diff --git a/CVE-2017-9228.patch b/CVE-2017-9228.patch
deleted file mode 100644
index d2b8c1d..0000000
--- a/CVE-2017-9228.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 5c8ed2a12935501759ebf1792ee4949b429c195b Mon Sep 17 00:00:00 2001
-From: "K.Kosako"
-Date: Wed, 24 May 2017 13:43:25 +0900
-Subject: [PATCH] fix #60 : invalid state(CCS_VALUE) in parse_char_class()
-
-Signed-off-by: hanxinke
----
- src/regparse.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/regparse.c b/src/regparse.c
-index fcc05cf..3689519 100644
---- a/src/regparse.c
-+++ b/src/regparse.c
-@@ -6071,7 +6071,9 @@ next_state_class(CClassNode* cc, OnigCodePoint* vs, enum CCVALTYPE* type,
- }
- }
-
-- *state = CCS_VALUE;
-+ if (*state != CCS_START)
-+ *state = CCS_VALUE;
-+
- *type = CCV_CLASS;
- return 0;
- }
---
-2.0.1
-
diff --git a/CVE-2019-13224.patch b/CVE-2019-13224.patch
deleted file mode 100644
index 04af20e..0000000
--- a/CVE-2019-13224.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From ad793dcb677988667b2d23e3fd4480b44113fdd1 Mon Sep 17 00:00:00 2001
-From: "K.Kosako"
-Date: Thu, 27 Jun 2019 17:25:26 +0900
-Subject: [PATCH] Fix CVE-2019-13224: don't allow different encodings for
- onig_new_deluxe()
-
-Signed-off-by: hanxinke
----
- src/regext.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/regext.c b/src/regext.c
-index 996d043..de122c7 100644
---- a/src/regext.c
-+++ b/src/regext.c
-@@ -29,6 +29,7 @@
-
- #include "regint.h"
-
-+#if 0
- static void
- conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
- {
-@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
-
- return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
- }
-+#endif
-
- extern int
- onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
-@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
- if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
-
- if (ci->pattern_enc != ci->target_enc) {
-- r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
-- &cpat, &cpat_end);
-- if (r != 0) return r;
-+ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
- }
- else {
- cpat = (UChar* )pattern;
---
-2.0.1
-
diff --git a/CVE-2019-13225.patch b/CVE-2019-13225.patch
deleted file mode 100644
index e958d8f..0000000
--- a/CVE-2019-13225.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 5ed8bad6a362c8a77cbd40196cd8867681029bcd Mon Sep 17 00:00:00 2001
-From: "K.Kosako"
-Date: Thu, 27 Jun 2019 14:11:55 +0900
-Subject: [PATCH] Fix CVE-2019-13225: problem in converting if-then-else
- pattern to bytecode.
-
-Signed-off-by: hanxinke
----
- src/regcomp.c | 24 +++++++++++++++++-------
- 1 file changed, 17 insertions(+), 7 deletions(-)
-
-diff --git a/src/regcomp.c b/src/regcomp.c
-index 83b9252..6c9da7e 100644
---- a/src/regcomp.c
-+++ b/src/regcomp.c
-@@ -1100,8 +1100,9 @@ compile_length_enclosure_node(EnclosureNode* node, regex_t* reg)
- len += tlen;
- }
-
-+ len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;
-+
- if (IS_NOT_NULL(Else)) {
-- len += SIZE_OP_JUMP;
- tlen = compile_length_tree(Else, reg);
- if (tlen < 0) return tlen;
- len += tlen;
-@@ -1243,7 +1244,7 @@ compile_enclosure_node(EnclosureNode* node, regex_t* reg, ScanEnv* env)
-
- case ENCLOSURE_IF_ELSE:
- {
-- int cond_len, then_len, jump_len;
-+ int cond_len, then_len, else_len, jump_len;
- Node* cond = NODE_ENCLOSURE_BODY(node);
- Node* Then = node->te.Then;
- Node* Else = node->te.Else;
-@@ -1260,8 +1261,7 @@ compile_enclosure_node(EnclosureNode* node, regex_t* reg, ScanEnv* env)
- else
- then_len = 0;
-
-- jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END;
-- if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP;
-+ jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP;
-
- r = add_opcode_rel_addr(reg, OP_PUSH, jump_len);
- if (r != 0) return r;
-@@ -1276,9 +1276,19 @@ compile_enclosure_node(EnclosureNode* node, regex_t* reg, ScanEnv* env)
- }
-
- if (IS_NOT_NULL(Else)) {
-- int else_len = compile_length_tree(Else, reg);
-- r = add_opcode_rel_addr(reg, OP_JUMP, else_len);
-- if (r != 0) return r;
-+ else_len = compile_length_tree(Else, reg);
-+ if (else_len < 0) return else_len;
-+ }
-+ else
-+ else_len = 0;
-+
-+ r = add_opcode_rel_addr(reg, OP_JUMP, else_len + SIZE_OP_ATOMIC_END);
-+ if (r != 0) return r;
-+
-+ r = add_opcode(reg, OP_ATOMIC_END);
-+ if (r != 0) return r;
-+
-+ if (IS_NOT_NULL(Else)) {
- r = compile_tree(Else, reg, env);
- }
- }
---
-2.0.1
-
diff --git a/CVE-2019-16163.patch b/CVE-2019-16163.patch
deleted file mode 100644
index 4fbce00..0000000
--- a/CVE-2019-16163.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 4097828d7cc87589864fecf452f2cd46c5f37180 Mon Sep 17 00:00:00 2001
-From: "K.Kosako"
-Date: Mon, 29 Jul 2019 12:52:56 +0900
-Subject: [PATCH] fix #147: Stack Exhaustion Problem caused by some parsing
- functions in regcomp.c making recursive calls to themselves.
-
----
- src/regparse.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/src/regparse.c b/src/regparse.c
-index 3689519..9652bfd 100644
---- a/src/regparse.c
-+++ b/src/regparse.c
-@@ -6190,6 +6190,7 @@ parse_char_class(Node** np, OnigToken* tok, UChar** src, UChar* end, ScanEnv* en
- env->parse_depth++;
- if (env->parse_depth > ParseDepthLimit)
- return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
-+
- prev_cc = (CClassNode* )NULL;
- r = fetch_token_in_cc(tok, src, end, env);
- if (r == TK_CHAR && tok->u.c == '^' && tok->escaped == 0) {
-@@ -7714,13 +7715,17 @@ static int
- parse_exp(Node** np, OnigToken* tok, int term, UChar** src, UChar* end,
- ScanEnv* env)
- {
-- int r, len, group = 0;
-+ int r, len, group;
- Node* qn;
- Node** targetp;
-+ unsigned int parse_depth;
-
-+ group = 0;
- *np = NULL;
- if (tok->type == (enum TokenSyms )term)
- goto end_of_token;
-+
-+ parse_depth = env->parse_depth;
-
- switch (tok->type) {
- case TK_ALT:
-@@ -8028,6 +8033,10 @@ parse_exp(Node** np, OnigToken* tok, int term, UChar** src, UChar* end,
- if (is_invalid_quantifier_target(*targetp))
- return ONIGERR_TARGET_OF_REPEAT_OPERATOR_INVALID;
-
-+ parse_depth++;
-+ if (parse_depth > ParseDepthLimit)
-+ return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
-+
- qn = node_new_quantifier(tok->u.repeat.lower, tok->u.repeat.upper,
- (r == TK_INTERVAL ? 1 : 0));
- CHECK_NULL_RETURN_MEMERR(qn);
---
-2.19.1
-
diff --git a/CVE-2019-19012.patch b/CVE-2019-19012.patch
deleted file mode 100644
index b1bef02..0000000
--- a/CVE-2019-19012.patch
+++ /dev/null
@@ -1,227 +0,0 @@
-Origin: https://github.com/kkos/oniguruma/commit/0463e21432515631a9bc925ce5eb95b097c73719
-Origin: https://github.com/kkos/oniguruma/commit/db64ef3189f54917a5008a02bdb000adc514a90a
-Origin: https://github.com/kkos/oniguruma/commit/bfc36d3d8139b8be4d3df630d625c58687b0c7d4
-Origin: https://github.com/kkos/oniguruma/commit/778a43dd56925ed58bbe26e3a7bb8202d72c3f3f
-Origin: https://github.com/kkos/oniguruma/commit/b6cb7580a7e0c56fc325fe9370b9d34044910aed
-Author: K.Kosako
-Reviewed-by: Sylvain Beucler
-Last-Update: 2019-11-22
-
-fix #164: Integer overflow related to reg->dmax in search_in_range()
-
-Index: src/regexec.c
-===================================================================
---- a/src/regexec.c
-+++ b/src/regexec.c
-@@ -27,6 +27,7 @@
- * SUCH DAMAGE.
- */
- #include "regint.h"
-+#include
-
- #define IS_MBC_WORD_ASCII_MODE(enc,s,end,mode) \
- ((mode) == 0 ? ONIGENC_IS_MBC_WORD(enc,s,end) : ONIGENC_IS_MBC_WORD_ASCII(enc,s,end))
-@@ -4367,14 +4368,14 @@ forward_search_range(regex_t* reg, const
- #endif
-
- p = s;
-- if (reg->dmin > 0) {
-+ if (reg->dmin != 0) {
-+ if (end - p <= reg->dmin)
-+ return 0; /* fail */
- if (ONIGENC_IS_SINGLEBYTE(reg->enc)) {
- p += reg->dmin;
- }
- else {
- UChar *q = p + reg->dmin;
--
-- if (q >= end) return 0; /* fail */
- while (p < q) p += enclen(reg->enc, p);
- }
- }
-@@ -4403,7 +4404,7 @@ forward_search_range(regex_t* reg, const
- }
-
- if (p && p < range) {
-- if (p - reg->dmin < s) {
-+ if (p - s < reg->dmin) {
- retry_gate:
- pprev = p;
- p += enclen(reg->enc, p);
-@@ -4451,6 +4452,7 @@ forward_search_range(regex_t* reg, const
- *low_prev = onigenc_get_prev_char_head(reg->enc,
- (pprev ? pprev : str), p);
- }
-+ *high = p;
- }
- else {
- if (reg->dmax != INFINITE_LEN) {
-@@ -4475,9 +4477,12 @@ forward_search_range(regex_t* reg, const
- }
- }
- }
-+ /* no needs to adjust *high, *high is used as range check only */
-+ if (p - str < reg->dmin)
-+ *high = (UChar* )str;
-+ else
-+ *high = p - reg->dmin;
- }
-- /* no needs to adjust *high, *high is used as range check only */
-- *high = p - reg->dmin;
-
- #ifdef ONIG_DEBUG_SEARCH
- fprintf(stderr,
-@@ -4500,7 +4505,6 @@ backward_search_range(regex_t* reg, cons
- {
- UChar *p;
-
-- range += reg->dmin;
- p = s;
-
- retry:
-@@ -4581,10 +4585,22 @@ backward_search_range(regex_t* reg, cons
- }
- }
-
-- /* no needs to adjust *high, *high is used as range check only */
- if (reg->dmax != INFINITE_LEN) {
-- *low = p - reg->dmax;
-- *high = p - reg->dmin;
-+ if ((ptrdiff_t )(p - str) < (ptrdiff_t )reg->dmax)
-+ *low = (UChar* )str;
-+ else
-+ *low = p - reg->dmax;
-+
-+ if (reg->dmin != 0) {
-+ if ((ptrdiff_t )(p - str) < (ptrdiff_t )reg->dmin)
-+ *high = (UChar* )str;
-+ else
-+ *high = p - reg->dmin;
-+ }
-+ else {
-+ *high = p;
-+ }
-+
- *high = onigenc_get_right_adjust_char_head(reg->enc, adjrange, *high);
- }
-
-@@ -4714,13 +4730,16 @@ onig_search_with_param(regex_t* reg, con
- goto mismatch_no_msa;
-
- if (range > start) {
-- if ((OnigLen )(min_semi_end - start) > reg->anchor_dmax) {
-+ if (min_semi_end - start > reg->anchor_dmax) {
- start = min_semi_end - reg->anchor_dmax;
- if (start < end)
- start = onigenc_get_right_adjust_char_head(reg->enc, str, start);
- }
-- if ((OnigLen )(max_semi_end - (range - 1)) < reg->anchor_dmin) {
-- range = max_semi_end - reg->anchor_dmin + 1;
-+ if (max_semi_end - (range - 1) < reg->anchor_dmin) {
-+ if (max_semi_end - str + 1 < reg->anchor_dmin)
-+ goto mismatch_no_msa;
-+ else
-+ range = max_semi_end - reg->anchor_dmin + 1;
- }
-
- if (start > range) goto mismatch_no_msa;
-@@ -4728,13 +4747,18 @@ onig_search_with_param(regex_t* reg, con
- Backward search is used. */
- }
- else {
-- if ((OnigLen )(min_semi_end - range) > reg->anchor_dmax) {
-+ if (min_semi_end - range > reg->anchor_dmax) {
- range = min_semi_end - reg->anchor_dmax;
- }
-- if ((OnigLen )(max_semi_end - start) < reg->anchor_dmin) {
-- start = max_semi_end - reg->anchor_dmin;
-- start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, start);
-+ if (max_semi_end - start < reg->anchor_dmin) {
-+ if (max_semi_end - str < reg->anchor_dmin)
-+ goto mismatch_no_msa;
-+ else {
-+ start = max_semi_end - reg->anchor_dmin;
-+ start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, start);
-+ }
- }
-+
- if (range > start) goto mismatch_no_msa;
- }
- }
-@@ -4801,15 +4825,19 @@ onig_search_with_param(regex_t* reg, con
- if (reg->optimize != OPTIMIZE_NONE) {
- UChar *sch_range, *low, *high, *low_prev;
-
-- sch_range = (UChar* )range;
- if (reg->dmax != 0) {
- if (reg->dmax == INFINITE_LEN)
- sch_range = (UChar* )end;
- else {
-- sch_range += reg->dmax;
-- if (sch_range > end) sch_range = (UChar* )end;
-- }
-+ if ((end - range) < reg->dmax)
-+ sch_range = (UChar* )end;
-+ else {
-+ sch_range = (UChar* )range + reg->dmax;
-+ }
-+ }
- }
-+ else
-+ sch_range = (UChar* )range;
-
- if ((end - start) < reg->threshold_len)
- goto mismatch;
-@@ -4868,18 +4896,28 @@ onig_search_with_param(regex_t* reg, con
-
- if (reg->optimize != OPTIMIZE_NONE) {
- UChar *low, *high, *adjrange, *sch_start;
-+ const UChar *min_range;
-
- if (range < end)
- adjrange = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, range);
- else
- adjrange = (UChar* )end;
-
-+ if (end - range > reg->dmin)
-+ min_range = range + reg->dmin;
-+ else
-+ min_range = end;
-+
- if (reg->dmax != INFINITE_LEN &&
- (end - range) >= reg->threshold_len) {
- do {
-- sch_start = s + reg->dmax;
-- if (sch_start > end) sch_start = (UChar* )end;
-- if (backward_search_range(reg, str, end, sch_start, range, adjrange,
-+ if (end - s > reg->dmax)
-+ sch_start = s + reg->dmax;
-+ else {
-+ sch_start = (UChar* )end;
-+ }
-+
-+ if (backward_search_range(reg, str, end, sch_start, min_range, adjrange,
- &low, &high) <= 0)
- goto mismatch;
-
-@@ -4897,19 +4935,7 @@ onig_search_with_param(regex_t* reg, con
- else { /* check only. */
- if ((end - range) < reg->threshold_len) goto mismatch;
-
-- sch_start = s;
-- if (reg->dmax != 0) {
-- if (reg->dmax == INFINITE_LEN)
-- sch_start = (UChar* )end;
-- else {
-- sch_start += reg->dmax;
-- if (sch_start > end) sch_start = (UChar* )end;
-- else
-- sch_start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc,
-- start, sch_start);
-- }
-- }
-- if (backward_search_range(reg, str, end, sch_start, range, adjrange,
-+ if (backward_search_range(reg, str, end, sch_start, min_range, adjrange,
- &low, &high) <= 0) goto mismatch;
- }
- }
diff --git a/CVE-2019-19203.patch b/CVE-2019-19203.patch
deleted file mode 100644
index 36c1d91..0000000
--- a/CVE-2019-19203.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From aa0188eaedc056dca8374ac03d0177429b495515 Mon Sep 17 00:00:00 2001
-From: "K.Kosako"
-Date: Thu, 7 Nov 2019 14:13:55 +0900
-Subject: [PATCH] fix #163: heap-buffer-overflow in gb18030_mbc_enc_len
-
----
- src/gb18030.c | 16 +++++++++++++++-
- src/regparse.c | 32 ++++++++++++++++++++++----------
- 2 files changed, 37 insertions(+), 11 deletions(-)
-
-diff --git a/src/gb18030.c b/src/gb18030.c
-index ad5bf96..da6cfab 100644
---- a/src/gb18030.c
-+++ b/src/gb18030.c
-@@ -75,6 +75,20 @@ gb18030_mbc_enc_len(const UChar* p)
- return 2;
- }
-
-+static int
-+gb18030_code_to_mbclen(OnigCodePoint code)
-+{
-+ if ((code & 0xff000000) != 0) return 4;
-+ else if ((code & 0xff0000) != 0) return ONIGERR_INVALID_CODE_POINT_VALUE;
-+ else if ((code & 0xff00) != 0) return 2;
-+ else {
-+ if (GB18030_MAP[(int )(code & 0xff)] == CM)
-+ return ONIGERR_INVALID_CODE_POINT_VALUE;
-+
-+ return 1;
-+ }
-+}
-+
- static int
- is_valid_mbc_string(const UChar* p, const UChar* end)
- {
-@@ -513,7 +527,7 @@ OnigEncodingType OnigEncodingGB18030 = {
- 1, /* min enc length */
- onigenc_is_mbc_newline_0x0a,
- gb18030_mbc_to_code,
-- onigenc_mb4_code_to_mbclen,
-+ gb18030_code_to_mbclen,
- gb18030_code_to_mbc,
- gb18030_mbc_case_fold,
- onigenc_ascii_apply_all_case_fold,
-diff --git a/src/regparse.c b/src/regparse.c
-index 70c36d5..5bf25e8 100644
---- a/src/regparse.c
-+++ b/src/regparse.c
-@@ -5885,6 +5885,7 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
-
- int c, r;
- int ascii_mode;
-+ int is_single;
- const OnigCodePoint *ranges;
- OnigCodePoint limit;
- OnigCodePoint sb_out;
-@@ -5906,6 +5907,7 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
- }
-
- r = 0;
-+ is_single = ONIGENC_IS_SINGLEBYTE(enc);
- limit = ascii_mode ? ASCII_LIMIT : SINGLE_BYTE_SIZE;
-
- switch (ctype) {
-@@ -5922,19 +5924,25 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
- case ONIGENC_CTYPE_ALNUM:
- if (not != 0) {
- for (c = 0; c < (int )limit; c++) {
-- if (! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
-- BITSET_SET_BIT(cc->bs, c);
-+ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) {
-+ if (! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
-+ BITSET_SET_BIT(cc->bs, c);
-+ }
- }
- for (c = limit; c < SINGLE_BYTE_SIZE; c++) {
-- BITSET_SET_BIT(cc->bs, c);
-+ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
-+ BITSET_SET_BIT(cc->bs, c);
- }
-
-- ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
-+ if (is_single == 0)
-+ ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
- }
- else {
- for (c = 0; c < (int )limit; c++) {
-- if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
-- BITSET_SET_BIT(cc->bs, c);
-+ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) {
-+ if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
-+ BITSET_SET_BIT(cc->bs, c);
-+ }
- }
- }
- break;
-@@ -5944,21 +5952,25 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
- case ONIGENC_CTYPE_WORD:
- if (not != 0) {
- for (c = 0; c < (int )limit; c++) {
-- if (ONIGENC_CODE_TO_MBCLEN(enc, c) > 0 /* check invalid code point */
-+ /* check invalid code point */
-+ if ((is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
- && ! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
- BITSET_SET_BIT(cc->bs, c);
- }
- for (c = limit; c < SINGLE_BYTE_SIZE; c++) {
-- if (ONIGENC_CODE_TO_MBCLEN(enc, c) > 0)
-+ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
- BITSET_SET_BIT(cc->bs, c);
- }
-+ if (ascii_mode != 0 && is_single == 0)
-+ ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
- }
- else {
- for (c = 0; c < (int )limit; c++) {
-- if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
-+ if ((is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
-+ && ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
- BITSET_SET_BIT(cc->bs, c);
- }
-- if (ascii_mode == 0)
-+ if (ascii_mode == 0 && is_single == 0)
- ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
- }
- break;
diff --git a/CVE-2019-19204.patch b/CVE-2019-19204.patch
deleted file mode 100644
index db32ec9..0000000
--- a/CVE-2019-19204.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 6eb4aca6a7f2f60f473580576d86686ed6a6ebec Mon Sep 17 00:00:00 2001
-From: "K.Kosako"
-Date: Wed, 6 Nov 2019 17:32:29 +0900
-Subject: [PATCH] fix #162: heap-buffer-overflow in fetch_interval_quantifier
- due to double PFETCH
-
----
- src/regparse.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/regparse.c b/src/regparse.c
-index 324c414..70c36d5 100644
---- a/src/regparse.c
-+++ b/src/regparse.c
-@@ -4178,7 +4178,7 @@ fetch_interval_quantifier(UChar** src, UChar* end, PToken* tok, ScanEnv* env)
- if (PEND) goto invalid;
- PFETCH(c);
- if (IS_SYNTAX_OP(env->syntax, ONIG_SYN_OP_ESC_BRACE_INTERVAL)) {
-- if (c != MC_ESC(env->syntax)) goto invalid;
-+ if (c != MC_ESC(env->syntax) || PEND) goto invalid;
- PFETCH(c);
- }
- if (c != '}') goto invalid;
diff --git a/CVE-2019-19246.patch b/CVE-2019-19246.patch
deleted file mode 100644
index 78bc3ac..0000000
--- a/CVE-2019-19246.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From d3e402928b6eb3327f8f7d59a9edfa622fec557b Mon Sep 17 00:00:00 2001
-From: "K.Kosako"
-Date: Tue, 13 Aug 2019 13:37:30 +0900
-Subject: [PATCH] fix heap-buffer-overflow
-
----
- src/regexec.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/regexec.c b/src/regexec.c
-index 0753b07..634ee42 100644
---- a/src/regexec.c
-+++ b/src/regexec.c
-@@ -4196,6 +4196,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag,
- lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf);
- q = lowbuf;
- while (lowlen > 0) {
-+ if (t >= tend) return 0;
- if (*t++ != *q++) return 0;
- lowlen--;
- }
diff --git a/onig-6.9.0.tar.gz b/onig-6.9.0.tar.gz
deleted file mode 100644
index 25461c2..0000000
Binary files a/onig-6.9.0.tar.gz and /dev/null differ
diff --git a/onig-6.9.6.tar.gz b/onig-6.9.6.tar.gz
new file mode 100644
index 0000000..8d454d1
Binary files /dev/null and b/onig-6.9.6.tar.gz differ
diff --git a/oniguruma.spec b/oniguruma.spec
index 879fbcc..8374031 100644
--- a/oniguruma.spec
+++ b/oniguruma.spec
@@ -1,6 +1,6 @@
 Name: oniguruma
-Version: 6.9.0
-Release: 3
+Version: 6.9.6
+Release: 1
 Summary: Regular expressions library
 License: BSD
 URL: https://github.com/kkos/oniguruma/
@@ -8,14 +8,6 @@ Source0: https://github.com/kkos/oniguruma/releases/download/v%{version}/oni
 BuildRequires: gcc
-Patch0001: CVE-2017-9228.patch
-Patch0002: CVE-2019-13224.patch
-Patch0003: CVE-2019-13225.patch
-Patch0004: CVE-2019-16163.patch
-Patch0005: CVE-2019-19203.patch
-Patch0006: CVE-2019-19204.patch
-Patch0007: CVE-2019-19246.patch
-Patch0008: CVE-2019-19012.patch
 %description
 Oniguruma is a regular expressions library.
@@ -71,6 +63,9 @@ make check
 %doc HISTORY README.md index.html doc/API doc/CALLOUTS.API doc/CALLOUTS.BUILTIN doc/FAQ doc/RE
 %changelog
+* Sat Jan 23 2021 zoulin - 6.9.6-1
+- update version to 6.9.6
+
 * Mon Jan 04 2020 wangxiao - 6.9.0-3
 - fix CVE-2019-19012