From 3143910eec12a5b23e853b3177bf316ac186b87a Mon Sep 17 00:00:00 2001 From: Baruch Siach Date: Fri, 31 Mar 2017 14:09:36 +0300 Subject: [PATCH] pcre: add upstream security fixes Take Debian adapted patches of upstream. Fixes: CVE-2017-6004: crafted regular expression may cause denial of service CVE-2017-7186: invalid Unicode property lookup may cause denial of service Signed-off-by: Baruch Siach Signed-off-by: Peter Korsgaard --- package/pcre/0003-CVE-2017-6004.patch | 21 ++++++++++ package/pcre/0004-CVE-2017-7186.patch | 60 +++++++++++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 package/pcre/0003-CVE-2017-6004.patch create mode 100644 package/pcre/0004-CVE-2017-7186.patch diff --git a/package/pcre/0003-CVE-2017-6004.patch b/package/pcre/0003-CVE-2017-6004.patch new file mode 100644 index 0000000000..d0b6d51ba7 --- /dev/null +++ b/package/pcre/0003-CVE-2017-6004.patch @@ -0,0 +1,21 @@ +Description: CVE-2017-6004: crafted regular expression may cause denial of service +Origin: upstream, https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch +Bug: https://bugs.exim.org/show_bug.cgi?id=2035 +Bug-Debian: https://bugs.debian.org/855405 +Forwarded: not-needed +Author: Salvatore Bonaccorso +Last-Update: 2017-02-17 + +Signed-off-by: Baruch Siach + +--- a/pcre_jit_compile.c ++++ b/pcre_jit_compile.c +@@ -8111,7 +8111,7 @@ if (opcode == OP_COND || opcode == OP_SC + + if (*matchingpath == OP_FAIL) + stacksize = 0; +- if (*matchingpath == OP_RREF) ++ else if (*matchingpath == OP_RREF) + { + stacksize = GET2(matchingpath, 1); + if (common->currententry == NULL) diff --git a/package/pcre/0004-CVE-2017-7186.patch b/package/pcre/0004-CVE-2017-7186.patch new file mode 100644 index 0000000000..980923ae4c --- /dev/null +++ b/package/pcre/0004-CVE-2017-7186.patch @@ -0,0 +1,60 @@ +Description: Upstream fix for CVE-2017-7186 (Upstream rev 1688) + Fix Unicode property crash for 32-bit characters greater than 0x10ffff. +Author: Matthew Vernon +X-Dgit-Generated: 2:8.39-3 c4c2c7c4f74d53b263af2471d8e11db88096bd13 + +Signed-off-by: Baruch Siach +--- + +--- pcre3-8.39.orig/pcre_internal.h ++++ pcre3-8.39/pcre_internal.h +@@ -2772,6 +2772,9 @@ extern const pcre_uint8 PRIV(ucd_stage1 + extern const pcre_uint16 PRIV(ucd_stage2)[]; + extern const pcre_uint32 PRIV(ucp_gentype)[]; + extern const pcre_uint32 PRIV(ucp_gbtable)[]; ++#ifdef COMPILE_PCRE32 ++extern const ucd_record PRIV(dummy_ucd_record)[]; ++#endif + #ifdef SUPPORT_JIT + extern const int PRIV(ucp_typerange)[]; + #endif +@@ -2780,9 +2783,15 @@ extern const int PRIV(ucp_typera + /* UCD access macros */ + + #define UCD_BLOCK_SIZE 128 +-#define GET_UCD(ch) (PRIV(ucd_records) + \ ++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \ + PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \ + UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE]) ++ ++#ifdef COMPILE_PCRE32 ++#define GET_UCD(ch) ((ch > 0x10ffff)? PRIV(dummy_ucd_record) : REAL_GET_UCD(ch)) ++#else ++#define GET_UCD(ch) REAL_GET_UCD(ch) ++#endif + + #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype + #define UCD_SCRIPT(ch) GET_UCD(ch)->script +--- pcre3-8.39.orig/pcre_ucd.c ++++ pcre3-8.39/pcre_ucd.c +@@ -38,6 +38,20 @@ const pcre_uint16 PRIV(ucd_stage2)[] = { + const pcre_uint32 PRIV(ucd_caseless_sets)[] = {0}; + #else + ++/* If the 32-bit library is run in non-32-bit mode, character values ++greater than 0x10ffff may be encountered. For these we set up a ++special record. */ ++ ++#ifdef COMPILE_PCRE32 ++const ucd_record PRIV(dummy_ucd_record)[] = {{ ++ ucp_Common, /* script */ ++ ucp_Cn, /* type unassigned */ ++ ucp_gbOther, /* grapheme break property */ ++ 0, /* case set */ ++ 0, /* other case */ ++ }}; ++#endif ++ + /* When recompiling tables with a new Unicode version, please check the + types in this structure definition from pcre_internal.h (the actual + field names will be different):