Bug 220818 - devel/oniguruma5: Fix multiple vulnerabilities in 5.9.6_p1
Summary: devel/oniguruma5: Fix multiple vulnerabilities in 5.9.6_p1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Only Me
Assignee: freebsd-ports-bugs mailing list
Reported: 2017-07-18 05:41 UTC by takefu
Modified: 2017-11-26 20:46 UTC

Flags:
bugzilla: maintainer-feedback? (rob)
koobs: merge-quarterly?


Attachments
oniguruma5-5.9.6_2.patch (5.44 KB, patch)
2017-07-18 05:41 UTC, takefu
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-18 13:24:50 UTC
Are these patches from upstream? If so, please add comments to the header of those patches referencing links to the upstream commits/bugs, if that information is available.

Note: The existing VuXML entry (for package: oniguruma5) will need to be updated to reflect which package version is/is not vulnerable (i.e. 5.9.6_p1, as provided in this patch).
Comment 2 takefu 2017-07-20 07:41:11 UTC
(In reply to Kubilay Kocak from comment #1)

I modified the published patch by hand and applied it to 5.9.6_p1.
I think there is also a vulnerability in 5.9.6_p1 before patch preparation, but it has not yet been investigated.
I do not have the environment to test a series of vulnerabilities.
Comment 3 dnewman 2017-07-22 00:15:37 UTC
I have been watching since the oniguruma5 vulnerability was posted. There is no sign of upgrade maintenance of oniguruma5.

Would it make more sense to change dependencies to oniguruma6, which already has been patched?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220438

Thanks.
Comment 4 takefu 2017-07-24 00:33:29 UTC
(In reply to dnewman from comment #3)

I am not sure if the change to a dependency on oniguruma6 is appropriate.
However, in my environment there is no problem with oniguruma6.
Therefore, I think that the change itself has no effect.

The patch I submitted this time was made for hackers where the dependency on oniguruma5 remains.
Comment 5 dnewman 2017-07-25 17:52:16 UTC
(In reply to takefu from comment #4)
OK, thanks. I'm OK with patching oniguruma5 as well, since other ports/packages may depend on it.

In comment 1 on this thread, Kubilay Kocak asked for some revisions to the patch before proceeding. Are those changes you are able to make? Many thanks!
Comment 6 Michael Bueker 2017-07-31 08:25:22 UTC
(In reply to dnewman from comment #5)
Those modifications are just referencing the GitHub diffs linked by takefu in the patch files.

So, the top lines of patch-regexec.c should read:
Patches taken from
https://github.com/kkos/oniguruma/commit/690313a061f7a4fa614ec5cc8368b4f2284e059b
and
https://github.com/kkos/oniguruma/commit/9690d3ab1f9bcd2db8cbe1fe3ee4a5da606b8814

While the top lines from patch-regparse.c should read:
Patches taken from
https://github.com/kkos/oniguruma/commit/3b63d12038c8d8fc278e81c942fa9bec7c704c8b
and
https://github.com/kkos/oniguruma/commit/f015fbdd95f76438cd86366467bb2b39870dd7c6
and
https://github.com/kkos/oniguruma/commit/b4bf968ad52afe14e60a2dc8a95d3555c543353a

With the port patched, there's only the matter of the VuXML entry left.
Comment 7 Mathieu Arnold freebsd_committer 2017-07-31 09:08:21 UTC
The problem that does not seem to be addressed is that oniguruma5 and 6 conflict with each other; as half the ports tree needs one and the other half the other, it is a real pain. What you should be working on is removing oniguruma5, not fixing it. (Or make it not conflict with oniguruma6.)
Comment 8 Michael Bueker 2017-07-31 09:16:54 UTC
(In reply to Mathieu Arnold from comment #7)
Actually, that's exactly what Yuri says, who's working on oniguruma 6:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220438#c22
> It's best to delete all oniguruma ports except the last, rename
> oniguruma6 to just oniguruma, and switch all dependencies to it.
> 
> Multiple onigurumaN ports have no meaning whatsoever.

How do we move on from here to build consensus on this?
Comment 9 Mathieu Arnold freebsd_committer 2017-07-31 13:23:37 UTC
I have no idea. My point is that the current situation is bad.

There should either be only one oniguruma port, or if there are more than one, they should be able to live in harmony and not conflict.

It may be easier to have only one, yes.
Comment 10 dnewman 2017-07-31 20:08:36 UTC
(In reply to Mathieu Arnold from comment #9)

I concur -- this would be simpler with one current version of oniguruma. That is not the situation we have now.

See also these other efforts to move to oniguruma6:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220809

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220438

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220586

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220598

While I very much appreciate takefu's effort to fix oniguruma5, I believe it would be cleaner to consolidate all this work and just support the (security-patched) release of oniguruma (currently version 6).
Comment 11 Kurt Jaeger freebsd_committer 2017-08-13 13:15:44 UTC
For a patch o5 -> o6 to mail/sylpheed see

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221471
Comment 12 Kurt Jaeger freebsd_committer 2017-08-13 20:02:36 UTC
There's one more port that depends on o5:

japanese/jd

That port is marked BROKEN right now, so testing looks difficult.
Comment 13 Kurt Jaeger freebsd_committer 2017-10-08 17:13:26 UTC
The last port that required o5 was obsolete and deleted.
Comment 14 Michael Bueker 2017-10-08 17:43:28 UTC
(In reply to Kurt Jaeger from comment #13)

From the linked ticket #220438 and the information on freshports.org, it seems that lang/mosh still depends on o5.

If and when that is fixed, I suggest closing this ticket and opening one to delete the oniguruma5 port entirely.
Comment 15 Michael Bueker 2017-10-08 18:54:51 UTC
(In reply to Michael Bueker from comment #14)

Kurt has fixed the last remaining dependency. This report can now be closed, as the results of the discussion have been distilled into:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222867 to delete oniguruma4
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222868 to delete oniguruma5
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222869 to rename oniguruma6 to oniguruma
Comment 16 takefu 2017-10-10 01:26:20 UTC
(In reply to Michael Bueker from comment #15)

Thanks everyone.