From 5aa6c2f1e85ddc3dd0d46e67e9ceec58ee7ef3bd Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 9 Nov 2021 04:52:31 -0500
Subject: [PATCH] import pcre-8.42-6.el8
---
 ...2-Fix-subject-buffer-overread-in-JIT.patch | 29 ++++++++++
 ...f-the-number-after-C-as-it-is-read-i.patch | 55 +++++++++++++++++++
 SPECS/pcre.spec | 20 ++++++-
 3 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/pcre-8.42-Fix-subject-buffer-overread-in-JIT.patch
 create mode 100644 SOURCES/pcre-8.43-Check-the-size-of-the-number-after-C-as-it-is-read-i.patch
diff --git a/SOURCES/pcre-8.42-Fix-subject-buffer-overread-in-JIT.patch b/SOURCES/pcre-8.42-Fix-subject-buffer-overread-in-JIT.patch
new file mode 100644
index 0000000..1b64902
--- /dev/null
+++ b/SOURCES/pcre-8.42-Fix-subject-buffer-overread-in-JIT.patch
@@ -0,0 +1,29 @@
+From 1aa76cb33f04fcea3127a0859450e5d18369e5e2 Mon Sep 17 00:00:00 2001
+From: zherczeg
+Date: Fri, 21 Sep 2018 07:34:10 +0000
+Subject: [PATCH] Fix subject buffer overread in JIT.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1740 2f5784b3-3f2a-0410-8824-cb99058d5e15
+Petr Písař: Ported to 8.42.
+---
+ pcre_jit_compile.c | 2 +-
+
+diff --git a/pcre_jit_compile.c b/pcre_jit_compile.c
+index 2bad74b..bc5f9c0 100644
+--- a/pcre_jit_compile.c
++++ b/pcre_jit_compile.c
+@@ -9002,7 +9002,7 @@ if (exact > 1)
+ #ifdef SUPPORT_UTF
+ && !common->utf
+ #endif
+- )
++ && type != OP_ANYNL && type != OP_EXTUNI)
+ {
+ OP2(SLJIT_ADD, TMP1, 0, STR_PTR, 0, SLJIT_IMM, IN_UCHARS(exact));
+ add_jump(compiler, &backtrack->topbacktracks, CMP(SLJIT_GREATER, TMP1, 0, STR_END, 0));
+--
+2.17.2
+
diff --git a/SOURCES/pcre-8.43-Check-the-size-of-the-number-after-C-as-it-is-read-i.patch b/SOURCES/pcre-8.43-Check-the-size-of-the-number-after-C-as-it-is-read-i.patch
new file mode 100644
index 0000000..06b7db0
--- /dev/null
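Review bot: The widened condition `&& type != OP_ANYNL && type != OP_EXTUNI` carries no comment saying why these two opcodes must leave the fast path, although the visible lines of that path check `STR_PTR + IN_UCHARS(exact)` against `STR_END` only once, up front. A comment above the condition such as `/* \R and \X can match more than one code unit per repeat, so the single length check below does not bound them. */` would keep a later cleanup from dropping the exclusion; that rationale is inferred from the spec's description of CVE-2019-20838 and should be confirmed against upstream. The port's diffstat lists only pcre_jit_compile.c, so as far as this page shows no test input pins the case for the `make check` run in the spec, and the same holds for the `(?C` patch added next. The `if (exact > 1)` block begins and ends outside the hunk.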
+++ b/SOURCES/pcre-8.43-Check-the-size-of-the-number-after-C-as-it-is-read-i.patch
@@ -0,0 +1,55 @@
+From 3a9026509f9c1745f378595e55e5024361ad152d Mon Sep 17 00:00:00 2001
+From: ph10
+Date: Mon, 10 Feb 2020 17:17:34 +0000
+Subject: [PATCH] Check the size of the number after (?C as it is read, in
+ order to avoid integer overflow.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1761 2f5784b3-3f2a-0410-8824-cb99058d5e15
+Petr Písař: Ported to 8.43.
+---
+ pcre_compile.c | 14 ++++++++------
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 079d30a..1e3d6c3 100644
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -6,7 +6,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+
+ Written by Philip Hazel
+- Copyright (c) 1997-2018 University of Cambridge
++ Copyright (c) 1997-2020 University of Cambridge
+
+ -----------------------------------------------------------------------------
+ Redistribution and use in source and binary forms, with or without
+@@ -7130,17 +7130,19 @@ for (;; ptr++)
+ int n = 0;
+ ptr++;
+ while(IS_DIGIT(*ptr))
++ {
+ n = n * 10 + *ptr++ - CHAR_0;
++ if (n > 255)
++ {
++ *errorcodeptr = ERR38;
++ goto FAILED;
++ }
++ }
+ if (*ptr != CHAR_RIGHT_PARENTHESIS)
+ {
+ *errorcodeptr = ERR39;
+ goto FAILED;
+ }
+- if (n > 255)
+- {
+- *errorcodeptr = ERR38;
+- goto FAILED;
+- }
+ *code++ = n;
+ PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
+ PUT(code, LINK_SIZE, 0); /* Default length */
+--
+2.21.1
+
diff --git a/SPECS/pcre.spec b/SPECS/pcre.spec
index ded5975..d027bf9 100644
--- a/SPECS/pcre.spec
+++ b/SPECS/pcre.spec
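Review bot: The per-digit test `if (n > 255)` inside the `while(IS_DIGIT(*ptr))` loop is what keeps `n = n * 10 + *ptr++ - CHAR_0` from overflowing, but the new code does not say so, and the test reads like a plain range check that could be hoisted back out of the loop. A one-line comment in the loop body, e.g. `/* Test per digit: n was <= 255 before this step, so it is at most 2559 here and cannot overflow. */`, would record the invariant. An over-long number that is not followed by `)` now reports ERR38 where the old ordering reported ERR39; that looks harmless but is a visible change in error code for callers. The enclosing `for (;; ptr++)` body lies outside the hunk.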
@@ -2,7 +2,7 @@
 #%%global rcversion RC1
 Name: pcre
 Version: 8.42
-Release: %{?rcversion:0.}4%{?rcversion:.%rcversion}%{?dist}
+Release: %{?rcversion:0.}6%{?rcversion:.%rcversion}%{?dist}
 %global myversion %{version}%{?rcversion:-%rcversion}
 Summary: Perl-compatible regular expression library
 ## Source package only:
@@ -48,6 +48,13 @@ Patch5: pcre-8.42-Fix-bad-auto-possessify-for-certain-classes.patch
 # Fix anchoring in conditionals with only one branch, bug #1619228,
 # upstream bug #2307, in upstream after 8.42
 Patch6: pcre-8.42-Fix-anchoring-bug-in-conditional-subexpression.patch
+# Fix a subject buffer overread in JIT when UTF is disabled and \X or \R has
+# a greater than 1 fixed quantifier, CVE-2019-20838, bug #1852252,
+# in upstream after 8.42
+Patch7: pcre-8.42-Fix-subject-buffer-overread-in-JIT.patch
+# Fix an integer overflow when parsing numbers after "(?C", CVE-2020-14155,
+# bug #1851552, upstream bug #2463, in upstream after 8.43
+Patch8: pcre-8.43-Check-the-size-of-the-number-after-C-as-it-is-read-i.patch
 BuildRequires: readline-devel
 BuildRequires: autoconf
 BuildRequires: automake
@@ -136,6 +143,8 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 # Because of rpath patch
 libtoolize --copy --force
 autoreconf -vif
@@ -230,6 +239,15 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcretest.*
 %changelog
+* Wed Jun 02 2021 Lukas Javorsky - 8.42-6
+- Rebuild for BZ#1954441
+
+* Wed Apr 14 2021 Petr Pisar - 8.42-5
+- Fix CVE-2019-20838 (a subject buffer overread in JIT when UTF is disabled
+ and \X or \R has a greater than 1 fixed quantifier) (bug #1852252)
+- Fix CVE-2020-14155 (an integer overflow when parsing numbers after "(?C"))
+ (bug #1851552)
+
 * Mon Sep 03 2018 Petr Pisar - 8.42-4
 - Fix anchoring in conditionals with only one branch (bug #1619228)