* [Buildroot] [git commit branch/2017.02.x] pcre: add upstream security fixes
From: Peter Korsgaard @ 2017-04-03  8:30 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=9eb481bbfea238ee6c0b9258ef039a9a20a3dac4
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2017.02.x

Take Debian adapted patches of upstream.

Fixes:

CVE-2017-6004: crafted regular expression may cause denial of service

CVE-2017-7186: invalid Unicode property lookup may cause denial of service

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3143910eec12a5b23e853b3177bf316ac186b87a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/pcre/0003-CVE-2017-6004.patch | 21 ++++++++++++
 package/pcre/0004-CVE-2017-7186.patch | 60 +++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)

diff --git a/package/pcre/0003-CVE-2017-6004.patch b/package/pcre/0003-CVE-2017-6004.patch
new file mode 100644
index 0000000..d0b6d51
--- /dev/null
+++ b/package/pcre/0003-CVE-2017-6004.patch
@@ -0,0 +1,21 @@
+Description: CVE-2017-6004: crafted regular expression may cause denial of service
+Origin: upstream, https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch
+Bug: https://bugs.exim.org/show_bug.cgi?id=2035
+Bug-Debian: https://bugs.debian.org/855405
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2017-02-17
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+
+--- a/pcre_jit_compile.c
++++ b/pcre_jit_compile.c
+@@ -8111,7 +8111,7 @@ if (opcode == OP_COND || opcode == OP_SC
+ 
+     if (*matchingpath == OP_FAIL)
+       stacksize = 0;
+-    if (*matchingpath == OP_RREF)
++    else if (*matchingpath == OP_RREF)
+       {
+       stacksize = GET2(matchingpath, 1);
+       if (common->currententry == NULL)
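Review bot: in the pcre_jit_compile.c change, the two tests shown (`*matchingpath == OP_FAIL` and `*matchingpath == OP_RREF`) compare the same value against different opcodes, so within the visible context they can never both be true. Turning the second `if` into `else if` therefore only changes behaviour if an `else` arm attached to the OP_RREF test follows below the hunk. The context stops before that point and the Description only repeats the CVE title, so the patch header should carry one sentence saying which path is no longer taken when the opcode is OP_FAIL.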
diff --git a/package/pcre/0004-CVE-2017-7186.patch b/package/pcre/0004-CVE-2017-7186.patch
new file mode 100644
index 0000000..980923a
--- /dev/null
+++ b/package/pcre/0004-CVE-2017-7186.patch
@@ -0,0 +1,60 @@
+Description: Upstream fix for CVE-2017-7186 (Upstream rev 1688)
+ Fix Unicode property crash for 32-bit characters greater than 0x10ffff.
+Author: Matthew Vernon <matthew@debian.org>
+X-Dgit-Generated: 2:8.39-3 c4c2c7c4f74d53b263af2471d8e11db88096bd13
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+
+--- pcre3-8.39.orig/pcre_internal.h
++++ pcre3-8.39/pcre_internal.h
+@@ -2772,6 +2772,9 @@ extern const pcre_uint8  PRIV(ucd_stage1
+ extern const pcre_uint16 PRIV(ucd_stage2)[];
+ extern const pcre_uint32 PRIV(ucp_gentype)[];
+ extern const pcre_uint32 PRIV(ucp_gbtable)[];
++#ifdef COMPILE_PCRE32
++extern const ucd_record  PRIV(dummy_ucd_record)[];
++#endif
+ #ifdef SUPPORT_JIT
+ extern const int         PRIV(ucp_typerange)[];
+ #endif
+@@ -2780,9 +2783,15 @@ extern const int         PRIV(ucp_typera
+ /* UCD access macros */
+ 
+ #define UCD_BLOCK_SIZE 128
+-#define GET_UCD(ch) (PRIV(ucd_records) + \
++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
+         PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
+         UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
++        
++#ifdef COMPILE_PCRE32
++#define GET_UCD(ch) ((ch > 0x10ffff)? PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
++#else
++#define GET_UCD(ch) REAL_GET_UCD(ch)
++#endif 
+ 
+ #define UCD_CHARTYPE(ch)    GET_UCD(ch)->chartype
+ #define UCD_SCRIPT(ch)      GET_UCD(ch)->script
+--- pcre3-8.39.orig/pcre_ucd.c
++++ pcre3-8.39/pcre_ucd.c
+@@ -38,6 +38,20 @@ const pcre_uint16 PRIV(ucd_stage2)[] = {
+ const pcre_uint32 PRIV(ucd_caseless_sets)[] = {0};
+ #else
+ 
++/* If the 32-bit library is run in non-32-bit mode, character values
++greater than 0x10ffff may be encountered. For these we set up a
++special record. */
++
++#ifdef COMPILE_PCRE32
++const ucd_record PRIV(dummy_ucd_record)[] = {{
++  ucp_Common,    /* script */
++  ucp_Cn,        /* type unassigned */
++  ucp_gbOther,   /* grapheme break property */
++  0,             /* case set */
++  0,             /* other case */
++  }};
++#endif
++
+ /* When recompiling tables with a new Unicode version, please check the
+ types in this structure definition from pcre_internal.h (the actual
+ field names will be different):
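Review bot: in the pcre_internal.h hunk, the new 32-bit `GET_UCD(ch)` tests its argument unparenthesized, `(ch > 0x10ffff)`, whereas `REAL_GET_UCD` writes `(ch)` throughout. An argument containing a lower-precedence operator would be grouped differently in the guard than in the lookup, so `((ch) > 0x10ffff)` is the safer form. The guard bounds the value only from above while the lookup casts it to `(int)`, so it relies on callers passing an unsigned character value; a short comment next to the macro should say so. In pcre_ucd.c the definition of `dummy_ucd_record` sits after an `#else`, while the extern declaration and the macro are gated on `COMPILE_PCRE32` alone, so it is worth confirming that GET_UCD is never expanded in the configuration covered by the other arm. Unlike 0003, this patch header has no Origin or Bug URL, only "Upstream rev 1688"; adding the upstream link would make the backport traceable.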
