diff options
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/pcre2-CVE-2017-8786.patch | 155 | ||||
-rw-r--r-- | gnu/packages/pcre.scm | 3 |
3 files changed, 158 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index ce7fb68416..dcf9b14cec 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -859,6 +859,7 @@ dist_patch_DATA = \ %D%/packages/patches/patch-hurd-path-max.patch \ %D%/packages/patches/pcre-CVE-2017-7186.patch \ %D%/packages/patches/pcre2-CVE-2017-7186.patch \ + %D%/packages/patches/pcre2-CVE-2017-8786.patch \ %D%/packages/patches/perl-autosplit-default-time.patch \ %D%/packages/patches/perl-deterministic-ordering.patch \ %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \ diff --git a/gnu/packages/patches/pcre2-CVE-2017-8786.patch b/gnu/packages/patches/pcre2-CVE-2017-8786.patch new file mode 100644 index 0000000000..6071d58f07 --- /dev/null +++ b/gnu/packages/patches/pcre2-CVE-2017-8786.patch @@ -0,0 +1,155 @@ +Fix CVE-2017-8786: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8786 +https://bugs.exim.org/show_bug.cgi?id=2079 +https://blogs.gentoo.org/ago/2017/04/29/libpcre-heap-based-buffer-overflow-write-in-pcre2test-c/ + +Patch copied from upstream source repository: + +https://vcs.pcre.org/pcre2?view=revision&revision=696 +https://vcs.pcre.org/pcre2?view=revision&revision=697 + +--- trunk/doc/pcre2api.3 2017/03/21 16:48:40 695 ++++ trunk/doc/pcre2api.3 2017/03/21 17:46:21 696 +@@ -1,4 +1,4 @@ +-.TH PCRE2API 3 "24 December 2016" "PCRE2 10.23" ++.TH PCRE2API 3 "21 March 2017" "PCRE2 10.30" + .SH NAME + PCRE2 - Perl-compatible regular expressions (revised API) + .sp +@@ -2633,8 +2633,8 @@ + A text message for an error code from any PCRE2 function (compile, match, or + auxiliary) can be obtained by calling \fBpcre2_get_error_message()\fP. The code + is passed as the first argument, with the remaining two arguments specifying a +-code unit buffer and its length, into which the text message is placed. Note +-that the message is returned in code units of the appropriate width for the ++code unit buffer and its length in code units, into which the text message is ++placed. The message is returned in code units of the appropriate width for the + library that is being used. + .P + The returned message is terminated with a trailing zero, and the function +@@ -3321,6 +3321,6 @@ + .rs + .sp + .nf +-Last updated: 23 December 2016 +-Copyright (c) 1997-2016 University of Cambridge. ++Last updated: 21 March 2017 ++Copyright (c) 1997-2017 University of Cambridge. + .fi +--- trunk/src/pcre2_error.c 2017/03/21 16:48:40 695 ++++ trunk/src/pcre2_error.c 2017/03/21 17:46:21 696 +@@ -271,7 +271,7 @@ + Arguments: + enumber error number + buffer where to put the message (zero terminated) +- size size of the buffer ++ size size of the buffer in code units + + Returns: length of message if all is well + negative on error +--- trunk/src/pcre2test.c 2017/03/21 17:46:21 696 ++++ trunk/src/pcre2test.c 2017/03/21 18:36:13 697 +@@ -1017,9 +1017,9 @@ + if (test_mode == PCRE8_MODE) \ + r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \ + else if (test_mode == PCRE16_MODE) \ +- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \ ++ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \ + else \ +- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size)) ++ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4)) + + #define PCRE2_GET_OVECTOR_COUNT(a,b) \ + if (test_mode == PCRE8_MODE) \ +@@ -1399,6 +1399,9 @@ + + /* ----- Common macros for two-mode cases ----- */ + ++#define BYTEONE (BITONE/8) ++#define BYTETWO (BITTWO/8) ++ + #define CASTFLD(t,a,b) \ + ((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \ + (t)(G(a,BITTWO)->b)) +@@ -1481,9 +1484,9 @@ + + #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ + if (test_mode == G(G(PCRE,BITONE),_MODE)) \ +- r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \ ++ r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \ + else \ +- r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size)) ++ r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO)) + + #define PCRE2_GET_OVECTOR_COUNT(a,b) \ + if (test_mode == G(G(PCRE,BITONE),_MODE)) \ +@@ -1904,7 +1907,7 @@ + #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \ + a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j) + #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ +- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)) ++ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)) + #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16)) + #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16)) + #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b) +@@ -2000,7 +2003,7 @@ + #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \ + a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j) + #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ +- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size)) ++ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4)) + #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32)) + #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32)) + #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b) +--- trunk/src/pcre2test.c 2017/03/21 16:48:40 695 ++++ trunk/src/pcre2test.c 2017/03/21 17:46:21 696 +@@ -2889,7 +2889,7 @@ + { + if (pbuffer32 != NULL) free(pbuffer32); + pbuffer32_size = 4*len + 4; +- if (pbuffer32_size < 256) pbuffer32_size = 256; ++ if (pbuffer32_size < 512) pbuffer32_size = 512; + pbuffer32 = (uint32_t *)malloc(pbuffer32_size); + if (pbuffer32 == NULL) + { +@@ -7600,7 +7600,8 @@ + int errcode; + char *endptr; + +-/* Ensure the relevant non-8-bit buffer is available. */ ++/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at ++least 128 code units, because it is used for retrieving error messages. */ + + #ifdef SUPPORT_PCRE2_16 + if (test_mode == PCRE16_MODE) +@@ -7620,7 +7621,7 @@ + #ifdef SUPPORT_PCRE2_32 + if (test_mode == PCRE32_MODE) + { +- pbuffer32_size = 256; ++ pbuffer32_size = 512; + pbuffer32 = (uint32_t *)malloc(pbuffer32_size); + if (pbuffer32 == NULL) + { +--- trunk/testdata/testinput2 2017/03/21 16:48:40 695 ++++ trunk/testdata/testinput2 2017/03/21 17:46:21 696 +@@ -5017,4 +5017,6 @@ + + /(?<!\1((?U)1((?U))))(*F)/never_backslash_c,alt_bsux,anchored,extended + ++/\g{3/ ++ + # End of testinput2 +--- trunk/testdata/testoutput2 2017/03/21 16:48:40 695 ++++ trunk/testdata/testoutput2 2017/03/21 17:46:21 696 +@@ -15570,6 +15570,9 @@ + + /(?<!\1((?U)1((?U))))(*F)/never_backslash_c,alt_bsux,anchored,extended + ++/\g{3/ ++Failed: error 157 at offset 2: \g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number ++ + # End of testinput2 + Error -63: PCRE2_ERROR_BADDATA (unknown error number) + Error -62: bad serialized data diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm index 1946f5229c..b632b9f488 100644 --- a/gnu/packages/pcre.scm +++ b/gnu/packages/pcre.scm @@ -92,7 +92,8 @@ POSIX regular expression API.") (sha256 (base32 "0vn5g0mkkp99mmzpissa06hpyj6pk9s4mlwbjqrjvw3ihy8rpiyz")) - (patches (search-patches "pcre2-CVE-2017-7186.patch")))) + (patches (search-patches "pcre2-CVE-2017-7186.patch" + "pcre2-CVE-2017-8786.patch")))) (build-system gnu-build-system) (inputs `(("bzip2" ,bzip2) ("readline" ,readline) |