main/pcre: various security fixes

CVE-2015-3210 CVE-2015-3217 CVE-2015-5073 ref #4287 ref #4400
author: Natanael Copa <ncopa@alpinelinux.org> 2015-07-07 13:39:52 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2015-07-07 13:42:09 +0000
commit: 77345a923c72d9e8d0a4202d893239ba43b903a3 (patch)
tree: 8b4c38203e5f38698bad915f4d65ff2830117663 /main/pcre/CVE-2015-3217.patch
parent: 3cf1beea8339ec4437ecc19b66e003724691311f (diff)
download: aports-77345a923c72d9e8d0a4202d893239ba43b903a3.tar.bz2
aports-77345a923c72d9e8d0a4202d893239ba43b903a3.tar.xz
1 files changed, 59 insertions, 0 deletions
diff --git a/main/pcre/CVE-2015-3217.patch b/main/pcre/CVE-2015-3217.patch
new file mode 100644
index 0000000000..8e74a99dad
--- /dev/null
+++ b/main/pcre/CVE-2015-3217.patch
@@ -0,0 +1,59 @@
+https://bugs.exim.org/show_bug.cgi?id=1638
+
+Index: pcre_compile.c
+===================================================================
+--- a/pcre_compile.c	(revision 1558)
++++ b/pcre_compile.c	(revision 1562)
+@@ -1799,7 +1799,7 @@
+     case OP_ASSERTBACK:
+     case OP_ASSERTBACK_NOT:
+     do cc += GET(cc, 1); while (*cc == OP_ALT);
+-    cc += PRIV(OP_lengths)[*cc];
++    cc += 1 + LINK_SIZE;
+     break;
+ 
+     /* Skip over things that don't match chars */
+@@ -7187,15 +7187,15 @@
+               open_capitem *oc;
+               recno = ng->number;
+               if (is_recurse) break;
+-              for (oc = cd->open_caps; oc != NULL; oc = oc->next)         
+-                {          
+-                if (oc->number == recno)                                     
+-                  {               
+-                  oc->flag = TRUE;                                      
++              for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++                {
++                if (oc->number == recno)
++                  {
++                  oc->flag = TRUE;
+                   break;
+-                  }                                                         
+-                }                          
+-              }    
++                  }
++                }
++              }
+             }
+ 
+           /* Count named back references. */
+@@ -7207,6 +7207,19 @@
+           16-bit data item. */
+ 
+           *lengthptr += IMM2_SIZE;
++
++          /* If this is a forward reference and we are within a (?|...) group,
++          the reference may end up as the number of a group which we are
++          currently inside, that is, it could be a recursive reference. In the
++          real compile this will be picked up and the reference wrapped with
++          OP_ONCE to make it atomic, so we must space in case this occurs. */
++
++          /* In fact, this can happen for a non-forward reference because
++          another group with the same number might be created later. This
++          issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
++          only mode, we finesse the bug by allowing more memory always. */
++
++          /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
+           }
+ 
+         /* In the real compile, search the name table. We check the name
author	Natanael Copa <ncopa@alpinelinux.org>	2015-07-07 13:39:52 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2015-07-07 13:42:09 +0000
commit	77345a923c72d9e8d0a4202d893239ba43b903a3 (patch)
tree	8b4c38203e5f38698bad915f4d65ff2830117663 /main/pcre/CVE-2015-3217.patch
parent	3cf1beea8339ec4437ecc19b66e003724691311f (diff)
download	aports-77345a923c72d9e8d0a4202d893239ba43b903a3.tar.bz2 aports-77345a923c72d9e8d0a4202d893239ba43b903a3.tar.xz