Your message dated Thu, 30 Mar 2017 19:42:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#859133: unblock: pcre3/2:8.39-3
has caused the Debian Bug report #859133,
regarding unblock: pcre3/2:8.39-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
859133: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859133
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi
(Know this is somewhere in a thread already, but wanted to make an
explicit unblock request, Cyril Brulebois X-Debbugs-CC'ed):
Please unblock package pcre3
The upload fixes CVE-2017-7186: invalid Unicode property lookup may
cause denial of service (Closes: #858238)
unblock pcre3/2:8.39-3
Thanks to the whole team for your hard work on the release!
Regards,
Salvatore
diff -Nru pcre3-8.39/debian/changelog pcre3-8.39/debian/changelog
--- pcre3-8.39/debian/changelog 2017-02-17 15:56:09.000000000 +0100
+++ pcre3-8.39/debian/changelog 2017-03-21 23:03:19.000000000 +0100
@@ -1,3 +1,10 @@
+pcre3 (2:8.39-3) unstable; urgency=high
+
+ * CVE-2017-7186: invalid Unicode property lookup may cause denial of
+ service (Closes: #858238)
+
+ -- Matthew Vernon <[email protected]> Tue, 21 Mar 2017 22:03:19 +0000
+
pcre3 (2:8.39-2.1) unstable; urgency=high
* Non-maintainer upload.
diff -Nru pcre3-8.39/debian/patches/series pcre3-8.39/debian/patches/series
--- pcre3-8.39/debian/patches/series 2017-02-17 15:56:09.000000000 +0100
+++ pcre3-8.39/debian/patches/series 2017-03-21 23:04:04.000000000 +0100
@@ -6,3 +6,4 @@
no_jit_x32_powerpcspe.patch
Disable_JIT_on_sparc64.patch
CVE-2017-6004.patch
+upstream-fix-for-cve-2017-7186-upstream-
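Review bot: the new series entry departs from the naming used by the neighbouring CVE fix (`CVE-2017-6004.patch`); `CVE-2017-7186.patch` would be more consistent than the long `upstream-fix-for-cve-2017-7186-upstream-...` name. Whatever name is kept, the string in `series` has to match the file under `debian/patches/` byte for byte, and the name as shown here ends in `upstream-`, so it is worth confirming it is not truncated in the actual tree, otherwise dpkg-source will refuse to apply the patch at build time.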
diff -Nru pcre3-8.39/debian/patches/upstream-fix-for-cve-2017-7186-upstream-
pcre3-8.39/debian/patches/upstream-fix-for-cve-2017-7186-upstream-
--- pcre3-8.39/debian/patches/upstream-fix-for-cve-2017-7186-upstream-
1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.39/debian/patches/upstream-fix-for-cve-2017-7186-upstream-
2017-03-21 23:04:04.000000000 +0100
@@ -0,0 +1,59 @@
+Description: Upstream fix for CVE-2017-7186 (Upstream rev 1688)
+ Fix Unicode property crash for 32-bit characters greater than 0x10ffff.
+Author: Matthew Vernon <[email protected]>
+X-Dgit-Generated: 2:8.39-3 c4c2c7c4f74d53b263af2471d8e11db88096bd13
+
+---
+
+--- pcre3-8.39.orig/pcre_internal.h
++++ pcre3-8.39/pcre_internal.h
+@@ -2772,6 +2772,9 @@ extern const pcre_uint8 PRIV(ucd_stage1
+ extern const pcre_uint16 PRIV(ucd_stage2)[];
+ extern const pcre_uint32 PRIV(ucp_gentype)[];
+ extern const pcre_uint32 PRIV(ucp_gbtable)[];
++#ifdef COMPILE_PCRE32
++extern const ucd_record PRIV(dummy_ucd_record)[];
++#endif
+ #ifdef SUPPORT_JIT
+ extern const int PRIV(ucp_typerange)[];
+ #endif
+@@ -2780,9 +2783,15 @@ extern const int PRIV(ucp_typera
+ /* UCD access macros */
+
+ #define UCD_BLOCK_SIZE 128
+-#define GET_UCD(ch) (PRIV(ucd_records) + \
++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
+ PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
+ UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
++
++#ifdef COMPILE_PCRE32
++#define GET_UCD(ch) ((ch > 0x10ffff)? PRIV(dummy_ucd_record) :
REAL_GET_UCD(ch))
++#else
++#define GET_UCD(ch) REAL_GET_UCD(ch)
++#endif
+
+ #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype
+ #define UCD_SCRIPT(ch) GET_UCD(ch)->script
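Review bot: the macro argument is used unparenthesised in the new guard, `(ch > 0x10ffff)`, whereas `REAL_GET_UCD` wraps it as `(int)(ch)`; any caller passing an expression containing an operator of lower precedence than `>` (a conditional, for example) would be mis-parsed, so `((ch) > 0x10ffff)` is the safer spelling. A short comment at the definition would also help the next reader: the guard is needed only under `COMPILE_PCRE32` because a 32-bit code unit outside UTF mode can hold any value up to 0xffffffff, and for values above 0x10ffff `PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE]` indexes past the end of the stage-1 table (for values above 0x7fffffff the `(int)` cast typically makes the index negative), which is the crash described in the patch header; the 8-bit and 16-bit libraries cannot produce a code point above 0x10ffff, so keeping the unguarded macro for them is correct. Both arms of the conditional evaluate to `const ucd_record *`, so the `->chartype` and `->script` accessors below need no change.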
+--- pcre3-8.39.orig/pcre_ucd.c
++++ pcre3-8.39/pcre_ucd.c
+@@ -38,6 +38,20 @@ const pcre_uint16 PRIV(ucd_stage2)[] = {
+ const pcre_uint32 PRIV(ucd_caseless_sets)[] = {0};
+ #else
+
++/* If the 32-bit library is run in non-32-bit mode, character values
++greater than 0x10ffff may be encountered. For these we set up a
++special record. */
++
++#ifdef COMPILE_PCRE32
++const ucd_record PRIV(dummy_ucd_record)[] = {{
++ ucp_Common, /* script */
++ ucp_Cn, /* type unassigned */
++ ucp_gbOther, /* grapheme break property */
++ 0, /* case set */
++ 0, /* other case */
++ }};
++#endif
++
+ /* When recompiling tables with a new Unicode version, please check the
+ types in this structure definition from pcre_internal.h (the actual
+ field names will be different):
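Review bot: the `PRIV(dummy_ucd_record)` initializer is positional, so its five values (script, type, grapheme break property, case set, other case) must be listed in exactly the order the `ucd_record` fields are declared in pcre_internal.h; the comment immediately below the new block already warns that the field names there differ from the generated tables, so a mismatch would compile silently and hand back a record with the wrong type for every out-of-range character. A one-line comment pointing at the struct definition would make the dependency explicit. Note also that the definition sits in the `#else` branch of the conditional whose first arm defines the stub `PRIV(ucd_caseless_sets)[] = {0}`, while the `extern` added to pcre_internal.h is guarded only on `COMPILE_PCRE32`; that is fine as long as `GET_UCD` is never expanded in a build that takes the first arm, otherwise the reference would fail at link time.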
--- End Message ---
--- Begin Message ---
Niels Thykier:
> Control: tags -1 confirmed
>
> Salvatore Bonaccorso:
>> Package: release.debian.org
>> Severity: normal
>> User: [email protected]
>> Usertags: unblock
>>
>> Hi
>>
>> (Know this is somewhere in a thread already, but wanted to make an
>> explicit unblock request, Cyril Brulebois X-Debbugs-CC'ed):
>>
>> Please unblock package pcre3
>>
>> The upload fixes CVE-2017-7186: invalid Unicode property lookup may
>> cause denial of service (Closes: #858238)
>>
>> unblock pcre3/2:8.39-3
>>
>> Thanks to the whole team for your hard work on the release!
>>
>> Regards,
>> Salvatore
>>
>
> Ack from here - CC'ing KiBi for a d-i ack.
>
> Thanks,
> ~Niels
>
>
Silly me, already acked in <[email protected]>.
Unblocked, thanks.
~Niels
--- End Message ---