summary refs log tree commit diff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2016-05-29 14:38:54 -0400
committerLeo Famulari <leo@famulari.name>2016-05-29 23:57:31 -0400
commitccda7c8317fcbcdf929d6f8a183d4dbd2f5c1391 (patch)
tree2a41259f5d3e9292b35ad36b17e1dde3ad3f6b99
parent0d567b553153921488ddf18879768b4125c9613e (diff)
downloadguix-ccda7c8317fcbcdf929d6f8a183d4dbd2f5c1391.tar.gz
gnu: pcre2: Fix CVE-2016-3191.
* gnu/packages/patches/pcre2-CVE-2016-3191.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/pcre.scm (pcre2): Use it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/pcre2-CVE-2016-3191.patch179
-rw-r--r--gnu/packages/pcre.scm2
3 files changed, 182 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index eab390d228..66d7c62b8d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -665,6 +665,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   %D%/packages/patches/patch-hurd-path-max.patch		\
   %D%/packages/patches/pcre-CVE-2016-3191.patch			\
+  %D%/packages/patches/pcre2-CVE-2016-3191.patch		\
   %D%/packages/patches/perl-CVE-2015-8607.patch			\
   %D%/packages/patches/perl-CVE-2016-2381.patch			\
   %D%/packages/patches/perl-autosplit-default-time.patch	\
diff --git a/gnu/packages/patches/pcre2-CVE-2016-3191.patch b/gnu/packages/patches/pcre2-CVE-2016-3191.patch
new file mode 100644
index 0000000000..80f9d3d4f1
--- /dev/null
+++ b/gnu/packages/patches/pcre2-CVE-2016-3191.patch
@@ -0,0 +1,179 @@
+Fixes CVE-2016-3191 (remote execution of arbitrary code or denial of
+service (stack-based buffer overflow) via a crafted regular expression).
+
+See <https://bugzilla.redhat.com/show_bug.cgi?id=1311503>.
+
+This is svn r489 at <svn://vcs.exim.org/pcre2/code>, omitting the
+changes to 'testdata/testoutput8-16-4', which does not exist in the
+source tarball.
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@489 6239d852-aaf2-0410-a92c-79f79f948069
+---
+ ChangeLog                 |  4 ++++
+ src/pcre2_compile.c       | 16 ++++++++++++++--
+ testdata/testinput8       |  2 ++
+ testdata/testoutput8-16-2 |  3 +++
+ testdata/testoutput8-16-3 |  3 +++
+ testdata/testoutput8-16-4 |  3 +++
+ testdata/testoutput8-32-2 |  3 +++
+ testdata/testoutput8-32-3 |  3 +++
+ testdata/testoutput8-32-4 |  3 +++
+ testdata/testoutput8-8-2  |  3 +++
+ testdata/testoutput8-8-3  |  3 +++
+ testdata/testoutput8-8-4  |  3 +++
+ 12 files changed, 47 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 3ce0207..65e333e 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -58,6 +58,10 @@ some head-scratching the next time this happens.
+ assertion, caused pcre2test to output a very large number of spaces when the 
+ callout was taken, making the program appearing to loop.
+ 
++12. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply 
++nested set of parentheses of sufficient size caused an overflow of the 
++compiling workspace (which was diagnosed, but of course is not desirable).
++
+ 
+ Version 10.21 12-January-2016
+ -----------------------------
+diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
+index e33d620..887fbfd 100644
+--- a/src/pcre2_compile.c
++++ b/src/pcre2_compile.c
+@@ -5901,10 +5901,22 @@ for (;; ptr++)
+               goto FAILED;
+               }
+             cb->had_accept = TRUE;
++            
++            /* In the first pass, just accumulate the length required;
++            otherwise hitting (*ACCEPT) inside many nested parentheses can
++            cause workspace overflow. */
++              
+             for (oc = cb->open_caps; oc != NULL; oc = oc->next)
+               {
+-              *code++ = OP_CLOSE;
+-              PUT2INC(code, 0, oc->number);
++              if (lengthptr != NULL)
++                {
++                *lengthptr += CU2BYTES(1) + IMM2_SIZE; 
++                }
++              else
++                {       
++                *code++ = OP_CLOSE;
++                PUT2INC(code, 0, oc->number);
++                } 
+               }
+             setverb = *code++ =
+               (cb->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
+diff --git a/testdata/testinput8 b/testdata/testinput8
+index ca3b1b9..7e2a1f0 100644
+--- a/testdata/testinput8
++++ b/testdata/testinput8
+@@ -182,4 +182,6 @@
+ 
+ /((?1)(?2)(?3)(?4)(?5)(?6)(?7)(?8)(?9)(?9)(?8)(?7)(?6)(?5)(?4)(?3)(?2)(?1)(?0)){2,}()()()()()()()()()/debug
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-16-2 b/testdata/testoutput8-16-2
+index 05669bb..a5e8dec 100644
+--- a/testdata/testoutput8-16-2
++++ b/testdata/testoutput8-16-2
+@@ -1027,4 +1027,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 186 at offset 490: regular expression is too complicated
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-16-3 b/testdata/testoutput8-16-3
+index 31884e1..36133b3 100644
+--- a/testdata/testoutput8-16-3
++++ b/testdata/testoutput8-16-3
+@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-32-2 b/testdata/testoutput8-32-2
+index babd0c7..99c4fad 100644
+--- a/testdata/testoutput8-32-2
++++ b/testdata/testoutput8-32-2
+@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-32-3 b/testdata/testoutput8-32-3
+index babd0c7..99c4fad 100644
+--- a/testdata/testoutput8-32-3
++++ b/testdata/testoutput8-32-3
+@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-32-4 b/testdata/testoutput8-32-4
+index babd0c7..99c4fad 100644
+--- a/testdata/testoutput8-32-4
++++ b/testdata/testoutput8-32-4
+@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-8-2 b/testdata/testoutput8-8-2
+index 6a9aa0a..6dc1f42 100644
+--- a/testdata/testoutput8-8-2
++++ b/testdata/testoutput8-8-2
+@@ -1026,4 +1026,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-8-3 b/testdata/testoutput8-8-3
+index 2fe1168..ae14946 100644
+--- a/testdata/testoutput8-8-3
++++ b/testdata/testoutput8-8-3
+@@ -1024,4 +1024,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-8-4 b/testdata/testoutput8-8-4
+index 91993b2..6c79956 100644
+--- a/testdata/testoutput8-8-4
++++ b/testdata/testoutput8-8-4
+@@ -1022,4 +1022,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+-- 
+2.8.3
+
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 24ecf905e0..e954492554 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -83,6 +84,7 @@ POSIX regular expression API.")
               (uri (string-append "mirror://sourceforge/pcre/pcre2/"
                                   version "/pcre2-" version ".tar.bz2"))
 
+              (patches (search-patches "pcre2-CVE-2016-3191.patch"))
               (sha256
                (base32
                 "1q6lrj9b08l1q39vxipb0fi88x6ybvkr6439h8bjb9r8jd81fsn6"))))