fix CVE-2025-2588

(cherry picked from commit 373284f7b6e7df53ae58192fdc544a9fe6faffe2)
2025-04-03 08:26:18 +00:00 · 2025-04-03 08:26:18 +00:00 · a1e0136e5d
commit a1e0136e5d
parent b62b12860f
2 changed files with 81 additions and 1 deletions
--- a/augeas.spec
+++ b/augeas.spec
@ -1,6 +1,6 @@
 Name:               augeas
 Version:            1.14.1
-Release:            1
+Release:            2
 Summary:            Augeas is a configuration editing tool for changing configuration files
 License:            LGPLv2+
 URL:                https://augeas.net/
@ -14,6 +14,7 @@ Obsoletes:          augeas-libs < %{version}-%{release}
 Patch0001: 	    avoid-NULL-pointer-dereference-in-function-re_case_expand.patch
 Patch6000:	    backport-revert-add-else-operator-to-augeas-path-filter-expressions.patch
 Patch6001:	    backport-CVE-2025-2588.patch
 %if "0%{?product_family}" != "0"
 Patch9000:          decrease-HASHCOUNT_T_MAX-to-avoid-the-OOM-during-the-Fuzz-test.patch
 %endif
@ -104,6 +105,9 @@ make check
 %doc %{_datadir}/bash-completion/completions/aug*
 %changelog
 * Thu Apr 03 2025 zhangpan <zhangpan103@h-partners.com> - 1.14.1-2
 - fix CVE-2025-2588
 * Thu Dec 28 2023 Paul Thomas <paulthomas100199@gmail.com> - 1.14.1-1
 - update to version 1.14.1
--- a/backport-CVE-2025-2588.patch
+++ b/backport-CVE-2025-2588.patch
@ -0,0 +1,76 @@
 From af2aa88ab37fc48167d8c5e43b1770a4ba2ff403 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abbra@users.noreply.github.com>
 Date: Sun, 30 Mar 2025 12:27:04 +0300
 Subject: [PATCH] CVE-2025-2588: return _REG_ENOSYS if no specific error was
 set yet parse_regexp failed (#854)
 parse_regexp() supposed to set an error on the parser state in case of a
 failure. If no specific error was set, return _REG_ENOSYS to indicate a
 generic failure.
 Fixes: https://github.com/hercules-team/augeas/issues/671
 Fixes: https://github.com/hercules-team/augeas/issues/778
 Fixes: https://github.com/hercules-team/augeas/issues/852
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 Reference:https://github.com/hercules-team/augeas/commit/af2aa88ab37fc48167d8c5e43b1770a4ba2ff403
 Conflict:NA
 ---
 src/fa.c       | 2 ++
 src/fa.h       | 3 ++-
 tests/fatest.c | 6 ++++++
 3 files changed, 10 insertions(+), 1 deletion(-)
 diff --git a/src/fa.c b/src/fa.c
 index 66ac70784..4de5675b9 100644
 --- a/src/fa.c
 +++ b/src/fa.c
@@ -3550,6 +3550,8 @@ static struct re *parse_regexp(struct re_parse *parse) {
     return re;
  error:
 +    if (re == NULL && parse->error == REG_NOERROR)
 +        parse->error = _REG_ENOSYS;
     re_unref(re);
     return NULL;
 }
 diff --git a/src/fa.h b/src/fa.h
 index 1fd754ad0..89c9b17e9 100644
 --- a/src/fa.h
 +++ b/src/fa.h
@@ -81,7 +81,8 @@ extern int fa_minimization_algorithm;
  *
  * On success, FA points to the newly allocated automaton constructed for
  * RE, and the function returns REG_NOERROR. Otherwise, FA is NULL, and the
 - * return value indicates the error.
 + * return value indicates the error. Special value _REG_ENOSYS indicates
 + * fa_compile() couldn't identify the syntax issue with regexp.
  *
  * The FA is case sensitive. Call FA_NOCASE to switch it to
  * case-insensitive.
 diff --git a/tests/fatest.c b/tests/fatest.c
 index 0c9ca7696..6717af8f4 100644
 --- a/tests/fatest.c
 +++ b/tests/fatest.c
@@ -589,6 +589,7 @@ static void testExpandNoCase(CuTest *tc) {
     const char *p1 = "aB";
     const char *p2 = "[a-cUV]";
     const char *p3 = "[^a-z]";
 +    const char *wrong_regexp = "{&.{";
     char *s;
     size_t len;
     int r;
@@ -607,6 +608,11 @@ static void testExpandNoCase(CuTest *tc) {
     CuAssertIntEquals(tc, 0, r);
     CuAssertStrEquals(tc, "[^A-Za-z]", s);
     free(s);
 +
 +    /* Test that fa_expand_nocase does return _REG_ENOSYS */
 +    r = fa_expand_nocase(wrong_regexp, strlen(wrong_regexp), &s, &len);
 +    CuAssertIntEquals(tc, _REG_ENOSYS, r);
 +    free(s);
 }
 static void testNoCaseComplement(CuTest *tc) {