Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <[email protected]>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #858680,
regarding jessie-pu: package erlang/1:17.3-dfsg-4+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
858680: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858680
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi!
Bug #858313 (see [1] for details) affects jessie as well, so I'd like
to propose an updated package to fix it.
The bug is in the PCRE library bundled with Erlang, and causes the whole
Erlang virtual machine to crash. It's currently being tracked at [2].
The diff between the current package and the updated one is attached.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858313
[2] https://security-tracker.debian.org/tracker/CVE-2016-10253
-- System Information:
Debian Release: 9.0
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru erlang-17.3-dfsg/debian/changelog erlang-17.3-dfsg/debian/changelog
--- erlang-17.3-dfsg/debian/changelog 2015-04-04 17:00:58.000000000 +0300
+++ erlang-17.3-dfsg/debian/changelog 2017-03-22 17:21:52.000000000 +0300
@@ -1,3 +1,12 @@
+erlang (1:17.3-dfsg-4+deb8u1) stable-proposed-updates; urgency=medium
+
+ * Applied a patch from the PCRE upstream which fixes CVE-2016-10253
+ vulnerability (heap overflow while compiling certain regular expressions).
+ The patch is taken from https://github.com/erlang/otp/pull/1108 and
+ modified to match the original patch by PCRE developers (closes: #858313).
+
+ -- Sergei Golovan <[email protected]> Wed, 22 Mar 2017 17:21:52 +0300
+
erlang (1:17.3-dfsg-4) unstable; urgency=medium
* Added a patch from upstream which fixes TLS POODLE vulnerability in
diff -Nru erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch
erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch
--- erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch 1970-01-01
03:00:00.000000000 +0300
+++ erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch 2017-03-22
17:20:04.000000000 +0300
@@ -0,0 +1,116 @@
+Author: PCRE upstream
+Description: A fix for CVE-2016-10253 which is the heap overflow during
+ a regular expression compile phase. The offending regexp could be
+ "(?<=((?2))((?1)))".
+ The patch was found at https://github.com/erlang/otp/pull/1108 and
+ the original version from
https://vcs.pcre.org/pcre?view=revision&revision=1542
+ and https://vcs.pcre.org/pcre?view=revision&revision=1560 and
+ https://vcs.pcre.org/pcre?view=revision&revision=1571
+ has been adapted.
+Last-Modified: Wed, 22 Mar 2017 15:35:07 +0300
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858313
+Bug-Upstream: https://bugs.erlang.org/browse/ERL-208
+
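Review bot: The header fields `Last-Modified:` and `Bug-Upstream:` are not DEP-3 field names; DEP-3 uses `Last-Update:` (with a YYYY-MM-DD date) and `Bug:` for the upstream tracker. The OTP pull request and the three vcs.pcre.org revisions would be easier for tools to find in an `Origin:` field than in the free-text description. Since the changelog says the patch was "modified to match the original patch by PCRE developers", the description should also state which parts differ from the pull request.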
+--- a/erts/emulator/pcre/pcre_compile.c
++++ b/erts/emulator/pcre/pcre_compile.c
+@@ -649,6 +649,14 @@
+ #endif
+
+
++/* Structure for mutual recursion detection. */
++
++typedef struct recurse_check {
++ struct recurse_check *prev;
++ const pcre_uchar *group;
++} recurse_check;
++
++
+
+ /*************************************************
+ * Find an error text *
+@@ -1734,6 +1742,7 @@
+ utf TRUE in UTF-8 / UTF-16 / UTF-32 mode
+ atend TRUE if called when the pattern is complete
+ cd the "compile data" structure
++ recurses chain of recurse_check to catch mutual recursion
+
+ Returns: the fixed length,
+ or -1 if there is no fixed length,
+@@ -1743,10 +1752,11 @@
+ */
+
+ static int
+-find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd)
++find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd,
++ recurse_check *recurses)
+ {
+ int length = -1;
+-
++recurse_check this_recurse;
+ register int branchlength = 0;
+ register pcre_uchar *cc = code + 1 + LINK_SIZE;
+
+@@ -1771,7 +1781,8 @@
+ case OP_ONCE:
+ case OP_ONCE_NC:
+ case OP_COND:
+- d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend,
cd);
++ d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend,
cd,
++ recurses);
+ if (d < 0) return d;
+ branchlength += d;
+ do cc += GET(cc, 1); while (*cc == OP_ALT);
+@@ -1805,7 +1816,16 @@
+ cs = ce = (pcre_uchar *)cd->start_code + GET(cc, 1); /* Start subpattern
*/
+ do ce += GET(ce, 1); while (*ce == OP_ALT); /* End subpattern */
+ if (cc > cs && cc < ce) return -1; /* Recursion */
+- d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd);
++ else /* Check for mutual recursion */
++ {
++ recurse_check *r = recurses;
++ for (r = recurses; r != NULL; r = r->prev) if (r->group == cs) break;
++ if (r != NULL) return -1; /* Mutual recursion */
++ }
++ this_recurse.prev = recurses;
++ this_recurse.group = cs;
++ d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd, &this_recurse);
++
+ if (d < 0) return d;
+ branchlength += d;
+ cc += 1 + LINK_SIZE;
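Review bot: In the mutual-recursion block, `recurse_check *r = recurses;` initialises `r` and the `for (r = recurses; ...)` on the next line assigns it again, so one of the two should go. The `else` follows an `if` whose body is a `return`, so it is redundant and a plain block would read more clearly. `this_recurse` is a stack object whose address is handed to the nested `find_fixedlength` call; a short comment that the chain node is valid only for the duration of that call, and that only this case writes the function-wide variable, would make the lifetime explicit.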
+@@ -1818,7 +1838,7 @@
+ case OP_ASSERTBACK:
+ case OP_ASSERTBACK_NOT:
+ do cc += GET(cc, 1); while (*cc == OP_ALT);
+- cc += PRIV(OP_lengths)[*cc];
++ cc += 1 + LINK_SIZE;
+ break;
+
+ /* Skip over things that don't match chars */
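Review bot: The change from `cc += PRIV(OP_lengths)[*cc];` to `cc += 1 + LINK_SIZE;` in the assertion cases carries no comment on why the table lookup on `*cc` is no longer wanted. If the reason is that callers temporarily overwrite an opcode with OP_END before calling this function (as the `*code = OP_END;` and `*be = OP_END;` lines in the later hunks do), say so next to the constant, so that it is not turned back into a lookup in a later cleanup.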
+@@ -7255,7 +7275,7 @@
+ int fixed_length;
+ *code = OP_END;
+ fixed_length = find_fixedlength(last_branch, (options & PCRE_UTF8) !=
0,
+- FALSE, cd);
++ FALSE, cd, NULL);
+ DPRINTF(("fixed length = %d\n", fixed_length));
+ if (fixed_length == -3)
+ {
+@@ -8249,7 +8269,7 @@
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+ {
+ pcre_uchar *cc = (pcre_uchar *)codestart;
+
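Review bot: The new `errorcode == 0 &&` guard on the lookbehind scan is not mentioned in the comment directly above it, whose visible part still reads as if the scan always runs when `cd->check_lookbehind` is set. Add a sentence to that comment saying the scan is skipped once compilation has already reported an error, and why the compiled code should not be walked in that state.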
+@@ -8269,7 +8289,7 @@
+ int end_op = *be;
+ *be = OP_END;
+ fixed_length = find_fixedlength(cc, (re->options & PCRE_UTF8) != 0,
TRUE,
+- cd);
++ cd, NULL);
+ *be = end_op;
+ DPRINTF(("fixed length = %d\n", fixed_length));
+ if (fixed_length < 0)
diff -Nru erlang-17.3-dfsg/debian/patches/series
erlang-17.3-dfsg/debian/patches/series
--- erlang-17.3-dfsg/debian/patches/series 2015-04-04 16:58:41.000000000
+0300
+++ erlang-17.3-dfsg/debian/patches/series 2017-03-22 17:20:27.000000000
+0300
@@ -13,3 +13,4 @@
sslv3disable.patch
ssltlspoodle.patch
beamload.patch
+cve-2016-10253.patch
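Review bot: The series file gains `cve-2016-10253.patch`, but the update touches only `debian/changelog`, `debian/patches/series` and `pcre_compile.c`, so nothing exercises the fix. Consider adding a regression test that compiles the pattern quoted in the patch description and checks that compilation returns an error instead of crashing the VM, so that a later refresh of the bundled PCRE cannot silently drop the fix.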
--- End Message ---
--- Begin Message ---
Version: 8.8
Hi,
Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!
Regards,
Adam
--- End Message ---