diff --git a/augeas.spec b/augeas.spec index 7203a2b386f6ba0a93e30ee37ccac80c26c0d9a7..4e8890f1ed93d5d48fec7a43d4c8d8bf0011c56e 100644 --- a/augeas.spec +++ b/augeas.spec @@ -1,6 +1,6 @@ Name: augeas Version: 1.14.1 -Release: 1 +Release: 2 Summary: Augeas is a configuration editing tool for changing configuration files License: LGPLv2+ URL: https://augeas.net/ @@ -14,6 +14,7 @@ Obsoletes: augeas-libs < %{version}-%{release} Patch0001: avoid-NULL-pointer-dereference-in-function-re_case_expand.patch Patch6000: backport-revert-add-else-operator-to-augeas-path-filter-expressions.patch +Patch6001: backport-CVE-2025-2588.patch %if "0%{?product_family}" != "0" Patch9000: decrease-HASHCOUNT_T_MAX-to-avoid-the-OOM-during-the-Fuzz-test.patch %endif @@ -104,6 +105,9 @@ make check %doc %{_datadir}/bash-completion/completions/aug* %changelog +* Thu Apr 03 2025 zhangpan - 1.14.1-2 +- fix CVE-2025-2588 + * Thu Dec 28 2023 Paul Thomas - 1.14.1-1 - update to version 1.14.1 diff --git a/backport-CVE-2025-2588.patch b/backport-CVE-2025-2588.patch new file mode 100644 index 0000000000000000000000000000000000000000..6e31b3a5169544ee3ffb5e7dd3c2730cd65a3830 --- /dev/null +++ b/backport-CVE-2025-2588.patch @@ -0,0 +1,76 @@ +From af2aa88ab37fc48167d8c5e43b1770a4ba2ff403 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 30 Mar 2025 12:27:04 +0300 +Subject: [PATCH] CVE-2025-2588: return _REG_ENOSYS if no specific error was + set yet parse_regexp failed (#854) + +parse_regexp() supposed to set an error on the parser state in case of a +failure. If no specific error was set, return _REG_ENOSYS to indicate a +generic failure. + +Fixes: https://github.com/hercules-team/augeas/issues/671 +Fixes: https://github.com/hercules-team/augeas/issues/778 +Fixes: https://github.com/hercules-team/augeas/issues/852 + +Signed-off-by: Alexander Bokovoy + +Reference:https://github.com/hercules-team/augeas/commit/af2aa88ab37fc48167d8c5e43b1770a4ba2ff403 +Conflict:NA + +--- + src/fa.c | 2 ++ + src/fa.h | 3 ++- + tests/fatest.c | 6 ++++++ + 3 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/fa.c b/src/fa.c +index 66ac70784..4de5675b9 100644 +--- a/src/fa.c ++++ b/src/fa.c +@@ -3550,6 +3550,8 @@ static struct re *parse_regexp(struct re_parse *parse) { + return re; + + error: ++ if (re == NULL && parse->error == REG_NOERROR) ++ parse->error = _REG_ENOSYS; + re_unref(re); + return NULL; + } +diff --git a/src/fa.h b/src/fa.h +index 1fd754ad0..89c9b17e9 100644 +--- a/src/fa.h ++++ b/src/fa.h +@@ -81,7 +81,8 @@ extern int fa_minimization_algorithm; + * + * On success, FA points to the newly allocated automaton constructed for + * RE, and the function returns REG_NOERROR. Otherwise, FA is NULL, and the +- * return value indicates the error. ++ * return value indicates the error. Special value _REG_ENOSYS indicates ++ * fa_compile() couldn't identify the syntax issue with regexp. + * + * The FA is case sensitive. Call FA_NOCASE to switch it to + * case-insensitive. +diff --git a/tests/fatest.c b/tests/fatest.c +index 0c9ca7696..6717af8f4 100644 +--- a/tests/fatest.c ++++ b/tests/fatest.c +@@ -589,6 +589,7 @@ static void testExpandNoCase(CuTest *tc) { + const char *p1 = "aB"; + const char *p2 = "[a-cUV]"; + const char *p3 = "[^a-z]"; ++ const char *wrong_regexp = "{&.{"; + char *s; + size_t len; + int r; +@@ -607,6 +608,11 @@ static void testExpandNoCase(CuTest *tc) { + CuAssertIntEquals(tc, 0, r); + CuAssertStrEquals(tc, "[^A-Za-z]", s); + free(s); ++ ++ /* Test that fa_expand_nocase does return _REG_ENOSYS */ ++ r = fa_expand_nocase(wrong_regexp, strlen(wrong_regexp), &s, &len); ++ CuAssertIntEquals(tc, _REG_ENOSYS, r); ++ free(s); + } + + static void testNoCaseComplement(CuTest *tc) {