--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi,
I'd like to upload the new erlang/1:19.2.1+dfsg-2 which fixes CVE-2016-10253
(heap overflow in bundled PCRE library).
The diff of the proposed upload is attached.
Will you unblock it after the upload?
unblock erlang/19.2.1+dfsg-2
-- System Information:
Debian Release: 9.0
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru erlang-19.2.1+dfsg/debian/changelog
erlang-19.2.1+dfsg/debian/changelog
--- erlang-19.2.1+dfsg/debian/changelog 2017-01-16 23:02:47.000000000 +0300
+++ erlang-19.2.1+dfsg/debian/changelog 2017-03-22 15:31:29.000000000 +0300
@@ -1,3 +1,12 @@
+erlang (1:19.2.1+dfsg-2) unstable; urgency=high
+
+ * Applied a patch from the PCRE upstream which fixes CVE-2016-10253
+ vulnerability (heap overflow while compiling certain regular expressions).
+ The patch is taken from https://github.com/erlang/otp/pull/1108 and
+ modified to match the original patch by PCRE developers (closes: #858313).
+
+ -- Sergei Golovan <[email protected]> Wed, 22 Mar 2017 15:31:29 +0300
+
erlang (1:19.2.1+dfsg-1) unstable; urgency=medium
* New upstream bugfix release.
diff -Nru erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch
erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch
--- erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch 1970-01-01
03:00:00.000000000 +0300
+++ erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch 2017-03-22
15:31:29.000000000 +0300
@@ -0,0 +1,116 @@
+Author: PCRE upstream
+Description: A fix for CVE-2016-10253 which is the heap overflow during
+ a regular expression compile phase. The offending regexp could be
+ "(?<=((?2))((?1)))".
+ The patch was found at https://github.com/erlang/otp/pull/1108 and
+ the original version from
https://vcs.pcre.org/pcre?view=revision&revision=1542
+ and https://vcs.pcre.org/pcre?view=revision&revision=1560 and
+ https://vcs.pcre.org/pcre?view=revision&revision=1571
+ has been adapted.
+Last-Modified: Wed, 22 Mar 2017 15:35:07 +0300
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858313
+Bug-Upstream: https://bugs.erlang.org/browse/ERL-208
+
+--- a/erts/emulator/pcre/pcre_compile.c
++++ b/erts/emulator/pcre/pcre_compile.c
+@@ -649,6 +649,14 @@
+ #endif
+
+
++/* Structure for mutual recursion detection. */
++
++typedef struct recurse_check {
++ struct recurse_check *prev;
++ const pcre_uchar *group;
++} recurse_check;
++
++
+
+ /*************************************************
+ * Find an error text *
+@@ -1734,6 +1742,7 @@
+ utf TRUE in UTF-8 / UTF-16 / UTF-32 mode
+ atend TRUE if called when the pattern is complete
+ cd the "compile data" structure
++ recurses chain of recurse_check to catch mutual recursion
+
+ Returns: the fixed length,
+ or -1 if there is no fixed length,
+@@ -1743,10 +1752,11 @@
+ */
+
+ static int
+-find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd)
++find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd,
++ recurse_check *recurses)
+ {
+ int length = -1;
+-
++recurse_check this_recurse;
+ register int branchlength = 0;
+ register pcre_uchar *cc = code + 1 + LINK_SIZE;
+
+@@ -1771,7 +1781,8 @@
+ case OP_ONCE:
+ case OP_ONCE_NC:
+ case OP_COND:
+- d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend,
cd);
++ d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend,
cd,
++ recurses);
+ if (d < 0) return d;
+ branchlength += d;
+ do cc += GET(cc, 1); while (*cc == OP_ALT);
+@@ -1805,7 +1816,16 @@
+ cs = ce = (pcre_uchar *)cd->start_code + GET(cc, 1); /* Start subpattern
*/
+ do ce += GET(ce, 1); while (*ce == OP_ALT); /* End subpattern */
+ if (cc > cs && cc < ce) return -1; /* Recursion */
+- d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd);
++ else /* Check for mutual recursion */
++ {
++ recurse_check *r = recurses;
++ for (r = recurses; r != NULL; r = r->prev) if (r->group == cs) break;
++ if (r != NULL) return -1; /* Mutual recursion */
++ }
++ this_recurse.prev = recurses;
++ this_recurse.group = cs;
++ d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd, &this_recurse);
++
+ if (d < 0) return d;
+ branchlength += d;
+ cc += 1 + LINK_SIZE;
+@@ -1818,7 +1838,7 @@
+ case OP_ASSERTBACK:
+ case OP_ASSERTBACK_NOT:
+ do cc += GET(cc, 1); while (*cc == OP_ALT);
+- cc += PRIV(OP_lengths)[*cc];
++ cc += 1 + LINK_SIZE;
+ break;
+
+ /* Skip over things that don't match chars */
+@@ -7255,7 +7275,7 @@
+ int fixed_length;
+ *code = OP_END;
+ fixed_length = find_fixedlength(last_branch, (options & PCRE_UTF8) !=
0,
+- FALSE, cd);
++ FALSE, cd, NULL);
+ DPRINTF(("fixed length = %d\n", fixed_length));
+ if (fixed_length == -3)
+ {
+@@ -8249,7 +8269,7 @@
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+ {
+ pcre_uchar *cc = (pcre_uchar *)codestart;
+
+@@ -8269,7 +8289,7 @@
+ int end_op = *be;
+ *be = OP_END;
+ fixed_length = find_fixedlength(cc, (re->options & PCRE_UTF8) != 0,
TRUE,
+- cd);
++ cd, NULL);
+ *be = end_op;
+ DPRINTF(("fixed length = %d\n", fixed_length));
+ if (fixed_length < 0)
diff -Nru erlang-19.2.1+dfsg/debian/patches/series
erlang-19.2.1+dfsg/debian/patches/series
--- erlang-19.2.1+dfsg/debian/patches/series 2016-12-15 00:12:13.000000000
+0300
+++ erlang-19.2.1+dfsg/debian/patches/series 2017-03-22 15:31:29.000000000
+0300
@@ -10,3 +10,4 @@
wx3.0-constants.patch
beamload.patch
x32.patch
+cve-2016-10253.patch
--- End Message ---
