authorNatanael Copa <ncopa@alpinelinux.org>2015-01-25 10:30:30 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-01-25 10:30:30 +0000
commit656ff36b75f24b7f58cdc79362a8a975460fb1db (patch)
tree1474edfe462f0f0783cf13359f7f873e4fe2a384
parent655d521104ae64806748d619c3e3394c4974aa55 (diff)
main/pcre: security fix for CVE-2014-8964
ref #3731
-rw-r--r--main/pcre/APKBUILD15
-rw-r--r--main/pcre/CVE-2014-8964.patch68
2 files changed, 78 insertions, 5 deletions
diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD
index f50b316237..3b7de6cc58 100644
--- a/main/pcre/APKBUILD
+++ b/main/pcre/APKBUILD
@@ -1,14 +1,16 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=pcre
pkgver=8.36
-pkgrel=0
+pkgrel=1
pkgdesc="Perl-compatible regular expression library"
url="http://pcre.sourceforge.net"
arch="all"
license="BSD"
depends=
makedepends=""
-source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2"
+source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2
+ CVE-2014-8964.patch
+ "
subpackages="$pkgname-dev $pkgname-doc $pkgname-tools
libpcrecpp libpcre16 libpcre32"
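Review bot: Adding `CVE-2014-8964.patch` to `source` only gets the file fetched and checksummed; the hunk does not show the step that applies it. The APKBUILD lines between the two hunks are not visible, so confirm that the package's prepare step (its own, or the build tool's default) runs the patch at strip level 1, since the patch uses `a/pcre_exec.c` and `b/pcre_exec.c` paths. A security fix that is shipped but never applied would still bump `pkgrel=1` and look resolved. A one-line comment above `source`, such as `# CVE-2014-8964.patch: upstream r1513, applied in prepare()`, would make that link explicit.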
@@ -72,6 +74,9 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-md5sums="b767bc9af0c20bc9c1fe403b0d41ad97 pcre-8.36.tar.bz2"
-sha256sums="ef833457de0c40e82f573e34528f43a751ff20257ad0e86d272ed5637eb845bb pcre-8.36.tar.bz2"
-sha512sums="acd2bc6911be7b518ad4aca3c3ccbe98bdbeabf0e77d6b04009838c7825b563a001377f8c3a6a8a0583ec32ee9fefe05e3c1a69f272fe5084469a6b6c2148fbf pcre-8.36.tar.bz2"
+md5sums="b767bc9af0c20bc9c1fe403b0d41ad97 pcre-8.36.tar.bz2
+b12d6e88e250a051348aef84b3ab3cc6 CVE-2014-8964.patch"
+sha256sums="ef833457de0c40e82f573e34528f43a751ff20257ad0e86d272ed5637eb845bb pcre-8.36.tar.bz2
+20831da29fbc9aa4389bca0c3970090df453ef2205ff44dbb723e928e642dbde CVE-2014-8964.patch"
+sha512sums="acd2bc6911be7b518ad4aca3c3ccbe98bdbeabf0e77d6b04009838c7825b563a001377f8c3a6a8a0583ec32ee9fefe05e3c1a69f272fe5084469a6b6c2148fbf pcre-8.36.tar.bz2
+2e5503732f9f325ab3e038dc66dada8eeade4607253b52fb3db326efdd320044d0546a5d4d4b7eb80857e8c3de28b3564714e67feeab23b2ed52422bc7f5de85 CVE-2014-8964.patch"
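Review bot: The new `md5sums` line for `CVE-2014-8964.patch` adds no integrity protection beyond what `sha256sums` and `sha512sums` already give. MD5 is not collision-resistant, and the tarball in `source` comes over plain `ftp://`, so these digests are the only check tying the build to known content. If the build tool in use still accepts a package on `md5sums` alone when the stronger lists are missing, that fallback is worth closing. Otherwise consider dropping the MD5 list so nobody mistakes it for a security control.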
diff --git a/main/pcre/CVE-2014-8964.patch b/main/pcre/CVE-2014-8964.patch
new file mode 100644
index 0000000000..1fb303624d
--- /dev/null
+++ b/main/pcre/CVE-2014-8964.patch
@@ -0,0 +1,68 @@
+From 48d2472840efc4dc54dfc698d64aa086332a9033 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date: Wed, 19 Nov 2014 20:57:13 +0000
+Subject: [PATCH] Fix zero-repeat assertion condition bug.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1513 2f5784b3-3f2a-0410-8824-cb99058d5e15
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+Petr Pisar: Ported to 8.36.
+
+diff --git a/pcre_exec.c b/pcre_exec.c
+index fdf7067..bb5620d 100644
+--- a/pcre_exec.c
++++ b/pcre_exec.c
+@@ -1404,8 +1404,11 @@ for (;;)
+ condition = TRUE;
+
+ /* Advance ecode past the assertion to the start of the first branch,
+- but adjust it so that the general choosing code below works. */
+-
++ but adjust it so that the general choosing code below works. If the
++ assertion has a quantifier that allows zero repeats we must skip over
++ the BRAZERO. This is a lunatic thing to do, but somebody did! */
++
++ if (*ecode == OP_BRAZERO) ecode++;
+ ecode += GET(ecode, 1);
+ while (*ecode == OP_ALT) ecode += GET(ecode, 1);
+ ecode += 1 + LINK_SIZE - PRIV(OP_lengths)[condcode];
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index c6816bf..015422e 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4078,4 +4078,10 @@ backtracking verbs. --/
+
+ /\x{whatever}/
+
++"((?=(?(?=(?(?=(?(?=())))*)))))"
++ a
++
++"(?(?=)?==)(((((((((?=)))))))))"
++ a
++
+ /-- End of testinput2 --/
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index 1e87026..9a1b14e 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14206,4 +14206,14 @@ Failed: digits missing in \x{} or \o{} at offset 3
+ /\x{whatever}/
+ Failed: non-hex character in \x{} (closing brace missing?) at offset 3
+
++"((?=(?(?=(?(?=(?(?=())))*)))))"
++ a
++ 0:
++ 1:
++ 2:
++
++"(?(?=)?==)(((((((((?=)))))))))"
++ a
++No match
++
+ /-- End of testinput2 --/
+--
+1.9.3
+
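Review bot: The regression patterns added to `testdata/testinput2` and `testdata/testoutput2` only protect this backport if the package build runs PCRE's test suite, and nothing in the visible APKBUILD hunks shows that it does. Without that, the "Ported to 8.36" change to `pcre_exec.c` is never verified against the two inputs upstream added for this bug. The guard `if (*ecode == OP_BRAZERO) ecode++;` sits inside a `for (;;)` body that starts and ends outside the hunk, so whether other zero-repeat opcodes can reach this point cannot be judged from here. Also record in the APKBUILD that the patch corresponds to upstream `trunk@1513`, so it can be dropped on the next `pkgver` bump.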