aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2015-07-07 13:39:52 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-07-07 13:42:09 +0000
commit77345a923c72d9e8d0a4202d893239ba43b903a3 (patch)
tree8b4c38203e5f38698bad915f4d65ff2830117663
parent3cf1beea8339ec4437ecc19b66e003724691311f (diff)
downloadaports-77345a923c72d9e8d0a4202d893239ba43b903a3.tar.bz2
aports-77345a923c72d9e8d0a4202d893239ba43b903a3.tar.xz
main/pcre: various security fixes
-rw-r--r--main/pcre/APKBUILD22
-rw-r--r--main/pcre/CVE-2015-3210.patch87
-rw-r--r--main/pcre/CVE-2015-3217.patch59
-rw-r--r--main/pcre/CVE-2015-5073.patch14
4 files changed, 177 insertions, 5 deletions
diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD
index 96be9cbcac..5bea964766 100644
--- a/main/pcre/APKBUILD
+++ b/main/pcre/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=pcre
pkgver=8.37
-pkgrel=1
+pkgrel=2
pkgdesc="Perl-compatible regular expression library"
url="http://pcre.sourceforge.net"
arch="all"
@@ -9,6 +9,9 @@ license="BSD"
depends=
makedepends=""
source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2
+ CVE-2015-3210.patch
+ CVE-2015-3217.patch
+ CVE-2015-5073.patch
"
subpackages="$pkgname-dev $pkgname-doc $pkgname-tools
libpcrecpp libpcre16 libpcre32"
@@ -18,7 +21,7 @@ prepare() {
cd "$_builddir"
for i in $source; do
case $i in
- *.patch) patch -p1 -i "$srcdir"/$i || return 1;;
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
}
@@ -73,6 +76,15 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-md5sums="ed91be292cb01d21bc7e526816c26981 pcre-8.37.tar.bz2"
-sha256sums="51679ea8006ce31379fb0860e46dd86665d864b5020fc9cd19e71260eef4789d pcre-8.37.tar.bz2"
-sha512sums="19344c9add2ebbd26c528505d07d3b028d79bc3e6103d51453a449cebd76bc76f5bc7ddd9ef0de41f98c50be74a2d9a65db539ed60f1add1086d99bde8a81466 pcre-8.37.tar.bz2"
+md5sums="ed91be292cb01d21bc7e526816c26981 pcre-8.37.tar.bz2
+7d59ff55389d5df2a000594d8aba2593 CVE-2015-3210.patch
+ebb29968952dae14ed8fde9cbb701619 CVE-2015-3217.patch
+d49dfd30eacbb5ce0e6e1a90144fa723 CVE-2015-5073.patch"
+sha256sums="51679ea8006ce31379fb0860e46dd86665d864b5020fc9cd19e71260eef4789d pcre-8.37.tar.bz2
+a11c73e5bcd977bc331896326cf8e3c8a63ece9a7ab6c307522bc84466a04c09 CVE-2015-3210.patch
+47a162e734c9e2054f2ab2f8e78f1e9950338352c02020a11424a6176b06a53b CVE-2015-3217.patch
+24ac18ca955a0961242ef71e565c2afa7b67209753f7043fc9a2405443558eeb CVE-2015-5073.patch"
+sha512sums="19344c9add2ebbd26c528505d07d3b028d79bc3e6103d51453a449cebd76bc76f5bc7ddd9ef0de41f98c50be74a2d9a65db539ed60f1add1086d99bde8a81466 pcre-8.37.tar.bz2
+4705296239db0b04567f77ae15c68203b9e9be7f7294568cbff096a069ea53fcd8428eb187b1dd39e469d55318410052995782b94bfeb5837ba4a02c7466a31d CVE-2015-3210.patch
+4eef9271b4fab53e3b69d4602c4f57086ec22ec69a1c12edfd391d0bfaf69a4bb5a190e3061871e86565c58e9da10ad72fa543f1c13d9c09d3c21f2c1c0dd9c6 CVE-2015-3217.patch
+5e7921d81e23a11df02648d90a7b4817e29e440662408a14b5c1dc4d227b217beecd788fa90ee4fddfaa47475badba78ce8f8521533bacf6a362e716ed6ad5b8 CVE-2015-5073.patch"
diff --git a/main/pcre/CVE-2015-3210.patch b/main/pcre/CVE-2015-3210.patch
new file mode 100644
index 0000000000..c97849fb70
--- /dev/null
+++ b/main/pcre/CVE-2015-3210.patch
@@ -0,0 +1,87 @@
+From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date: Fri, 15 May 2015 17:17:03 +0000
+Subject: [PATCH] Fix buffer overflow for named recursive back reference when
+ the name is duplicated.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream commit ported to pcre-8.37:
+
+commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19
+Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date: Fri May 15 17:17:03 2015 +0000
+
+ Fix buffer overflow for named recursive back reference when the name is
+ duplicated.
+
+ git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15
+
+This fixes CVE-2015-3210.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ pcre_compile.c | 16 ++++++++++++++--
+ testdata/testinput2 | 2 ++
+ testdata/testoutput2 | 2 ++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 0efad26..6f06912 100644
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -7173,14 +7173,26 @@ for (;; ptr++)
+ number. If the name is not found, set the value to 0 for a forward
+ reference. */
+
++ recno = 0;
+ ng = cd->named_groups;
+ for (i = 0; i < cd->names_found; i++, ng++)
+ {
+ if (namelen == ng->length &&
+ STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+- break;
++ {
++ open_capitem *oc;
++ recno = ng->number;
++ if (is_recurse) break;
++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++ {
++ if (oc->number == recno)
++ {
++ oc->flag = TRUE;
++ break;
++ }
++ }
++ }
+ }
+- recno = (i < cd->names_found)? ng->number : 0;
+
+ /* Count named back references. */
+
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 58fe53b..83bb471 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4152,4 +4152,6 @@ backtracking verbs. --/
+
+ /((?2){73}(?2))((?1))/
+
++"(?J)(?'d'(?'d'\g{d}))"
++
+ /-- End of testinput2 --/
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index b718df0..7dff52a 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17
+
+ /((?2){73}(?2))((?1))/
+
++"(?J)(?'d'(?'d'\g{d}))"
++
+ /-- End of testinput2 --/
+--
+2.4.3
+
diff --git a/main/pcre/CVE-2015-3217.patch b/main/pcre/CVE-2015-3217.patch
new file mode 100644
index 0000000000..8e74a99dad
--- /dev/null
+++ b/main/pcre/CVE-2015-3217.patch
@@ -0,0 +1,59 @@
+https://bugs.exim.org/show_bug.cgi?id=1638
+
+Index: pcre_compile.c
+===================================================================
+--- a/pcre_compile.c (revision 1558)
++++ b/pcre_compile.c (revision 1562)
+@@ -1799,7 +1799,7 @@
+ case OP_ASSERTBACK:
+ case OP_ASSERTBACK_NOT:
+ do cc += GET(cc, 1); while (*cc == OP_ALT);
+- cc += PRIV(OP_lengths)[*cc];
++ cc += 1 + LINK_SIZE;
+ break;
+
+ /* Skip over things that don't match chars */
+@@ -7187,15 +7187,15 @@
+ open_capitem *oc;
+ recno = ng->number;
+ if (is_recurse) break;
+- for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+- {
+- if (oc->number == recno)
+- {
+- oc->flag = TRUE;
++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++ {
++ if (oc->number == recno)
++ {
++ oc->flag = TRUE;
+ break;
+- }
+- }
+- }
++ }
++ }
++ }
+ }
+
+ /* Count named back references. */
+@@ -7207,6 +7207,19 @@
+ 16-bit data item. */
+
+ *lengthptr += IMM2_SIZE;
++
++ /* If this is a forward reference and we are within a (?|...) group,
++ the reference may end up as the number of a group which we are
++ currently inside, that is, it could be a recursive reference. In the
++ real compile this will be picked up and the reference wrapped with
++ OP_ONCE to make it atomic, so we must space in case this occurs. */
++
++ /* In fact, this can happen for a non-forward reference because
++ another group with the same number might be created later. This
++ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
++ only mode, we finesse the bug by allowing more memory always. */
++
++ /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
+ }
+
+ /* In the real compile, search the name table. We check the name
diff --git a/main/pcre/CVE-2015-5073.patch b/main/pcre/CVE-2015-5073.patch
new file mode 100644
index 0000000000..e6981ecb2c
--- /dev/null
+++ b/main/pcre/CVE-2015-5073.patch
@@ -0,0 +1,14 @@
+Index: pcre_compile.c
+===================================================================
+--- a/pcre_compile.c (revision 1569)
++++ b/pcre_compile.c (revision 1575)
+@@ -9449,7 +9449,7 @@
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+ {
+ pcre_uchar *cc = (pcre_uchar *)codestart;
+
+