[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/02: gnu: pcre2: Fix CVE-2017-8786.
|
From: |
Leo Famulari |
|
Subject: |
01/02: gnu: pcre2: Fix CVE-2017-8786. |
|
Date: |
Sun, 7 May 2017 17:46:09 -0400 (EDT) |
lfam pushed a commit to branch master
in repository guix.
commit 37f46a4bc51886c0d0df797bfbb13a50fe647567
Author: Leo Famulari <address@hidden>
Date: Sun May 7 17:13:38 2017 -0400
gnu: pcre2: Fix CVE-2017-8786.
* gnu/packages/patches/pcre2-CVE-2017-8786.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/pcre.scm (pcre2)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/patches/pcre2-CVE-2017-8786.patch | 155 +++++++++++++++++++++++++
gnu/packages/pcre.scm | 3 +-
3 files changed, 158 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index ce7fb68..dcf9b14 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -859,6 +859,7 @@ dist_patch_DATA =
\
%D%/packages/patches/patch-hurd-path-max.patch \
%D%/packages/patches/pcre-CVE-2017-7186.patch \
%D%/packages/patches/pcre2-CVE-2017-7186.patch \
+ %D%/packages/patches/pcre2-CVE-2017-8786.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \
%D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
diff --git a/gnu/packages/patches/pcre2-CVE-2017-8786.patch
b/gnu/packages/patches/pcre2-CVE-2017-8786.patch
new file mode 100644
index 0000000..6071d58
--- /dev/null
+++ b/gnu/packages/patches/pcre2-CVE-2017-8786.patch
@@ -0,0 +1,155 @@
+Fix CVE-2017-8786:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8786
+https://bugs.exim.org/show_bug.cgi?id=2079
+https://blogs.gentoo.org/ago/2017/04/29/libpcre-heap-based-buffer-overflow-write-in-pcre2test-c/
+
+Patch copied from upstream source repository:
+
+https://vcs.pcre.org/pcre2?view=revision&revision=696
+https://vcs.pcre.org/pcre2?view=revision&revision=697
+
+--- trunk/doc/pcre2api.3 2017/03/21 16:48:40 695
++++ trunk/doc/pcre2api.3 2017/03/21 17:46:21 696
+@@ -1,4 +1,4 @@
+-.TH PCRE2API 3 "24 December 2016" "PCRE2 10.23"
++.TH PCRE2API 3 "21 March 2017" "PCRE2 10.30"
+ .SH NAME
+ PCRE2 - Perl-compatible regular expressions (revised API)
+ .sp
+@@ -2633,8 +2633,8 @@
+ A text message for an error code from any PCRE2 function (compile, match, or
+ auxiliary) can be obtained by calling \fBpcre2_get_error_message()\fP. The
code
+ is passed as the first argument, with the remaining two arguments specifying a
+-code unit buffer and its length, into which the text message is placed. Note
+-that the message is returned in code units of the appropriate width for the
++code unit buffer and its length in code units, into which the text message is
++placed. The message is returned in code units of the appropriate width for the
+ library that is being used.
+ .P
+ The returned message is terminated with a trailing zero, and the function
+@@ -3321,6 +3321,6 @@
+ .rs
+ .sp
+ .nf
+-Last updated: 23 December 2016
+-Copyright (c) 1997-2016 University of Cambridge.
++Last updated: 21 March 2017
++Copyright (c) 1997-2017 University of Cambridge.
+ .fi
+--- trunk/src/pcre2_error.c 2017/03/21 16:48:40 695
++++ trunk/src/pcre2_error.c 2017/03/21 17:46:21 696
+@@ -271,7 +271,7 @@
+ Arguments:
+ enumber error number
+ buffer where to put the message (zero terminated)
+- size size of the buffer
++ size size of the buffer in code units
+
+ Returns: length of message if all is well
+ negative on error
+--- trunk/src/pcre2test.c 2017/03/21 17:46:21 696
++++ trunk/src/pcre2test.c 2017/03/21 18:36:13 697
+@@ -1017,9 +1017,9 @@
+ if (test_mode == PCRE8_MODE) \
+ r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \
+ else if (test_mode == PCRE16_MODE) \
+- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \
++ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \
+ else \
+- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
++ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
+
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) \
+ if (test_mode == PCRE8_MODE) \
+@@ -1399,6 +1399,9 @@
+
+ /* ----- Common macros for two-mode cases ----- */
+
++#define BYTEONE (BITONE/8)
++#define BYTETWO (BITTWO/8)
++
+ #define CASTFLD(t,a,b) \
+ ((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \
+ (t)(G(a,BITTWO)->b))
+@@ -1481,9 +1484,9 @@
+
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+ if (test_mode == G(G(PCRE,BITONE),_MODE)) \
+- r =
G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \
++ r =
G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE));
\
+ else \
+- r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size))
++ r =
G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO))
+
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) \
+ if (test_mode == G(G(PCRE,BITONE),_MODE)) \
+@@ -1904,7 +1907,7 @@
+ #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
+ a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j)
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size))
++ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2))
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16))
+ #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16))
+ #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b)
+@@ -2000,7 +2003,7 @@
+ #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
+ a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j)
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
++ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32))
+ #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32))
+ #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b)
+--- trunk/src/pcre2test.c 2017/03/21 16:48:40 695
++++ trunk/src/pcre2test.c 2017/03/21 17:46:21 696
+@@ -2889,7 +2889,7 @@
+ {
+ if (pbuffer32 != NULL) free(pbuffer32);
+ pbuffer32_size = 4*len + 4;
+- if (pbuffer32_size < 256) pbuffer32_size = 256;
++ if (pbuffer32_size < 512) pbuffer32_size = 512;
+ pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
+ if (pbuffer32 == NULL)
+ {
+@@ -7600,7 +7600,8 @@
+ int errcode;
+ char *endptr;
+
+-/* Ensure the relevant non-8-bit buffer is available. */
++/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at
++least 128 code units, because it is used for retrieving error messages. */
+
+ #ifdef SUPPORT_PCRE2_16
+ if (test_mode == PCRE16_MODE)
+@@ -7620,7 +7621,7 @@
+ #ifdef SUPPORT_PCRE2_32
+ if (test_mode == PCRE32_MODE)
+ {
+- pbuffer32_size = 256;
++ pbuffer32_size = 512;
+ pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
+ if (pbuffer32 == NULL)
+ {
+--- trunk/testdata/testinput2 2017/03/21 16:48:40 695
++++ trunk/testdata/testinput2 2017/03/21 17:46:21 696
+@@ -5017,4 +5017,6 @@
+
+ /(?<!\1((?U)1((?U))))(*F)/never_backslash_c,alt_bsux,anchored,extended
+
++/\g{3/
++
+ # End of testinput2
+--- trunk/testdata/testoutput2 2017/03/21 16:48:40 695
++++ trunk/testdata/testoutput2 2017/03/21 17:46:21 696
+@@ -15570,6 +15570,9 @@
+
+ /(?<!\1((?U)1((?U))))(*F)/never_backslash_c,alt_bsux,anchored,extended
+
++/\g{3/
++Failed: error 157 at offset 2: \g is not followed by a braced,
angle-bracketed, or quoted name/number or by a plain number
++
+ # End of testinput2
+ Error -63: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 1946f52..b632b9f 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -92,7 +92,8 @@ POSIX regular expression API.")
(sha256
(base32
"0vn5g0mkkp99mmzpissa06hpyj6pk9s4mlwbjqrjvw3ihy8rpiyz"))
- (patches (search-patches "pcre2-CVE-2017-7186.patch"))))
+ (patches (search-patches "pcre2-CVE-2017-7186.patch"
+ "pcre2-CVE-2017-8786.patch"))))
(build-system gnu-build-system)
(inputs `(("bzip2" ,bzip2)
("readline" ,readline)