Your message dated Sat, 18 Feb 2017 17:18:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#855460: unblock: pcre3/2:8.39-2.1
has caused the Debian Bug report #855460,
regarding unblock: pcre3/2:8.39-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
855460: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855460
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi Release managers,

Please unblock package pcre3

The upload fixes #855405, which maps to the BTS the CVE
CVE-2017-6004 (the severity to grave is disputable, I admit that, but
I think it would be good to release stretch without that CVE open; it is
"just" that a specially crafted regular expression may cause a denial
of service for an application using pcre3, as it was demonstrated in
the upstream bug for php).

It builds on all release architectures:

https://buildd.debian.org/status/package.php?p=pcre3

The changelog reads as:

>pcre3 (2:8.39-2.1) unstable; urgency=high
>
>  * Non-maintainer upload.
>  * CVE-2017-6004: crafted regular expression may cause denial of service
>    (Closes: #855405)
>
> -- Salvatore Bonaccorso <[email protected]>  Fri, 17 Feb 2017 15:56:09 +0100

I'm including as requested the debdiff against the version in testing.

The d-i release manager is X-Debbugs-CC'ed since that would need an ack
as well from him, afaict.

unblock pcre3/2:8.39-2.1

Btw, thanks for your amazing work!

Regards,
Salvatore
diff -Nru pcre3-8.39/debian/changelog pcre3-8.39/debian/changelog
--- pcre3-8.39/debian/changelog 2016-08-19 10:04:15.000000000 +0200
+++ pcre3-8.39/debian/changelog 2017-02-17 15:56:09.000000000 +0100
@@ -1,3 +1,11 @@
+pcre3 (2:8.39-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2017-6004: crafted regular expression may cause denial of service
+    (Closes: #855405)
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 17 Feb 2017 15:56:09 +0100
+
 pcre3 (2:8.39-2) unstable; urgency=low
 
   * Update symbols file to reflect compilation with gcc6 (Closes: #811969)
diff -Nru pcre3-8.39/debian/patches/CVE-2017-6004.patch 
pcre3-8.39/debian/patches/CVE-2017-6004.patch
--- pcre3-8.39/debian/patches/CVE-2017-6004.patch       1970-01-01 
01:00:00.000000000 +0100
+++ pcre3-8.39/debian/patches/CVE-2017-6004.patch       2017-02-17 
15:56:09.000000000 +0100
@@ -0,0 +1,19 @@
+Description: CVE-2017-6004: crafted regular expression may cause denial of 
service
+Origin: upstream, 
https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch
+Bug: https://bugs.exim.org/show_bug.cgi?id=2035
+Bug-Debian: https://bugs.debian.org/855405
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <[email protected]>
+Last-Update: 2017-02-17
+
+--- a/pcre_jit_compile.c
++++ b/pcre_jit_compile.c
+@@ -8111,7 +8111,7 @@ if (opcode == OP_COND || opcode == OP_SC
+ 
+     if (*matchingpath == OP_FAIL)
+       stacksize = 0;
+-    if (*matchingpath == OP_RREF)
++    else if (*matchingpath == OP_RREF)
+       {
+       stacksize = GET2(matchingpath, 1);
+       if (common->currententry == NULL)
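Review bot: the only code change is `if` to `else if` on the `OP_RREF` test, and since `*matchingpath` cannot be both `OP_FAIL` and `OP_RREF`, the change can only take effect through whatever `else` branches continue this chain below the three trailing context lines, which the hunk does not show; with the bare `if`, an `OP_FAIL` matching path set `stacksize = 0` and then still fell through to the later branches, and the `else if` now keeps it out of them. Consider widening the hunk context or stating this in the Description so that the reason the denial of service goes away is reviewable from the debdiff alone, and confirm that the upstream revision range r1676..r1680 cited in Origin touched nothing outside pcre_jit_compile.c, since only that file is carried here.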
diff -Nru pcre3-8.39/debian/patches/series pcre3-8.39/debian/patches/series
--- pcre3-8.39/debian/patches/series    2016-07-28 17:43:57.000000000 +0200
+++ pcre3-8.39/debian/patches/series    2017-02-17 15:56:09.000000000 +0100
@@ -5,3 +5,4 @@
 soname.patch
 no_jit_x32_powerpcspe.patch
 Disable_JIT_on_sparc64.patch
+CVE-2017-6004.patch

--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Hi,
> 
> Salvatore Bonaccorso <[email protected]> (2017-02-18):
>> Hi Release managers,
>>
>> Please unblock package pcre3
>>
>> [...]
>>
>> I'm including as requested the debdiff against the version in testing.
>>
>> The d-i release manager is X-Debbug-CC'ed since that would need an ack
>> as well from him, afaict.
>>
>> unblock pcre3/2:8.39-2.1
> 
> Thanks! No objections from me.
> 
> 
> KiBi.
> 

Unblocked, thanks.

~Niels

--- End Message ---
