From ccda7c8317fcbcdf929d6f8a183d4dbd2f5c1391 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Sun, 29 May 2016 14:38:54 -0400
Subject: gnu: pcre2: Fix CVE-2016-3191.

* gnu/packages/patches/pcre2-CVE-2016-3191.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/pcre.scm (pcre2): Use it.
---
 gnu/local.mk | 1 +
 gnu/packages/patches/pcre2-CVE-2016-3191.patch | 179 +++++++++++++++++++++++++
 gnu/packages/pcre.scm | 2 +
 3 files changed, 182 insertions(+)
 create mode 100644 gnu/packages/patches/pcre2-CVE-2016-3191.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index eab390d228..66d7c62b8d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -665,6 +665,7 @@ dist_patch_DATA = \
 %D%/packages/patches/patchutils-xfail-gendiff-tests.patch \
 %D%/packages/patches/patch-hurd-path-max.patch \
 %D%/packages/patches/pcre-CVE-2016-3191.patch \
+ %D%/packages/patches/pcre2-CVE-2016-3191.patch \
 %D%/packages/patches/perl-CVE-2015-8607.patch \
 %D%/packages/patches/perl-CVE-2016-2381.patch \
 %D%/packages/patches/perl-autosplit-default-time.patch \
diff --git a/gnu/packages/patches/pcre2-CVE-2016-3191.patch b/gnu/packages/patches/pcre2-CVE-2016-3191.patch
new file mode 100644
index 0000000000..80f9d3d4f1
--- /dev/null
+++ b/gnu/packages/patches/pcre2-CVE-2016-3191.patch
@@ -0,0 +1,179 @@ +Fixes CVE-2016-3191 (remote execution of arbitrary code or denial of +service (stack-based buffer overflow) via a crafted regular expression). + +See . + +This is svn r489 at , omitting the +changes to 'testdata/testoutput8-16-4', which does not exist in the +source tarball. + +git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@489 6239d852-aaf2-0410-a92c-79f79f948069 +--- + ChangeLog | 4 ++++ + src/pcre2_compile.c | 16 ++++++++++++++-- + testdata/testinput8 | 2 ++ + testdata/testoutput8-16-2 | 3 +++ + testdata/testoutput8-16-3 | 3 +++ + testdata/testoutput8-16-4 | 3 +++ + testdata/testoutput8-32-2 | 3 +++ + testdata/testoutput8-32-3 | 3 +++ + testdata/testoutput8-32-4 | 3 +++ + testdata/testoutput8-8-2 | 3 +++ + testdata/testoutput8-8-3 | 3 +++ + testdata/testoutput8-8-4 | 3 +++ + 12 files changed, 47 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 3ce0207..65e333e 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -58,6 +58,10 @@ some head-scratching the next time this happens. + assertion, caused pcre2test to output a very large number of spaces when the + callout was taken, making the program appearing to loop. + ++12. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply ++nested set of parentheses of sufficient size caused an overflow of the ++compiling workspace (which was diagnosed, but of course is not desirable). ++ + + Version 10.21 12-January-2016 + ----------------------------- +diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c +index e33d620..887fbfd 100644 +--- a/src/pcre2_compile.c ++++ b/src/pcre2_compile.c +@@ -5901,10 +5901,22 @@ for (;; ptr++) + goto FAILED; + } + cb->had_accept = TRUE; ++ ++ /* In the first pass, just accumulate the length required; ++ otherwise hitting (*ACCEPT) inside many nested parentheses can ++ cause workspace overflow. 
*/ ++ + for (oc = cb->open_caps; oc != NULL; oc = oc->next) + { +- *code++ = OP_CLOSE; +- PUT2INC(code, 0, oc->number); ++ if (lengthptr != NULL) ++ { ++ *lengthptr += CU2BYTES(1) + IMM2_SIZE; ++ } ++ else ++ { ++ *code++ = OP_CLOSE; ++ PUT2INC(code, 0, oc->number); ++ } + } + setverb = *code++ = + (cb->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT; +diff --git a/testdata/testinput8 b/testdata/testinput8 +index ca3b1b9..7e2a1f0 100644 +--- a/testdata/testinput8 ++++ b/testdata/testinput8 +@@ -182,4 +182,6 @@ + + /((?1)(?2)(?3)(?4)(?5)(?6)(?7)(?8)(?9)(?9)(?8)(?7)(?6)(?5)(?4)(?3)(?2)(?1)(?0)){2,}()()()()()()()()()/debug + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++ + # End of testinput8 +diff --git a/testdata/testoutput8-16-2 b/testdata/testoutput8-16-2 +index 05669bb..a5e8dec 100644 +--- a/testdata/testoutput8-16-2 ++++ b/testdata/testoutput8-16-2 +@@ -1027,4 +1027,7 @@ Capturing subpattern count = 10 + May match empty string + Subject length lower bound = 0 + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: error 186 at offset 490: 
regular expression is too complicated ++ + # End of testinput8 +diff --git a/testdata/testoutput8-16-3 b/testdata/testoutput8-16-3 +index 31884e1..36133b3 100644 +--- a/testdata/testoutput8-16-3 ++++ b/testdata/testoutput8-16-3 +@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10 + May match empty string + Subject length lower bound = 0 + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: error 114 at offset 509: missing closing parenthesis ++ + # End of testinput8 +diff --git a/testdata/testoutput8-32-2 b/testdata/testoutput8-32-2 +index babd0c7..99c4fad 100644 +--- a/testdata/testoutput8-32-2 ++++ b/testdata/testoutput8-32-2 +@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10 + May match empty string + Subject length lower bound = 0 + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: error 114 at offset 509: missing closing parenthesis ++ + # End of testinput8 +diff --git a/testdata/testoutput8-32-3 b/testdata/testoutput8-32-3 +index babd0c7..99c4fad 100644 +--- a/testdata/testoutput8-32-3 ++++ b/testdata/testoutput8-32-3 +@@ 
-1023,4 +1023,7 @@ Capturing subpattern count = 10 + May match empty string + Subject length lower bound = 0 + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: error 114 at offset 509: missing closing parenthesis ++ + # End of testinput8 +diff --git a/testdata/testoutput8-32-4 b/testdata/testoutput8-32-4 +index babd0c7..99c4fad 100644 +--- a/testdata/testoutput8-32-4 ++++ b/testdata/testoutput8-32-4 +@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10 + May match empty string + Subject length lower bound = 0 + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: error 114 at offset 509: missing closing parenthesis ++ + # End of testinput8 +diff --git a/testdata/testoutput8-8-2 b/testdata/testoutput8-8-2 +index 6a9aa0a..6dc1f42 100644 +--- a/testdata/testoutput8-8-2 ++++ b/testdata/testoutput8-8-2 +@@ -1026,4 +1026,7 @@ Capturing subpattern count = 10 + May match empty string + Subject length lower bound = 0 + 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: error 114 at offset 509: missing closing parenthesis ++ + # End of testinput8 +diff --git a/testdata/testoutput8-8-3 b/testdata/testoutput8-8-3 +index 2fe1168..ae14946 100644 +--- a/testdata/testoutput8-8-3 ++++ b/testdata/testoutput8-8-3 +@@ -1024,4 +1024,7 @@ Capturing subpattern count = 10 + May match empty string + Subject length lower bound = 0 + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: error 114 at offset 509: missing closing parenthesis ++ + # End of testinput8 +diff --git a/testdata/testoutput8-8-4 b/testdata/testoutput8-8-4 +index 91993b2..6c79956 100644 +--- a/testdata/testoutput8-8-4 ++++ b/testdata/testoutput8-8-4 +@@ -1022,4 +1022,7 @@ Capturing subpattern count = 10 + May match empty string + Subject length lower bound = 0 + 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: error 114 at offset 509: missing closing parenthesis ++ + # End of testinput8 +-- +2.8.3 + diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm index 24ecf905e0..e954492554 100644 --- a/gnu/packages/pcre.scm +++ b/gnu/packages/pcre.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2013 Andreas Enge ;;; Copyright © 2014, 2015 Mark H Weaver ;;; Copyright © 2015 Ricardo Wurmus +;;; Copyright © 2016 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -83,6 +84,7 @@ (define-public pcre2 (uri (string-append "mirror://sourceforge/pcre/pcre2/" version "/pcre2-" version ".tar.bz2")) + (patches (search-patches "pcre2-CVE-2016-3191.patch")) (sha256 (base32 "1q6lrj9b08l1q39vxipb0fi88x6ybvkr6439h8bjb9r8jd81fsn6")))) -- cgit v1.2.3
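Review bot: The diffstat kept in the embedded patch's header still lists `testdata/testoutput8-16-4 | 3 +++` and summarises `12 files changed, 47 insertions(+), 2 deletions(-)`, yet the body that follows carries only eleven `diff --git` sections, because the header's own prose says the testoutput8-16-4 change was omitted; a reader comparing the two would conclude a section was lost in transit. Either drop that diffstat line and correct the summary to the eleven files and, by the header's own numbers, 44 insertions actually present, or add a sentence beside the omission note such as `The diffstat below is upstream's and still counts testoutput8-16-4.` As rendered here the `See .` and `svn r489 at ,` references are empty; if that is not an artifact of this copy, the upstream bug and repository URLs should be restored so the CVE fix stays traceable to its origin. The pcre2_compile.c change itself, which only switches the per-open-capture OP_CLOSE emission to length accounting when `lengthptr` is non-NULL, matches the ChangeLog entry and needs nothing further.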