1 |
vapier 15/07/06 16:37:06 |
2 |
|
3 |
Added: libpcre-8.37-CVE-2015-3210.patch |
4 |
libpcre-8.37-CVE-2015-5073.patch |
5 |
Log: |
6 |
Add backport from upstream for CVE-2015-3210 #551240 by Thomas D. Add backport from upstream for CVE-2015-5073 #553300 by Agostino Sarubbo. |
7 |
|
8 |
(Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key D2E96200) |
9 |
|
10 |
Revision Changes Path |
11 |
1.1 dev-libs/libpcre/files/libpcre-8.37-CVE-2015-3210.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-3210.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-3210.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: libpcre-8.37-CVE-2015-3210.patch |
17 |
=================================================================== |
18 |
https://bugs.exim.org/show_bug.cgi?id=1636 |
19 |
https://bugs.gentoo.org/551240 |
20 |
https://bugzilla.redhat.com/1236659 |
21 |
|
22 |
From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001 |
23 |
From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> |
24 |
Date: Fri, 15 May 2015 17:17:03 +0000 |
25 |
Subject: [PATCH] Fix buffer overflow for named recursive back reference when |
26 |
the name is duplicated. |
27 |
MIME-Version: 1.0 |
28 |
Content-Type: text/plain; charset=UTF-8 |
29 |
Content-Transfer-Encoding: 8bit |
30 |
|
31 |
Upstream commit ported to pcre-8.37: |
32 |
|
33 |
commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19 |
34 |
Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> |
35 |
Date: Fri May 15 17:17:03 2015 +0000 |
36 |
|
37 |
Fix buffer overflow for named recursive back reference when the name is |
38 |
duplicated. |
39 |
|
40 |
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15 |
41 |
|
42 |
This fixes CVE-2015-3210. |
43 |
|
44 |
Signed-off-by: Petr Písař <ppisar@××××××.com> |
45 |
--- |
46 |
pcre_compile.c | 16 ++++++++++++++-- |
47 |
testdata/testinput2 | 2 ++ |
48 |
testdata/testoutput2 | 2 ++ |
49 |
3 files changed, 18 insertions(+), 2 deletions(-) |
50 |
|
51 |
diff --git a/pcre_compile.c b/pcre_compile.c |
52 |
index 0efad26..6f06912 100644 |
53 |
--- a/pcre_compile.c |
54 |
+++ b/pcre_compile.c |
55 |
@@ -7173,14 +7173,26 @@ for (;; ptr++) |
56 |
number. If the name is not found, set the value to 0 for a forward |
57 |
reference. */ |
58 |
|
59 |
+ recno = 0; |
60 |
ng = cd->named_groups; |
61 |
for (i = 0; i < cd->names_found; i++, ng++) |
62 |
{ |
63 |
if (namelen == ng->length && |
64 |
STRNCMP_UC_UC(name, ng->name, namelen) == 0) |
65 |
- break; |
66 |
+ { |
67 |
+ open_capitem *oc; |
68 |
+ recno = ng->number; |
69 |
+ if (is_recurse) break; |
70 |
+ for (oc = cd->open_caps; oc != NULL; oc = oc->next) |
71 |
+ { |
72 |
+ if (oc->number == recno) |
73 |
+ { |
74 |
+ oc->flag = TRUE; |
75 |
+ break; |
76 |
+ } |
77 |
+ } |
78 |
+ } |
79 |
} |
80 |
- recno = (i < cd->names_found)? ng->number : 0; |
81 |
|
82 |
/* Count named back references. */ |
83 |
|
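Review bot: The inner `break` after `oc->flag = TRUE;` leaves only the `open_caps` scan, so for a non-recursive reference the outer loop keeps walking `named_groups` and `recno` ends up as the number of the last entry with a matching name, where the removed code stopped at the first; nothing in the hunk says this is intended. A comment above `if (is_recurse) break;` would make it explicit, for example `/* Back reference: visit every duplicate of the name and flag any that is still open; a recursion stops at the first match. */`. The comment kept at the top of the hunk still describes only the lookup and could mention the flagging as well. The added test pattern uses `(?J)` with `\g{d}`, so it appears to cover the back-reference path only, and the enclosing `for (;; ptr++)` body starts and ends outside this hunk.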
84 |
diff --git a/testdata/testinput2 b/testdata/testinput2 |
85 |
index 58fe53b..83bb471 100644 |
86 |
--- a/testdata/testinput2 |
87 |
+++ b/testdata/testinput2 |
88 |
@@ -4152,4 +4152,6 @@ backtracking verbs. --/ |
89 |
|
90 |
/((?2){73}(?2))((?1))/ |
91 |
|
92 |
+"(?J)(?'d'(?'d'\g{d}))" |
93 |
+ |
94 |
/-- End of testinput2 --/ |
95 |
diff --git a/testdata/testoutput2 b/testdata/testoutput2 |
96 |
index b718df0..7dff52a 100644 |
97 |
--- a/testdata/testoutput2 |
98 |
+++ b/testdata/testoutput2 |
99 |
@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17 |
100 |
|
101 |
/((?2){73}(?2))((?1))/ |
102 |
|
103 |
+"(?J)(?'d'(?'d'\g{d}))" |
104 |
+ |
105 |
/-- End of testinput2 --/ |
106 |
-- |
107 |
2.4.3 |
108 |
|
109 |
|
110 |
|
111 |
|
112 |
1.1 dev-libs/libpcre/files/libpcre-8.37-CVE-2015-5073.patch |
113 |
|
114 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-5073.patch?rev=1.1&view=markup |
115 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-5073.patch?rev=1.1&content-type=text/plain |
116 |
|
117 |
Index: libpcre-8.37-CVE-2015-5073.patch |
118 |
=================================================================== |
119 |
https://bugs.exim.org/show_bug.cgi?id=1651 |
120 |
https://bugs.gentoo.org/553300 |
121 |
https://bugzilla.redhat.com/1237224 |
122 |
|
123 |
From 354e1f8e921dcb9cf2f3a5eac93cd826d01a7d8a Mon Sep 17 00:00:00 2001 |
124 |
From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> |
125 |
Date: Tue, 23 Jun 2015 16:34:53 +0000 |
126 |
Subject: [PATCH] Fix buffer overflow for forward reference within backward |
127 |
assertion with excess closing parenthesis. Bugzilla 1651. |
128 |
MIME-Version: 1.0 |
129 |
Content-Type: text/plain; charset=UTF-8 |
130 |
Content-Transfer-Encoding: 8bit |
131 |
|
132 |
This is upstream commit ported to 8.37: |
133 |
|
134 |
commit 764692f9aea9eab50fdba6cb537441d8b34c6c37 |
135 |
Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> |
136 |
Date: Tue Jun 23 16:34:53 2015 +0000 |
137 |
|
138 |
Fix buffer overflow for forward reference within backward assertion with excess |
139 |
closing parenthesis. Bugzilla 1651. |
140 |
|
141 |
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-cb99058d5e15 |
142 |
|
143 |
It fixes CVE-2015-5073. |
144 |
|
145 |
Signed-off-by: Petr Písař <ppisar@××××××.com> |
146 |
--- |
147 |
pcre_compile.c | 2 +- |
148 |
testdata/testinput2 | 2 ++ |
149 |
testdata/testoutput2 | 3 +++ |
150 |
3 files changed, 6 insertions(+), 1 deletion(-) |
151 |
|
152 |
diff --git a/pcre_compile.c b/pcre_compile.c |
153 |
index 6f06912..b66b1f6 100644 |
154 |
--- a/pcre_compile.c |
155 |
+++ b/pcre_compile.c |
156 |
@@ -9392,7 +9392,7 @@ OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The |
157 |
exceptional ones forgo this. We scan the pattern to check that they are fixed |
158 |
length, and set their lengths. */ |
159 |
|
160 |
-if (cd->check_lookbehind) |
161 |
+if (errorcode == 0 && cd->check_lookbehind) |
162 |
{ |
163 |
pcre_uchar *cc = (pcre_uchar *)codestart; |
164 |
|
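Review bot: The new `errorcode == 0` guard has no comment saying why the look-behind scan must be skipped after an earlier failure, and the block comment above it still reads as if the scan always runs. Something like `/* Skip if compilation already failed: the code at codestart may be incomplete and is not safe to scan. */` before the `if` would record the reason. That reading is inferred from the patch subject (overflow with an excess closing parenthesis) and the added expected output `Failed: unmatched parentheses at offset 23`, not from lines shown here. Other passes over `codestart` that run after the main compile are outside this hunk, so it is worth confirming they are gated on `errorcode` as well. The guarded block's body continues past the end of the hunk.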
165 |
diff --git a/testdata/testinput2 b/testdata/testinput2 |
166 |
index 83bb471..5cc9ce6 100644 |
167 |
--- a/testdata/testinput2 |
168 |
+++ b/testdata/testinput2 |
169 |
@@ -4154,4 +4154,6 @@ backtracking verbs. --/ |
170 |
|
171 |
"(?J)(?'d'(?'d'\g{d}))" |
172 |
|
173 |
+/(?=di(?<=(?1))|(?=(.))))/ |
174 |
+ |
175 |
/-- End of testinput2 --/ |
176 |
diff --git a/testdata/testoutput2 b/testdata/testoutput2 |
177 |
index 7dff52a..4decb8d 100644 |
178 |
--- a/testdata/testoutput2 |
179 |
+++ b/testdata/testoutput2 |
180 |
@@ -14425,4 +14425,7 @@ Failed: lookbehind assertion is not fixed length at offset 17 |
181 |
|
182 |
"(?J)(?'d'(?'d'\g{d}))" |
183 |
|
184 |
+/(?=di(?<=(?1))|(?=(.))))/ |
185 |
+Failed: unmatched parentheses at offset 23 |
186 |
+ |
187 |
/-- End of testinput2 --/ |
188 |
-- |
189 |
2.4.3 |