* [PATCH 0/2] libpcre: 2 CVE fixes @ 2017-08-30 0:48 Robert Yang 2017-08-30 0:48 ` [PATCH 1/2] libpcre2: Fix CVE-2017-8786 Robert Yang 2017-08-30 0:48 ` [PATCH 2/2] libpcre2: Fix CVE-2017-7186 Robert Yang 0 siblings, 2 replies; 3+ messages in thread From: Robert Yang @ 2017-08-30 0:48 UTC (permalink / raw) To: openembedded-core The following changes since commit 2454019844c762613a2c78ed7f7f2d30960c0bfd: libsdl: Move PACKAGECONFIG options from meta-mingw (2017-08-29 12:08:24 +0100) are available in the git repository at: git://git.openembedded.org/openembedded-core-contrib rbt/pcre http://cgit.openembedded.org/openembedded-core-contrib/log/?h=rbt/pcre Robert Yang (2): libpcre2: Fix CVE-2017-8786 libpcre2: Fix CVE-2017-7186 .../libpcre/libpcre2/libpcre2-CVE-2017-7186.patch | 96 ++++++++++++++++++++++ .../libpcre/libpcre2/libpcre2-CVE-2017-8786.patch | 93 +++++++++++++++++++++ meta/recipes-support/libpcre/libpcre2_10.23.bb | 2 + 3 files changed, 191 insertions(+) create mode 100644 meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch create mode 100644 meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch -- 2.10.2 ^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/2] libpcre2: Fix CVE-2017-8786 2017-08-30 0:48 [PATCH 0/2] libpcre: 2 CVE fixes Robert Yang @ 2017-08-30 0:48 ` Robert Yang 2017-08-30 0:48 ` [PATCH 2/2] libpcre2: Fix CVE-2017-7186 Robert Yang 1 sibling, 0 replies; 3+ messages in thread From: Robert Yang @ 2017-08-30 0:48 UTC (permalink / raw) To: openembedded-core The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- .../libpcre/libpcre2/libpcre2-CVE-2017-8786.patch | 93 ++++++++++++++++++++++ meta/recipes-support/libpcre/libpcre2_10.23.bb | 1 + 2 files changed, 94 insertions(+) create mode 100644 meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch diff --git a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch new file mode 100644 index 0000000..eafafc1f --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch @@ -0,0 +1,93 @@ +libpcre2-10.23: Fix CVE-2017-8786 + +The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of +service (heap-based buffer overflow) or possibly have unspecified other impact +via a crafted regular expression. + +Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697&view=patch] +CVE: CVE-2017-8786 + +Signed-off-by: Robert Yang <liezhi.yang@windriver.com> + +--- trunk/src/pcre2test.c 2017/03/21 16:18:54 692 ++++ trunk/src/pcre2test.c 2017/03/21 18:36:13 697 +@@ -1017,9 +1017,9 @@ + if (test_mode == PCRE8_MODE) \ + r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \ + else if (test_mode == PCRE16_MODE) \ +- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \ ++ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \ + else \ +- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size)) ++ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4)) + + #define PCRE2_GET_OVECTOR_COUNT(a,b) \ + if (test_mode == PCRE8_MODE) \ +@@ -1399,6 +1399,9 @@ + + /* ----- Common macros for two-mode cases ----- */ + ++#define BYTEONE (BITONE/8) ++#define BYTETWO (BITTWO/8) ++ + #define CASTFLD(t,a,b) \ + ((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \ + (t)(G(a,BITTWO)->b)) +@@ -1481,9 +1484,9 @@ + + #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ + if (test_mode == G(G(PCRE,BITONE),_MODE)) \ +- r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \ ++ r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \ + else \ +- r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size)) ++ r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO)) + + #define PCRE2_GET_OVECTOR_COUNT(a,b) \ + if (test_mode == G(G(PCRE,BITONE),_MODE)) \ +@@ -1904,7 +1907,7 @@ + #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \ + a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j) + #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ +- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)) ++ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)) + #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16)) + #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16)) + #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b) +@@ -2000,7 +2003,7 @@ + #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \ + a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j) + #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ +- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size)) ++ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4)) + #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32)) + #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32)) + #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b) +@@ -2889,7 +2892,7 @@ + { + if (pbuffer32 != NULL) free(pbuffer32); + pbuffer32_size = 4*len + 4; +- if (pbuffer32_size < 256) pbuffer32_size = 256; ++ if (pbuffer32_size < 512) pbuffer32_size = 512; + pbuffer32 = (uint32_t *)malloc(pbuffer32_size); + if (pbuffer32 == NULL) + { +@@ -7600,7 +7603,8 @@ + int errcode; + char *endptr; + +-/* Ensure the relevant non-8-bit buffer is available. */ ++/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at ++least 128 code units, because it is used for retrieving error messages. */ + + #ifdef SUPPORT_PCRE2_16 + if (test_mode == PCRE16_MODE) +@@ -7620,7 +7624,7 @@ + #ifdef SUPPORT_PCRE2_32 + if (test_mode == PCRE32_MODE) + { +- pbuffer32_size = 256; ++ pbuffer32_size = 512; + pbuffer32 = (uint32_t *)malloc(pbuffer32_size); + if (pbuffer32 == NULL) + { diff --git a/meta/recipes-support/libpcre/libpcre2_10.23.bb b/meta/recipes-support/libpcre/libpcre2_10.23.bb index 794d973..63f8d51 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.23.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.23.bb @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=3de34df49e1fe3c3b59a08dff214488b" SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ file://pcre-cross.patch \ + file://libpcre2-CVE-2017-8786.patch \ " SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649" -- 2.10.2 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] libpcre2: Fix CVE-2017-7186 2017-08-30 0:48 [PATCH 0/2] libpcre: 2 CVE fixes Robert Yang 2017-08-30 0:48 ` [PATCH 1/2] libpcre2: Fix CVE-2017-8786 Robert Yang @ 2017-08-30 0:48 ` Robert Yang 1 sibling, 0 replies; 3+ messages in thread From: Robert Yang @ 2017-08-30 0:48 UTC (permalink / raw) To: openembedded-core A fuzz on libpcre1 through the pcretest utility revealed an invalid read in the library. For who is interested in a detailed description of the bug, will follow a feedback from upstream: This was a genuine bug in the 32-bit library. Thanks for finding it. The crash was caused by trying to find a Unicode property for a code value greater than 0x10ffff, the Unicode maximum, when running in non-UTF mode (where character values can be up to 0xffffffff). Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- .../libpcre/libpcre2/libpcre2-CVE-2017-7186.patch | 96 ++++++++++++++++++++++ meta/recipes-support/libpcre/libpcre2_10.23.bb | 1 + 2 files changed, 97 insertions(+) create mode 100644 meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch diff --git a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch new file mode 100644 index 0000000..bfa3bfe --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch @@ -0,0 +1,96 @@ +libpcre2-10.23: Fix CVE-2017-7186 + +A fuzz on libpcre1 through the pcretest utility revealed an invalid read in the +library. For who is interested in a detailed description of the bug, will +follow a feedback from upstream: + +This was a genuine bug in the 32-bit library. Thanks for finding it. The crash +was caused by trying to find a Unicode property for a code value greater than +0x10ffff, the Unicode maximum, when running in non-UTF mode (where character +values can be up to 0xffffffff). + +The complete ASan output: + +# pcretest -32 -d $FILE +==14788==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1bbffed4df (pc 0x7f1bbee3fe6b bp 0x7fff8b50d8c0 sp 0x7fff8b50d3a0 T0) +==14788==The signal is caused by a READ memory access. + #0 0x7f1bbee3fe6a in match /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:5473:18 + #1 0x7f1bbee09226 in pcre32_exec /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:6936:8 + #2 0x527d6c in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:5218:9 + #3 0x7f1bbddd678f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 + #4 0x41b438 in _init (/usr/bin/pcretest+0x41b438) + +AddressSanitizer can not provide additional info. +SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:5473:18 in match +==14788==ABORTING + +Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_ucd.c?view=patch&r1=316&r2=670&sortby=date \ + https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_internal.h?view=patch&r1=600&r2=670&sortby=date] +CVE: CVE-2017-7186 + +Signed-off-by: Robert Yang <liezhi.yang@windriver.com> + +--- trunk/src/pcre2_ucd.c 2015/07/17 15:44:51 316 ++++ trunk/src/pcre2_ucd.c 2017/02/24 18:25:32 670 +@@ -41,6 +41,20 @@ + + const char *PRIV(unicode_version) = "8.0.0"; + ++/* If the 32-bit library is run in non-32-bit mode, character values ++greater than 0x10ffff may be encountered. For these we set up a ++special record. */ ++ ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++const ucd_record PRIV(dummy_ucd_record)[] = {{ ++ ucp_Common, /* script */ ++ ucp_Cn, /* type unassigned */ ++ ucp_gbOther, /* grapheme break property */ ++ 0, /* case set */ ++ 0, /* other case */ ++ }}; ++#endif ++ + /* When recompiling tables with a new Unicode version, please check the + types in this structure definition from pcre2_internal.h (the actual + field names will be different): +--- trunk/src/pcre2_internal.h 2016/11/19 12:46:24 600 ++++ trunk/src/pcre2_internal.h 2017/02/24 18:25:32 670 +@@ -1774,10 +1774,17 @@ + /* UCD access macros */ + + #define UCD_BLOCK_SIZE 128 +-#define GET_UCD(ch) (PRIV(ucd_records) + \ ++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \ + PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \ + UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE]) + ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \ ++ PRIV(dummy_ucd_record) : REAL_GET_UCD(ch)) ++#else ++#define GET_UCD(ch) REAL_GET_UCD(ch) ++#endif ++ + #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype + #define UCD_SCRIPT(ch) GET_UCD(ch)->script + #define UCD_CATEGORY(ch) PRIV(ucp_gentype)[UCD_CHARTYPE(ch)] +@@ -1834,6 +1841,9 @@ + #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_) + #define _pcre2_default_match_context PCRE2_SUFFIX(_pcre2_default_match_context_) + #define _pcre2_default_tables PCRE2_SUFFIX(_pcre2_default_tables_) ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++#define _pcre2_dummy_ucd_record PCRE2_SUFFIX(_pcre2_dummy_ucd_record_) ++#endif + #define _pcre2_hspace_list PCRE2_SUFFIX(_pcre2_hspace_list_) + #define _pcre2_vspace_list PCRE2_SUFFIX(_pcre2_vspace_list_) + #define _pcre2_ucd_caseless_sets PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_) +@@ -1858,6 +1868,9 @@ + extern const uint32_t PRIV(vspace_list)[]; + extern const uint32_t PRIV(ucd_caseless_sets)[]; + extern const ucd_record PRIV(ucd_records)[]; ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++extern const ucd_record PRIV(dummy_ucd_record)[]; ++#endif + extern const uint8_t PRIV(ucd_stage1)[]; + extern const uint16_t PRIV(ucd_stage2)[]; + extern const uint32_t PRIV(ucp_gbtable)[]; diff --git a/meta/recipes-support/libpcre/libpcre2_10.23.bb b/meta/recipes-support/libpcre/libpcre2_10.23.bb index 63f8d51..ca2b028 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.23.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.23.bb @@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=3de34df49e1fe3c3b59a08dff214488b" SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ file://pcre-cross.patch \ file://libpcre2-CVE-2017-8786.patch \ + file://libpcre2-CVE-2017-7186.patch \ " SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649" -- 2.10.2 ^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-08-30 0:48 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-08-30 0:48 [PATCH 0/2] libpcre: 2 CVE fixes Robert Yang 2017-08-30 0:48 ` [PATCH 1/2] libpcre2: Fix CVE-2017-8786 Robert Yang 2017-08-30 0:48 ` [PATCH 2/2] libpcre2: Fix CVE-2017-7186 Robert Yang
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.