[gentoo-commits] gentoo-x86 commit in dev-libs/libpcre/files: libpcre-8.37-CVE-2015-3210.patch libpcre-8.37-CVE-2015-5073.patch - gentoo-commits

From:	"Mike Frysinger (vapier)" <vapier@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo-x86 commit in dev-libs/libpcre/files: libpcre-8.37-CVE-2015-3210.patch libpcre-8.37-CVE-2015-5073.patch
Date:	Mon, 06 Jul 2015 16:37:13
Message-Id:	`20150706163706.95924752@oystercatcher.gentoo.org`

1

vapier      15/07/06 16:37:06

2

3

  Added:                libpcre-8.37-CVE-2015-3210.patch

4

                        libpcre-8.37-CVE-2015-5073.patch

5

  Log:

6

  Add backport from upstream for CVE-2015-3210 #551240 by Thomas D.  Add backport from upstream for CVE-2015-5073 #553300 by Agostino Sarubbo.

7

8

  (Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key D2E96200)

9

10

Revision  Changes    Path

11

1.1                  dev-libs/libpcre/files/libpcre-8.37-CVE-2015-3210.patch

12

13

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-3210.patch?rev=1.1&view=markup

14

plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-3210.patch?rev=1.1&content-type=text/plain

15

16

Index: libpcre-8.37-CVE-2015-3210.patch

17

===================================================================

18

https://bugs.exim.org/show_bug.cgi?id=1636

19

https://bugs.gentoo.org/551240

20

https://bugzilla.redhat.com/1236659

21

22

From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001

23

From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>

24

Date: Fri, 15 May 2015 17:17:03 +0000

25

Subject: [PATCH] Fix buffer overflow for named recursive back reference when

26

 the name is duplicated.

27

MIME-Version: 1.0

28

Content-Type: text/plain; charset=UTF-8

29

Content-Transfer-Encoding: 8bit

30

31

Upstream commit ported to pcre-8.37:

32

33

commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19

34

Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>

35

Date:   Fri May 15 17:17:03 2015 +0000

36

37

    Fix buffer overflow for named recursive back reference when the name is

38

    duplicated.

39

40

    git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15

41

42

This fixes CVE-2015-3210.

43

44

Signed-off-by: Petr Písař <ppisar@××××××.com>

45

---

46

 pcre_compile.c       | 16 ++++++++++++++--

47

 testdata/testinput2  |  2 ++

48

 testdata/testoutput2 |  2 ++

49

 3 files changed, 18 insertions(+), 2 deletions(-)

50

51

diff --git a/pcre_compile.c b/pcre_compile.c

52

index 0efad26..6f06912 100644

53

--- a/pcre_compile.c

54

+++ b/pcre_compile.c

55

@@ -7173,14 +7173,26 @@ for (;; ptr++)

56

           number. If the name is not found, set the value to 0 for a forward

57

           reference. */

58

59

+          recno = 0;

60

           ng = cd->named_groups;

61

           for (i = 0; i < cd->names_found; i++, ng++)

62

{

63

             if (namelen == ng->length &&

64

                 STRNCMP_UC_UC(name, ng->name, namelen) == 0)

65

-              break;

66

+              {

67

+              open_capitem *oc;

68

+              recno = ng->number;

69

+              if (is_recurse) break;

70

+              for (oc = cd->open_caps; oc != NULL; oc = oc->next)         

71

+                {          

72

+                if (oc->number == recno)                                     

73

+                  {               

74

+                  oc->flag = TRUE;                                      

75

+                  break;

76

+                  }                                                         

77

+                }                          

78

+              }    

79

}

80

-          recno = (i < cd->names_found)? ng->number : 0;

81

82

           /* Count named back references. */

83

84

diff --git a/testdata/testinput2 b/testdata/testinput2

85

index 58fe53b..83bb471 100644

86

--- a/testdata/testinput2

87

+++ b/testdata/testinput2

88

@@ -4152,4 +4152,6 @@ backtracking verbs. --/

89

90

 /((?2){73}(?2))((?1))/

91

92

+"(?J)(?'d'(?'d'\g{d}))"

93

+

94

 /-- End of testinput2 --/

95

diff --git a/testdata/testoutput2 b/testdata/testoutput2

96

index b718df0..7dff52a 100644

97

--- a/testdata/testoutput2

98

+++ b/testdata/testoutput2

99

@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17

100

101

 /((?2){73}(?2))((?1))/

102

103

+"(?J)(?'d'(?'d'\g{d}))"

104

+

105

 /-- End of testinput2 --/

106

--

107

2.4.3

1.1                  dev-libs/libpcre/files/libpcre-8.37-CVE-2015-5073.patch

113

114

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-5073.patch?rev=1.1&view=markup

115

plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-5073.patch?rev=1.1&content-type=text/plain

116

117

Index: libpcre-8.37-CVE-2015-5073.patch

118

===================================================================

119

https://bugs.exim.org/show_bug.cgi?id=1651

120

https://bugs.gentoo.org/553300

121

https://bugzilla.redhat.com/1237224

122

123

From 354e1f8e921dcb9cf2f3a5eac93cd826d01a7d8a Mon Sep 17 00:00:00 2001

124

From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>

125

Date: Tue, 23 Jun 2015 16:34:53 +0000

126

Subject: [PATCH] Fix buffer overflow for forward reference within backward

127

 assertion with excess closing parenthesis. Bugzilla 1651.

128

MIME-Version: 1.0

129

Content-Type: text/plain; charset=UTF-8

130

Content-Transfer-Encoding: 8bit

131

132

This is upstream commit ported to 8.37:

133

134

commit 764692f9aea9eab50fdba6cb537441d8b34c6c37

135

Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>

136

Date:   Tue Jun 23 16:34:53 2015 +0000

137

138

    Fix buffer overflow for forward reference within backward assertion with excess

139

    closing parenthesis. Bugzilla 1651.

140

141

    git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-cb99058d5e15

142

143

It fixes CVE-2015-5073.

144

145

Signed-off-by: Petr Písař <ppisar@××××××.com>

146

---

147

 pcre_compile.c       | 2 +-

148

 testdata/testinput2  | 2 ++

149

 testdata/testoutput2 | 3 +++

150

 3 files changed, 6 insertions(+), 1 deletion(-)

151

152

diff --git a/pcre_compile.c b/pcre_compile.c

153

index 6f06912..b66b1f6 100644

154

--- a/pcre_compile.c

155

+++ b/pcre_compile.c

156

@@ -9392,7 +9392,7 @@ OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The

157

 exceptional ones forgo this. We scan the pattern to check that they are fixed

158

 length, and set their lengths. */

159

160

-if (cd->check_lookbehind)

161

+if (errorcode == 0 && cd->check_lookbehind)

162

{

163

   pcre_uchar *cc = (pcre_uchar *)codestart;

164

165

diff --git a/testdata/testinput2 b/testdata/testinput2

166

index 83bb471..5cc9ce6 100644

167

--- a/testdata/testinput2

168

+++ b/testdata/testinput2

169

@@ -4154,4 +4154,6 @@ backtracking verbs. --/

170

171

 "(?J)(?'d'(?'d'\g{d}))"

172

173

+/(?=di(?<=(?1))|(?=(.))))/

174

+

175

 /-- End of testinput2 --/

176

diff --git a/testdata/testoutput2 b/testdata/testoutput2

177

index 7dff52a..4decb8d 100644

178

--- a/testdata/testoutput2

179

+++ b/testdata/testoutput2

180

@@ -14425,4 +14425,7 @@ Failed: lookbehind assertion is not fixed length at offset 17

181

182

 "(?J)(?'d'(?'d'\g{d}))"

183

184

+/(?=di(?<=(?1))|(?=(.))))/

185

+Failed: unmatched parentheses at offset 23

186

+

187

 /-- End of testinput2 --/

188

--

189

2.4.3

1	vapier 15/07/06 16:37:06
2
3	Added: libpcre-8.37-CVE-2015-3210.patch
4	libpcre-8.37-CVE-2015-5073.patch
5	Log:
6	Add backport from upstream for CVE-2015-3210 #551240 by Thomas D. Add backport from upstream for CVE-2015-5073 #553300 by Agostino Sarubbo.
7
8	(Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key D2E96200)
9
10	Revision Changes Path
11	1.1 dev-libs/libpcre/files/libpcre-8.37-CVE-2015-3210.patch
12
13	file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-3210.patch?rev=1.1&view=markup
14	plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-3210.patch?rev=1.1&content-type=text/plain
15
16	Index: libpcre-8.37-CVE-2015-3210.patch
17	===================================================================
18	https://bugs.exim.org/show_bug.cgi?id=1636
19	https://bugs.gentoo.org/551240
20	https://bugzilla.redhat.com/1236659
21
22	From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001
23	From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
24	Date: Fri, 15 May 2015 17:17:03 +0000
25	Subject: [PATCH] Fix buffer overflow for named recursive back reference when
26	the name is duplicated.
27	MIME-Version: 1.0
28	Content-Type: text/plain; charset=UTF-8
29	Content-Transfer-Encoding: 8bit
30
31	Upstream commit ported to pcre-8.37:
32
33	commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19
34	Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
35	Date: Fri May 15 17:17:03 2015 +0000
36
37	Fix buffer overflow for named recursive back reference when the name is
38	duplicated.
39
40	git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15
41
42	This fixes CVE-2015-3210.
43
44	Signed-off-by: Petr Písař <ppisar@××××××.com>
45	---
46	pcre_compile.c \| 16 ++++++++++++++--
47	testdata/testinput2 \| 2 ++
48	testdata/testoutput2 \| 2 ++
49	3 files changed, 18 insertions(+), 2 deletions(-)
50
51	diff --git a/pcre_compile.c b/pcre_compile.c
52	index 0efad26..6f06912 100644
53	--- a/pcre_compile.c
54	+++ b/pcre_compile.c
55	@@ -7173,14 +7173,26 @@ for (;; ptr++)
56	number. If the name is not found, set the value to 0 for a forward
57	reference. */
58
59	+ recno = 0;
60	ng = cd->named_groups;
61	for (i = 0; i < cd->names_found; i++, ng++)
62	{
63	if (namelen == ng->length &&
64	STRNCMP_UC_UC(name, ng->name, namelen) == 0)
65	- break;
66	+ {
67	+ open_capitem *oc;
68	+ recno = ng->number;
69	+ if (is_recurse) break;
70	+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
71	+ {
72	+ if (oc->number == recno)
73	+ {
74	+ oc->flag = TRUE;
75	+ break;
76	+ }
77	+ }
78	+ }
79	}
80	- recno = (i < cd->names_found)? ng->number : 0;
81
82	/* Count named back references. */
83
84	diff --git a/testdata/testinput2 b/testdata/testinput2
85	index 58fe53b..83bb471 100644
86	--- a/testdata/testinput2
87	+++ b/testdata/testinput2
88	@@ -4152,4 +4152,6 @@ backtracking verbs. --/
89
90	/((?2){73}(?2))((?1))/
91
92	+"(?J)(?'d'(?'d'\g{d}))"
93	+
94	/-- End of testinput2 --/
95	diff --git a/testdata/testoutput2 b/testdata/testoutput2
96	index b718df0..7dff52a 100644
97	--- a/testdata/testoutput2
98	+++ b/testdata/testoutput2
99	@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17
100
101	/((?2){73}(?2))((?1))/
102
103	+"(?J)(?'d'(?'d'\g{d}))"
104	+
105	/-- End of testinput2 --/
106	--
107	2.4.3
108
109
110
111
112	1.1 dev-libs/libpcre/files/libpcre-8.37-CVE-2015-5073.patch
113
114	file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-5073.patch?rev=1.1&view=markup
115	plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-5073.patch?rev=1.1&content-type=text/plain
116
117	Index: libpcre-8.37-CVE-2015-5073.patch
118	===================================================================
119	https://bugs.exim.org/show_bug.cgi?id=1651
120	https://bugs.gentoo.org/553300
121	https://bugzilla.redhat.com/1237224
122
123	From 354e1f8e921dcb9cf2f3a5eac93cd826d01a7d8a Mon Sep 17 00:00:00 2001
124	From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
125	Date: Tue, 23 Jun 2015 16:34:53 +0000
126	Subject: [PATCH] Fix buffer overflow for forward reference within backward
127	assertion with excess closing parenthesis. Bugzilla 1651.
128	MIME-Version: 1.0
129	Content-Type: text/plain; charset=UTF-8
130	Content-Transfer-Encoding: 8bit
131
132	This is upstream commit ported to 8.37:
133
134	commit 764692f9aea9eab50fdba6cb537441d8b34c6c37
135	Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
136	Date: Tue Jun 23 16:34:53 2015 +0000
137
138	Fix buffer overflow for forward reference within backward assertion with excess
139	closing parenthesis. Bugzilla 1651.
140
141	git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-cb99058d5e15
142
143	It fixes CVE-2015-5073.
144
145	Signed-off-by: Petr Písař <ppisar@××××××.com>
146	---
147	pcre_compile.c \| 2 +-
148	testdata/testinput2 \| 2 ++
149	testdata/testoutput2 \| 3 +++
150	3 files changed, 6 insertions(+), 1 deletion(-)
151
152	diff --git a/pcre_compile.c b/pcre_compile.c
153	index 6f06912..b66b1f6 100644
154	--- a/pcre_compile.c
155	+++ b/pcre_compile.c
156	@@ -9392,7 +9392,7 @@ OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The
157	exceptional ones forgo this. We scan the pattern to check that they are fixed
158	length, and set their lengths. */
159
160	-if (cd->check_lookbehind)
161	+if (errorcode == 0 && cd->check_lookbehind)
162	{
163	pcre_uchar cc = (pcre_uchar )codestart;
164
165	diff --git a/testdata/testinput2 b/testdata/testinput2
166	index 83bb471..5cc9ce6 100644
167	--- a/testdata/testinput2
168	+++ b/testdata/testinput2
169	@@ -4154,4 +4154,6 @@ backtracking verbs. --/
170
171	"(?J)(?'d'(?'d'\g{d}))"
172
173	+/(?=di(?<=(?1))\|(?=(.))))/
174	+
175	/-- End of testinput2 --/
176	diff --git a/testdata/testoutput2 b/testdata/testoutput2
177	index 7dff52a..4decb8d 100644
178	--- a/testdata/testoutput2
179	+++ b/testdata/testoutput2
180	@@ -14425,4 +14425,7 @@ Failed: lookbehind assertion is not fixed length at offset 17
181
182	"(?J)(?'d'(?'d'\g{d}))"
183
184	+/(?=di(?<=(?1))\|(?=(.))))/
185	+Failed: unmatched parentheses at offset 23
186	+
187	/-- End of testinput2 --/
188	--
189	2.4.3

Gentoo Archives: gentoo-commits