From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=qtLS8MGr;
 spf=pass (domain: linaro.org, ip: 209.85.221.68, mailfrom: leif.lindholm@linaro.org)
Received: from mail-wr1-f68.google.com (mail-wr1-f68.google.com [209.85.221.68])
 by groups.io with SMTP; Thu, 08 Aug 2019 07:51:51 -0700
Received: by mail-wr1-f68.google.com with SMTP id p17so95206140wrf.11
        for <devel@edk2.groups.io>; Thu, 08 Aug 2019 07:51:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=kYl7Kawzla5VUpwRSd88WTMtRcQR23PLAC9r8qs2oJ4=;
        b=qtLS8MGrmV2MHLfvjrKpWgQh9mVW7IfJD6hjM1K8YVPiTaZyIxKlqcGrTitk5bBW49
         aomP7QhrfzQRazx+KYuPjEYIUl/K3RyEphZudDxyEbKHYnKUJyiklXssijdxGKZNB3nc
         Ij1vGv7hd/PiYMuP0InzpjBMTqW99Gv/b/W48VtHGsA2omcPY2F4aK/+LAWV7Dt8Rxl3
         Mff2v8EPTYp20KbkjuPwjJzWlhSg5V10H9NSXD9kizm76ogkVCBBKbIDypaDZMWVELu7
         eJkiWxC1X7szD0KLrFrC+me1kMgfV6uAgLvhQddZ+J7L6XzM+vdb4K/C5V5CbVq6ul75
         smfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=kYl7Kawzla5VUpwRSd88WTMtRcQR23PLAC9r8qs2oJ4=;
        b=lu5iPvXSQ2Sn2p/STDUzt12i53bVOMnXOst/vSFO+2Rv/L4jxczrzCCf4JVXmKkjWB
         YFqCd7CFBjnI+Kw95OpBB0tTKCxXbJp2eS2BB1tBnq6n5TTcweoFnSeL5DCbjDorJ3z0
         5vjUB2/Ndykn6vfR1ZsRaP89/x03EXkrGReqtyPY/bPz0n0CxPLsNI6bsFKReevILG5a
         15H446hecMQOM8sytbe2p/v2zdl39oWF3qIKOIByJsQ/RzQ3BHsAOkMI4QcgpXd1aGfB
         e1wTZRvQeTya2kfgAV1rbLwC3zLkTbr8DAWTci5lOO5yXUUgchIQoVUy0k2V1AhV0w8r
         Rwbg==
X-Gm-Message-State: APjAAAWf4sD5OkD2JQKvfIgPsj9Evi7Oynu9cJ8ws8F2fk6NSI4cZYk6
	PwjX22SOPqc4xKK7APVM+5MbqA==
X-Google-Smtp-Source: APXvYqwEyw5CaOSMautHpu62klvSe+ZCP8f0CcPXxf2HrUGtWBWqkk8eCSC866PvYBiYjGpa3ZrutQ==
X-Received: by 2002:a05:6000:145:: with SMTP id r5mr17398250wrx.208.1565275909489;
        Thu, 08 Aug 2019 07:51:49 -0700 (PDT)
Return-Path: <leif.lindholm@linaro.org>
Received: from bivouac.eciton.net (bivouac.eciton.net. [2a00:1098:0:86:1000:23:0:2])
        by smtp.gmail.com with ESMTPSA id o20sm241275896wrh.8.2019.08.08.07.51.48
        (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
        Thu, 08 Aug 2019 07:51:48 -0700 (PDT)
Date: Thu, 8 Aug 2019 15:51:47 +0100
From: "Leif Lindholm" <leif.lindholm@linaro.org>
To: "Gao, Liming" <liming.gao@intel.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"Wang, Jian J" <jian.j.wang@intel.com>,
	"Wu, Hao A" <hao.a.wu@intel.com>,
	Cinnamon Shia <cinnamon.shia@hpe.com>,
	"afish@apple.com" <afish@apple.com>,
	"Laszlo Ersek (lersek@redhat.com)" <lersek@redhat.com>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>,
	"Cetola, Stephano" <stephano.cetola@intel.com>
Subject: Re: [edk2-devel] [Patch] MdeModulePkg RegularExpressionDxe: Update Oniguruma from v6.9.0 to v6.9.3
Message-ID: <20190808145147.GB25813@bivouac.eciton.net>
References: <15B8F5E6C2C74026.10163@groups.io>
 <4A89E2EF3DFEDB4C8BFDE51014F606A14E4CCE86@SHSMSX104.ccr.corp.intel.com>
MIME-Version: 1.0
In-Reply-To: <4A89E2EF3DFEDB4C8BFDE51014F606A14E4CCE86@SHSMSX104.ccr.corp.intel.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Aug 08, 2019 at 01:52:36PM +0000, Gao, Liming wrote:
> Hi, all
>   This patch is big. I upload it into https://github.com/lgao4/edk2/tree/Oniguruma6.9.3 for your review. 
> 
> Hi, Stewards:
>    Oniguruma version v6.9.3 is released for security fix. So, I plan to include this update for 201908 stable tag. If you have any comments, please let me know. 

This version was only released 3 days ago, so I am OK with it being
included. (If this had been posted as an update to 6.9.2, I would have
questioned why it was being brought in so late in the cycle.)

Do we have confidence that we can achieve substantial testing before
the stable tag?

Is it feasible to convert this to a git submodule for future updates?

Best Regards,

Leif

> Thanks
> Liming
> >-----Original Message-----
> >From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of
> >Liming Gao
> >Sent: Thursday, August 08, 2019 9:31 PM
> >To: devel@edk2.groups.io
> >Cc: Wang, Jian J <jian.j.wang@intel.com>; Wu, Hao A <hao.a.wu@intel.com>;
> >Cinnamon Shia <cinnamon.shia@hpe.com>
> >Subject: [edk2-devel] [Patch] MdeModulePkg RegularExpressionDxe: Update
> >Oniguruma from v6.9.0 to v6.9.3
> >
> >BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2066
> >Update Oniguruma to the latest version v6.9.3.
> >Oniguruma https://github.com/kkos/oniguruma
> >This release is the security fix release. It includes the changes:
> >Fixed CVE-2019-13224
> >Fixed CVE-2019-13225
> >Fixed many problems (found by libfuzzer programs)
> >
> >Verify VS2015, GCC5 build.
> >Verify RegularExpressionProtocol GetInfo() and Match() function.
> >
> >Cc: Jian J Wang <jian.j.wang@intel.com>
> >Cc: Hao A Wu <hao.a.wu@intel.com>
> >Cc: Cinnamon Shia <cinnamon.shia@hpe.com>
> >Signed-off-by: Liming Gao <liming.gao@intel.com>
> >---
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/ascii.c
> >|    2 +-
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regcomp.c
> >| 2433 +++++++++++--------
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regenc.c
> >|   82 +-
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regerror.c
> >|   63 +-
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regexec.c
> >| 2672 +++++++++++----------
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/reggnu.c
> >|   22 +-
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c
> >|  702 +++---
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regposerr.c
> >|   12 +-
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regposix.c
> >|   16 +-
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regsyntax.c
> >|   12 +-
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/unicode.c
> >|  289 ++-
> >
> >MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/unicode_egcb
> >_data.c           |   31 +-
> >
> >MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/unicode_fold1
> >_key.c           | 2689 ++++++++++-----------
> >
> >MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/unicode_fold2
> >_key.c           |    4 +-
> >
> >MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/unicode_fold3
> >_key.c           |    4 +-
> >
> >MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/unicode_fold_
> >data.c           | 2256 +++++++++---------
> >
> >MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/unicode_prop
> >erty_data.c       | 8545 +++++++++++++++++++++++++++++++++++------------
> >--------------------
> >
> >MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/unicode_prop
> >erty_data_posix.c |  410 ++--
> >
> >MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/unicode_unfol
> >d_key.c          | 3253 +++++++++++++-------------
> >
> >MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/unicode_wb_d
> >ata.c             | 1023 ++++++++
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/utf16_le.c
> >|   36 +-
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/oniguruma.h
> >|   21 +-
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regenc.h
> >|   23 +-
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regint.h
> >|  438 ++--
> > MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.h
> >|  313 ++-
> > 25 files changed, 14055 insertions(+), 11296 deletions(-)
> >
> 
>