Bug#863562: jessie-pu: package libonig/5.9.5-3.2

Jörg Frings-Fürst Sun, 28 May 2017 09:43:18 -0700

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I have the release 5.9.5-3.2+deb8u1 with fixes for the CVE's:

 CVE-2017-9224
 CVE-2017-9226
 CVE-2017-9227
 CVE-2017-9228
 CVE-2017-9229

ready, The debdiff is attached.


- -- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)




-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEY+AHX8jUOrs1qzDuCfifPIyh0l0FAlkq/Q4ACgkQCfifPIyh
0l3LkQ//UY/XbO0adWiAPyombGW3e+lSRikPyn+cZfroCGgkkp7W1ch+xqiB+TyT
CU8sBMqiRGFEm9OY0gCljmaalZ1/Hoi7TGdTuo56pfu7/g/TPn8IUYef5NPGySRb
/8+RUF1hFIBRWeHHwnhJ6mJ3f00FnzQK9i0j05Oew/upgzQpL+uaJv8Dzu+swgqI
L+qlORuMN9V1sFkMwBMSaRmkLUkDw7C0LUYy21seb9ONmiCW+a3/7a/NuRYOE/S9
T2Kkn5moykCd87eW36DRoak7pFAbIdXMbzhAiQB2gd4cJRbpiN30TIX3YOMbnRPL
2S3jPrmsSIpbGYsfnn6ZkjfavwW9fwfjTUehrn6jX2bKwuwdRxIt5z57V1uuex9N
MpBQWL8jKfMMscfz3YzOJPdz0XicVYAHBN0zswapHtZDfnlOwNoj3I6iPng0QEGj
vQ2zD/P0wSoD8JeMfotOKeHaCXoWcQxmJmacGPS2BnA03OvKlSC7HGNyLnOu7Dws
ye8oCglZNpLmF/1cr7nvrHSnpiPc4MvyYxnFDSTFvB15ugsgoMaNdf2gvEXiUHNo
R+ZY2wCil3R4IKvpvKGYqpReNKOACjc+EhNU5KzrWvA39jdvJmkGZTc9IqV8E+Z+
q2q4ponTuPY47s2iB5SGBHIo5bpuhdwqREsB6VsCWyWde9gDm6A=
=aAPj
-----END PGP SIGNATURE-----

diff -Nru libonig-5.9.5/debian/changelog libonig-5.9.5/debian/changelog
--- libonig-5.9.5/debian/changelog      2014-12-28 12:11:12.000000000 +0100
+++ libonig-5.9.5/debian/changelog      2017-05-28 16:59:55.000000000 +0200
@@ -1,3 +1,15 @@
+libonig (5.9.5-3.2+deb8u1) stable; urgency=medium
+
+  * New debian/patches/0500-CVE-2017-922[4-9].patch:
+    - Cherrypicked from upstream to correct:
+      + CVE-2017-9224 (Closes: #863312)
+      + CVE-2017-9226 (Closes: #863314)
+      + CVE-2017-9227 (Closes: #863315)
+      + CVE-2017-9228 (Closes: #863316)
+      + CVE-2017-9229 (Closes: #863318)
+
+ -- Jörg Frings-Fürst <deb...@jff-webhosting.net>  Sun, 28 May 2017 16:59:55 
+0200
+
 libonig (5.9.5-3.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch 
libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch
--- libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch   1970-01-01 
01:00:00.000000000 +0100
+++ libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch   2017-05-26 
07:07:41.000000000 +0200
@@ -0,0 +1,121 @@
+Correct CVE-2017-922[4-9]
+ Fix mutilple invalid pointer dereference, out-of-bounds write memory 
+ corruption and stack buffer overflow,
+Origin: Cheerypicked from upstream
+Bug: https://github.com/kkos/oniguruma/issues/[55|56|57|58|59|60]
+Bug-Debian: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=86331[2|3|4|5|6|8]
+Forwarded: not-needed
+Last-Update: 2017-05-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: 5.9.5-3.2-deb8u1/regexec.c
+===================================================================
+--- 5.9.5-3.2-deb8u1.orig/regexec.c
++++ 5.9.5-3.2-deb8u1/regexec.c
+@@ -1425,14 +1425,9 @@ match_at(regex_t* reg, const UChar* str,
+       break;
+ 
+     case OP_EXACT1:  MOP_IN(OP_EXACT1);
+-#if 0
+       DATA_ENSURE(1);
+       if (*p != *s) goto fail;
+       p++; s++;
+-#endif
+-      if (*p != *s++) goto fail;
+-      DATA_ENSURE(0);
+-      p++;
+       MOP_OUT;
+       break;
+ 
+@@ -3128,6 +3123,8 @@ forward_search_range(regex_t* reg, const
+     }
+     else {
+       UChar *q = p + reg->dmin;
++
++      if (q >= end) return 0; /* fail */
+       while (p < q) p += enclen(reg->enc, p);
+     }
+   }
+@@ -3207,18 +3204,25 @@ forward_search_range(regex_t* reg, const
+     }
+     else {
+       if (reg->dmax != ONIG_INFINITE_DISTANCE) {
+-      *low = p - reg->dmax;
+-      if (*low > s) {
+-        *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
+-                                                            *low, (const 
UChar** )low_prev);
+-        if (low_prev && IS_NULL(*low_prev))
+-          *low_prev = onigenc_get_prev_char_head(reg->enc,
+-                                                 (pprev ? pprev : s), *low);
++        if (p - str < reg->dmax) {
++          *low = (UChar* )str;
++          if (low_prev)
++            *low_prev = onigenc_get_prev_char_head(reg->enc, str, *low);
+       }
+       else {
+-        if (low_prev)
+-          *low_prev = onigenc_get_prev_char_head(reg->enc,
+-                                             (pprev ? pprev : str), *low);
++          *low = p - reg->dmax;
++          if (*low > s) {
++            *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
++                                                 *low, (const UChar** 
)low_prev);
++            if (low_prev && IS_NULL(*low_prev))
++              *low_prev = onigenc_get_prev_char_head(reg->enc,
++                                                     (pprev ? pprev : s), 
*low);
++          }
++          else {
++            if (low_prev)
++              *low_prev = onigenc_get_prev_char_head(reg->enc,
++                                                     (pprev ? pprev : str), 
*low);
++          }
+       }
+       }
+     }
+Index: 5.9.5-3.2-deb8u1/regparse.c
+===================================================================
+--- 5.9.5-3.2-deb8u1.orig/regparse.c
++++ 5.9.5-3.2-deb8u1/regparse.c
+@@ -3064,7 +3064,7 @@ fetch_token_in_cc(OnigToken* tok, UChar*
+       PUNFETCH;
+       prev = p;
+       num = scan_unsigned_octal_number(&p, end, 3, enc);
+-      if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+       if (p == prev) {  /* can't read nothing. */
+         num = 0; /* but, it's not error */
+       }
+@@ -3436,7 +3436,7 @@ fetch_token(OnigToken* tok, UChar** src,
+       if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
+       prev = p;
+       num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
+-      if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
++        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
+       if (p == prev) {  /* can't read nothing. */
+         num = 0; /* but, it's not error */
+       }
+@@ -4068,7 +4068,9 @@ next_state_class(CClassNode* cc, OnigCod
+     }
+   }
+ 
+-  *state = CCS_VALUE;
++  if (*state != CCS_START)
++    *state = CCS_VALUE;
++
+   *type  = CCV_CLASS;
+   return 0;
+ }
+@@ -4083,8 +4085,12 @@ next_state_val(CClassNode* cc, OnigCodeP
+ 
+   switch (*state) {
+   case CCS_VALUE:
+-    if (*type == CCV_SB)
++    if (*type == CCV_SB) {
++      if (*vs > 0xff)
++          return ONIGERR_INVALID_CODE_POINT_VALUE;
++
+       BITSET_SET_BIT(cc->bs, (int )(*vs));
++    }
+     else if (*type == CCV_CODE_POINT) {
+       r = add_code_range(&(cc->mbuf), env, *vs, *vs);
+       if (r < 0) return r;
diff -Nru libonig-5.9.5/debian/patches/series 
libonig-5.9.5/debian/patches/series
--- libonig-5.9.5/debian/patches/series 2014-12-28 12:11:12.000000000 +0100
+++ libonig-5.9.5/debian/patches/series 2017-05-26 07:02:15.000000000 +0200
@@ -1 +1,2 @@
-001-changes_build_sys.diff
\ Kein Zeilenumbruch am Dateiende.
+001-changes_build_sys.diff
+0500-CVE-2017-922[4-9].patch

Bug#863562: jessie-pu: package libonig/5.9.5-3.2

Reply via email to