Message ID | 20201015170253.968250-1-fontaine.fabrice@gmail.com |
---|---|
State | Accepted |
Series | [1/1] package/oniguruma: fix CVE-2020-26159 |

On Thu, 15 Oct 2020 19:02:53 +0200 Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Fix CVE-2020-26159: In Oniguruma 6.9.5_rev1, an attacker able to supply
> a regular expression for compilation may be able to overflow a buffer by
> one byte in concat_opt_exact_str in src/regcomp.c.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> .../0001-207-Out-of-bounds-write.patch | 25 +++++++++++++++++++
> package/oniguruma/oniguruma.mk | 3 +++
> 2 files changed, 28 insertions(+)
> create mode 100644 package/oniguruma/0001-207-Out-of-bounds-write.patch

Applied to master, thanks.

Thomas

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

> Fix CVE-2020-26159: In Oniguruma 6.9.5_rev1, an attacker able to supply
> a regular expression for compilation may be able to overflow a buffer by
> one byte in concat_opt_exact_str in src/regcomp.c.

> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2020.02.x and 2020.08.x, thanks.

diff --git a/package/oniguruma/0001-207-Out-of-bounds-write.patch b/package/oniguruma/0001-207-Out-of-bounds-write.patch new file mode 100644 index 0000000000..3317449702 --- /dev/null +++ b/package/oniguruma/0001-207-Out-of-bounds-write.patch @@ -0,0 +1,25 @@ +From cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0 Mon Sep 17 00:00:00 2001 +From: "K.Kosako" <kkosako0@gmail.com> +Date: Mon, 21 Sep 2020 12:58:29 +0900 +Subject: [PATCH] #207: Out-of-bounds write + +[Retrieved from: +https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0] +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> +--- + src/regcomp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/regcomp.c b/src/regcomp.c +index f6494b6d..a0a68561 100644 +--- a/src/regcomp.c ++++ b/src/regcomp.c +@@ -6257,7 +6257,7 @@ concat_opt_exact_str(OptStr* to, UChar* s, UChar* end, OnigEncoding enc) + + for (i = to->len, p = s; p < end && i < OPT_EXACT_MAXLEN; ) { + len = enclen(enc, p); +- if (i + len > OPT_EXACT_MAXLEN) break; ++ if (i + len >= OPT_EXACT_MAXLEN) break; + for (j = 0; j < len && p < end; j++) + to->s[i++] = *p++; + } diff --git a/package/oniguruma/oniguruma.mk b/package/oniguruma/oniguruma.mk index d1ff1f115f..c2330c7380 100644 --- a/package/oniguruma/oniguruma.mk +++ b/package/oniguruma/oniguruma.mk @@ -12,4 +12,7 @@ ONIGURUMA_LICENSE = BSD-2-Clause ONIGURUMA_LICENSE_FILES = COPYING ONIGURUMA_INSTALL_STAGING = YES +# 0001-207-Out-of-bounds-write.patch +ONIGURUMA_IGNORE_CVES += CVE-2020-26159 + $(eval $(autotools-package))
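
Review bot: In the src/regcomp.c hunk carried by 0001-207-Out-of-bounds-write.patch, the new test `if (i + len >= OPT_EXACT_MAXLEN) break;` leaves `i` at most OPT_EXACT_MAXLEN - 1 when the loop ends, but nothing in the patch header says why that last position must stay free, and the upstream subject ("#207: Out-of-bounds write") does not name the CVE. Consider adding a line next to the "[Retrieved from: ...]" note stating that this fixes CVE-2020-26159, the one-byte overflow in concat_opt_exact_str, so the patch file is self-describing without having to read oniguruma.mk.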
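
Review bot: In the oniguruma.mk hunk, `ONIGURUMA_IGNORE_CVES += CVE-2020-26159` is linked to its justification only by the file-name comment above it, so the entry will go stale if the patch is dropped or renamed on a version bump. Consider extending the comment to say the entry can be removed once the package version includes upstream commit cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0, and remove both the patch and the ignore line in the same change when that happens.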

Fix CVE-2020-26159: In Oniguruma 6.9.5_rev1, an attacker able to supply
a regular expression for compilation may be able to overflow a buffer by
one byte in concat_opt_exact_str in src/regcomp.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 .../0001-207-Out-of-bounds-write.patch | 25 +++++++++++++++++++
 package/oniguruma/oniguruma.mk | 3 +++
 2 files changed, 28 insertions(+)
 create mode 100644 package/oniguruma/0001-207-Out-of-bounds-write.patch