From patchwork Thu Oct 15 17:02:53 2020
X-Patchwork-Submitter: Fabrice Fontaine
X-Patchwork-Id: 1382819
From: Fabrice Fontaine
To: buildroot@buildroot.org
Date: Thu, 15 Oct 2020 19:02:53 +0200
Message-Id: <20201015170253.968250-1-fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH 1/1] package/oniguruma: fix CVE-2020-26159
Cc: Fabrice Fontaine

Fix CVE-2020-26159: In Oniguruma 6.9.5_rev1, an attacker able to supply
a regular expression for compilation may be able to overflow a buffer by
one byte in concat_opt_exact_str in src/regcomp.c.

Signed-off-by: Fabrice Fontaine
--- .../0001-207-Out-of-bounds-write.patch | 25 +++++++++++++++++++ package/oniguruma/oniguruma.mk | 3 +++ 2 files changed, 28 insertions(+) create mode 100644 package/oniguruma/0001-207-Out-of-bounds-write.patch diff --git a/package/oniguruma/0001-207-Out-of-bounds-write.patch b/package/oniguruma/0001-207-Out-of-bounds-write.patch new file mode 100644 index 0000000000..3317449702 --- /dev/null +++ b/package/oniguruma/0001-207-Out-of-bounds-write.patch 
@@ -0,0 +1,25 @@ +From cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0 Mon Sep 17 00:00:00 2001 +From: "K.Kosako" +Date: Mon, 21 Sep 2020 12:58:29 +0900 +Subject: [PATCH] #207: Out-of-bounds write + +[Retrieved from: +https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0] +Signed-off-by: Fabrice Fontaine +--- + src/regcomp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/regcomp.c b/src/regcomp.c +index f6494b6d..a0a68561 100644 +--- a/src/regcomp.c ++++ b/src/regcomp.c +@@ -6257,7 +6257,7 @@ concat_opt_exact_str(OptStr* to, UChar* s, UChar* end, OnigEncoding enc) + + for (i = to->len, p = s; p < end && i < OPT_EXACT_MAXLEN; ) { + len = enclen(enc, p); +- if (i + len > OPT_EXACT_MAXLEN) break; ++ if (i + len >= OPT_EXACT_MAXLEN) break; + for (j = 0; j < len && p < end; j++) + to->s[i++] = *p++; + } diff --git a/package/oniguruma/oniguruma.mk b/package/oniguruma/oniguruma.mk index d1ff1f115f..c2330c7380 100644 --- a/package/oniguruma/oniguruma.mk +++ b/package/oniguruma/oniguruma.mk @@ -12,4 +12,7 @@ ONIGURUMA_LICENSE = BSD-2-Clause ONIGURUMA_LICENSE_FILES = COPYING ONIGURUMA_INSTALL_STAGING = YES +# 0001-207-Out-of-bounds-write.patch +ONIGURUMA_IGNORE_CVES += CVE-2020-26159 + $(eval $(autotools-package))
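Review bot: The header of the added 0001-207-Out-of-bounds-write.patch never names CVE-2020-26159, and its Subject, "#207: Out-of-bounds write", does not say why the bound in concat_opt_exact_str changes from `>` to `>=`. The new check stops copying one slot earlier in to->s, but the write that needs that slot is outside the lines shown, so the .patch file on its own does not explain the off-by-one. Suggest adding a line to the patch header next to the "[Retrieved from: ...]" note that states the CVE id and that the change keeps one byte of to->s free, so the file stays traceable if the comment in oniguruma.mk is later edited or removed.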
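Review bot: In package/oniguruma/oniguruma.mk, `ONIGURUMA_IGNORE_CVES += CVE-2020-26159` suppresses the CVE unconditionally, and nothing ties it to the lifetime of the patch except the comment naming 0001-207-Out-of-bounds-write.patch. The context lines do not show ONIGURUMA_VERSION, and the commit message cites only "Oniguruma 6.9.5_rev1" from the CVE text, so it is not visible from this change that the packaged version is the affected one. Suggest stating the packaged version in the commit message and noting that the ignore entry and the patch must be dropped together at the first bump that contains upstream commit cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0.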