summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/pcre2-CVE-2017-8786.patch155
-rw-r--r--gnu/packages/pcre.scm3
3 files changed, 158 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index ce7fb68416..dcf9b14cec 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -859,6 +859,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/patch-hurd-path-max.patch		\
   %D%/packages/patches/pcre-CVE-2017-7186.patch			\
   %D%/packages/patches/pcre2-CVE-2017-7186.patch		\
+  %D%/packages/patches/pcre2-CVE-2017-8786.patch		\
   %D%/packages/patches/perl-autosplit-default-time.patch	\
   %D%/packages/patches/perl-deterministic-ordering.patch	\
   %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
diff --git a/gnu/packages/patches/pcre2-CVE-2017-8786.patch b/gnu/packages/patches/pcre2-CVE-2017-8786.patch
new file mode 100644
index 0000000000..6071d58f07
--- /dev/null
+++ b/gnu/packages/patches/pcre2-CVE-2017-8786.patch
@@ -0,0 +1,155 @@
+Fix CVE-2017-8786:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8786
+https://bugs.exim.org/show_bug.cgi?id=2079
+https://blogs.gentoo.org/ago/2017/04/29/libpcre-heap-based-buffer-overflow-write-in-pcre2test-c/
+
+Patch copied from upstream source repository:
+
+https://vcs.pcre.org/pcre2?view=revision&revision=696
+https://vcs.pcre.org/pcre2?view=revision&revision=697
+
+--- trunk/doc/pcre2api.3	2017/03/21 16:48:40	695
++++ trunk/doc/pcre2api.3	2017/03/21 17:46:21	696
+@@ -1,4 +1,4 @@
+-.TH PCRE2API 3 "24 December 2016" "PCRE2 10.23"
++.TH PCRE2API 3 "21 March 2017" "PCRE2 10.30"
+ .SH NAME
+ PCRE2 - Perl-compatible regular expressions (revised API)
+ .sp
+@@ -2633,8 +2633,8 @@
+ A text message for an error code from any PCRE2 function (compile, match, or
+ auxiliary) can be obtained by calling \fBpcre2_get_error_message()\fP. The code
+ is passed as the first argument, with the remaining two arguments specifying a
+-code unit buffer and its length, into which the text message is placed. Note
+-that the message is returned in code units of the appropriate width for the
++code unit buffer and its length in code units, into which the text message is
++placed. The message is returned in code units of the appropriate width for the
+ library that is being used.
+ .P
+ The returned message is terminated with a trailing zero, and the function
+@@ -3321,6 +3321,6 @@
+ .rs
+ .sp
+ .nf
+-Last updated: 23 December 2016
+-Copyright (c) 1997-2016 University of Cambridge.
++Last updated: 21 March 2017
++Copyright (c) 1997-2017 University of Cambridge.
+ .fi
+--- trunk/src/pcre2_error.c	2017/03/21 16:48:40	695
++++ trunk/src/pcre2_error.c	2017/03/21 17:46:21	696
+@@ -271,7 +271,7 @@
+ Arguments:
+   enumber       error number
+   buffer        where to put the message (zero terminated)
+-  size          size of the buffer
++  size          size of the buffer in code units
+ 
+ Returns:        length of message if all is well
+                 negative on error
+--- trunk/src/pcre2test.c	2017/03/21 17:46:21	696
++++ trunk/src/pcre2test.c	2017/03/21 18:36:13	697
+@@ -1017,9 +1017,9 @@
+   if (test_mode == PCRE8_MODE) \
+     r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \
+   else if (test_mode == PCRE16_MODE) \
+-    r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \
++    r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \
+   else \
+-    r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
++    r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
+ 
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) \
+   if (test_mode == PCRE8_MODE) \
+@@ -1399,6 +1399,9 @@
+ 
+ /* ----- Common macros for two-mode cases ----- */
+ 
++#define BYTEONE (BITONE/8)
++#define BYTETWO (BITTWO/8)
++
+ #define CASTFLD(t,a,b) \
+   ((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \
+     (t)(G(a,BITTWO)->b))
+@@ -1481,9 +1484,9 @@
+ 
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+   if (test_mode == G(G(PCRE,BITONE),_MODE)) \
+-    r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \
++    r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \
+   else \
+-    r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size))
++    r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO))
+ 
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) \
+   if (test_mode == G(G(PCRE,BITONE),_MODE)) \
+@@ -1904,7 +1907,7 @@
+ #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
+   a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j)
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+-  r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size))
++  r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2))
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16))
+ #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16))
+ #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b)
+@@ -2000,7 +2003,7 @@
+ #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
+   a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j)
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+-  r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
++  r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32))
+ #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32))
+ #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b)
+--- trunk/src/pcre2test.c	2017/03/21 16:48:40	695
++++ trunk/src/pcre2test.c	2017/03/21 17:46:21	696
+@@ -2889,7 +2889,7 @@
+   {
+   if (pbuffer32 != NULL) free(pbuffer32);
+   pbuffer32_size = 4*len + 4;
+-  if (pbuffer32_size < 256) pbuffer32_size = 256;
++  if (pbuffer32_size < 512) pbuffer32_size = 512;
+   pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
+   if (pbuffer32 == NULL)
+     {
+@@ -7600,7 +7600,8 @@
+   int errcode;
+   char *endptr;
+ 
+-/* Ensure the relevant non-8-bit buffer is available. */
++/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at 
++least 128 code units, because it is used for retrieving error messages. */
+ 
+ #ifdef SUPPORT_PCRE2_16
+   if (test_mode == PCRE16_MODE)
+@@ -7620,7 +7621,7 @@
+ #ifdef SUPPORT_PCRE2_32
+   if (test_mode == PCRE32_MODE)
+     {
+-    pbuffer32_size = 256;
++    pbuffer32_size = 512;
+     pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
+     if (pbuffer32 == NULL)
+       {
+--- trunk/testdata/testinput2	2017/03/21 16:48:40	695
++++ trunk/testdata/testinput2	2017/03/21 17:46:21	696
+@@ -5017,4 +5017,6 @@
+ 
+ /(?<!\1((?U)1((?U))))(*F)/never_backslash_c,alt_bsux,anchored,extended
+ 
++/\g{3/
++
+ # End of testinput2 
+--- trunk/testdata/testoutput2	2017/03/21 16:48:40	695
++++ trunk/testdata/testoutput2	2017/03/21 17:46:21	696
+@@ -15570,6 +15570,9 @@
+ 
+ /(?<!\1((?U)1((?U))))(*F)/never_backslash_c,alt_bsux,anchored,extended
+ 
++/\g{3/
++Failed: error 157 at offset 2: \g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number
++
+ # End of testinput2 
+ Error -63: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 1946f5229c..b632b9f488 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -92,7 +92,8 @@ POSIX regular expression API.")
               (sha256
                (base32
                 "0vn5g0mkkp99mmzpissa06hpyj6pk9s4mlwbjqrjvw3ihy8rpiyz"))
-              (patches (search-patches "pcre2-CVE-2017-7186.patch"))))
+              (patches (search-patches "pcre2-CVE-2017-7186.patch"
+                                       "pcre2-CVE-2017-8786.patch"))))
    (build-system gnu-build-system)
    (inputs `(("bzip2" ,bzip2)
              ("readline" ,readline)