Bug 220438 - devel/oniguruma6: Update to 6.4.0
Summary: devel/oniguruma6: Update to 6.4.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Some People
Assignee: Bernard Spil
Keywords: needs-qa, security
Depends on:
Reported: 2017-07-02 21:58 UTC by Yuri Victorovich
Modified: 2017-10-09 03:08 UTC (History)
7 users (show)

See Also:
bugzilla: maintainer-feedback? (rob)
koobs: merge-quarterly?

patch (1.22 KB, patch)
2017-07-02 21:58 UTC, Yuri Victorovich
no flags Details | Diff
patch (1.73 KB, patch)
2017-07-02 22:13 UTC, Yuri Victorovich
no flags Details | Diff
patch (1.82 KB, patch)
2017-07-02 22:18 UTC, Yuri Victorovich
no flags Details | Diff
patch (1.89 KB, patch)
2017-07-03 04:46 UTC, Yuri Victorovich
no flags Details | Diff
patch (1.17 KB, patch)
2017-07-08 22:53 UTC, Yuri Victorovich
no flags Details | Diff
patch (1.24 KB, patch)
2017-07-24 18:14 UTC, Yuri Victorovich
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Yuri Victorovich freebsd_committer 2017-07-02 21:58:24 UTC
Created attachment 184019 [details]
Comment 1 Yuri Victorovich freebsd_committer 2017-07-02 21:59:15 UTC
* Removed post-patch because it didn't match anything. This patch has been applied upstream.
Comment 2 Yuri Victorovich freebsd_committer 2017-07-02 22:13:25 UTC
Created attachment 184021 [details]

Added port options to reflect configure options:
COMBEXPL: Perform combination explosion check
CRNL: Enable CR+NL as line terminator
Comment 3 Yuri Victorovich freebsd_committer 2017-07-02 22:18:19 UTC
Created attachment 184022 [details]

* Moved USE_GITHUB after USES as per Porter's Handbook section 13.1.7. USES and USE_x
Comment 4 Yuri Victorovich freebsd_committer 2017-07-03 04:46:38 UTC
Created attachment 184026 [details]

* Updated to 6.4.0
* Ignoring testcases with the Japanese character set
Comment 5 Yuri Victorovich freebsd_committer 2017-07-03 05:02:06 UTC
Builds in poudriere.
Comment 6 Bernard Spil freebsd_committer 2017-07-07 10:01:33 UTC
This is now also security-relevant:

Security: b396cf6c-62e6-11e7-9def-b499baebfeaf

CVE Name 	CVE-2017-9224
CVE Name 	CVE-2017-9226
CVE Name 	CVE-2017-9227
CVE Name 	CVE-2017-9228
CVE Name 	CVE-2017-9228
Comment 7 Yuri Victorovich freebsd_committer 2017-07-07 15:48:15 UTC
CVE-2017-9225 is missing.
The last one must have been CVE-2017-9229.

The upstream bug report: https://github.com/kkos/oniguruma/issues/64
Comment 8 Yuri Victorovich freebsd_committer 2017-07-08 05:48:33 UTC
All those security issues are fixed in 6.4.0, see the current README on github.
Comment 9 commit-hook freebsd_committer 2017-07-08 22:44:26 UTC
A commit references this bug:

Author: brnrd
Date: Sat Jul  8 22:43:41 UTC 2017
New revision: 445350
URL: https://svnweb.freebsd.org/changeset/ports/445350

  devel/oniguruma6: Update to 6.4.0 (security)

   - Security update to 6.4.0

  PR:		220438
  Security:	b396cf6c-62e6-11e7-9def-b499baebfeaf
  Sponsored by:	Essen DevSummit

Comment 10 Bernard Spil freebsd_committer 2017-07-08 22:46:46 UTC
The 6.4.0 bits have now been committed to make sure the vulnerability is fixed. The other changes in the patch have not been committed yet, please regenerate the patch. Contact me on maintainer-timeout and I'll pull the trigger.
Comment 11 Yuri Victorovich freebsd_committer 2017-07-08 22:53:13 UTC
Created attachment 184195 [details]

Regenerated the patch.
Comment 12 Pierre Guinoiseau 2017-07-09 21:48:25 UTC
Any chance the fix could be backported to devel/oniguruma5? It's a dependency for many ports.
Comment 13 Yuri Victorovich freebsd_committer 2017-07-09 21:51:39 UTC
(In reply to Pierre Guinoiseau from comment #12)

Dependency on devel/oniguruma5 should be changed to devel/oniguruma6, unless there are build problems.

I found only these 4 dependencies:
> devel/libslang2/Makefile:ONIG_LIB_DEPENDS=	libonig.so:devel/oniguruma5
> lang/php71/Makefile.ext:LIB_DEPENDS+=	libonig.so:devel/oniguruma5
> lang/php70/Makefile.ext:LIB_DEPENDS+=	libonig.so:devel/oniguruma5
> mail/sylpheed/Makefile:ONIGURUMA_BUILD_DEPENDS=	${LOCALBASE}/lib/libonig.a:devel/oniguruma5
Comment 14 Pierre Guinoiseau 2017-07-09 22:08:31 UTC
There are 8 actually:
> devel/libslang2/Makefile:ONIG_LIB_DEPENDS=	libonig.so:devel/oniguruma5
> japanese/jd/Makefile:ONIGURUMA_LIB_DEPENDS=		libonig.so:devel/oniguruma5
> lang/mosh/Makefile:		libonig.so:devel/oniguruma5
> lang/php56/Makefile.ext:LIB_DEPENDS+=	libonig.so:devel/oniguruma5
> lang/php70/Makefile.ext:LIB_DEPENDS+=	libonig.so:devel/oniguruma5
> lang/php71/Makefile.ext:LIB_DEPENDS+=	libonig.so:devel/oniguruma5
> mail/sylpheed/Makefile:ONIGURUMA_LIB_DEPENDS=		libonig.so:devel/oniguruma5
> textproc/jq/Makefile:ONIGURUMA_LIB_DEPENDS=	libonig.so:devel/oniguruma5
Comment 15 Yuri Victorovich freebsd_committer 2017-07-09 22:15:50 UTC
Keeping many onigurumaN ports is a mistake. All dependencies should be updated, and  other ports should be deleted.
Comment 16 Yuri Victorovich freebsd_committer 2017-07-09 22:21:06 UTC
bug#220586 changes the dependency of textproc/jq
Comment 17 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-10 02:57:32 UTC
Assign to committer resolving.

Pending MFH (MFH: 2017Q3) not included in commit message (see comment 9)(In reply to Pierre Guinoiseau from comment #12)
Comment 18 commit-hook freebsd_committer 2017-07-11 08:36:21 UTC
A commit references this bug:

Author: tz
Date: Tue Jul 11 08:35:50 UTC 2017
New revision: 445474
URL: https://svnweb.freebsd.org/changeset/ports/445474

  MFH: r445350

  devel/oniguruma6: Update to 6.4.0 (security)

   - Security update to 6.4.0

  PR:		220438
  Security:	b396cf6c-62e6-11e7-9def-b499baebfeaf
  Sponsored by:	Essen DevSummit

  Approved by: 	ports-secteam (junovitch)

_U  branches/2017Q3/
Comment 19 Bernard Spil freebsd_committer 2017-07-24 17:27:58 UTC
Can you please check if this builds for you with the patch? I'm getting a build-failure on 11.1 with the COMBEXPL option

> /bin/sh ../libtool  --tag=CC    --mode=compile cc -DHAVE_CONFIG_H  -I.  -I.. -I/usr/local/include   -Wall -O2 -fno-strict-aliasing -pipe -march=native  -DIGNORE_EUC_JP -fstack-protector -MT regcomp.lo -MD -MP -MF .deps/regcomp.Tpo -c -o regcomp.lo regcomp.c
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I/usr/local/include -Wall -O2 -fno-strict-aliasing -pipe -march=native -DIGNORE_EUC_JP -fstack-protector -MT regcomp.lo -MD -MP -MF .deps/regcomp.Tpo -c regcomp.c  -fPIC -DPIC -o .libs/regcomp.o
> regcomp.c:3622:42: error: no member named 'regnum' in 'EnclosureNode'
>          if (env->curr_max_regnum < en->regnum)
>                                      ~~  ^
> regcomp.c:3623:40: error: no member named 'regnum' in 'EnclosureNode'
>             env->curr_max_regnum = en->regnum;
>                                    ~~  ^
> make[4]: stopped in /usr/ports/devel/oniguruma6/work/oniguruma-6.4.0/src
Comment 20 Yuri Victorovich freebsd_committer 2017-07-24 18:14:14 UTC
Created attachment 184671 [details]

Sotty, I missed this one. Please replace the patch.
The only difference is:

> COMBEXPL_BROKEN=        Build fails: https://github.com/kkos/oniguruma/issues/66
Comment 21 Michael Büker 2017-07-31 08:28:56 UTC
(In reply to Yuri Victorovich from comment #15)
I agree that port dependencies should be updated to oniguruma6. Does it make sense to file a bug against those ports (like php56, php70, php71 etc.) and request a change in dependency?
Comment 22 Yuri Victorovich freebsd_committer 2017-07-31 08:55:04 UTC
(In reply to m.bueker from comment #21)

It's best to delete all oniguruma ports except the last, rename oniguruma6 to just oniguruma, and switch all dependencies to it.

Multiple onigurumaN ports have no meaning whatsoever.
Comment 23 Michael Büker 2017-07-31 09:19:05 UTC
(In reply to Yuri Victorovich from comment #22)
Mathieu has suggested basically the same thing here:

> The problem that does not seem to be addressed is that
> oniguruma5 and 6 conflict with each other, as half the
> ports tree needs one and the other half the other, it
> is a real pain.  What you should be working on is
> removing oniguruma5, not fixing it.
> (Or make it not conflict with oniguruma6)

So, how can we make this happen?
Comment 24 Yuri Victorovich freebsd_committer 2017-07-31 15:15:02 UTC
(In reply to Michael Bueker from comment #23)

> So, how can we make this happen?

1. Make sure all ports build with oniguruma6
2. Write the message to the mailing list ports@ asking to delete oniguruma4,   oniguruma5, and to rename oniguruma6 to oniguruma. List all depending ports.
Comment 25 Michael Büker 2017-10-08 18:56:20 UTC
(In reply to Yuri Victorovich from comment #24)

These steps have now been completed, as per the discussion in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220818.

This report can now be closed, as the next steps have been distilled into:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222867 to delete oniguruma4
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222868 to delete oniguruma5
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222869 to rename oniguruma6 to oniguruma