* [PATCH] libpcre2: fix CVE-2017-7186
@ 2019-03-06 22:51 Ross Burton
2019-03-07 8:52 ` ChenQi
2019-03-07 13:08 ` Burton, Ross
0 siblings, 2 replies; 3+ messages in thread
From: Ross Burton @ 2019-03-06 22:51 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Ross Burton <ross.burton@intel.com>
---
.../libpcre/libpcre2/CVE-2017-7186.patch | 83 ++++++++++++++++++++++
meta/recipes-support/libpcre/libpcre2_10.32.bb | 1 +
2 files changed, 84 insertions(+)
create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
new file mode 100644
index 00000000000..7cd7c27c6c0
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
@@ -0,0 +1,83 @@
+libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to
+cause a denial of service (segmentation violation for read access, and
+application crash) by triggering an invalid Unicode property lookup.
+
+CVE: CVE-2017-7186
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+---
+ src/pcre2_internal.h | 15 ++++++++++++++-
+ src/pcre2_ucd.c | 14 ++++++++++++++
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/src/pcre2_internal.h b/src/pcre2_internal.h
+index 6a8774c..720bbc9 100644
+--- a/src/pcre2_internal.h
++++ b/src/pcre2_internal.h
+@@ -1774,10 +1774,17 @@ typedef struct {
+ /* UCD access macros */
+
+ #define UCD_BLOCK_SIZE 128
+-#define GET_UCD(ch) (PRIV(ucd_records) + \
++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
+ PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
+ UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
+
++#if PCRE2_CODE_UNIT_WIDTH == 32
++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \
++ PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
++#else
++#define GET_UCD(ch) REAL_GET_UCD(ch)
++#endif
++
+ #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype
+ #define UCD_SCRIPT(ch) GET_UCD(ch)->script
+ #define UCD_CATEGORY(ch) PRIV(ucp_gentype)[UCD_CHARTYPE(ch)]
+@@ -1834,6 +1841,9 @@ extern const uint8_t PRIV(utf8_table4)[];
+ #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_)
+ #define _pcre2_default_match_context PCRE2_SUFFIX(_pcre2_default_match_context_)
+ #define _pcre2_default_tables PCRE2_SUFFIX(_pcre2_default_tables_)
++#if PCRE2_CODE_UNIT_WIDTH == 32
++#define _pcre2_dummy_ucd_record PCRE2_SUFFIX(_pcre2_dummy_ucd_record_)
++#endif
+ #define _pcre2_hspace_list PCRE2_SUFFIX(_pcre2_hspace_list_)
+ #define _pcre2_vspace_list PCRE2_SUFFIX(_pcre2_vspace_list_)
+ #define _pcre2_ucd_caseless_sets PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_)
+@@ -1858,6 +1868,9 @@ extern const uint32_t PRIV(hspace_list)[];
+ extern const uint32_t PRIV(vspace_list)[];
+ extern const uint32_t PRIV(ucd_caseless_sets)[];
+ extern const ucd_record PRIV(ucd_records)[];
++#if PCRE2_CODE_UNIT_WIDTH == 32
++extern const ucd_record PRIV(dummy_ucd_record)[];
++#endif
+ extern const uint8_t PRIV(ucd_stage1)[];
+ extern const uint16_t PRIV(ucd_stage2)[];
+ extern const uint32_t PRIV(ucp_gbtable)[];
+diff --git a/src/pcre2_ucd.c b/src/pcre2_ucd.c
+index 116f537..56aa29d 100644
+--- a/src/pcre2_ucd.c
++++ b/src/pcre2_ucd.c
+@@ -41,6 +41,20 @@ const uint32_t PRIV(ucd_caseless_sets)[] = {0};
+
+ const char *PRIV(unicode_version) = "8.0.0";
+
++/* If the 32-bit library is run in non-32-bit mode, character values
++greater than 0x10ffff may be encountered. For these we set up a
++special record. */
++
++#if PCRE2_CODE_UNIT_WIDTH == 32
++const ucd_record PRIV(dummy_ucd_record)[] = {{
++ ucp_Common, /* script */
++ ucp_Cn, /* type unassigned */
++ ucp_gbOther, /* grapheme break property */
++ 0, /* case set */
++ 0, /* other case */
++ }};
++#endif
++
+ /* When recompiling tables with a new Unicode version, please check the
+ types in this structure definition from pcre2_internal.h (the actual
+ field names will be different):
+--
+2.12.1
diff --git a/meta/recipes-support/libpcre/libpcre2_10.32.bb b/meta/recipes-support/libpcre/libpcre2_10.32.bb
index 3a0aa53029f..59953626c74 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.32.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.32.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=cf66d307bf03bae65d413eb7a8e603a0"
SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
file://pcre-cross.patch \
+ file://CVE-2017-7186.patch \
"
SRC_URI[md5sum] = "8a096287153fb994970df3570e90fcb5"
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] libpcre2: fix CVE-2017-7186
2019-03-06 22:51 [PATCH] libpcre2: fix CVE-2017-7186 Ross Burton
@ 2019-03-07 8:52 ` ChenQi
2019-03-07 13:08 ` Burton, Ross
1 sibling, 0 replies; 3+ messages in thread
From: ChenQi @ 2019-03-07 8:52 UTC (permalink / raw)
To: Ross Burton, openembedded-core
This patch seems to cause
https://autobuilder.yoctoproject.org/typhoon/#/builders/73/builds/370/steps/7/logs/errors
Best Regards,
Chen Qi
On 03/07/2019 06:51 AM, Ross Burton wrote:
> Signed-off-by: Ross Burton <ross.burton@intel.com>
> ---
> .../libpcre/libpcre2/CVE-2017-7186.patch | 83 ++++++++++++++++++++++
> meta/recipes-support/libpcre/libpcre2_10.32.bb | 1 +
> 2 files changed, 84 insertions(+)
> create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
>
> diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
> new file mode 100644
> index 00000000000..7cd7c27c6c0
> --- /dev/null
> +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
> @@ -0,0 +1,83 @@
> +libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to
> +cause a denial of service (segmentation violation for read access, and
> +application crash) by triggering an invalid Unicode property lookup.
> +
> +CVE: CVE-2017-7186
> +Upstream-Status: Backport
> +Signed-off-by: Ross Burton <ross.burton@intel.com>
> +
> +---
> + src/pcre2_internal.h | 15 ++++++++++++++-
> + src/pcre2_ucd.c | 14 ++++++++++++++
> + 2 files changed, 28 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/pcre2_internal.h b/src/pcre2_internal.h
> +index 6a8774c..720bbc9 100644
> +--- a/src/pcre2_internal.h
> ++++ b/src/pcre2_internal.h
> +@@ -1774,10 +1774,17 @@ typedef struct {
> + /* UCD access macros */
> +
> + #define UCD_BLOCK_SIZE 128
> +-#define GET_UCD(ch) (PRIV(ucd_records) + \
> ++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
> + PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
> + UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
> +
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \
> ++ PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
> ++#else
> ++#define GET_UCD(ch) REAL_GET_UCD(ch)
> ++#endif
> ++
> + #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype
> + #define UCD_SCRIPT(ch) GET_UCD(ch)->script
> + #define UCD_CATEGORY(ch) PRIV(ucp_gentype)[UCD_CHARTYPE(ch)]
> +@@ -1834,6 +1841,9 @@ extern const uint8_t PRIV(utf8_table4)[];
> + #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_)
> + #define _pcre2_default_match_context PCRE2_SUFFIX(_pcre2_default_match_context_)
> + #define _pcre2_default_tables PCRE2_SUFFIX(_pcre2_default_tables_)
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++#define _pcre2_dummy_ucd_record PCRE2_SUFFIX(_pcre2_dummy_ucd_record_)
> ++#endif
> + #define _pcre2_hspace_list PCRE2_SUFFIX(_pcre2_hspace_list_)
> + #define _pcre2_vspace_list PCRE2_SUFFIX(_pcre2_vspace_list_)
> + #define _pcre2_ucd_caseless_sets PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_)
> +@@ -1858,6 +1868,9 @@ extern const uint32_t PRIV(hspace_list)[];
> + extern const uint32_t PRIV(vspace_list)[];
> + extern const uint32_t PRIV(ucd_caseless_sets)[];
> + extern const ucd_record PRIV(ucd_records)[];
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++extern const ucd_record PRIV(dummy_ucd_record)[];
> ++#endif
> + extern const uint8_t PRIV(ucd_stage1)[];
> + extern const uint16_t PRIV(ucd_stage2)[];
> + extern const uint32_t PRIV(ucp_gbtable)[];
> +diff --git a/src/pcre2_ucd.c b/src/pcre2_ucd.c
> +index 116f537..56aa29d 100644
> +--- a/src/pcre2_ucd.c
> ++++ b/src/pcre2_ucd.c
> +@@ -41,6 +41,20 @@ const uint32_t PRIV(ucd_caseless_sets)[] = {0};
> +
> + const char *PRIV(unicode_version) = "8.0.0";
> +
> ++/* If the 32-bit library is run in non-32-bit mode, character values
> ++greater than 0x10ffff may be encountered. For these we set up a
> ++special record. */
> ++
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++const ucd_record PRIV(dummy_ucd_record)[] = {{
> ++ ucp_Common, /* script */
> ++ ucp_Cn, /* type unassigned */
> ++ ucp_gbOther, /* grapheme break property */
> ++ 0, /* case set */
> ++ 0, /* other case */
> ++ }};
> ++#endif
> ++
> + /* When recompiling tables with a new Unicode version, please check the
> + types in this structure definition from pcre2_internal.h (the actual
> + field names will be different):
> +--
> +2.12.1
> diff --git a/meta/recipes-support/libpcre/libpcre2_10.32.bb b/meta/recipes-support/libpcre/libpcre2_10.32.bb
> index 3a0aa53029f..59953626c74 100644
> --- a/meta/recipes-support/libpcre/libpcre2_10.32.bb
> +++ b/meta/recipes-support/libpcre/libpcre2_10.32.bb
> @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=cf66d307bf03bae65d413eb7a8e603a0"
>
> SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
> file://pcre-cross.patch \
> + file://CVE-2017-7186.patch \
> "
>
> SRC_URI[md5sum] = "8a096287153fb994970df3570e90fcb5"
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] libpcre2: fix CVE-2017-7186
2019-03-06 22:51 [PATCH] libpcre2: fix CVE-2017-7186 Ross Burton
2019-03-07 8:52 ` ChenQi
@ 2019-03-07 13:08 ` Burton, Ross
1 sibling, 0 replies; 3+ messages in thread
From: Burton, Ross @ 2019-03-07 13:08 UTC (permalink / raw)
To: OE-core
Retracting this, I can't tell the difference between 10.32 and 10.23.
Ross
On Wed, 6 Mar 2019 at 22:51, Ross Burton <ross.burton@intel.com> wrote:
>
> Signed-off-by: Ross Burton <ross.burton@intel.com>
> ---
> .../libpcre/libpcre2/CVE-2017-7186.patch | 83 ++++++++++++++++++++++
> meta/recipes-support/libpcre/libpcre2_10.32.bb | 1 +
> 2 files changed, 84 insertions(+)
> create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
>
> diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
> new file mode 100644
> index 00000000000..7cd7c27c6c0
> --- /dev/null
> +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
> @@ -0,0 +1,83 @@
> +libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to
> +cause a denial of service (segmentation violation for read access, and
> +application crash) by triggering an invalid Unicode property lookup.
> +
> +CVE: CVE-2017-7186
> +Upstream-Status: Backport
> +Signed-off-by: Ross Burton <ross.burton@intel.com>
> +
> +---
> + src/pcre2_internal.h | 15 ++++++++++++++-
> + src/pcre2_ucd.c | 14 ++++++++++++++
> + 2 files changed, 28 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/pcre2_internal.h b/src/pcre2_internal.h
> +index 6a8774c..720bbc9 100644
> +--- a/src/pcre2_internal.h
> ++++ b/src/pcre2_internal.h
> +@@ -1774,10 +1774,17 @@ typedef struct {
> + /* UCD access macros */
> +
> + #define UCD_BLOCK_SIZE 128
> +-#define GET_UCD(ch) (PRIV(ucd_records) + \
> ++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
> + PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
> + UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
> +
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \
> ++ PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
> ++#else
> ++#define GET_UCD(ch) REAL_GET_UCD(ch)
> ++#endif
> ++
> + #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype
> + #define UCD_SCRIPT(ch) GET_UCD(ch)->script
> + #define UCD_CATEGORY(ch) PRIV(ucp_gentype)[UCD_CHARTYPE(ch)]
> +@@ -1834,6 +1841,9 @@ extern const uint8_t PRIV(utf8_table4)[];
> + #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_)
> + #define _pcre2_default_match_context PCRE2_SUFFIX(_pcre2_default_match_context_)
> + #define _pcre2_default_tables PCRE2_SUFFIX(_pcre2_default_tables_)
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++#define _pcre2_dummy_ucd_record PCRE2_SUFFIX(_pcre2_dummy_ucd_record_)
> ++#endif
> + #define _pcre2_hspace_list PCRE2_SUFFIX(_pcre2_hspace_list_)
> + #define _pcre2_vspace_list PCRE2_SUFFIX(_pcre2_vspace_list_)
> + #define _pcre2_ucd_caseless_sets PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_)
> +@@ -1858,6 +1868,9 @@ extern const uint32_t PRIV(hspace_list)[];
> + extern const uint32_t PRIV(vspace_list)[];
> + extern const uint32_t PRIV(ucd_caseless_sets)[];
> + extern const ucd_record PRIV(ucd_records)[];
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++extern const ucd_record PRIV(dummy_ucd_record)[];
> ++#endif
> + extern const uint8_t PRIV(ucd_stage1)[];
> + extern const uint16_t PRIV(ucd_stage2)[];
> + extern const uint32_t PRIV(ucp_gbtable)[];
> +diff --git a/src/pcre2_ucd.c b/src/pcre2_ucd.c
> +index 116f537..56aa29d 100644
> +--- a/src/pcre2_ucd.c
> ++++ b/src/pcre2_ucd.c
> +@@ -41,6 +41,20 @@ const uint32_t PRIV(ucd_caseless_sets)[] = {0};
> +
> + const char *PRIV(unicode_version) = "8.0.0";
> +
> ++/* If the 32-bit library is run in non-32-bit mode, character values
> ++greater than 0x10ffff may be encountered. For these we set up a
> ++special record. */
> ++
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++const ucd_record PRIV(dummy_ucd_record)[] = {{
> ++ ucp_Common, /* script */
> ++ ucp_Cn, /* type unassigned */
> ++ ucp_gbOther, /* grapheme break property */
> ++ 0, /* case set */
> ++ 0, /* other case */
> ++ }};
> ++#endif
> ++
> + /* When recompiling tables with a new Unicode version, please check the
> + types in this structure definition from pcre2_internal.h (the actual
> + field names will be different):
> +--
> +2.12.1
> diff --git a/meta/recipes-support/libpcre/libpcre2_10.32.bb b/meta/recipes-support/libpcre/libpcre2_10.32.bb
> index 3a0aa53029f..59953626c74 100644
> --- a/meta/recipes-support/libpcre/libpcre2_10.32.bb
> +++ b/meta/recipes-support/libpcre/libpcre2_10.32.bb
> @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=cf66d307bf03bae65d413eb7a8e603a0"
>
> SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
> file://pcre-cross.patch \
> + file://CVE-2017-7186.patch \
> "
>
> SRC_URI[md5sum] = "8a096287153fb994970df3570e90fcb5"
> --
> 2.11.0
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-03-07 13:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-06 22:51 [PATCH] libpcre2: fix CVE-2017-7186 Ross Burton
2019-03-07 8:52 ` ChenQi
2019-03-07 13:08 ` Burton, Ross
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.