Bug 240368 - devel/oniguruma: Update to 6.9.3 (Fixes CVE-2019-13224)
Summary: devel/oniguruma: Update to 6.9.3 (Fixes CVE-2019-13224)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Matthias Andree
URL: https://github.com/kkos/oniguruma/rel...
Keywords: needs-qa, security
Depends on:
Blocks:
 
Reported: 2019-09-06 14:28 UTC by Pascal Christen
Modified: 2019-09-07 21:08 UTC (History)
2 users (show)

See Also:
yuri: maintainer-feedback+
mandree: merge-quarterly+


Attachments
Patch for update (800 bytes, patch)
2019-09-06 14:28 UTC, Pascal Christen
yuri: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Pascal Christen 2019-09-06 14:28:37 UTC
Fixed CVE-2019-13224
    Fixed CVE-2019-13225
    Fixed many problems (found by libfuzzer programs)

https://github.com/kkos/oniguruma/releases/tag/v6.9.3
Comment 1 Pascal Christen 2019-09-06 14:28:57 UTC
Created attachment 207238 [details]
Patch for update
Comment 2 Pascal Christen 2019-09-06 14:59:05 UTC
Maybe it would make sense to bump revison of php7[1-3]-mbstring because it is affected....
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-06 15:16:14 UTC
Thank you for the report and patch Pascal
Comment 4 Yuri Victorovich freebsd_committer 2019-09-06 15:26:07 UTC
Thanks for your patch, Pascal.

I am super busy during the day. Since this is a security patch I've set the approval flag. Let some available committer commit it faster, if they have a chance.

Thanks again,
Yuri
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-06 15:33:32 UTC
^triage: Reset assignee, open to take. 

Yuri may re-assign himself when he becomes available
Comment 6 Matthias Andree freebsd_committer 2019-09-07 13:09:41 UTC
Grab
Comment 7 commit-hook freebsd_committer 2019-09-07 14:41:50 UTC
A commit references this bug:

Author: mandree
Date: Sat Sep  7 14:41:17 UTC 2019
New revision: 511409
URL: https://svnweb.freebsd.org/changeset/ports/511409

Log:
  Security update to 6.9.3

  PR:		240368
  Submitted by:	pascal.christen@hostpoint.ch
  Approved by:	yuri@ (maintainer)
  MFH:		2019Q3
  Security:	CVE-2019-13224
  Security:	CVE-2019-13225

Changes:
  head/devel/oniguruma/Makefile
  head/devel/oniguruma/distinfo
Comment 8 Matthias Andree freebsd_committer 2019-09-07 14:48:42 UTC
I have also requested MFH permission.

Who'll write the vuln.xml entries?
Comment 9 commit-hook freebsd_committer 2019-09-07 20:53:23 UTC
A commit references this bug:

Author: mandree
Date: Sat Sep  7 20:52:37 UTC 2019
New revision: 511422
URL: https://svnweb.freebsd.org/changeset/ports/511422

Log:
  MFH: r511409

  Security update to 6.9.3

  PR:		240368
  Submitted by:	pascal.christen@hostpoint.ch
  Approved by:	yuri@ (maintainer)
  Security:	CVE-2019-13224
  Security:	CVE-2019-13225

  Approved by:	ports-secteam (riggs)

Changes:
_U  branches/2019Q3/
  branches/2019Q3/devel/oniguruma/Makefile
  branches/2019Q3/devel/oniguruma/distinfo
Comment 10 commit-hook freebsd_committer 2019-09-07 21:08:26 UTC
A commit references this bug:

Author: mandree
Date: Sat Sep  7 21:07:45 UTC 2019
New revision: 511427
URL: https://svnweb.freebsd.org/changeset/ports/511427

Log:
  Document devel/oniguruma < 6.9.3 vulnerabilities.

  PR:		240368
  Reported by:	Pascal Christen
  Obtained from:	MITRE
  Security:	a8d87c7a-d1b1-11e9-a616-0992a4564e7c
  Security:	CVE-2019-13224
  Security:	CVE-2019-13225

Changes:
  head/security/vuxml/vuln.xml