_get_prev_char_head(reg->enc,
++                                                     (pprev ? pprev : s), *low);
++          }
++          else {
++            if (low_prev)
++              *low_prev = onigenc_get_prev_char_head(reg->enc,
++                                                     (pprev ? pprev : str), *low);
++          }
+ 	}
+       }
+     }
+Index: 5.9.5-3.2-deb8u1/regparse.c
+===================================================================
+--- 5.9.5-3.2-deb8u1.orig/regparse.c
++++ 5.9.5-3.2-deb8u1/regparse.c
+@@ -3064,7 +3064,7 @@ fetch_token_in_cc(OnigToken* tok, UChar*
+ 	PUNFETCH;
+ 	prev = p;
+ 	num = scan_unsigned_octal_number(&p, end, 3, enc);
+-	if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+ 	if (p == prev) {  /* can't read nothing. */
+ 	  num = 0; /* but, it's not error */
+ 	}
+@@ -3436,7 +3436,7 @@ fetch_token(OnigToken* tok, UChar** src,
+       if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
+ 	prev = p;
+ 	num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
+-	if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+ 	if (p == prev) {  /* can't read nothing. */
+ 	  num = 0; /* but, it's not error */
+ 	}
+@@ -4068,7 +4068,9 @@ next_state_class(CClassNode* cc, OnigCod
+     }
+   }
+ 
+-  *state = CCS_VALUE;
++  if (*state != CCS_START)
++    *state = CCS_VALUE;
++
+   *type  = CCV_CLASS;
+   return 0;
+ }
+@@ -4083,8 +4085,12 @@ next_state_val(CClassNode* cc, OnigCodeP
+ 
+   switch (*state) {
+   case CCS_VALUE:
+-    if (*type == CCV_SB)
++    if (*type == CCV_SB) {
++      if (*vs > 0xff)
++          return ONIGERR_INVALID_CODE_POINT_VALUE;
++
+       BITSET_SET_BIT(cc->bs, (int )(*vs));
++    }
+     else if (*type == CCV_CODE_POINT) {
+       r = add_code_range(&(cc->mbuf), env, *vs, *vs);
+       if (r < 0) return r;
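Review bot: In the second regexec.c hunk (forward_search_range), the added guard `if (q >= end) return 0; /* fail */` runs only after `q = p + reg->dmin` has already been formed, so an oversized `dmin` still creates an out-of-range pointer (undefined behaviour in C) and, on a 32-bit address space, could wrap so that the comparison passes. Comparing distances instead of pointers avoids this: declare `UChar *q;`, test `if ((size_t)(end - p) <= reg->dmin) return 0; /* fail */`, then assign `q = p + reg->dmin;`. This assumes `p <= end` at this point and that `dmin` is an unsigned distance, neither of which is visible in the hunk. The branch before this `else` lies outside the hunk, so it is worth confirming it is bounded the same way. Separately, the DEP-3 header's `CVE-2017-922[4-9]` glob also matches CVE-2017-9225, which the changelog entry does not list; spelling out the five ids in the header would avoid implying a fix that is not claimed.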
diff -Nru libonig-5.9.5/debian/patches/series libonig-5.9.5/debian/patches/series
--- libonig-5.9.5/debian/patches/series	2014-12-28 12:11:12.000000000 +0100
+++ libonig-5.9.5/debian/patches/series	2017-05-26 07:02:15.000000000 +0200
@@ -1 +1,2 @@
-001-changes_build_sys.diff
\ Kein Zeilenumbruch am Dateiende.
+001-changes_build_sys.diff
+0500-CVE-2017-922[4-9].patch

--- End Message ---
--- Begin Message ---
Version: 8.9

Hi,

These bugs all relate to updates which were included in today's jessie
point release.

Regards,

Adam

--- End Message ---
