Fix CVE-2015-3210

2015-07-01 09:25:05 +02:00 · 2015-07-01 09:25:05 +02:00 · 5e196467b7
commit 5e196467b7
parent 7c442da08c
2 changed files with 74 additions and 0 deletions
--- a/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch
+++ b/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch
@ -0,0 +1,68 @@
 From 354e1f8e921dcb9cf2f3a5eac93cd826d01a7d8a Mon Sep 17 00:00:00 2001
 From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
 Date: Tue, 23 Jun 2015 16:34:53 +0000
 Subject: [PATCH] Fix buffer overflow for forward reference within backward
 assertion with excess closing parenthesis. Bugzilla 1651.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 This is upstream commit ported to 8.37:
 commit 764692f9aea9eab50fdba6cb537441d8b34c6c37
 Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
 Date:   Tue Jun 23 16:34:53 2015 +0000
    Fix buffer overflow for forward reference within backward assertion with excess
    closing parenthesis. Bugzilla 1651.
    git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-cb99058d5e15
 It fixes CVE-2015-5073.
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 pcre_compile.c       | 2 +-
 testdata/testinput2  | 2 ++
 testdata/testoutput2 | 3 +++
 3 files changed, 6 insertions(+), 1 deletion(-)
 diff --git a/pcre_compile.c b/pcre_compile.c
 index 6f06912..b66b1f6 100644
 --- a/pcre_compile.c
 +++ b/pcre_compile.c
@@ -9392,7 +9392,7 @@ OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The
 exceptional ones forgo this. We scan the pattern to check that they are fixed
 length, and set their lengths. */
 -if (cd->check_lookbehind)
 +if (errorcode == 0 && cd->check_lookbehind)
   {
   pcre_uchar *cc = (pcre_uchar *)codestart;
 diff --git a/testdata/testinput2 b/testdata/testinput2
 index 83bb471..5cc9ce6 100644
 --- a/testdata/testinput2
 +++ b/testdata/testinput2
@@ -4154,4 +4154,6 @@ backtracking verbs. --/
 "(?J)(?'d'(?'d'\g{d}))"
 +/(?=di(?<=(?1))|(?=(.))))/
 +
 /-- End of testinput2 --/
 diff --git a/testdata/testoutput2 b/testdata/testoutput2
 index 7dff52a..4decb8d 100644
 --- a/testdata/testoutput2
 +++ b/testdata/testoutput2
@@ -14425,4 +14425,7 @@ Failed: lookbehind assertion is not fixed length at offset 17
 "(?J)(?'d'(?'d'\g{d}))"
 +/(?=di(?<=(?1))|(?=(.))))/
 +Failed: unmatched parentheses at offset 23
 +
 /-- End of testinput2 --/
 -- 
 2.4.3
--- a/pcre.spec
+++ b/pcre.spec
@ -33,6 +33,8 @@ Patch0: pcre-8.21-multilib.patch
 Patch1: pcre-8.32-refused_spelling_terminated.patch
 # Fix CVE-2015-3210, bug #1236659
 Patch2: pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch
 # Fix CVE-2015-5073, bug #1237224
 Patch3: pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch
 BuildRequires: readline-devel
 # New libtool to get rid of rpath
 BuildRequires: autoconf, automake, libtool
@ -75,6 +77,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
 %patch0 -p1 -b .multilib
 %patch1 -p1 -b .terminated_typos
 %patch2 -p1 -b .CVE-2015-3210
 %patch3 -p1 -b .CVE-2015-5073
 # Because of rpath patch
 libtoolize --copy --force && autoreconf -vif
 # One contributor's name is non-UTF-8
@ -148,6 +151,9 @@ make %{?_smp_mflags} check VERBOSE=yes
 * Wed Jul 01 2015 Petr Pisar <ppisar@redhat.com> - 8.37-2
 - Fix CVE-2015-3210 (heap overflow when compiling an expression with named
  recursive back reference and the name is duplicated) (bug #1236659)
 - Fix CVE-2015-5073 (heap overflow when compiling an expression with an
  forward reference within backward asserion with excessive closing
  paranthesis) (bug #1237224)
 * Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 8.37-1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild