From: Robert Yang <liezhi.yang@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [PATCH 1/2] libpcre2: Fix CVE-2017-8786
Date: Tue, 29 Aug 2017 17:48:56 -0700 [thread overview]
Message-ID: <b880c92a7789b5b0d630252ee84d0cc0e10863e8.1504054080.git.liezhi.yang@windriver.com> (raw)
In-Reply-To: <cover.1504054080.git.liezhi.yang@windriver.com>
The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
service (heap-based buffer overflow) or possibly have unspecified other impact
via a crafted regular expression.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
.../libpcre/libpcre2/libpcre2-CVE-2017-8786.patch | 93 ++++++++++++++++++++++
meta/recipes-support/libpcre/libpcre2_10.23.bb | 1 +
2 files changed, 94 insertions(+)
create mode 100644 meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
diff --git a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
new file mode 100644
index 0000000..eafafc1f
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
@@ -0,0 +1,93 @@
+libpcre2-10.23: Fix CVE-2017-8786
+
+The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
+service (heap-based buffer overflow) or possibly have unspecified other impact
+via a crafted regular expression.
+
+Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697&view=patch]
+CVE: CVE-2017-8786
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+
+--- trunk/src/pcre2test.c 2017/03/21 16:18:54 692
++++ trunk/src/pcre2test.c 2017/03/21 18:36:13 697
+@@ -1017,9 +1017,9 @@
+ if (test_mode == PCRE8_MODE) \
+ r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \
+ else if (test_mode == PCRE16_MODE) \
+- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \
++ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \
+ else \
+- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
++ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
+
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) \
+ if (test_mode == PCRE8_MODE) \
+@@ -1399,6 +1399,9 @@
+
+ /* ----- Common macros for two-mode cases ----- */
+
++#define BYTEONE (BITONE/8)
++#define BYTETWO (BITTWO/8)
++
+ #define CASTFLD(t,a,b) \
+ ((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \
+ (t)(G(a,BITTWO)->b))
+@@ -1481,9 +1484,9 @@
+
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+ if (test_mode == G(G(PCRE,BITONE),_MODE)) \
+- r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \
++ r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \
+ else \
+- r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size))
++ r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO))
+
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) \
+ if (test_mode == G(G(PCRE,BITONE),_MODE)) \
+@@ -1904,7 +1907,7 @@
+ #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
+ a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j)
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size))
++ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2))
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16))
+ #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16))
+ #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b)
+@@ -2000,7 +2003,7 @@
+ #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
+ a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j)
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
++ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32))
+ #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32))
+ #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b)
+@@ -2889,7 +2892,7 @@
+ {
+ if (pbuffer32 != NULL) free(pbuffer32);
+ pbuffer32_size = 4*len + 4;
+- if (pbuffer32_size < 256) pbuffer32_size = 256;
++ if (pbuffer32_size < 512) pbuffer32_size = 512;
+ pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
+ if (pbuffer32 == NULL)
+ {
+@@ -7600,7 +7603,8 @@
+ int errcode;
+ char *endptr;
+
+-/* Ensure the relevant non-8-bit buffer is available. */
++/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at
++least 128 code units, because it is used for retrieving error messages. */
+
+ #ifdef SUPPORT_PCRE2_16
+ if (test_mode == PCRE16_MODE)
+@@ -7620,7 +7624,7 @@
+ #ifdef SUPPORT_PCRE2_32
+ if (test_mode == PCRE32_MODE)
+ {
+- pbuffer32_size = 256;
++ pbuffer32_size = 512;
+ pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
+ if (pbuffer32 == NULL)
+ {
diff --git a/meta/recipes-support/libpcre/libpcre2_10.23.bb b/meta/recipes-support/libpcre/libpcre2_10.23.bb
index 794d973..63f8d51 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.23.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.23.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=3de34df49e1fe3c3b59a08dff214488b"
SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
file://pcre-cross.patch \
+ file://libpcre2-CVE-2017-8786.patch \
"
SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649"
--
2.10.2
next prev parent reply other threads:[~2017-08-30 0:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-30 0:48 [PATCH 0/2] libpcre: 2 CVE fixes Robert Yang
2017-08-30 0:48 ` Robert Yang [this message]
2017-08-30 0:48 ` [PATCH 2/2] libpcre2: Fix CVE-2017-7186 Robert Yang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b880c92a7789b5b0d630252ee84d0cc0e10863e8.1504054080.git.liezhi.yang@windriver.com \
--to=liezhi.yang@windriver.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.