author | Natanael Copa <ncopa@alpinelinux.org> | 2015-07-07 13:39:52 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-07-07 13:43:11 +0000 |
commit | 1187799566cb8d6a53722bcb8a2bc5dafe23e80a (patch) | |
tree | a28c9993884468b29359dc80fe60d9a675acdd87 | |
parent | 022d2bf36da9563c91afc2db5ba9f0ac2f93c775 (diff) | |
main/pcre: various security fixes
CVE-2015-3210
CVE-2015-3217
CVE-2015-5073
fixes #4291
fixes #4404
(cherry picked from commit 77345a923c72d9e8d0a4202d893239ba43b903a3)
-rw-r--r-- | main/pcre/APKBUILD | 24 | ||||
-rw-r--r-- | main/pcre/CVE-2015-3210.patch | 87 | ||||
-rw-r--r-- | main/pcre/CVE-2015-3217.patch | 59 | ||||
-rw-r--r-- | main/pcre/CVE-2015-5073.patch | 14 |
4 files changed, 178 insertions, 6 deletions
diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD index ef1e7a2444..f188fcada2 100644 --- a/main/pcre/APKBUILD +++ b/main/pcre/APKBUILD | |||
@@ -1,7 +1,7 @@ | |||
1 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> | 1 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> |
2 | pkgname=pcre | 2 | pkgname=pcre |
3 | pkgver=8.37 | 3 | pkgver=8.37 |
4 | pkgrel=0 | 4 | pkgrel=1 |
5 | pkgdesc="Perl-compatible regular expression library" | 5 | pkgdesc="Perl-compatible regular expression library" |
6 | url="http://pcre.sourceforge.net" | 6 | url="http://pcre.sourceforge.net" |
7 | arch="all" | 7 | arch="all" |
@@ -9,6 +9,9 @@ license="BSD" | |||
9 | depends= | 9 | depends= |
10 | makedepends="" | 10 | makedepends="" |
11 | source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2 | 11 | source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2 |
12 | CVE-2015-3210.patch | ||
13 | CVE-2015-3217.patch | ||
14 | CVE-2015-5073.patch | ||
12 | " | 15 | " |
13 | subpackages="$pkgname-dev $pkgname-doc $pkgname-tools | 16 | subpackages="$pkgname-dev $pkgname-doc $pkgname-tools |
14 | libpcrecpp libpcre16 libpcre32" | 17 | libpcrecpp libpcre16 libpcre32" |
@@ -18,12 +21,12 @@ prepare() { | |||
18 | cd "$_builddir" | 21 | cd "$_builddir" |
19 | for i in $source; do | 22 | for i in $source; do |
20 | case $i in | 23 | case $i in |
21 | *.patch) patch -p1 -i "$srcdir"/$i || return 1;; | 24 | *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; |
22 | esac | 25 | esac |
23 | done | 26 | done |
24 | } | 27 | } |
25 | 28 | ||
26 | build() { | 29 | build() { |
27 | cd "$_builddir" | 30 | cd "$_builddir" |
28 | ./configure \ | 31 | ./configure \ |
29 | --build=$CBUILD \ | 32 | --build=$CBUILD \ |
@@ -73,6 +76,15 @@ tools() { | |||
73 | mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ | 76 | mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ |
74 | } | 77 | } |
75 | 78 | ||
76 | md5sums="ed91be292cb01d21bc7e526816c26981 pcre-8.37.tar.bz2" | 79 | md5sums="ed91be292cb01d21bc7e526816c26981 pcre-8.37.tar.bz2 |
77 | sha256sums="51679ea8006ce31379fb0860e46dd86665d864b5020fc9cd19e71260eef4789d pcre-8.37.tar.bz2" | 80 | 7d59ff55389d5df2a000594d8aba2593 CVE-2015-3210.patch |
78 | sha512sums="19344c9add2ebbd26c528505d07d3b028d79bc3e6103d51453a449cebd76bc76f5bc7ddd9ef0de41f98c50be74a2d9a65db539ed60f1add1086d99bde8a81466 pcre-8.37.tar.bz2" | 81 | ebb29968952dae14ed8fde9cbb701619 CVE-2015-3217.patch |
82 | d49dfd30eacbb5ce0e6e1a90144fa723 CVE-2015-5073.patch" | ||
83 | sha256sums="51679ea8006ce31379fb0860e46dd86665d864b5020fc9cd19e71260eef4789d pcre-8.37.tar.bz2 | ||
84 | a11c73e5bcd977bc331896326cf8e3c8a63ece9a7ab6c307522bc84466a04c09 CVE-2015-3210.patch | ||
85 | 47a162e734c9e2054f2ab2f8e78f1e9950338352c02020a11424a6176b06a53b CVE-2015-3217.patch | ||
86 | 24ac18ca955a0961242ef71e565c2afa7b67209753f7043fc9a2405443558eeb CVE-2015-5073.patch" | ||
87 | sha512sums="19344c9add2ebbd26c528505d07d3b028d79bc3e6103d51453a449cebd76bc76f5bc7ddd9ef0de41f98c50be74a2d9a65db539ed60f1add1086d99bde8a81466 pcre-8.37.tar.bz2 | ||
88 | 4705296239db0b04567f77ae15c68203b9e9be7f7294568cbff096a069ea53fcd8428eb187b1dd39e469d55318410052995782b94bfeb5837ba4a02c7466a31d CVE-2015-3210.patch | ||
89 | 4eef9271b4fab53e3b69d4602c4f57086ec22ec69a1c12edfd391d0bfaf69a4bb5a190e3061871e86565c58e9da10ad72fa543f1c13d9c09d3c21f2c1c0dd9c6 CVE-2015-3217.patch | ||
90 | 5e7921d81e23a11df02648d90a7b4817e29e440662408a14b5c1dc4d227b217beecd788fa90ee4fddfaa47475badba78ce8f8521533bacf6a362e716ed6ad5b8 CVE-2015-5073.patch" | ||
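Review bot: The order of the three patch entries added to `source` is load-bearing, and nothing in the APKBUILD records that. prepare() applies every `*.patch` in `$source` order, and the second hunk of CVE-2015-3217.patch edits the `open_caps` loop that CVE-2015-3210.patch introduces, so reordering the entries would make `patch` fail. A comment above `source=` such as `# patch order matters: CVE-2015-3217.patch applies on top of CVE-2015-3210.patch` would document it. On the changed line in prepare(), `$i` is unquoted in both uses; `msg "$i"; patch -p1 -i "$srcdir/$i" || return 1;;` is the safer form. prepare() opens above the hunk.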
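--- /dev/null
+++ b/main/pcre/CVE-2015-3210.patch
@@ -0,0 +1,87 @@
+From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date: Fri, 15 May 2015 17:17:03 +0000
+Subject: [PATCH] Fix buffer overflow for named recursive back reference when
+the name is duplicated.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream commit ported to pcre-8.37:
+
+commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19
+Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date: Fri May 15 17:17:03 2015 +0000
+
+Fix buffer overflow for named recursive back reference when the name is
+duplicated.
+
+git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15
+
+This fixes CVE-2015-3210.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+pcre_compile.c | 16 ++++++++++++++--
+testdata/testinput2 | 2 ++
+testdata/testoutput2 | 2 ++
+3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 0efad26..6f06912 100644
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -7173,14 +7173,26 @@ for (;; ptr++)
+number. If the name is not found, set the value to 0 for a forward
+reference. */
+
++ recno = 0;
+ng = cd->named_groups;
+for (i = 0; i < cd->names_found; i++, ng++)
+{
+if (namelen == ng->length &&
+STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+- break;
++ {
++ open_capitem *oc;
++ recno = ng->number;
++ if (is_recurse) break;
++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++ {
++ if (oc->number == recno)
++ {
++ oc->flag = TRUE;
++ break;
++ }
++ }
++ }
+}
+- recno = (i < cd->names_found)? ng->number : 0;
+
+/* Count named back references. */
+
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 58fe53b..83bb471 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4152,4 +4152,6 @@ backtracking verbs. --/
+
+/((?2){73}(?2))((?1))/
+
++"(?J)(?'d'(?'d'\g{d}))"
++
+/-- End of testinput2 --/
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index b718df0..7dff52a 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17
+
+/((?2){73}(?2))((?1))/
+
++"(?J)(?'d'(?'d'\g{d}))"
++
+/-- End of testinput2 --/
+--
+2.4.3
+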
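Review bot: In the pcre_compile.c hunk the inner `break` leaves only the `oc` loop, so when `is_recurse` is false the outer scan over `cd->named_groups` keeps running and `recno` ends up as the number of the last group with a matching name, not the first. That looks intended for duplicated names, since each matching open group then gets `oc->flag = TRUE`, but the retained comment above the loop still describes a single lookup. I would add a comment before the loop, e.g. `/* With duplicate names, keep scanning so every open group of this name is flagged; recno is the last match. */`. The enclosing `for (;; ptr++)` body starts and ends outside the hunk.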
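--- /dev/null
+++ b/main/pcre/CVE-2015-3217.patch
@@ -0,0 +1,59 @@
+https://bugs.exim.org/show_bug.cgi?id=1638
+
+Index: pcre_compile.c
+===================================================================
+--- a/pcre_compile.c (revision 1558)
++++ b/pcre_compile.c (revision 1562)
+@@ -1799,7 +1799,7 @@
+case OP_ASSERTBACK:
+case OP_ASSERTBACK_NOT:
+do cc += GET(cc, 1); while (*cc == OP_ALT);
+- cc += PRIV(OP_lengths)[*cc];
++ cc += 1 + LINK_SIZE;
+break;
+
+/* Skip over things that don't match chars */
+@@ -7187,15 +7187,15 @@
+open_capitem *oc;
+recno = ng->number;
+if (is_recurse) break;
+- for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+- {
+- if (oc->number == recno)
+- {
+- oc->flag = TRUE;
++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++ {
++ if (oc->number == recno)
++ {
++ oc->flag = TRUE;
+break;
+- }
+- }
+- }
++ }
++ }
++ }
+}
+
+/* Count named back references. */
+@@ -7207,6 +7207,19 @@
+16-bit data item. */
+
+*lengthptr += IMM2_SIZE;
++
++ /* If this is a forward reference and we are within a (?|...) group,
++ the reference may end up as the number of a group which we are
++ currently inside, that is, it could be a recursive reference. In the
++ real compile this will be picked up and the reference wrapped with
++ OP_ONCE to make it atomic, so we must space in case this occurs. */
++
++ /* In fact, this can happen for a non-forward reference because
++ another group with the same number might be created later. This
++ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
++ only mode, we finesse the bug by allowing more memory always. */
++
++ /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
+}
+
+/* In the real compile, search the name table. We check the name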
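Review bot: The patch header gives only a bug URL, while the body is a diff between upstream revisions 1558 and 1562 that carries three separate changes: the `cc += 1 + LINK_SIZE;` skip after a lookbehind, a re-indent of the `open_caps` loop, and the unconditional `*lengthptr += 2 + 2*LINK_SIZE;`. Nothing in the file says which of these addresses CVE-2015-3217, so a later rebase cannot tell what is safe to drop. I would add a short header naming the upstream revisions and the hunk that carries the fix. The re-indent hunk appears to be whitespace-only (its removed and added lines read the same on this page) and could be dropped, since it only makes this patch depend on CVE-2015-3210.patch. The leftover `/* if (recno == 0) */` would read better as a sentence in the comment above it, e.g. `Reserve the space unconditionally, not only when recno == 0.`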
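--- /dev/null
+++ b/main/pcre/CVE-2015-5073.patch
@@ -0,0 +1,14 @@
+Index: pcre_compile.c
+===================================================================
+--- a/pcre_compile.c (revision 1569)
++++ b/pcre_compile.c (revision 1575)
+@@ -9449,7 +9449,7 @@
+exceptional ones forgo this. We scan the pattern to check that they are fixed
+length, and set their lengths. */
+
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+{
+pcre_uchar *cc = (pcre_uchar *)codestart;
+
+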
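Review bot: This patch file has no header at all: unlike CVE-2015-3210.patch, which carries the upstream commit message, it starts at `Index: pcre_compile.c`, and only the revision numbers 1569 and 1575 hint at its origin. A few lines at the top stating the upstream source and the reason for the guard would make the backport auditable. In the code, the retained comment above `if (errorcode == 0 && cd->check_lookbehind)` does not explain the new condition; something like `/* Only scan when compilation succeeded; after an error the compiled code may be incomplete. */` would help, assuming that is the reason for the guard. The `if` body continues outside the hunk.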