From 77345a923c72d9e8d0a4202d893239ba43b903a3 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Tue, 7 Jul 2015 13:39:52 +0000
Subject: main/pcre: various security fixes CVE-2015-3210 CVE-2015-3217 CVE-2015-5073 ref #4287 ref #4400
---
 main/pcre/APKBUILD | 22 ++++++++---
 main/pcre/CVE-2015-3210.patch | 87 +++++++++++++++++++++++++++++++++++++++++++
 main/pcre/CVE-2015-3217.patch | 59 +++++++++++++++++++++++++++++
 main/pcre/CVE-2015-5073.patch | 14 +++++++
 4 files changed, 177 insertions(+), 5 deletions(-)
 create mode 100644 main/pcre/CVE-2015-3210.patch
 create mode 100644 main/pcre/CVE-2015-3217.patch
 create mode 100644 main/pcre/CVE-2015-5073.patch
(limited to 'main')
diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD
index 96be9cbcac..5bea964766 100644
--- a/main/pcre/APKBUILD
+++ b/main/pcre/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa
 pkgname=pcre
 pkgver=8.37
-pkgrel=1
+pkgrel=2
 pkgdesc="Perl-compatible regular expression library"
 url="http://pcre.sourceforge.net"
 arch="all"
@@ -9,6 +9,9 @@ license="BSD"
 depends=
 makedepends=""
 source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2
+ CVE-2015-3210.patch
+ CVE-2015-3217.patch
+ CVE-2015-5073.patch
 "
 subpackages="$pkgname-dev $pkgname-doc $pkgname-tools libpcrecpp libpcre16 libpcre32"
@@ -18,7 +21,7 @@ prepare() {
 cd "$_builddir"
 for i in $source; do
 case $i in
- *.patch) patch -p1 -i "$srcdir"/$i || return 1;;
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
 esac
 done
 }
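Review bot: The order of the three patch names appended to `source=` is load-bearing but undocumented: the `@@ -7187` hunk of CVE-2015-3217.patch re-indents lines (`open_capitem *oc;`, `recno = ng->number;`, the `for (oc = cd->open_caps ...)` block) that only exist once CVE-2015-3210.patch has been applied, so `prepare()` must walk `$source` in exactly this sequence. A later contributor sorting or appending to the list would get a patch failure with no hint why. A comment above the list such as `# CVE-2015-3217.patch patches lines added by CVE-2015-3210.patch; keep this order` records the dependency where it is enforced.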
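Review bot: `msg $i` in the new `*.patch)` arm leaves `$i` unquoted, and the `patch -p1 -i "$srcdir"/$i` next to it quotes only the directory part; `*.patch) msg "$i"; patch -p1 -i "$srcdir/$i" || return 1;;` quotes both consistently. The entries in `source=` contain no whitespace, so this is a matter of style rather than a live defect. `prepare()` opens on the `@@` context line, just outside the hunk.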
@@ -73,6 +76,15 @@ tools() {
 mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
-md5sums="ed91be292cb01d21bc7e526816c26981 pcre-8.37.tar.bz2"
-sha256sums="51679ea8006ce31379fb0860e46dd86665d864b5020fc9cd19e71260eef4789d pcre-8.37.tar.bz2"
-sha512sums="19344c9add2ebbd26c528505d07d3b028d79bc3e6103d51453a449cebd76bc76f5bc7ddd9ef0de41f98c50be74a2d9a65db539ed60f1add1086d99bde8a81466 pcre-8.37.tar.bz2"
+md5sums="ed91be292cb01d21bc7e526816c26981 pcre-8.37.tar.bz2
+7d59ff55389d5df2a000594d8aba2593 CVE-2015-3210.patch
+ebb29968952dae14ed8fde9cbb701619 CVE-2015-3217.patch
+d49dfd30eacbb5ce0e6e1a90144fa723 CVE-2015-5073.patch"
+sha256sums="51679ea8006ce31379fb0860e46dd86665d864b5020fc9cd19e71260eef4789d pcre-8.37.tar.bz2
+a11c73e5bcd977bc331896326cf8e3c8a63ece9a7ab6c307522bc84466a04c09 CVE-2015-3210.patch
+47a162e734c9e2054f2ab2f8e78f1e9950338352c02020a11424a6176b06a53b CVE-2015-3217.patch
+24ac18ca955a0961242ef71e565c2afa7b67209753f7043fc9a2405443558eeb CVE-2015-5073.patch"
+sha512sums="19344c9add2ebbd26c528505d07d3b028d79bc3e6103d51453a449cebd76bc76f5bc7ddd9ef0de41f98c50be74a2d9a65db539ed60f1add1086d99bde8a81466 pcre-8.37.tar.bz2
+4705296239db0b04567f77ae15c68203b9e9be7f7294568cbff096a069ea53fcd8428eb187b1dd39e469d55318410052995782b94bfeb5837ba4a02c7466a31d CVE-2015-3210.patch
+4eef9271b4fab53e3b69d4602c4f57086ec22ec69a1c12edfd391d0bfaf69a4bb5a190e3061871e86565c58e9da10ad72fa543f1c13d9c09d3c21f2c1c0dd9c6 CVE-2015-3217.patch
+5e7921d81e23a11df02648d90a7b4817e29e440662408a14b5c1dc4d227b217beecd788fa90ee4fddfaa47475badba78ce8f8521533bacf6a362e716ed6ad5b8 CVE-2015-5073.patch"
diff --git a/main/pcre/CVE-2015-3210.patch b/main/pcre/CVE-2015-3210.patch
new file mode 100644
index 0000000000..c97849fb70
--- /dev/null
+++ b/main/pcre/CVE-2015-3210.patch
@@ -0,0 +1,87 @@
+From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001
+From: ph10
+Date: Fri, 15 May 2015 17:17:03 +0000
+Subject: [PATCH] Fix buffer overflow for named recursive back reference when
+ the name is duplicated.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream commit ported to pcre-8.37:
+
+commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19
+Author: ph10
+Date: Fri May 15 17:17:03 2015 +0000
+
+ Fix buffer overflow for named recursive back reference when the name is
+ duplicated.
+
+ git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15
+
+This fixes CVE-2015-3210.
+
+Signed-off-by: Petr Písař
+---
+ pcre_compile.c | 16 ++++++++++++++--
+ testdata/testinput2 | 2 ++
+ testdata/testoutput2 | 2 ++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 0efad26..6f06912 100644
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -7173,14 +7173,26 @@ for (;; ptr++)
+ number. If the name is not found, set the value to 0 for a forward
+ reference. */
+
++ recno = 0;
+ ng = cd->named_groups;
+ for (i = 0; i < cd->names_found; i++, ng++)
+ {
+ if (namelen == ng->length &&
+ STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+- break;
++ {
++ open_capitem *oc;
++ recno = ng->number;
++ if (is_recurse) break;
++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++ {
++ if (oc->number == recno)
++ {
++ oc->flag = TRUE;
++ break;
++ }
++ }
++ }
+ }
+- recno = (i < cd->names_found)? ng->number : 0;
+
+ /* Count named back references. */
+
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 58fe53b..83bb471 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4152,4 +4152,6 @@ backtracking verbs. --/
+
+ /((?2){73}(?2))((?1))/
+
++"(?J)(?'d'(?'d'\g{d}))"
++
+ /-- End of testinput2 --/
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index b718df0..7dff52a 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17
+
+ /((?2){73}(?2))((?1))/
+
++"(?J)(?'d'(?'d'\g{d}))"
++
+ /-- End of testinput2 --/
+--
+2.4.3
+
diff --git a/main/pcre/CVE-2015-3217.patch b/main/pcre/CVE-2015-3217.patch
new file mode 100644
index 0000000000..8e74a99dad
--- /dev/null
+++ b/main/pcre/CVE-2015-3217.patch
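Review bot: In the rewritten scan, `recno` is now assigned inside the loop and the loop only stops early when `is_recurse` is set, so for a non-recursive reference to a duplicated name it keeps going past the first match: `recno` ends up holding the last matching group's number, and for each matching duplicate the first entry in `cd->open_caps` with that number gets `oc->flag = TRUE`. Presumably the code after this hunk only needs `recno` to distinguish found from not-found (the `recno = 0;` default replaces the removed `(i < cd->names_found)? ng->number : 0` expression), but that is worth confirming against the lines following the hunk, which this patch does not show. The new testoutput2 entry `"(?J)(?'d'(?'d'\g{d}))"` is followed by no diagnostic line, so the expected result is a clean compile; the patch header could state that, e.g. `The added pattern must compile without error (previously overflowed the compile buffer)`. The enclosing `for (;; ptr++)` loop starts and ends outside the hunk.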
@@ -0,0 +1,59 @@
+https://bugs.exim.org/show_bug.cgi?id=1638
+
+Index: pcre_compile.c
+===================================================================
+--- a/pcre_compile.c (revision 1558)
++++ b/pcre_compile.c (revision 1562)
+@@ -1799,7 +1799,7 @@
+ case OP_ASSERTBACK:
+ case OP_ASSERTBACK_NOT:
+ do cc += GET(cc, 1); while (*cc == OP_ALT);
+- cc += PRIV(OP_lengths)[*cc];
++ cc += 1 + LINK_SIZE;
+ break;
+
+ /* Skip over things that don't match chars */
+@@ -7187,15 +7187,15 @@
+ open_capitem *oc;
+ recno = ng->number;
+ if (is_recurse) break;
+- for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+- {
+- if (oc->number == recno)
+- {
+- oc->flag = TRUE;
++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++ {
++ if (oc->number == recno)
++ {
++ oc->flag = TRUE;
+ break;
+- }
+- }
+- }
++ }
++ }
++ }
+ }
+
+ /* Count named back references. */
+@@ -7207,6 +7207,19 @@
+ 16-bit data item. */
+
+ *lengthptr += IMM2_SIZE;
++
++ /* If this is a forward reference and we are within a (?|...) group,
++ the reference may end up as the number of a group which we are
++ currently inside, that is, it could be a recursive reference. In the
++ real compile this will be picked up and the reference wrapped with
++ OP_ONCE to make it atomic, so we must space in case this occurs. */
++
++ /* In fact, this can happen for a non-forward reference because
++ another group with the same number might be created later. This
++ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
++ only mode, we finesse the bug by allowing more memory always. */
++
++ /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
+ }
+
+ /* In the real compile, search the name table. We check the name
diff --git a/main/pcre/CVE-2015-5073.patch b/main/pcre/CVE-2015-5073.patch
new file mode 100644
index 0000000000..e6981ecb2c
--- /dev/null
+++ b/main/pcre/CVE-2015-5073.patch
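Review bot: Nothing inside this patch file names CVE-2015-3217 except the filename; the body gives only the bugs.exim.org URL and the svn revisions (1558 to 1562) in the `---`/`+++` lines, so a first line such as `CVE-2015-3217: port of upstream pcre svn r1562 (bugs.exim.org 1638)` would keep the mapping intact if the file is ever renamed or folded into another patch, and the same applies to CVE-2015-5073.patch, whose body never mentions its CVE either. Unlike CVE-2015-3210.patch this patch carries no testdata hunk, so neither the `cc += 1 + LINK_SIZE;` change at `@@ -1799` nor the unconditional `*lengthptr += 2 + 2*LINK_SIZE;` allowance at `@@ -7207` is exercised by the package's test data; CVE-2015-5073.patch has the same gap. The two comment paragraphs before that allowance already say why the `recno == 0` condition was dropped, so leaving `/* if (recno == 0) */` as a code fragment is upstream style rather than a porting error. All three nested hunks sit inside functions whose start and end lie outside this patch.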
@@ -0,0 +1,14 @@
+Index: pcre_compile.c
+===================================================================
+--- a/pcre_compile.c (revision 1569)
++++ b/pcre_compile.c (revision 1575)
+@@ -9449,7 +9449,7 @@
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+ {
+ pcre_uchar *cc = (pcre_uchar *)codestart;
+
+
-- cgit v1.2.3
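Review bot: The comment above the changed condition (`We scan the pattern to check that they are fixed length, and set their lengths.`) still reads as unconditional, while the new guard `if (errorcode == 0 && cd->check_lookbehind)` skips the scan once `errorcode` is non-zero, presumably so the fixed-length walk never runs over code left incomplete by an earlier compile failure; appending `This is done only if compilation has succeeded so far.` to that comment keeps the explanation in step with the code. Both `errorcode` and `codestart` are assigned outside this hunk, and the enclosing function starts and ends outside it, so the guard's correctness rests on `errorcode` being set on every earlier failure path, which this patch cannot show.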