All of lore.kernel.org
 help / color / mirror / Atom feed
* [kirkstone][PATCH] libpcre2: upgrade 10.39 -> 10.40
@ 2022-05-30 12:13 Davide Gardenal
  2022-05-30 15:49 ` [OE-core] " Steve Sakoman
  0 siblings, 1 reply; 5+ messages in thread
From: Davide Gardenal @ 2022-05-30 12:13 UTC (permalink / raw)
  To: openembedded-core; +Cc: Davide Gardenal

Minor bug fixes and security updates.
Delete CVE-2022-1586.patch, wrong CVE code (patch included in 10.40).

CVE: CVE-2022-1587

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
 .../libpcre/libpcre2/CVE-2022-1586.patch      | 58 -------------------
 .../{libpcre2_10.39.bb => libpcre2_10.40.bb}  |  5 +-
 2 files changed, 2 insertions(+), 61 deletions(-)
 delete mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
 rename meta/recipes-support/libpcre/{libpcre2_10.39.bb => libpcre2_10.40.bb} (90%)

diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
deleted file mode 100644
index 10d88d7b73..0000000000
--- a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From e881ed5028622959cf8859c053501fb1b16387f1 Mon Sep 17 00:00:00 2001
-From: Hitendra Prajapati <hprajapati@mvista.com>
-Date: Mon, 23 May 2022 13:52:39 +0530
-Subject: [PATCH] CVE-2022-1586
-
-Upstream-Status: Backport from https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a
-
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- ChangeLog               | 3 +++
- src/pcre2_jit_compile.c | 2 +-
- src/pcre2_jit_test.c    | 3 +++
- 3 files changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index d27542d..cd3da65 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -63,6 +63,9 @@ Version 10.39 29-October-2021
- 
-   Reformat slightly to make it C89 compatible again.
- 
-+23. Fixed a unicode properrty matching issue in JIT. The character was not
-+fully read in caseless matching.
-+
- 
- Version 10.38 01-October-2021
- -----------------------------
-diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
-index db2ce65..5baca9b 100644
---- a/src/pcre2_jit_compile.c
-+++ b/src/pcre2_jit_compile.c
-@@ -7473,7 +7473,7 @@ while (*cc != XCL_END)
-     {
-     SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
-     cc++;
--    if (*cc == PT_CLIST)
-+    if (*cc == PT_CLIST && *cc == XCL_PROP)
-       {
-       other_cases = PRIV(ucd_caseless_sets) + cc[1];
-       while (*other_cases != NOTACHAR)
-diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
-index 8dee16e..7bb307e 100644
---- a/src/pcre2_jit_test.c
-+++ b/src/pcre2_jit_test.c
-@@ -412,6 +412,9 @@ static struct regression_test_case regression_test_cases[] = {
- 	{ MUP, A, 0, 0 | F_PROPERTY, "[\\P{L&}]{2}[^\xc2\x85-\xc2\x89\\p{Ll}\\p{Lu}]{2}", "\xc3\xa9\xe6\x92\xad.a\xe6\x92\xad|\xc2\x8a#" },
- 	{ PCRE2_UCP, 0, 0, 0 | F_PROPERTY, "[a-b\\s]{2,5}[^a]", "AB  baaa" },
- 	{ MUP, 0, 0, 0 | F_NOMATCH, "[^\\p{Hangul}\\p{Z}]", " " },
-+	{ MUP, 0, 0, 0, "[\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
-+	{ MUP, 0, 0, 0, "[\\x{a92e}\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
-+	{ CMUP, 0, 0, 0, "[^S]\\B", "\xe2\x80\x8a" },
- 
- 	/* Possible empty brackets. */
- 	{ MU, A, 0, 0, "(?:|ab||bc|a)+d", "abcxabcabd" },
--- 
-2.35.3
-
diff --git a/meta/recipes-support/libpcre/libpcre2_10.39.bb b/meta/recipes-support/libpcre/libpcre2_10.40.bb
similarity index 90%
rename from meta/recipes-support/libpcre/libpcre2_10.39.bb
rename to meta/recipes-support/libpcre/libpcre2_10.40.bb
index 36c51d700a..3843d43b69 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.39.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.40.bb
@@ -8,14 +8,13 @@ SUMMARY = "Perl Compatible Regular Expressions version 2"
 HOMEPAGE = "http://www.pcre.org"
 SECTION = "devel"
 LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENCE;md5=43cfa999260dd853cd6cb174dc396f3d"
+LIC_FILES_CHKSUM = "file://LICENCE;md5=41bfb977e4933c506588724ce69bf5d2"
 
 SRC_URI = "https://github.com/PhilipHazel/pcre2/releases/download/pcre2-${PV}/pcre2-${PV}.tar.bz2 \
-           file://CVE-2022-1586.patch \
 "
 UPSTREAM_CHECK_URI = "https://github.com/PhilipHazel/pcre2/releases"
 
-SRC_URI[sha256sum] = "0f03caf57f81d9ff362ac28cd389c055ec2bf0678d277349a1a4bee00ad6d440"
+SRC_URI[sha256sum] = "14e4b83c4783933dc17e964318e6324f7cae1bc75d8f3c79bc6969f00c159d68"
 
 CVE_PRODUCT = "pcre2"
 
-- 
2.32.0



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [OE-core] [kirkstone][PATCH] libpcre2: upgrade 10.39 -> 10.40
  2022-05-30 12:13 [kirkstone][PATCH] libpcre2: upgrade 10.39 -> 10.40 Davide Gardenal
@ 2022-05-30 15:49 ` Steve Sakoman
  2022-05-30 15:58   ` Davide Gardenal
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Sakoman @ 2022-05-30 15:49 UTC (permalink / raw)
  To: Davide Gardenal
  Cc: Patches and discussions about the oe-core layer, Davide Gardenal

On Mon, May 30, 2022 at 2:13 AM Davide Gardenal
<davidegarde2000@gmail.com> wrote:
>
> Minor bug fixes and security updates.

There is a similar patch in master:

https://git.openembedded.org/openembedded-core/commit/?id=a4fed908dbb53f7e03257bf317af534dda6a471c

I wasn't going to take it unless requested, since the release notes said:

"Mainly a bug-fix release, but also includes an update to Unicode
property handling"

Would like some feedback from others on whether this is likely to be
an issue or not.

> Delete CVE-2022-1586.patch, wrong CVE code (patch included in 10.40).
>
> CVE: CVE-2022-1587

If this is the case then you should submit a patch for master to
correct this.  If people agree that the version bump is suitable for
LTS I would then take the upgrade patch from master along with your
patch to fix the CVE confusion.

Thanks for helping with CVEs!

Steve

> Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
> ---
>  .../libpcre/libpcre2/CVE-2022-1586.patch      | 58 -------------------
>  .../{libpcre2_10.39.bb => libpcre2_10.40.bb}  |  5 +-
>  2 files changed, 2 insertions(+), 61 deletions(-)
>  delete mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
>  rename meta/recipes-support/libpcre/{libpcre2_10.39.bb => libpcre2_10.40.bb} (90%)
>
> diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
> deleted file mode 100644
> index 10d88d7b73..0000000000
> --- a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
> +++ /dev/null
> @@ -1,58 +0,0 @@
> -From e881ed5028622959cf8859c053501fb1b16387f1 Mon Sep 17 00:00:00 2001
> -From: Hitendra Prajapati <hprajapati@mvista.com>
> -Date: Mon, 23 May 2022 13:52:39 +0530
> -Subject: [PATCH] CVE-2022-1586
> -
> -Upstream-Status: Backport from https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a
> -
> -Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ----
> - ChangeLog               | 3 +++
> - src/pcre2_jit_compile.c | 2 +-
> - src/pcre2_jit_test.c    | 3 +++
> - 3 files changed, 7 insertions(+), 1 deletion(-)
> -
> -diff --git a/ChangeLog b/ChangeLog
> -index d27542d..cd3da65 100644
> ---- a/ChangeLog
> -+++ b/ChangeLog
> -@@ -63,6 +63,9 @@ Version 10.39 29-October-2021
> -
> -   Reformat slightly to make it C89 compatible again.
> -
> -+23. Fixed a unicode properrty matching issue in JIT. The character was not
> -+fully read in caseless matching.
> -+
> -
> - Version 10.38 01-October-2021
> - -----------------------------
> -diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
> -index db2ce65..5baca9b 100644
> ---- a/src/pcre2_jit_compile.c
> -+++ b/src/pcre2_jit_compile.c
> -@@ -7473,7 +7473,7 @@ while (*cc != XCL_END)
> -     {
> -     SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
> -     cc++;
> --    if (*cc == PT_CLIST)
> -+    if (*cc == PT_CLIST && *cc == XCL_PROP)
> -       {
> -       other_cases = PRIV(ucd_caseless_sets) + cc[1];
> -       while (*other_cases != NOTACHAR)
> -diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
> -index 8dee16e..7bb307e 100644
> ---- a/src/pcre2_jit_test.c
> -+++ b/src/pcre2_jit_test.c
> -@@ -412,6 +412,9 @@ static struct regression_test_case regression_test_cases[] = {
> -       { MUP, A, 0, 0 | F_PROPERTY, "[\\P{L&}]{2}[^\xc2\x85-\xc2\x89\\p{Ll}\\p{Lu}]{2}", "\xc3\xa9\xe6\x92\xad.a\xe6\x92\xad|\xc2\x8a#" },
> -       { PCRE2_UCP, 0, 0, 0 | F_PROPERTY, "[a-b\\s]{2,5}[^a]", "AB  baaa" },
> -       { MUP, 0, 0, 0 | F_NOMATCH, "[^\\p{Hangul}\\p{Z}]", " " },
> -+      { MUP, 0, 0, 0, "[\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
> -+      { MUP, 0, 0, 0, "[\\x{a92e}\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
> -+      { CMUP, 0, 0, 0, "[^S]\\B", "\xe2\x80\x8a" },
> -
> -       /* Possible empty brackets. */
> -       { MU, A, 0, 0, "(?:|ab||bc|a)+d", "abcxabcabd" },
> ---
> -2.35.3
> -
> diff --git a/meta/recipes-support/libpcre/libpcre2_10.39.bb b/meta/recipes-support/libpcre/libpcre2_10.40.bb
> similarity index 90%
> rename from meta/recipes-support/libpcre/libpcre2_10.39.bb
> rename to meta/recipes-support/libpcre/libpcre2_10.40.bb
> index 36c51d700a..3843d43b69 100644
> --- a/meta/recipes-support/libpcre/libpcre2_10.39.bb
> +++ b/meta/recipes-support/libpcre/libpcre2_10.40.bb
> @@ -8,14 +8,13 @@ SUMMARY = "Perl Compatible Regular Expressions version 2"
>  HOMEPAGE = "http://www.pcre.org"
>  SECTION = "devel"
>  LICENSE = "BSD-3-Clause"
> -LIC_FILES_CHKSUM = "file://LICENCE;md5=43cfa999260dd853cd6cb174dc396f3d"
> +LIC_FILES_CHKSUM = "file://LICENCE;md5=41bfb977e4933c506588724ce69bf5d2"
>
>  SRC_URI = "https://github.com/PhilipHazel/pcre2/releases/download/pcre2-${PV}/pcre2-${PV}.tar.bz2 \
> -           file://CVE-2022-1586.patch \
>  "
>  UPSTREAM_CHECK_URI = "https://github.com/PhilipHazel/pcre2/releases"
>
> -SRC_URI[sha256sum] = "0f03caf57f81d9ff362ac28cd389c055ec2bf0678d277349a1a4bee00ad6d440"
> +SRC_URI[sha256sum] = "14e4b83c4783933dc17e964318e6324f7cae1bc75d8f3c79bc6969f00c159d68"
>
>  CVE_PRODUCT = "pcre2"
>
> --
> 2.32.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#166283): https://lists.openembedded.org/g/openembedded-core/message/166283
> Mute This Topic: https://lists.openembedded.org/mt/91429211/3617601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sakoman@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [kirkstone][PATCH] libpcre2: upgrade 10.39 -> 10.40
  2022-05-30 15:49 ` [OE-core] " Steve Sakoman
@ 2022-05-30 15:58   ` Davide Gardenal
  2022-05-30 16:07     ` [OE-core] " Steve Sakoman
  0 siblings, 1 reply; 5+ messages in thread
From: Davide Gardenal @ 2022-05-30 15:58 UTC (permalink / raw)
  To: openembedded-core

[-- Attachment #1: Type: text/plain, Size: 598 bytes --]

On Mon, May 30, 2022 at 08:49 AM, Steve Sakoman wrote:

> 
> 
>> Delete CVE-2022-1586.patch, wrong CVE code (patch included in 10.40).
>> 
>> CVE: CVE-2022-1587
> 
> If this is the case then you should submit a patch for master to
> correct this. If people agree that the version bump is suitable for
> LTS I would then take the upgrade patch from master along with your
> patch to fix the CVE confusion.

Do you mean for kirkstone? Because master doesn't have that patch.

Also if this update is a problem I can just rename the patch so that cve-check can work properly.

Davide

[-- Attachment #2: Type: text/html, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [OE-core] [kirkstone][PATCH] libpcre2: upgrade 10.39 -> 10.40
  2022-05-30 15:58   ` Davide Gardenal
@ 2022-05-30 16:07     ` Steve Sakoman
  2022-05-31  7:23       ` Davide Gardenal
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Sakoman @ 2022-05-30 16:07 UTC (permalink / raw)
  To: Davide Gardenal; +Cc: openembedded-core

On Mon, May 30, 2022 at 5:58 AM Davide Gardenal
<davidegarde2000@gmail.com> wrote:
>
> On Mon, May 30, 2022 at 08:49 AM, Steve Sakoman wrote:
>
> Delete CVE-2022-1586.patch, wrong CVE code (patch included in 10.40).
>
> CVE: CVE-2022-1587
>
> If this is the case then you should submit a patch for master to
> correct this. If people agree that the version bump is suitable for
> LTS I would then take the upgrade patch from master along with your
> patch to fix the CVE confusion.
>
> Do you mean for kirkstone? Because master doesn't have that patch.

My bad! Juggling three branches and looked at the wrong one :-(

> Also if this update is a problem I can just rename the patch so that cve-check can work properly.

Yes, could you fix the CVE namning issue in kirkstone with a separate
patch, and then resubmit the version bump patch based on this change?

I'll definitely take the CVE naming fix, and if there are no
objections to the version bump I'll take that one too.

Thanks again!

Steve


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [kirkstone][PATCH] libpcre2: upgrade 10.39 -> 10.40
  2022-05-30 16:07     ` [OE-core] " Steve Sakoman
@ 2022-05-31  7:23       ` Davide Gardenal
  0 siblings, 0 replies; 5+ messages in thread
From: Davide Gardenal @ 2022-05-31  7:23 UTC (permalink / raw)
  To: openembedded-core

[-- Attachment #1: Type: text/plain, Size: 409 bytes --]

On Mon, May 30, 2022 at 09:08 AM, Steve Sakoman wrote:

> 
> Yes, could you fix the CVE namning issue in kirkstone with a separate
> patch, and then resubmit the version bump patch based on this change?

I was checking the patch and realize that the CVE number is not wrong (I searched for the wrong CVE online),
I'm going to backport a patch for CVE-2022-1587 and then I will send the revision bump.

[-- Attachment #2: Type: text/html, Size: 436 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2022-05-31  7:23 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-30 12:13 [kirkstone][PATCH] libpcre2: upgrade 10.39 -> 10.40 Davide Gardenal
2022-05-30 15:49 ` [OE-core] " Steve Sakoman
2022-05-30 15:58   ` Davide Gardenal
2022-05-30 16:07     ` [OE-core] " Steve Sakoman
2022-05-31  7:23       ` Davide Gardenal

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.