aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2016-05-29 14:38:54 -0400
committerLeo Famulari <leo@famulari.name>2016-05-29 23:57:31 -0400
commitccda7c8317fcbcdf929d6f8a183d4dbd2f5c1391 (patch)
tree2a41259f5d3e9292b35ad36b17e1dde3ad3f6b99
parent0d567b553153921488ddf18879768b4125c9613e (diff)
downloadpatches-ccda7c8317fcbcdf929d6f8a183d4dbd2f5c1391.tar
patches-ccda7c8317fcbcdf929d6f8a183d4dbd2f5c1391.tar.gz
gnu: pcre2: Fix CVE-2016-3191.
* gnu/packages/patches/pcre2-CVE-2016-3191.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/pcre.scm (pcre2): Use it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/pcre2-CVE-2016-3191.patch179
-rw-r--r--gnu/packages/pcre.scm2
3 files changed, 182 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index eab390d228..66d7c62b8d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -665,6 +665,7 @@ dist_patch_DATA = \
%D%/packages/patches/patchutils-xfail-gendiff-tests.patch \
%D%/packages/patches/patch-hurd-path-max.patch \
%D%/packages/patches/pcre-CVE-2016-3191.patch \
+ %D%/packages/patches/pcre2-CVE-2016-3191.patch \
%D%/packages/patches/perl-CVE-2015-8607.patch \
%D%/packages/patches/perl-CVE-2016-2381.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \
diff --git a/gnu/packages/patches/pcre2-CVE-2016-3191.patch b/gnu/packages/patches/pcre2-CVE-2016-3191.patch
new file mode 100644
index 0000000000..80f9d3d4f1
--- /dev/null
+++ b/gnu/packages/patches/pcre2-CVE-2016-3191.patch
@@ -0,0 +1,179 @@
+Fixes CVE-2016-3191 (remote execution of arbitrary code or denial of
+service (stack-based buffer overflow) via a crafted regular expression).
+
+See <https://bugzilla.redhat.com/show_bug.cgi?id=1311503>.
+
+This is svn r489 at <svn://vcs.exim.org/pcre2/code>, omitting the
+changes to 'testdata/testoutput8-16-4', which does not exist in the
+source tarball.
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@489 6239d852-aaf2-0410-a92c-79f79f948069
+---
+ ChangeLog | 4 ++++
+ src/pcre2_compile.c | 16 ++++++++++++++--
+ testdata/testinput8 | 2 ++
+ testdata/testoutput8-16-2 | 3 +++
+ testdata/testoutput8-16-3 | 3 +++
+ testdata/testoutput8-16-4 | 3 +++
+ testdata/testoutput8-32-2 | 3 +++
+ testdata/testoutput8-32-3 | 3 +++
+ testdata/testoutput8-32-4 | 3 +++
+ testdata/testoutput8-8-2 | 3 +++
+ testdata/testoutput8-8-3 | 3 +++
+ testdata/testoutput8-8-4 | 3 +++
+ 12 files changed, 47 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 3ce0207..65e333e 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -58,6 +58,10 @@ some head-scratching the next time this happens.
+ assertion, caused pcre2test to output a very large number of spaces when the
+ callout was taken, making the program appearing to loop.
+
++12. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply
++nested set of parentheses of sufficient size caused an overflow of the
++compiling workspace (which was diagnosed, but of course is not desirable).
++
+
+ Version 10.21 12-January-2016
+ -----------------------------
+diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
+index e33d620..887fbfd 100644
+--- a/src/pcre2_compile.c
++++ b/src/pcre2_compile.c
+@@ -5901,10 +5901,22 @@ for (;; ptr++)
+ goto FAILED;
+ }
+ cb->had_accept = TRUE;
++
++ /* In the first pass, just accumulate the length required;
++ otherwise hitting (*ACCEPT) inside many nested parentheses can
++ cause workspace overflow. */
++
+ for (oc = cb->open_caps; oc != NULL; oc = oc->next)
+ {
+- *code++ = OP_CLOSE;
+- PUT2INC(code, 0, oc->number);
++ if (lengthptr != NULL)
++ {
++ *lengthptr += CU2BYTES(1) + IMM2_SIZE;
++ }
++ else
++ {
++ *code++ = OP_CLOSE;
++ PUT2INC(code, 0, oc->number);
++ }
+ }
+ setverb = *code++ =
+ (cb->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
+diff --git a/testdata/testinput8 b/testdata/testinput8
+index ca3b1b9..7e2a1f0 100644
+--- a/testdata/testinput8
++++ b/testdata/testinput8
+@@ -182,4 +182,6 @@
+
+ /((?1)(?2)(?3)(?4)(?5)(?6)(?7)(?8)(?9)(?9)(?8)(?7)(?6)(?5)(?4)(?3)(?2)(?1)(?0)){2,}()()()()()()()()()/debug
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-16-2 b/testdata/testoutput8-16-2
+index 05669bb..a5e8dec 100644
+--- a/testdata/testoutput8-16-2
++++ b/testdata/testoutput8-16-2
+@@ -1027,4 +1027,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 186 at offset 490: regular expression is too complicated
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-16-3 b/testdata/testoutput8-16-3
+index 31884e1..36133b3 100644
+--- a/testdata/testoutput8-16-3
++++ b/testdata/testoutput8-16-3
+@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-32-2 b/testdata/testoutput8-32-2
+index babd0c7..99c4fad 100644
+--- a/testdata/testoutput8-32-2
++++ b/testdata/testoutput8-32-2
+@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-32-3 b/testdata/testoutput8-32-3
+index babd0c7..99c4fad 100644
+--- a/testdata/testoutput8-32-3
++++ b/testdata/testoutput8-32-3
+@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-32-4 b/testdata/testoutput8-32-4
+index babd0c7..99c4fad 100644
+--- a/testdata/testoutput8-32-4
++++ b/testdata/testoutput8-32-4
+@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-8-2 b/testdata/testoutput8-8-2
+index 6a9aa0a..6dc1f42 100644
+--- a/testdata/testoutput8-8-2
++++ b/testdata/testoutput8-8-2
+@@ -1026,4 +1026,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-8-3 b/testdata/testoutput8-8-3
+index 2fe1168..ae14946 100644
+--- a/testdata/testoutput8-8-3
++++ b/testdata/testoutput8-8-3
+@@ -1024,4 +1024,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+diff --git a/testdata/testoutput8-8-4 b/testdata/testoutput8-8-4
+index 91993b2..6c79956 100644
+--- a/testdata/testoutput8-8-4
++++ b/testdata/testoutput8-8-4
+@@ -1022,4 +1022,7 @@ Capturing subpattern count = 10
+ May match empty string
+ Subject length lower bound = 0
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: error 114 at offset 509: missing closing parenthesis
++
+ # End of testinput8
+--
+2.8.3
+
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 24ecf905e0..e954492554 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -83,6 +84,7 @@ POSIX regular expression API.")
(uri (string-append "mirror://sourceforge/pcre/pcre2/"
version "/pcre2-" version ".tar.bz2"))
+ (patches (search-patches "pcre2-CVE-2016-3191.patch"))
(sha256
(base32
"1q6lrj9b08l1q39vxipb0fi88x6ybvkr6439h8bjb9r8jd81fsn6"))))