aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2017-04-10 15:35:24 +0200
committerLudovic Courtès <ludo@gnu.org>2017-04-10 23:54:46 +0200
commita97f0ee1368499dc40ea30002fcb6e06c7880acb (patch)
tree904c7746bbbf4b98a8588bdb2cc6794f561fb085 /gnu/packages
parent18d0cec29e22cdbc27c486129d1a1425de27f03f (diff)
downloadgnu-guix-a97f0ee1368499dc40ea30002fcb6e06c7880acb.tar
gnu-guix-a97f0ee1368499dc40ea30002fcb6e06c7880acb.tar.gz
gnu: pcre: Patch CVE-2017-7186.
* gnu/packages/patches/pcre-CVE-2017-7186.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/pcre.scm (pcre)[replacement]: New field. (pcre/fixed): New variable.
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/patches/pcre-CVE-2017-7186.patch56
-rw-r--r--gnu/packages/pcre.scm10
2 files changed, 66 insertions, 0 deletions
diff --git a/gnu/packages/patches/pcre-CVE-2017-7186.patch b/gnu/packages/patches/pcre-CVE-2017-7186.patch
new file mode 100644
index 0000000000..d23aa10374
--- /dev/null
+++ b/gnu/packages/patches/pcre-CVE-2017-7186.patch
@@ -0,0 +1,56 @@
+Patch for <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>
+from <https://vcs.pcre.org/pcre?view=revision&revision=1688>.
+
+--- trunk/pcre_internal.h 2016/05/21 13:34:44 1649
++++ trunk/pcre_internal.h 2017/02/24 17:30:30 1688
+@@ -2772,6 +2772,9 @@
+ extern const pcre_uint16 PRIV(ucd_stage2)[];
+ extern const pcre_uint32 PRIV(ucp_gentype)[];
+ extern const pcre_uint32 PRIV(ucp_gbtable)[];
++#ifdef COMPILE_PCRE32
++extern const ucd_record PRIV(dummy_ucd_record)[];
++#endif
+ #ifdef SUPPORT_JIT
+ extern const int PRIV(ucp_typerange)[];
+ #endif
+@@ -2780,9 +2783,15 @@
+ /* UCD access macros */
+
+ #define UCD_BLOCK_SIZE 128
+-#define GET_UCD(ch) (PRIV(ucd_records) + \
++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
+ PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
+ UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
++
++#ifdef COMPILE_PCRE32
++#define GET_UCD(ch) ((ch > 0x10ffff)? PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
++#else
++#define GET_UCD(ch) REAL_GET_UCD(ch)
++#endif
+
+ #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype
+ #define UCD_SCRIPT(ch) GET_UCD(ch)->script
+
+--- trunk/pcre_ucd.c 2014/06/19 07:51:39 1490
++++ trunk/pcre_ucd.c 2017/02/24 17:30:30 1688
+@@ -38,6 +38,20 @@
+ const pcre_uint32 PRIV(ucd_caseless_sets)[] = {0};
+ #else
+
++/* If the 32-bit library is run in non-32-bit mode, character values
++greater than 0x10ffff may be encountered. For these we set up a
++special record. */
++
++#ifdef COMPILE_PCRE32
++const ucd_record PRIV(dummy_ucd_record)[] = {{
++ ucp_Common, /* script */
++ ucp_Cn, /* type unassigned */
++ ucp_gbOther, /* grapheme break property */
++ 0, /* case set */
++ 0, /* other case */
++ }};
++#endif
++
+ /* When recompiling tables with a new Unicode version, please check the
+ types in this structure definition from pcre_internal.h (the actual
+ field names will be different):
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 9f610e59fd..1946f5229c 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -33,6 +34,7 @@
(package
(name "pcre")
(version "8.40")
+ (replacement pcre/fixed)
(source (origin
(method url-fetch)
(uri (list
@@ -70,6 +72,14 @@ POSIX regular expression API.")
(license license:bsd-3)
(home-page "http://www.pcre.org/")))
+(define pcre/fixed
+ (package
+ (inherit pcre)
+ (replacement #f)
+ (source (origin
+ (inherit (package-source pcre))
+ (patches (search-patches "pcre-CVE-2017-7186.patch"))))))
+
(define-public pcre2
(package
(name "pcre2")