Bug#855405: pcre3: CVE-2017-6004

Fri, 17 Feb 2017 07:12:42 -0800 

Control: tags -1 + patch

Hi

Attached would be the proposed debdiff for a NMU in case needed (I
will use in any case a delayed queue if I upload).

Let me know if you would appreciate the NMU or prefer to do the upload
on your own if you agree.

Regards,
Salvatore

diff -Nru pcre3-8.39/debian/changelog pcre3-8.39/debian/changelog
--- pcre3-8.39/debian/changelog 2016-08-19 10:04:15.000000000 +0200
+++ pcre3-8.39/debian/changelog 2017-02-17 15:56:09.000000000 +0100
@@ -1,3 +1,11 @@
+pcre3 (2:8.39-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2017-6004: crafted regular expression may cause denial of service
+    (Closes: #855405)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Fri, 17 Feb 2017 15:56:09 +0100
+
 pcre3 (2:8.39-2) unstable; urgency=low
 
   * Update symbols file to reflect compilation with gcc6 (Closes: #811969)
diff -Nru pcre3-8.39/debian/patches/CVE-2017-6004.patch 
pcre3-8.39/debian/patches/CVE-2017-6004.patch
--- pcre3-8.39/debian/patches/CVE-2017-6004.patch       1970-01-01 
01:00:00.000000000 +0100
+++ pcre3-8.39/debian/patches/CVE-2017-6004.patch       2017-02-17 
15:56:09.000000000 +0100
@@ -0,0 +1,19 @@
+Description: CVE-2017-6004: crafted regular expression may cause denial of 
service
+Origin: upstream, 
https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch
+Bug: https://bugs.exim.org/show_bug.cgi?id=2035
+Bug-Debian: https://bugs.debian.org/855405
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2017-02-17
+
+--- a/pcre_jit_compile.c
++++ b/pcre_jit_compile.c
+@@ -8111,7 +8111,7 @@ if (opcode == OP_COND || opcode == OP_SC
+ 
+     if (*matchingpath == OP_FAIL)
+       stacksize = 0;
+-    if (*matchingpath == OP_RREF)
++    else if (*matchingpath == OP_RREF)
+       {
+       stacksize = GET2(matchingpath, 1);
+       if (common->currententry == NULL)
diff -Nru pcre3-8.39/debian/patches/series pcre3-8.39/debian/patches/series
--- pcre3-8.39/debian/patches/series    2016-07-28 17:43:57.000000000 +0200
+++ pcre3-8.39/debian/patches/series    2017-02-17 15:56:09.000000000 +0100
@@ -5,3 +5,4 @@
 soname.patch
 no_jit_x32_powerpcspe.patch
 Disable_JIT_on_sparc64.patch
+CVE-2017-6004.patch

Reply via email to