main/pcre: various security fixes

CVE-2015-3210 CVE-2015-3217 CVE-2015-5073 fixes #4291 fixes #4404 (cherry picked from commit 77345a923c72d9e8d0a4202d893239ba43b903a3)
author: Natanael Copa <ncopa@alpinelinux.org> 2015-07-07 13:39:52 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2015-07-07 13:43:11 +0000
commit: 1187799566cb8d6a53722bcb8a2bc5dafe23e80a (patch)
tree: a28c9993884468b29359dc80fe60d9a675acdd87
parent: 022d2bf36da9563c91afc2db5ba9f0ac2f93c775 (diff)
download: alpine_aports-1187799566cb8d6a53722bcb8a2bc5dafe23e80a.tar.bz2
alpine_aports-1187799566cb8d6a53722bcb8a2bc5dafe23e80a.tar.xz
alpine_aports-1187799566cb8d6a53722bcb8a2bc5dafe23e80a.zip
4 files changed, 178 insertions, 6 deletions
diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD
index ef1e7a2444..f188fcada2 100644
--- a/main/pcre/APKBUILD
+++ b/main/pcre/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=pcre
 pkgver=8.37
-pkgrel=0
+pkgrel=1
 pkgdesc="Perl-compatible regular expression library"
 url="http://pcre.sourceforge.net"
 arch="all"
@@ -9,6 +9,9 @@ license="BSD"
 depends=
 makedepends=""
 source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2
+        CVE-2015-3210.patch
+        CVE-2015-3217.patch
+        CVE-2015-5073.patch
        "
 subpackages="$pkgname-dev $pkgname-doc $pkgname-tools
        libpcrecpp libpcre16 libpcre32"
@@ -18,12 +21,12 @@ prepare() {
        cd "$_builddir"
        for i in $source; do
                case $i in
-                *.patch) patch -p1 -i "$srcdir"/$i || return 1;;
+                *.patch) msg $i;  patch -p1 -i "$srcdir"/$i || return 1;;
                esac
        done
 }
-build() { 
+build() {
        cd "$_builddir"
        ./configure \
                --build=$CBUILD \
@@ -73,6 +76,15 @@ tools() {
        mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
-md5sums="ed91be292cb01d21bc7e526816c26981  pcre-8.37.tar.bz2"
+md5sums="ed91be292cb01d21bc7e526816c26981  pcre-8.37.tar.bz2
-sha256sums="51679ea8006ce31379fb0860e46dd86665d864b5020fc9cd19e71260eef4789d  pcre-8.37.tar.bz2"
+7d59ff55389d5df2a000594d8aba2593  CVE-2015-3210.patch
-sha512sums="19344c9add2ebbd26c528505d07d3b028d79bc3e6103d51453a449cebd76bc76f5bc7ddd9ef0de41f98c50be74a2d9a65db539ed60f1add1086d99bde8a81466  pcre-8.37.tar.bz2"
+ebb29968952dae14ed8fde9cbb701619  CVE-2015-3217.patch
+d49dfd30eacbb5ce0e6e1a90144fa723  CVE-2015-5073.patch"
+sha256sums="51679ea8006ce31379fb0860e46dd86665d864b5020fc9cd19e71260eef4789d  pcre-8.37.tar.bz2
+a11c73e5bcd977bc331896326cf8e3c8a63ece9a7ab6c307522bc84466a04c09  CVE-2015-3210.patch
+47a162e734c9e2054f2ab2f8e78f1e9950338352c02020a11424a6176b06a53b  CVE-2015-3217.patch
+24ac18ca955a0961242ef71e565c2afa7b67209753f7043fc9a2405443558eeb  CVE-2015-5073.patch"
+sha512sums="19344c9add2ebbd26c528505d07d3b028d79bc3e6103d51453a449cebd76bc76f5bc7ddd9ef0de41f98c50be74a2d9a65db539ed60f1add1086d99bde8a81466  pcre-8.37.tar.bz2
+4705296239db0b04567f77ae15c68203b9e9be7f7294568cbff096a069ea53fcd8428eb187b1dd39e469d55318410052995782b94bfeb5837ba4a02c7466a31d  CVE-2015-3210.patch
+4eef9271b4fab53e3b69d4602c4f57086ec22ec69a1c12edfd391d0bfaf69a4bb5a190e3061871e86565c58e9da10ad72fa543f1c13d9c09d3c21f2c1c0dd9c6  CVE-2015-3217.patch
+5e7921d81e23a11df02648d90a7b4817e29e440662408a14b5c1dc4d227b217beecd788fa90ee4fddfaa47475badba78ce8f8521533bacf6a362e716ed6ad5b8  CVE-2015-5073.patch"
diff --git a/main/pcre/CVE-2015-3210.patch b/main/pcre/CVE-2015-3210.patch
new file mode 100644
index 0000000000..c97849fb70
--- /dev/null
+++ b/main/pcre/CVE-2015-3210.patch
@@ -0,0 +1,87 @@
+From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date: Fri, 15 May 2015 17:17:03 +0000
+Subject: [PATCH] Fix buffer overflow for named recursive back reference when
+ the name is duplicated.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Upstream commit ported to pcre-8.37:
+commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19
+Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date:   Fri May 15 17:17:03 2015 +0000
+    Fix buffer overflow for named recursive back reference when the name is
+    duplicated.
+    git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15
+This fixes CVE-2015-3210.
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ pcre_compile.c       | 16 ++++++++++++++--
+ testdata/testinput2  |  2 ++
+ testdata/testoutput2 |  2 ++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 0efad26..6f06912 100644
+--- a/pcre_compile.c
+++ b/pcre_compile.c
+@@ -7173,14 +7173,26 @@ for (;; ptr++)
+           number. If the name is not found, set the value to 0 for a forward
+           reference. */
+ 
+          recno = 0;
+           ng = cd->named_groups;
+           for (i = 0; i < cd->names_found; i++, ng++)
+             {
+             if (namelen == ng->length &&
+                 STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+-              break;
+              {
+              open_capitem *oc;
+              recno = ng->number;
+              if (is_recurse) break;
+              for (oc = cd->open_caps; oc != NULL; oc = oc->next)         
+                {          
+                if (oc->number == recno)                                     
+                  {               
+                  oc->flag = TRUE;                                      
+                  break;
+                  }                                                         
+                }                          
+              }    
+             }
+-          recno = (i < cd->names_found)? ng->number : 0;
+ 
+           /* Count named back references. */
+ 
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 58fe53b..83bb471 100644
+--- a/testdata/testinput2
+++ b/testdata/testinput2
+@@ -4152,4 +4152,6 @@ backtracking verbs. --/
+ 
+ /((?2){73}(?2))((?1))/
+ 
+"(?J)(?'d'(?'d'\g{d}))"
+
+ /-- End of testinput2 --/
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index b718df0..7dff52a 100644
+--- a/testdata/testoutput2
+++ b/testdata/testoutput2
+@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17
+ 
+ /((?2){73}(?2))((?1))/
+ 
+"(?J)(?'d'(?'d'\g{d}))"
+
+ /-- End of testinput2 --/
+-- 
+2.4.3
diff --git a/main/pcre/CVE-2015-3217.patch b/main/pcre/CVE-2015-3217.patch
new file mode 100644
index 0000000000..8e74a99dad
--- /dev/null
+++ b/main/pcre/CVE-2015-3217.patch
@@ -0,0 +1,59 @@
+https://bugs.exim.org/show_bug.cgi?id=1638
+Index: pcre_compile.c
+===================================================================
+--- a/pcre_compile.c    (revision 1558)
+++ b/pcre_compile.c    (revision 1562)
+@@ -1799,7 +1799,7 @@
+     case OP_ASSERTBACK:
+     case OP_ASSERTBACK_NOT:
+     do cc += GET(cc, 1); while (*cc == OP_ALT);
+-    cc += PRIV(OP_lengths)[*cc];
+    cc += 1 + LINK_SIZE;
+     break;
+ 
+     /* Skip over things that don't match chars */
+@@ -7187,15 +7187,15 @@
+               open_capitem *oc;
+               recno = ng->number;
+               if (is_recurse) break;
+-              for (oc = cd->open_caps; oc != NULL; oc = oc->next)         
+-                {          
+-                if (oc->number == recno)                                     
+-                  {               
+-                  oc->flag = TRUE;                                      
+              for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+                {
+                if (oc->number == recno)
+                  {
+                  oc->flag = TRUE;
+                   break;
+-                  }                                                         
+-                }                          
+-              }    
+                  }
+                }
+              }
+             }
+ 
+           /* Count named back references. */
+@@ -7207,6 +7207,19 @@
+           16-bit data item. */
+ 
+           *lengthptr += IMM2_SIZE;
+
+          /* If this is a forward reference and we are within a (?|...) group,
+          the reference may end up as the number of a group which we are
+          currently inside, that is, it could be a recursive reference. In the
+          real compile this will be picked up and the reference wrapped with
+          OP_ONCE to make it atomic, so we must space in case this occurs. */
+
+          /* In fact, this can happen for a non-forward reference because
+          another group with the same number might be created later. This
+          issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
+          only mode, we finesse the bug by allowing more memory always. */
+
+          /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
+           }
+ 
+         /* In the real compile, search the name table. We check the name
diff --git a/main/pcre/CVE-2015-5073.patch b/main/pcre/CVE-2015-5073.patch
new file mode 100644
index 0000000000..e6981ecb2c
--- /dev/null
+++ b/main/pcre/CVE-2015-5073.patch
@@ -0,0 +1,14 @@
+Index: pcre_compile.c
+===================================================================
+--- a/pcre_compile.c    (revision 1569)
+++ b/pcre_compile.c    (revision 1575)
+@@ -9449,7 +9449,7 @@
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+ 
+-if (cd->check_lookbehind)
+if (errorcode == 0 && cd->check_lookbehind)
+   {
+   pcre_uchar *cc = (pcre_uchar *)codestart;
+
author	Natanael Copa <ncopa@alpinelinux.org>	2015-07-07 13:39:52 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2015-07-07 13:43:11 +0000
commit	1187799566cb8d6a53722bcb8a2bc5dafe23e80a (patch)
tree	a28c9993884468b29359dc80fe60d9a675acdd87
parent	022d2bf36da9563c91afc2db5ba9f0ac2f93c775 (diff)
download	alpine_aports-1187799566cb8d6a53722bcb8a2bc5dafe23e80a.tar.bz2 alpine_aports-1187799566cb8d6a53722bcb8a2bc5dafe23e80a.tar.xz alpine_aports-1187799566cb8d6a53722bcb8a2bc5dafe23e80a.zip

diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD index ef1e7a2444..f188fcada2 100644 --- a/main/pcre/APKBUILD +++ b/main/pcre/APKBUILD
@@ -1,7 +1,7 @@
1	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>	1	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
2	pkgname=pcre	2	pkgname=pcre
3	pkgver=8.37	3	pkgver=8.37
4	pkgrel=0	4	pkgrel=1
5	pkgdesc="Perl-compatible regular expression library"	5	pkgdesc="Perl-compatible regular expression library"
6	url="http://pcre.sourceforge.net"	6	url="http://pcre.sourceforge.net"
7	arch="all"	7	arch="all"
@@ -9,6 +9,9 @@ license="BSD"
9	depends=	9	depends=
10	makedepends=""	10	makedepends=""
11	source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2	11	source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2
		12	CVE-2015-3210.patch
		13	CVE-2015-3217.patch
		14	CVE-2015-5073.patch
12	"	15	"
13	subpackages="$pkgname-dev $pkgname-doc $pkgname-tools	16	subpackages="$pkgname-dev $pkgname-doc $pkgname-tools
14	libpcrecpp libpcre16 libpcre32"	17	libpcrecpp libpcre16 libpcre32"
@@ -18,12 +21,12 @@ prepare() {
18	cd "$_builddir"	21	cd "$_builddir"
19	for i in $source; do	22	for i in $source; do
20	case $i in	23	case $i in
21	*.patch) patch -p1 -i "$srcdir"/$i \|\| return 1;;	24	*.patch) msg $i; patch -p1 -i "$srcdir"/$i \|\| return 1;;
22	esac	25	esac
23	done	26	done
24	}	27	}
25		28
26	build() {	29	build() {
27	cd "$_builddir"	30	cd "$_builddir"
28	./configure \	31	./configure \
29	--build=$CBUILD \	32	--build=$CBUILD \
@@ -73,6 +76,15 @@ tools() {
73	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/	76	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
74	}	77	}
75		78
76	md5sums="ed91be292cb01d21bc7e526816c26981 pcre-8.37.tar.bz2"	79	md5sums="ed91be292cb01d21bc7e526816c26981 pcre-8.37.tar.bz2
77	sha256sums="51679ea8006ce31379fb0860e46dd86665d864b5020fc9cd19e71260eef4789d pcre-8.37.tar.bz2"	80	7d59ff55389d5df2a000594d8aba2593 CVE-2015-3210.patch
78	sha512sums="19344c9add2ebbd26c528505d07d3b028d79bc3e6103d51453a449cebd76bc76f5bc7ddd9ef0de41f98c50be74a2d9a65db539ed60f1add1086d99bde8a81466 pcre-8.37.tar.bz2"	81	ebb29968952dae14ed8fde9cbb701619 CVE-2015-3217.patch
		82	d49dfd30eacbb5ce0e6e1a90144fa723 CVE-2015-5073.patch"
		83	sha256sums="51679ea8006ce31379fb0860e46dd86665d864b5020fc9cd19e71260eef4789d pcre-8.37.tar.bz2
		84	a11c73e5bcd977bc331896326cf8e3c8a63ece9a7ab6c307522bc84466a04c09 CVE-2015-3210.patch
		85	47a162e734c9e2054f2ab2f8e78f1e9950338352c02020a11424a6176b06a53b CVE-2015-3217.patch
		86	24ac18ca955a0961242ef71e565c2afa7b67209753f7043fc9a2405443558eeb CVE-2015-5073.patch"
		87	sha512sums="19344c9add2ebbd26c528505d07d3b028d79bc3e6103d51453a449cebd76bc76f5bc7ddd9ef0de41f98c50be74a2d9a65db539ed60f1add1086d99bde8a81466 pcre-8.37.tar.bz2
		88	4705296239db0b04567f77ae15c68203b9e9be7f7294568cbff096a069ea53fcd8428eb187b1dd39e469d55318410052995782b94bfeb5837ba4a02c7466a31d CVE-2015-3210.patch
		89	4eef9271b4fab53e3b69d4602c4f57086ec22ec69a1c12edfd391d0bfaf69a4bb5a190e3061871e86565c58e9da10ad72fa543f1c13d9c09d3c21f2c1c0dd9c6 CVE-2015-3217.patch
		90	5e7921d81e23a11df02648d90a7b4817e29e440662408a14b5c1dc4d227b217beecd788fa90ee4fddfaa47475badba78ce8f8521533bacf6a362e716ed6ad5b8 CVE-2015-5073.patch"


diff --git a/main/pcre/CVE-2015-3210.patch b/main/pcre/CVE-2015-3210.patch new file mode 100644 index 0000000000..c97849fb70 --- /dev/null +++ b/main/pcre/CVE-2015-3210.patch
@@ -0,0 +1,87 @@
		1	From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001
		2	From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
		3	Date: Fri, 15 May 2015 17:17:03 +0000
		4	Subject: [PATCH] Fix buffer overflow for named recursive back reference when
		5	the name is duplicated.
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	Upstream commit ported to pcre-8.37:
		11
		12	commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19
		13	Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
		14	Date: Fri May 15 17:17:03 2015 +0000
		15
		16	Fix buffer overflow for named recursive back reference when the name is
		17	duplicated.
		18
		19	git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15
		20
		21	This fixes CVE-2015-3210.
		22
		23	Signed-off-by: Petr Písař <ppisar@redhat.com>
		24	---
		25	pcre_compile.c \| 16 ++++++++++++++--
		26	testdata/testinput2 \| 2 ++
		27	testdata/testoutput2 \| 2 ++
		28	3 files changed, 18 insertions(+), 2 deletions(-)
		29
		30	diff --git a/pcre_compile.c b/pcre_compile.c
		31	index 0efad26..6f06912 100644
		32	--- a/pcre_compile.c
		33	+++ b/pcre_compile.c
		34	@@ -7173,14 +7173,26 @@ for (;; ptr++)
		35	number. If the name is not found, set the value to 0 for a forward
		36	reference. */
		37
		38	+ recno = 0;
		39	ng = cd->named_groups;
		40	for (i = 0; i < cd->names_found; i++, ng++)
		41	{
		42	if (namelen == ng->length &&
		43	STRNCMP_UC_UC(name, ng->name, namelen) == 0)
		44	- break;
		45	+ {
		46	+ open_capitem *oc;
		47	+ recno = ng->number;
		48	+ if (is_recurse) break;
		49	+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
		50	+ {
		51	+ if (oc->number == recno)
		52	+ {
		53	+ oc->flag = TRUE;
		54	+ break;
		55	+ }
		56	+ }
		57	+ }
		58	}
		59	- recno = (i < cd->names_found)? ng->number : 0;
		60
		61	/* Count named back references. */
		62
		63	diff --git a/testdata/testinput2 b/testdata/testinput2
		64	index 58fe53b..83bb471 100644
		65	--- a/testdata/testinput2
		66	+++ b/testdata/testinput2
		67	@@ -4152,4 +4152,6 @@ backtracking verbs. --/
		68
		69	/((?2){73}(?2))((?1))/
		70
		71	+"(?J)(?'d'(?'d'\g{d}))"
		72	+
		73	/-- End of testinput2 --/
		74	diff --git a/testdata/testoutput2 b/testdata/testoutput2
		75	index b718df0..7dff52a 100644
		76	--- a/testdata/testoutput2
		77	+++ b/testdata/testoutput2
		78	@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17
		79
		80	/((?2){73}(?2))((?1))/
		81
		82	+"(?J)(?'d'(?'d'\g{d}))"
		83	+
		84	/-- End of testinput2 --/
		85	--
		86	2.4.3
		87


diff --git a/main/pcre/CVE-2015-3217.patch b/main/pcre/CVE-2015-3217.patch new file mode 100644 index 0000000000..8e74a99dad --- /dev/null +++ b/main/pcre/CVE-2015-3217.patch
@@ -0,0 +1,59 @@
		1	https://bugs.exim.org/show_bug.cgi?id=1638
		2
		3	Index: pcre_compile.c
		4	===================================================================
		5	--- a/pcre_compile.c (revision 1558)
		6	+++ b/pcre_compile.c (revision 1562)
		7	@@ -1799,7 +1799,7 @@
		8	case OP_ASSERTBACK:
		9	case OP_ASSERTBACK_NOT:
		10	do cc += GET(cc, 1); while (*cc == OP_ALT);
		11	- cc += PRIV(OP_lengths)[*cc];
		12	+ cc += 1 + LINK_SIZE;
		13	break;
		14
		15	/* Skip over things that don't match chars */
		16	@@ -7187,15 +7187,15 @@
		17	open_capitem *oc;
		18	recno = ng->number;
		19	if (is_recurse) break;
		20	- for (oc = cd->open_caps; oc != NULL; oc = oc->next)
		21	- {
		22	- if (oc->number == recno)
		23	- {
		24	- oc->flag = TRUE;
		25	+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
		26	+ {
		27	+ if (oc->number == recno)
		28	+ {
		29	+ oc->flag = TRUE;
		30	break;
		31	- }
		32	- }
		33	- }
		34	+ }
		35	+ }
		36	+ }
		37	}
		38
		39	/* Count named back references. */
		40	@@ -7207,6 +7207,19 @@
		41	16-bit data item. */
		42
		43	*lengthptr += IMM2_SIZE;
		44	+
		45	+ /* If this is a forward reference and we are within a (?\|...) group,
		46	+ the reference may end up as the number of a group which we are
		47	+ currently inside, that is, it could be a recursive reference. In the
		48	+ real compile this will be picked up and the reference wrapped with
		49	+ OP_ONCE to make it atomic, so we must space in case this occurs. */
		50	+
		51	+ /* In fact, this can happen for a non-forward reference because
		52	+ another group with the same number might be created later. This
		53	+ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
		54	+ only mode, we finesse the bug by allowing more memory always. */
		55	+
		56	+ /* if (recno == 0) / lengthptr += 2 + 2*LINK_SIZE;
		57	}
		58
		59	/* In the real compile, search the name table. We check the name


diff --git a/main/pcre/CVE-2015-5073.patch b/main/pcre/CVE-2015-5073.patch new file mode 100644 index 0000000000..e6981ecb2c --- /dev/null +++ b/main/pcre/CVE-2015-5073.patch
@@ -0,0 +1,14 @@
		1	Index: pcre_compile.c
		2	===================================================================
		3	--- a/pcre_compile.c (revision 1569)
		4	+++ b/pcre_compile.c (revision 1575)
		5	@@ -9449,7 +9449,7 @@
		6	exceptional ones forgo this. We scan the pattern to check that they are fixed
		7	length, and set their lengths. */
		8
		9	-if (cd->check_lookbehind)
		10	+if (errorcode == 0 && cd->check_lookbehind)
		11	{
		12	pcre_uchar cc = (pcre_uchar )codestart;
		13
		14