diff options
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/pcre2-CVE-2016-3191.patch | 179 | ||||
-rw-r--r-- | gnu/packages/pcre.scm | 15 |
3 files changed, 11 insertions, 184 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index e3bf241c8e..ee40c1bd30 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -811,7 +811,6 @@ dist_patch_DATA = \ %D%/packages/patches/patchutils-xfail-gendiff-tests.patch \ %D%/packages/patches/patch-hurd-path-max.patch \ %D%/packages/patches/pcre-CVE-2016-3191.patch \ - %D%/packages/patches/pcre2-CVE-2016-3191.patch \ %D%/packages/patches/perl-autosplit-default-time.patch \ %D%/packages/patches/perl-deterministic-ordering.patch \ %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \ diff --git a/gnu/packages/patches/pcre2-CVE-2016-3191.patch b/gnu/packages/patches/pcre2-CVE-2016-3191.patch deleted file mode 100644 index 80f9d3d4f1..0000000000 --- a/gnu/packages/patches/pcre2-CVE-2016-3191.patch +++ /dev/null @@ -1,179 +0,0 @@ -Fixes CVE-2016-3191 (remote execution of arbitrary code or denial of -service (stack-based buffer overflow) via a crafted regular expression). - -See <https://bugzilla.redhat.com/show_bug.cgi?id=1311503>. - -This is svn r489 at <svn://vcs.exim.org/pcre2/code>, omitting the -changes to 'testdata/testoutput8-16-4', which does not exist in the -source tarball. - -git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@489 6239d852-aaf2-0410-a92c-79f79f948069 ---- - ChangeLog | 4 ++++ - src/pcre2_compile.c | 16 ++++++++++++++-- - testdata/testinput8 | 2 ++ - testdata/testoutput8-16-2 | 3 +++ - testdata/testoutput8-16-3 | 3 +++ - testdata/testoutput8-16-4 | 3 +++ - testdata/testoutput8-32-2 | 3 +++ - testdata/testoutput8-32-3 | 3 +++ - testdata/testoutput8-32-4 | 3 +++ - testdata/testoutput8-8-2 | 3 +++ - testdata/testoutput8-8-3 | 3 +++ - testdata/testoutput8-8-4 | 3 +++ - 12 files changed, 47 insertions(+), 2 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 3ce0207..65e333e 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -58,6 +58,10 @@ some head-scratching the next time this happens. - assertion, caused pcre2test to output a very large number of spaces when the - callout was taken, making the program appearing to loop. - -+12. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply -+nested set of parentheses of sufficient size caused an overflow of the -+compiling workspace (which was diagnosed, but of course is not desirable). -+ - - Version 10.21 12-January-2016 - ----------------------------- -diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c -index e33d620..887fbfd 100644 ---- a/src/pcre2_compile.c -+++ b/src/pcre2_compile.c -@@ -5901,10 +5901,22 @@ for (;; ptr++) - goto FAILED; - } - cb->had_accept = TRUE; -+ -+ /* In the first pass, just accumulate the length required; -+ otherwise hitting (*ACCEPT) inside many nested parentheses can -+ cause workspace overflow. */ -+ - for (oc = cb->open_caps; oc != NULL; oc = oc->next) - { -- *code++ = OP_CLOSE; -- PUT2INC(code, 0, oc->number); -+ if (lengthptr != NULL) -+ { -+ *lengthptr += CU2BYTES(1) + IMM2_SIZE; -+ } -+ else -+ { -+ *code++ = OP_CLOSE; -+ PUT2INC(code, 0, oc->number); -+ } - } - setverb = *code++ = - (cb->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT; -diff --git a/testdata/testinput8 b/testdata/testinput8 -index ca3b1b9..7e2a1f0 100644 ---- a/testdata/testinput8 -+++ b/testdata/testinput8 -@@ -182,4 +182,6 @@ - - /((?1)(?2)(?3)(?4)(?5)(?6)(?7)(?8)(?9)(?9)(?8)(?7)(?6)(?5)(?4)(?3)(?2)(?1)(?0)){2,}()()()()()()()()()/debug - -+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ -+ - # End of testinput8 -diff --git a/testdata/testoutput8-16-2 b/testdata/testoutput8-16-2 -index 05669bb..a5e8dec 100644 ---- a/testdata/testoutput8-16-2 -+++ b/testdata/testoutput8-16-2 -@@ -1027,4 +1027,7 @@ Capturing subpattern count = 10 - May match empty string - Subject length lower bound = 0 - -+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ -+Failed: error 186 at offset 490: regular expression is too complicated -+ - # End of testinput8 -diff --git a/testdata/testoutput8-16-3 b/testdata/testoutput8-16-3 -index 31884e1..36133b3 100644 ---- a/testdata/testoutput8-16-3 -+++ b/testdata/testoutput8-16-3 -@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10 - May match empty string - Subject length lower bound = 0 - -+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ -+Failed: error 114 at offset 509: missing closing parenthesis -+ - # End of testinput8 -diff --git a/testdata/testoutput8-32-2 b/testdata/testoutput8-32-2 -index babd0c7..99c4fad 100644 ---- a/testdata/testoutput8-32-2 -+++ b/testdata/testoutput8-32-2 -@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10 - May match empty string - Subject length lower bound = 0 - -+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ -+Failed: error 114 at offset 509: missing closing parenthesis -+ - # End of testinput8 -diff --git a/testdata/testoutput8-32-3 b/testdata/testoutput8-32-3 -index babd0c7..99c4fad 100644 ---- a/testdata/testoutput8-32-3 -+++ b/testdata/testoutput8-32-3 -@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10 - May match empty string - Subject length lower bound = 0 - -+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ -+Failed: error 114 at offset 509: missing closing parenthesis -+ - # End of testinput8 -diff --git a/testdata/testoutput8-32-4 b/testdata/testoutput8-32-4 -index babd0c7..99c4fad 100644 ---- a/testdata/testoutput8-32-4 -+++ b/testdata/testoutput8-32-4 -@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10 - May match empty string - Subject length lower bound = 0 - -+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ -+Failed: error 114 at offset 509: missing closing parenthesis -+ - # End of testinput8 -diff --git a/testdata/testoutput8-8-2 b/testdata/testoutput8-8-2 -index 6a9aa0a..6dc1f42 100644 ---- a/testdata/testoutput8-8-2 -+++ b/testdata/testoutput8-8-2 -@@ -1026,4 +1026,7 @@ Capturing subpattern count = 10 - May match empty string - Subject length lower bound = 0 - -+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ -+Failed: error 114 at offset 509: missing closing parenthesis -+ - # End of testinput8 -diff --git a/testdata/testoutput8-8-3 b/testdata/testoutput8-8-3 -index 2fe1168..ae14946 100644 ---- a/testdata/testoutput8-8-3 -+++ b/testdata/testoutput8-8-3 -@@ -1024,4 +1024,7 @@ Capturing subpattern count = 10 - May match empty string - Subject length lower bound = 0 - -+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ -+Failed: error 114 at offset 509: missing closing parenthesis -+ - # End of testinput8 -diff --git a/testdata/testoutput8-8-4 b/testdata/testoutput8-8-4 -index 91993b2..6c79956 100644 ---- a/testdata/testoutput8-8-4 -+++ b/testdata/testoutput8-8-4 -@@ -1022,4 +1022,7 @@ Capturing subpattern count = 10 - May match empty string - Subject length lower bound = 0 - -+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ -+Failed: error 114 at offset 509: missing closing parenthesis -+ - # End of testinput8 --- -2.8.3 - diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm index fe9157af12..8b92e47a4d 100644 --- a/gnu/packages/pcre.scm +++ b/gnu/packages/pcre.scm @@ -3,6 +3,7 @@ ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2016 Leo Famulari <leo@famulari.name> +;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -73,16 +74,15 @@ POSIX regular expression API.") (define-public pcre2 (package (name "pcre2") - (version "10.21") + (version "10.23") (source (origin (method url-fetch) (uri (string-append "mirror://sourceforge/pcre/pcre2/" version "/pcre2-" version ".tar.bz2")) - (patches (search-patches "pcre2-CVE-2016-3191.patch")) (sha256 (base32 - "1q6lrj9b08l1q39vxipb0fi88x6ybvkr6439h8bjb9r8jd81fsn6")))) + "0vn5g0mkkp99mmzpissa06hpyj6pk9s4mlwbjqrjvw3ihy8rpiyz")))) (build-system gnu-build-system) (inputs `(("bzip2" ,bzip2) ("readline" ,readline) @@ -95,7 +95,14 @@ POSIX regular expression API.") "--enable-unicode-properties" "--enable-pcre2-16" "--enable-pcre2-32" - "--enable-jit"))) + "--enable-jit") + #:phases + (modify-phases %standard-phases + (add-after 'unpack 'patch-paths + (lambda _ + (substitute* "RunGrepTest" + (("/bin/echo") (which "echo"))) + #t))))) (synopsis "Perl Compatible Regular Expressions") (description "The PCRE library is a set of functions that implement regular expression |