author | Natanael Copa <ncopa@alpinelinux.org> | 2015-01-25 10:30:30 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-01-25 10:30:30 +0000 |
commit | 656ff36b75f24b7f58cdc79362a8a975460fb1db (patch) | |
tree | 1474edfe462f0f0783cf13359f7f873e4fe2a384 | |
parent | 655d521104ae64806748d619c3e3394c4974aa55 (diff) | |
main/pcre: security fix for CVE-2014-8964
ref #3731
-rw-r--r-- | main/pcre/APKBUILD | 15 | ||||
-rw-r--r-- | main/pcre/CVE-2014-8964.patch | 68 |
2 files changed, 78 insertions, 5 deletions
diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD
index f50b316237..3b7de6cc58 100644
--- a/main/pcre/APKBUILD
+++ b/main/pcre/APKBUILD
@@ -1,14 +1,16 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=pcre
 pkgver=8.36
-pkgrel=0
+pkgrel=1
 pkgdesc="Perl-compatible regular expression library"
 url="http://pcre.sourceforge.net"
 arch="all"
 license="BSD"
 depends=
 makedepends=""
-source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2"
+source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2
+ CVE-2014-8964.patch
+ "
 subpackages="$pkgname-dev $pkgname-doc $pkgname-tools libpcrecpp libpcre16 libpcre32"
@@ -72,6 +74,9 @@ tools() {
 mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
-md5sums="b767bc9af0c20bc9c1fe403b0d41ad97 pcre-8.36.tar.bz2"
-sha256sums="ef833457de0c40e82f573e34528f43a751ff20257ad0e86d272ed5637eb845bb pcre-8.36.tar.bz2"
-sha512sums="acd2bc6911be7b518ad4aca3c3ccbe98bdbeabf0e77d6b04009838c7825b563a001377f8c3a6a8a0583ec32ee9fefe05e3c1a69f272fe5084469a6b6c2148fbf pcre-8.36.tar.bz2"
+md5sums="b767bc9af0c20bc9c1fe403b0d41ad97 pcre-8.36.tar.bz2
+b12d6e88e250a051348aef84b3ab3cc6 CVE-2014-8964.patch"
+sha256sums="ef833457de0c40e82f573e34528f43a751ff20257ad0e86d272ed5637eb845bb pcre-8.36.tar.bz2
+20831da29fbc9aa4389bca0c3970090df453ef2205ff44dbb723e928e642dbde CVE-2014-8964.patch"
+sha512sums="acd2bc6911be7b518ad4aca3c3ccbe98bdbeabf0e77d6b04009838c7825b563a001377f8c3a6a8a0583ec32ee9fefe05e3c1a69f272fe5084469a6b6c2148fbf pcre-8.36.tar.bz2
+2e5503732f9f325ab3e038dc66dada8eeade4607253b52fb3db326efdd320044d0546a5d4d4b7eb80857e8c3de28b3564714e67feeab23b2ed52422bc7f5de85 CVE-2014-8964.patch"
diff --git a/main/pcre/CVE-2014-8964.patch b/main/pcre/CVE-2014-8964.patch
new file mode 100644
index 0000000000..1fb303624d
--- /dev/null
+++ b/main/pcre/CVE-2014-8964.patch
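Review bot: Nothing in the visible APKBUILD hunks applies CVE-2014-8964.patch: the first hunk only lists it in `source=` and bumps `pkgrel`, and the second only adds its checksums. Whether the `prepare()` in the unshown part of the file (between the two hunks) already loops over the `*.patch` entries of `$source` cannot be seen from here; if it does not, 8.36-r1 would be built and shipped as a security release without the pcre_exec.c change. If that loop is missing, prepare() needs a line such as `patch -p1 -i "$srcdir"/CVE-2014-8964.patch || return 1`, run from the unpacked source directory. The build log should be checked for the patch being applied to pcre_exec.c.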
@@ -0,0 +1,68 @@
+From 48d2472840efc4dc54dfc698d64aa086332a9033 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date: Wed, 19 Nov 2014 20:57:13 +0000
+Subject: [PATCH] Fix zero-repeat assertion condition bug.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1513 2f5784b3-3f2a-0410-8824-cb99058d5e15
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+Petr Pisar: Ported to 8.36.
+
+diff --git a/pcre_exec.c b/pcre_exec.c
+index fdf7067..bb5620d 100644
+--- a/pcre_exec.c
++++ b/pcre_exec.c
+@@ -1404,8 +1404,11 @@ for (;;)
+ condition = TRUE;
+
+ /* Advance ecode past the assertion to the start of the first branch,
+- but adjust it so that the general choosing code below works. */
+-
++ but adjust it so that the general choosing code below works. If the
++ assertion has a quantifier that allows zero repeats we must skip over
++ the BRAZERO. This is a lunatic thing to do, but somebody did! */
++
++ if (*ecode == OP_BRAZERO) ecode++;
+ ecode += GET(ecode, 1);
+ while (*ecode == OP_ALT) ecode += GET(ecode, 1);
+ ecode += 1 + LINK_SIZE - PRIV(OP_lengths)[condcode];
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index c6816bf..015422e 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4078,4 +4078,10 @@ backtracking verbs. --/
+
+ /\x{whatever}/
+
++"((?=(?(?=(?(?=(?(?=())))*)))))"
++ a
++
++"(?(?=)?==)(((((((((?=)))))))))"
++ a
++
+ /-- End of testinput2 --/
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index 1e87026..9a1b14e 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14206,4 +14206,14 @@ Failed: digits missing in \x{} or \o{} at offset 3
+ /\x{whatever}/
+Failed: non-hex character in \x{} (closing brace missing?) at offset 3
+
++"((?=(?(?=(?(?=(?(?=())))*)))))"
++ a
++ 0:
++ 1:
++ 2:
++
++"(?(?=)?==)(((((((((?=)))))))))"
++ a
++No match
++
+ /-- End of testinput2 --/
+--
+1.9.3
+ |