From 0e2bfdf9b8e6f2711f96686ad405ab272d1a66cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Mon, 29 Feb 2016 13:08:55 +0100
Subject: [PATCH] Fix CVE-2016-1283
---
 ...icate-name-bugfix-by-overestimating-.patch | 56 +++++++++++++++++++
 pcre.spec | 11 +++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 pcre-8.38-Yet-another-duplicate-name-bugfix-by-overestimating-.patch
diff --git a/pcre-8.38-Yet-another-duplicate-name-bugfix-by-overestimating-.patch b/pcre-8.38-Yet-another-duplicate-name-bugfix-by-overestimating-.patch
new file mode 100644
index 0000000..9dcef4d
--- /dev/null
+++ b/pcre-8.38-Yet-another-duplicate-name-bugfix-by-overestimating-.patch
@@ -0,0 +1,56 @@
+From b7537308b7c758f33c347cb0bec62754c43c271f Mon Sep 17 00:00:00 2001
+From: ph10
+Date: Sat, 27 Feb 2016 17:38:11 +0000
+Subject: [PATCH] Yet another duplicate name bugfix by overestimating the
+ memory needed (i.e. another hack - PCRE2 has this "properly" fixed).
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1636 2f5784b3-3f2a-0410-8824-cb99058d5e15
+
+Petr Písař: Ported to 8.38.
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 5019854..4ffea0c 100644
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -7311,7 +7311,12 @@ for (;; ptr++)
+ so far in order to get the number. If the name is not found, leave
+ the value of recno as 0 for a forward reference. */
+
+- else
++ /* This patch (removing "else") fixes a problem when a reference is
++ to multiple identically named nested groups from within the nest.
++ Once again, it is not the "proper" fix, and it results in an
++ over-allocation of memory. */
++
++ /* else */
+ {
+ ng = cd->named_groups;
+ for (i = 0; i < cd->names_found; i++, ng++)
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 086e0f4..c805f5f 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4239,4 +4239,6 @@ backtracking verbs. --/
+ 9010
+ abcd
+
++/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/
++
+ /-- End of testinput2 --/
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index d414a72..800a72f 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14665,4 +14665,6 @@ Start of matched string is beyond its end - displaying from end to start.
+ 0 ^ 0
+ No match
+
++/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/
++
+ /-- End of testinput2 --/
+--
+2.5.0
+
diff --git a/pcre.spec b/pcre.spec
index c5dcb68..e4c18a8 100644
--- a/pcre.spec
+++ b/pcre.spec
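Review bot: The regression case added to testinput2 only demonstrates that the pattern compiles (testoutput2 echoes the pattern with no subject lines and no error), so a short heap over-write of the kind this patch targets would not fail `make check` on its own unless the suite is run under a memory checker; when validating the backport, run the pcretest suite under valgrind or ASan (PCRE's RunTest appears to accept a -valgrind switch, worth confirming) so the check in the spec actually proves the fix rather than merely not crashing. Because this is a verbatim backport of upstream r1636 the dead `/* else */` marker should stay as-is to keep future rebases clean, but I would extend the explanatory comment with the concrete trigger so nobody "tidies" the `else` back in: `/* Intentionally unconditional (no "else"): CVE-2016-1283 / upstream bug #1767 -- a \k'R' back reference inside nested duplicate groups named R under (?J) must run the named_groups scan below as well, otherwise the length estimate is too small. */`. The enclosing pre-scan loop `for (;; ptr++)` begins and ends outside the hunk, so whether the over-allocation also changes behaviour in the real compile pass cannot be judged from here.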
@@ -2,7 +2,7 @@
#%%global rcversion RC1
Name: pcre
Version: 8.38
-Release: %{?rcversion:0.}7%{?rcversion:.%rcversion}%{?dist}
+Release: %{?rcversion:0.}8%{?rcversion:.%rcversion}%{?dist}
%global myversion %{version}%{?rcversion:-%rcversion}
Summary: Perl-compatible regular expression library
Group: System Environment/Libraries
@@ -73,6 +73,10 @@ Patch12: pcre-8.38-Fix-pcretest-bad-behaviour-for-callout-in-lookbehind.patch
# Fix workspace overflow for (*ACCEPT) with deeply nested parentheses,
# upstream bug #1791, fixed in upstream after 8.38
Patch13: pcre-8.38-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch
+# Fix CVE-2016-1283 (heap buffer overflow in handling of nested duplicate named
+# groups with a nested back reference), bug #1295386, upstream bug #1767,
+# fixed in upstream after 8.38
+Patch14: pcre-8.38-Yet-another-duplicate-name-bugfix-by-overestimating-.patch
BuildRequires: readline-devel
BuildRequires: autoconf
BuildRequires: automake
@@ -135,6 +139,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
%patch11 -p1
%patch12 -p1
%patch13 -p1
+%patch14 -p1
# Because of rpath patch
libtoolize --copy --force
autoreconf -vif
@@ -206,6 +211,10 @@ make %{?_smp_mflags} check VERBOSE=yes
%{_mandir}/man1/pcretest.*

%changelog
+* Mon Feb 29 2016 Petr Pisar - 8.38-8
+- Fix CVE-2016-1283 (a heap buffer overflow in handling of nested duplicate
+ named groups with a nested back reference) (bug #1295386)
+
* Thu Feb 11 2016 Petr Pisar - 8.38-7
- Fix pcretest for expressions with a callout inside a look-behind assertion
(upstream bug #1783)