Created attachment 184019 [details] patch
* Removed post-patch because it didn't match anything. This patch has been applied upstream.
Created attachment 184021 [details] patch
Added port options to reflect configure options:
COMBEXPL: Perform combination explosion check
CRNL: Enable CR+NL as line terminator
Created attachment 184022 [details] patch
* Moved USE_GITHUB after USES as per Porter's Handbook section 13.1.7, "USES and USE_x"
Created attachment 184026 [details] patch
* Updated to 6.4.0
* Ignoring testcases with the Japanese character set
Builds in poudriere.
This is now also security-relevant:
Security: b396cf6c-62e6-11e7-9def-b499baebfeaf
CVE-2017-9224
CVE-2017-9226
CVE-2017-9227
CVE-2017-9228
CVE-2017-9228
CVE-2017-9225 is missing. The last one must have been CVE-2017-9229. The upstream bug report: https://github.com/kkos/oniguruma/issues/64
All those security issues are fixed in 6.4.0, see the current README on github.
A commit references this bug:

Author: brnrd
Date: Sat Jul 8 22:43:41 UTC 2017
New revision: 445350
URL: https://svnweb.freebsd.org/changeset/ports/445350

Log:
  devel/oniguruma6: Update to 6.4.0 (security)

  - Security update to 6.4.0

  PR: 220438
  Security: b396cf6c-62e6-11e7-9def-b499baebfeaf
  Sponsored by: Essen DevSummit

Changes:
  head/devel/oniguruma6/Makefile
  head/devel/oniguruma6/distinfo
The 6.4.0 bits have now been committed to make sure the vulnerability is fixed. The other changes in the patch have not been committed yet, please regenerate the patch. Contact me on maintainer-timeout and I'll pull the trigger.
Created attachment 184195 [details] patch
Regenerated the patch.
Any chance the fix could be backported to devel/oniguruma5? It's a dependency for many ports.
(In reply to Pierre Guinoiseau from comment #12)
Dependency on devel/oniguruma5 should be changed to devel/oniguruma6, unless there are build problems. I found only these 4 dependencies:
> devel/libslang2/Makefile:ONIG_LIB_DEPENDS= libonig.so:devel/oniguruma5
> lang/php71/Makefile.ext:LIB_DEPENDS+= libonig.so:devel/oniguruma5
> lang/php70/Makefile.ext:LIB_DEPENDS+= libonig.so:devel/oniguruma5
> mail/sylpheed/Makefile:ONIGURUMA_BUILD_DEPENDS= ${LOCALBASE}/lib/libonig.a:devel/oniguruma5
There are 8 actually:
> devel/libslang2/Makefile:ONIG_LIB_DEPENDS= libonig.so:devel/oniguruma5
> japanese/jd/Makefile:ONIGURUMA_LIB_DEPENDS= libonig.so:devel/oniguruma5
> lang/mosh/Makefile: libonig.so:devel/oniguruma5
> lang/php56/Makefile.ext:LIB_DEPENDS+= libonig.so:devel/oniguruma5
> lang/php70/Makefile.ext:LIB_DEPENDS+= libonig.so:devel/oniguruma5
> lang/php71/Makefile.ext:LIB_DEPENDS+= libonig.so:devel/oniguruma5
> mail/sylpheed/Makefile:ONIGURUMA_LIB_DEPENDS= libonig.so:devel/oniguruma5
> textproc/jq/Makefile:ONIGURUMA_LIB_DEPENDS= libonig.so:devel/oniguruma5
Keeping many onigurumaN ports is a mistake. All dependencies should be updated, and other ports should be deleted.
bug#220586 changes the dependency of textproc/jq
Assign to committer resolving.
Pending MFH (MFH: 2017Q3) not included in commit message (see comment 9).
A commit references this bug:

Author: tz
Date: Tue Jul 11 08:35:50 UTC 2017
New revision: 445474
URL: https://svnweb.freebsd.org/changeset/ports/445474

Log:
  MFH: r445350

  devel/oniguruma6: Update to 6.4.0 (security)

  - Security update to 6.4.0

  PR: 220438
  Security: b396cf6c-62e6-11e7-9def-b499baebfeaf
  Sponsored by: Essen DevSummit
  Approved by: ports-secteam (junovitch)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/devel/oniguruma6/Makefile
  branches/2017Q3/devel/oniguruma6/distinfo
Can you please check if this builds for you with the patch? I'm getting a build failure on 11.1 with the COMBEXPL option:
> /bin/sh ../libtool --tag=CC --mode=compile cc -DHAVE_CONFIG_H -I. -I.. -I/usr/local/include -Wall -O2 -fno-strict-aliasing -pipe -march=native -DIGNORE_EUC_JP -fstack-protector -MT regcomp.lo -MD -MP -MF .deps/regcomp.Tpo -c -o regcomp.lo regcomp.c
> libtool: compile: cc -DHAVE_CONFIG_H -I. -I.. -I/usr/local/include -Wall -O2 -fno-strict-aliasing -pipe -march=native -DIGNORE_EUC_JP -fstack-protector -MT regcomp.lo -MD -MP -MF .deps/regcomp.Tpo -c regcomp.c -fPIC -DPIC -o .libs/regcomp.o
> regcomp.c:3622:42: error: no member named 'regnum' in 'EnclosureNode'
>     if (env->curr_max_regnum < en->regnum)
>                                ~~  ^
> regcomp.c:3623:40: error: no member named 'regnum' in 'EnclosureNode'
>       env->curr_max_regnum = en->regnum;
>                              ~~  ^
> make[4]: stopped in /usr/ports/devel/oniguruma6/work/oniguruma-6.4.0/src
Created attachment 184671 [details] patch
Sorry, I missed this one. Please replace the patch. The only difference is:
> COMBEXPL_BROKEN= Build fails: https://github.com/kkos/oniguruma/issues/66
(In reply to Yuri Victorovich from comment #15)
I agree that port dependencies should be updated to oniguruma6. Does it make sense to file a bug against those ports (like php56, php70, php71 etc.) and request a change in dependency?
(In reply to m.bueker from comment #21)
It's best to delete all oniguruma ports except the last, rename oniguruma6 to just oniguruma, and switch all dependencies to it. Multiple onigurumaN ports have no meaning whatsoever.
(In reply to Yuri Victorovich from comment #22)
Mathieu has suggested basically the same thing here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220818#c7
> The problem that does not seem to be addressed is that
> oniguruma5 and 6 conflict with each other, as half the
> ports tree needs one and the other half the other, it
> is a real pain. What you should be working on is
> removing oniguruma5, not fixing it.
> (Or make it not conflict with oniguruma6)
So, how can we make this happen?
(In reply to Michael Bueker from comment #23)
> So, how can we make this happen?
1. Make sure all ports build with oniguruma6.
2. Write a message to the ports@ mailing list asking to delete oniguruma4 and oniguruma5, and to rename oniguruma6 to oniguruma. List all depending ports.
(In reply to Yuri Victorovich from comment #24)
These steps have now been completed, as per the discussion in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220818. This report can now be closed, as the next steps have been distilled into:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222867 to delete oniguruma4
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222868 to delete oniguruma5
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222869 to rename oniguruma6 to oniguruma