Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi SRM,

I prepared a (rather huge) pcre3 update addressing several CVEs assigned in the recent months but which do not warrant a DSA. The debdiff is rather big, so I want to check with you whether you see any problem in having this update. I still would like to expose the actual built packages more (I have done several tests with the given reproducers).

I adjusted as well the previous +deb8u1 entry (package sitting in jessie-p-u), which has three more CVEs addressed (some only assigned later, and two having the same fixing commit).

The proposed debdiff is attached.

Regards,
Salvatore

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pcre3-8.35/debian/changelog pcre3-8.35/debian/changelog --- pcre3-8.35/debian/changelog 2015-08-16 13:38:23.000000000 +0200 +++ pcre3-8.35/debian/changelog 2015-12-29 09:19:29.000000000 +0100 
@@ -1,6 +1,59 @@ +pcre3 (2:8.35-3.3+deb8u2) jessie; urgency=medium + + * Non-maintainer upload. + * Add additional CVE references and bug closer to previous changelog. + CVE-2015-2327 fix was included in the previous 2:8.35-3.3+deb8u1 upload. + CVE-2015-8384 different issue than CVE-2015-3210 but fixed with same + commit. + CVE-2015-8388 different issue than CVE-2015-5073 but fixed with same + commit. + Add bug closer to bugs in the BTS retrospectively. + * Add 0001-Fix-compile-time-loop-for-recursive-reference-within.patch. + CVE-2015-2328: Stack-based buffer overflow in compile_regex(). + * Add 794589-information-disclosure.patch. + CVE-2015-8382: Fix "pcre_exec does not fill offsets for certain regexps" + leading to information disclosure. (Closes: #794589) + * Add 0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch. + CVE-2015-8383: Buffer overflow caused by repeated conditional group. + * Add 0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch. + CVE-2015-8385: Buffer overflow caused by forward reference by name to + certain group. + * Add 0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch. + CVE-2015-8386: Buffer overflow caused by lookbehind assertion. + * Add 0001-Add-integer-overflow-check-to-n-code.patch. + CVE-2015-8387: Integer overflow in subroutine calls. + * Add 0001-Fix-overflow-when-ovector-has-size-1.patch. + CVE-2015-8380: Heap-based buffer overflow in pcre_exec. (Closes: #806467) + * Add 0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch. + CVE-2015-8389: nfinite recursion in JIT compiler when processing certain + patterns. + * Add 0001-Fix-bug-for-classes-containing-sequences.patch. + CVE-2015-8390: Reading from uninitialized memory when processing certain + patterns. + * Add 0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch. + CVE-2015-8391: Some pathological patterns causes pcre_compile() to run + for a very long time. 
+ * Add 0001-Fix-buffer-overflow-for-named-references-in-situatio.patch. + CVE-2015-8392: Buffer overflow caused by certain patterns with + duplicated named groups. + * Add 0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch. + CVE-2015-8393: Information leak when running pcgrep -q on crafted + binary. + * Add 0001-Add-missing-integer-overflow-checks.patch. + CVE-2015-8394: Integer overflow caused by missing check for certain + conditions. + * Add 0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch. + CVE-2015-8381: Heap Overflow in compile_regex(). + CVE-2015-8395: Buffer overflow caused by certain references. + (Closes: #796762) + + -- Salvatore Bonaccorso <[email protected]> Tue, 29 Dec 2015 09:19:11 +0100 + pcre3 (2:8.35-3.3+deb8u1) jessie; urgency=medium - * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073 + * CVE-2015-2325 CVE-2015-2326 CVE-2015-2327 CVE-2015-3210 + CVE-2015-5073 CVE-2015-8384 CVE-2015-8388 + (Closes: #781795, #783285, #787433, #790000) -- Moritz Muehlenhoff <[email protected]> Sun, 16 Aug 2015 11:37:39 +0000 diff -Nru pcre3-8.35/debian/patches/0001-Add-integer-overflow-check-to-n-code.patch pcre3-8.35/debian/patches/0001-Add-integer-overflow-check-to-n-code.patch --- pcre3-8.35/debian/patches/0001-Add-integer-overflow-check-to-n-code.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Add-integer-overflow-check-to-n-code.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,52 @@ +Description: Add integer overflow check to (?n) code. + . + Addresses CVE-2015-8387. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1563 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-29 +Applied-Upstream: 8.38 + +--- + pcre_compile.c | 8 ++++++++ + testdata/testinput2 | 2 ++ + testdata/testoutput2 | 3 +++ + 4 files changed, 15 insertions(+) + +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -7245,7 +7245,15 @@ for (;; ptr++) + + recno = 0; + while(IS_DIGIT(*ptr)) ++ { ++ if (recno > INT_MAX / 10 - 1) /* Integer overflow */ ++ { ++ while (IS_DIGIT(*ptr)) ptr++; ++ *errorcodeptr = ERR61; ++ goto FAILED; ++ } + recno = recno * 10 + *ptr++ - CHAR_0; ++ } + + if (*ptr != (pcre_uchar)terminator) + { +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4081,4 +4081,6 @@ backtracking verbs. --/ + ".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))(( + \H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')" + ++/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/ ++ + /-- End of testinput2 --/ +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14204,4 +14204,7 @@ Failed: unmatched parentheses at offset + ".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))(( + \H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')" + ++/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/ ++Failed: number is too big at offset 32 ++ + /-- End of testinput2 --/ diff -Nru pcre3-8.35/debian/patches/0001-Add-missing-integer-overflow-checks.patch pcre3-8.35/debian/patches/0001-Add-missing-integer-overflow-checks.patch --- pcre3-8.35/debian/patches/0001-Add-missing-integer-overflow-checks.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Add-missing-integer-overflow-checks.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,66 @@ +Description: Add missing integer overflow checks. + . + Addresses CVE-2015-8394. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1589 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-29 +Applied-Upstream: 8.36 + +--- + pcre_compile.c | 11 +++++++++++ + testdata/testinput2 | 4 ++++ + testdata/testoutput2 | 6 ++++++ + 4 files changed, 25 insertions(+) + +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -6651,6 +6651,12 @@ for (;; ptr++) + { + while (IS_DIGIT(*ptr)) + { ++ if (recno > INT_MAX / 10 - 1) /* Integer overflow */ ++ { ++ while (IS_DIGIT(*ptr)) ptr++; ++ *errorcodeptr = ERR61; ++ goto FAILED; ++ } + recno = recno * 10 + (int)(*ptr - CHAR_0); + ptr++; + } +@@ -6781,6 +6787,11 @@ for (;; ptr++) + *errorcodeptr = ERR15; + goto FAILED; + } ++ if (recno > INT_MAX / 10 - 1) /* Integer overflow */ ++ { ++ *errorcodeptr = ERR61; ++ goto FAILED; ++ } + recno = recno * 10 + name[i] - CHAR_0; + } + if (recno == 0) recno = RREF_ANY; +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4092,4 +4092,8 @@ backtracking verbs. 
--/ + + /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ + ++/((?(R8000000000)))/ ++ ++/(?(8000000000/ ++ + /-- End of testinput2 --/ +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14218,4 +14218,10 @@ Failed: missing terminating ] for charac + + /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ + ++/((?(R8000000000)))/ ++Failed: number is too big at offset 16 ++ ++/(?(8000000000/ ++Failed: number is too big at offset 13 ++ + /-- End of testinput2 --/ diff -Nru pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch --- pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,47 @@ +Description: Fix buffer overflow for lookbehind within mutually recursive + subroutines. + . + Addresses CVE-2015-8386. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1560 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-28 +Applied-Upstream: 8.38 + +--- + pcre_compile.c | 2 +- + testdata/testinput2 | 3 +++ + testdata/testoutput2 | 3 +++ + 4 files changed, 11 insertions(+), 2 deletions(-) + +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -1782,7 +1782,7 @@ for (;;) + case OP_ASSERTBACK: + case OP_ASSERTBACK_NOT: + do cc += GET(cc, 1); while (*cc == OP_ALT); +- cc += PRIV(OP_lengths)[*cc]; ++ cc += 1 + LINK_SIZE; + break; + + /* Skip over things that don't match chars */ +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4078,4 +4078,7 @@ backtracking verbs. --/ + + /(((?(R)){0,2}) (?''((?'X')((?'R')))))/ + ++".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))(( ++\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')" ++ + /-- End of testinput2 --/ +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14201,4 +14201,7 @@ Failed: unmatched parentheses at offset + + /(((?(R)){0,2}) (?''((?'X')((?'R')))))/ + ++".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))(( ++\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')" ++ + /-- End of testinput2 --/ diff -Nru pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-named-references-in-situatio.patch pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-named-references-in-situatio.patch --- pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-named-references-in-situatio.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-named-references-in-situatio.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,171 @@ +Description: Fix buffer overflow for named references in (?| situations. + . + Addresses CVE-2015-8392. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1585 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-29 +Applied-Upstream: 8.38 + +--- + pcre_compile.c | 74 ++++++++++++++++++++++++++++++---------------------- + pcre_internal.h | 1 + + testdata/testinput2 | 2 ++ + testdata/testoutput2 | 2 ++ + 5 files changed, 54 insertions(+), 31 deletions(-) + +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -6555,6 +6555,7 @@ for (;; ptr++) + /* ------------------------------------------------------------ */ + case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */ + reset_bracount = TRUE; ++ cd->dupgroups = TRUE; /* Record (?| encountered */ + /* Fall through */ + + /* ------------------------------------------------------------ */ +@@ -7056,7 +7057,8 @@ for (;; ptr++) + if (lengthptr != NULL) + { + named_group *ng; +- ++ recno = 0; ++ + if (namelen == 0) + { + *errorcodeptr = ERR62; +@@ -7073,32 +7075,6 @@ for (;; ptr++) + goto FAILED; + } + +- /* The name table does not exist in the first pass; instead we must +- scan the list of names encountered so far in order to get the +- number. If the name is not found, set the value to 0 for a forward +- reference. */ +- +- recno = 0; +- ng = cd->named_groups; +- for (i = 0; i < cd->names_found; i++, ng++) +- { +- if (namelen == ng->length && +- STRNCMP_UC_UC(name, ng->name, namelen) == 0) +- { +- open_capitem *oc; +- recno = ng->number; +- if (is_recurse) break; +- for (oc = cd->open_caps; oc != NULL; oc = oc->next) +- { +- if (oc->number == recno) +- { +- oc->flag = TRUE; +- break; +- } +- } +- } +- } +- + /* Count named back references. 
*/ + + if (!is_recurse) cd->namedrefcount++; +@@ -7109,7 +7085,44 @@ for (;; ptr++) + real compile this will be picked up and the reference wrapped with + OP_ONCE to make it atomic, so we must space in case this occurs. */ + +- if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE; ++ *lengthptr += 2 + 2*LINK_SIZE; ++ ++ /* It is even worse than that. The current reference may be to an ++ existing named group with a different number (so apparently not ++ recursive) but which later on is also attached to a group with the ++ current number. This can only happen if $(| has been previous ++ encountered. In that case, we allow yet more memory, just in case. ++ (Again, this is fixed "properly" in PCRE2. */ ++ ++ if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE; ++ ++ /* Otherwise, check for recursion here. The name table does not exist ++ in the first pass; instead we must scan the list of names encountered ++ so far in order to get the number. If the name is not found, leave ++ the value of recno as 0 for a forward reference. */ ++ ++ else ++ { ++ ng = cd->named_groups; ++ for (i = 0; i < cd->names_found; i++, ng++) ++ { ++ if (namelen == ng->length && ++ STRNCMP_UC_UC(name, ng->name, namelen) == 0) ++ { ++ open_capitem *oc; ++ recno = ng->number; ++ if (is_recurse) break; ++ for (oc = cd->open_caps; oc != NULL; oc = oc->next) ++ { ++ if (oc->number == recno) ++ { ++ oc->flag = TRUE; ++ break; ++ } ++ } ++ } ++ } ++ } + } + + /* In the real compile, search the name table. 
We check the name +@@ -9078,6 +9091,7 @@ cd->names_found = 0; + cd->name_entry_size = 0; + cd->name_table = NULL; + cd->dupnames = FALSE; ++cd->dupgroups = FALSE; + cd->namedrefcount = 0; + cd->start_code = cworkspace; + cd->hwm = cworkspace; +@@ -9111,7 +9125,7 @@ if (errorcode != 0) goto PCRE_EARLY_ERRO + + DPRINTF(("end pre-compile: length=%d workspace=%d\n", length, + (int)(cd->hwm - cworkspace))); +- ++ + if (length > MAX_PATTERN_SIZE) + { + errorcode = ERR20; +--- a/pcre_internal.h ++++ b/pcre_internal.h +@@ -2446,6 +2446,7 @@ typedef struct compile_data { + BOOL had_pruneorskip; /* (*PRUNE) or (*SKIP) encountered */ + BOOL check_lookbehind; /* Lookbehinds need later checking */ + BOOL dupnames; /* Duplicate names exist */ ++ BOOL dupgroups; /* Duplicate groups exist: (?| found */ + int nltype; /* Newline type */ + int nllen; /* Newline string length */ + pcre_uchar nl[4]; /* Newline string when fixed length */ +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4090,4 +4090,6 @@ backtracking verbs. 
--/ + + "[[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[:::::::::::::::::[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[[[:::E[[[:[:[[:[:::[[:::E[[[:[:[[:'[:::::E[[[:[::::::[[[:[[[[[[[::E[[[:[::::::[[[:[[[[[[[[:[[::[::::[[:::::::[[:[[[[[[[:[[::[:[[:[~" + ++/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ ++ + /-- End of testinput2 --/ +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14216,4 +14216,6 @@ Matched, but too many substrings + "[[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[:::::::::::::::::[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[[[:::E[[[:[:[[:[:::[[:::E[[[:[:[[:'[:::::E[[[:[::::::[[[:[[[[[[[::E[[[:[::::::[[[:[[[[[[[[:[[::[::::[[:::::::[[:[[[[[[[:[[::[:[[:[~" + Failed: missing terminating ] for character class at offset 353 + ++/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ ++ + /-- End of testinput2 --/ +--- a/testdata/testoutput11-8 ++++ b/testdata/testoutput11-8 +@@ -231,7 +231,7 @@ Memory allocation (code space): 45 + ------------------------------------------------------------------ + + /(?P<a>a)...(?P=a)bbb(?P>a)d/BM +-Memory allocation (code space): 34 ++Memory allocation (code space): 46 + ------------------------------------------------------------------ + 0 30 Bra + 3 7 CBra 1 diff -Nru pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch --- pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,53 @@ +Description: Fix buffer overflow for repeated conditional when referencing + a duplicate name. + . + Addresses CVE-2015-8383. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1557 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-28 +Applied-Upstream: 8.38 + +--- + pcre_compile.c | 2 +- + testdata/testinput2 | 6 ++++++ + testdata/testoutput2 | 6 ++++++ + 4 files changed, 18 insertions(+), 2 deletions(-) + +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -6683,7 +6683,7 @@ for (;; ptr++) + ptr++; + } + namelen = (int)(ptr - name); +- if (lengthptr != NULL) *lengthptr += IMM2_SIZE; ++ if (lengthptr != NULL) skipbytes += IMM2_SIZE; + } + + /* Check the terminator */ +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4072,4 +4072,10 @@ backtracking verbs. --/ + + /(?=di(?<=(?1))|(?=(.))))/ + ++/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J ++ ++/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J ++ ++/(((?(R)){0,2}) (?''((?'X')((?'R')))))/ ++ + /-- End of testinput2 --/ +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14195,4 +14195,10 @@ Failed: parentheses are too deeply neste + /(?=di(?<=(?1))|(?=(.))))/ + Failed: unmatched parentheses at offset 23 + ++/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J ++ ++/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J ++ ++/(((?(R)){0,2}) (?''((?'X')((?'R')))))/ ++ + /-- End of testinput2 --/ diff -Nru pcre3-8.35/debian/patches/0001-Fix-bug-for-classes-containing-sequences.patch pcre3-8.35/debian/patches/0001-Fix-bug-for-classes-containing-sequences.patch --- pcre3-8.35/debian/patches/0001-Fix-bug-for-classes-containing-sequences.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Fix-bug-for-classes-containing-sequences.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,63 @@ +Description: Fix bug for classes containing \\ sequences. + . + Addresses CVE-2015-8390. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1578 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-29 +Applied-Upstream: 8.38 + +--- + pcre_compile.c | 14 ++++++++------ + testdata/testinput2 | 2 ++ + testdata/testoutput2 | 2 ++ + 4 files changed, 16 insertions(+), 6 deletions(-) + +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -3824,11 +3824,11 @@ didn't consider this to be a POSIX class + The problem in trying to be exactly like Perl is in the handling of escapes. We + have to be sure that [abc[:x\]pqr] is *not* treated as containing a POSIX + class, but [abc[:x\]pqr:]] is (so that an error can be generated). The code +-below handles the special case of \], but does not try to do any other escape +-processing. This makes it different from Perl for cases such as [:l\ower:] +-where Perl recognizes it as the POSIX class "lower" but PCRE does not recognize +-"l\ower". This is a lesser evil than not diagnosing bad classes when Perl does, +-I think. ++below handles the special cases \\ and \], but does not try to do any other ++escape processing. This makes it different from Perl for cases such as ++[:l\ower:] where Perl recognizes it as the POSIX class "lower" but PCRE does ++not recognize "l\ower". This is a lesser evil than not diagnosing bad classes ++when Perl does, I think. + + A user pointed out that PCRE was rejecting [:a[:digit:]] whereas Perl was not. + It seems that the appearance of a nested POSIX class supersedes an apparent +@@ -3855,7 +3855,9 @@ pcre_uchar terminator; /* Don't + terminator = *(++ptr); /* compiler warns about "non-constant" initializer. 
*/ + for (++ptr; *ptr != CHAR_NULL; ptr++) + { +- if (*ptr == CHAR_BACKSLASH && ptr[1] == CHAR_RIGHT_SQUARE_BRACKET) ++ if (*ptr == CHAR_BACKSLASH && ++ (ptr[1] == CHAR_RIGHT_SQUARE_BRACKET || ++ ptr[1] == CHAR_BACKSLASH)) + ptr++; + else if (*ptr == CHAR_RIGHT_SQUARE_BRACKET) return FALSE; + else +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4086,4 +4086,6 @@ backtracking verbs. --/ + // + \O1 + ++/[[:\\](?'abc')[a:]/ ++ + /-- End of testinput2 --/ +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14211,4 +14211,6 @@ Failed: number is too big at offset 32 + \O1 + Matched, but too many substrings + ++/[[:\\](?'abc')[a:]/ ++ + /-- End of testinput2 --/ diff -Nru pcre3-8.35/debian/patches/0001-Fix-compile-time-loop-for-recursive-reference-within.patch pcre3-8.35/debian/patches/0001-Fix-compile-time-loop-for-recursive-reference-within.patch --- pcre3-8.35/debian/patches/0001-Fix-compile-time-loop-for-recursive-reference-within.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Fix-compile-time-loop-for-recursive-reference-within.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,103 @@ +Description: Fix compile-time loop for recursive reference within a group + with an indefinite repeat. + . + Addresses CVE-2015-2328. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1498 +Bug: https://bugs.exim.org/show_bug.cgi?id=1515 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-28 +Applied-Upstream: 8.36 + +--- + pcre_compile.c | 21 +++++++++------------ + testdata/testinput1 | 6 ++++++ + testdata/testoutput1 | 10 ++++++++++ + 4 files changed, 30 insertions(+), 12 deletions(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index 8276d0f..4bb05b9 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -2374,6 +2374,7 @@ for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE); + if (c == OP_RECURSE) + { + const pcre_uchar *scode = cd->start_code + GET(code, 1); ++ const pcre_uchar *endgroup = scode; + BOOL empty_branch; + + /* Test for forward reference or uncompleted reference. This is disabled +@@ -2388,24 +2389,20 @@ for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE); + if (GET(scode, 1) == 0) return TRUE; /* Unclosed */ + } + +- /* If we are scanning a completed pattern, there are no forward references +- and all groups are complete. We need to detect whether this is a recursive +- call, as otherwise there will be an infinite loop. If it is a recursion, +- just skip over it. Simple recursions are easily detected. For mutual +- recursions we keep a chain on the stack. */ ++ /* If the reference is to a completed group, we need to detect whether this ++ is a recursive call, as otherwise there will be an infinite loop. If it is ++ a recursion, just skip over it. Simple recursions are easily detected. For ++ mutual recursions we keep a chain on the stack. 
*/ + ++ do endgroup += GET(endgroup, 1); while (*endgroup == OP_ALT); ++ if (code >= scode && code <= endgroup) continue; /* Simple recursion */ + else +- { ++ { + recurse_check *r = recurses; +- const pcre_uchar *endgroup = scode; +- +- do endgroup += GET(endgroup, 1); while (*endgroup == OP_ALT); +- if (code >= scode && code <= endgroup) continue; /* Simple recursion */ +- + for (r = recurses; r != NULL; r = r->prev) + if (r->group == scode) break; + if (r != NULL) continue; /* Mutual recursion */ +- } ++ } + + /* Completed reference; scan the referenced group, remembering it on the + stack chain to detect mutual recursions. */ +diff --git a/testdata/testinput1 b/testdata/testinput1 +index 6fd62ba..123e3d3 100644 +--- a/testdata/testinput1 ++++ b/testdata/testinput1 +@@ -4937,6 +4937,12 @@ however, we need the complication for Perl. ---/ + + /((?(R1)a+|(?1)b))/ + aaaabcde ++ ++/((?(R)a|(?1)))*/ ++ aaa ++ ++/((?(R)a|(?1)))+/ ++ aaa + + /a(*:any + name)/K +diff --git a/testdata/testoutput1 b/testdata/testoutput1 +index eeddf0f..5e71900 100644 +--- a/testdata/testoutput1 ++++ b/testdata/testoutput1 +@@ -8234,6 +8234,16 @@ MK: M + aaaabcde + 0: aaaab + 1: aaaab ++ ++/((?(R)a|(?1)))*/ ++ aaa ++ 0: aaa ++ 1: a ++ ++/((?(R)a|(?1)))+/ ++ aaa ++ 0: aaa ++ 1: a + + /a(*:any + name)/K +-- +2.1.4 + diff -Nru pcre3-8.35/debian/patches/0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch pcre3-8.35/debian/patches/0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch --- pcre3-8.35/debian/patches/0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,96 @@ +Description: Fix infinite recursion in the JIT compiler when certain + patterns when certain patterns are analysed. + . + Addresses CVE-2015-8389. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1577 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-29 +Applied-Upstream: 8.38 + +--- + pcre_jit_compile.c | 15 +++++++++++---- + testdata/testinput12 | 2 ++ + testdata/testoutput12 | 2 ++ + 4 files changed, 18 insertions(+), 4 deletions(-) + +--- a/pcre_jit_compile.c ++++ b/pcre_jit_compile.c +@@ -3183,7 +3183,7 @@ bytes[len] = byte; + bytes[0] = len; + } + +-static int scan_prefix(compiler_common *common, pcre_uchar *cc, pcre_uint32 *chars, pcre_uint8 *bytes, int max_chars) ++static int scan_prefix(compiler_common *common, pcre_uchar *cc, pcre_uint32 *chars, pcre_uint8 *bytes, int max_chars, pcre_uint32 *rec_count) + { + /* Recursive function, which scans prefix literals. */ + BOOL last, any, caseless; +@@ -3201,9 +3201,14 @@ pcre_uchar othercase[1]; + repeat = 1; + while (TRUE) + { ++ if (*rec_count == 0) ++ return 0; ++ rec_count--; ++ + last = TRUE; + any = FALSE; + caseless = FALSE; ++ + switch (*cc) + { + case OP_CHARI: +@@ -3265,7 +3270,7 @@ while (TRUE) + #ifdef SUPPORT_UTF + if (common->utf && HAS_EXTRALEN(*cc)) len += GET_EXTRALEN(*cc); + #endif +- max_chars = scan_prefix(common, cc + len, chars, bytes, max_chars); ++ max_chars = scan_prefix(common, cc + len, chars, bytes, max_chars, rec_count); + if (max_chars == 0) + return consumed; + last = FALSE; +@@ -3288,7 +3293,7 @@ while (TRUE) + alternative = cc + GET(cc, 1); + while (*alternative == OP_ALT) + { +- max_chars = scan_prefix(common, alternative + 1 + LINK_SIZE, chars, bytes, max_chars); ++ max_chars = scan_prefix(common, alternative + 1 + LINK_SIZE, chars, bytes, max_chars, rec_count); + if (max_chars == 0) + return consumed; + alternative += GET(alternative, 1); +@@ -3530,6 +3535,7 @@ int i, max, from; + int range_right = 
-1, range_len = 3 - 1; + sljit_ub *update_table = NULL; + BOOL in_range; ++pcre_uint32 rec_count; + + /* This is even TRUE, if both are NULL. */ + SLJIT_ASSERT(common->read_only_data_ptr == common->read_only_data); +@@ -3541,7 +3547,8 @@ for (i = 0; i < MAX_N_CHARS; i++) + bytes[i * MAX_N_BYTES] = 0; + } + +-max = scan_prefix(common, common->start, chars, bytes, MAX_N_CHARS); ++rec_count = 10000; ++max = scan_prefix(common, common->start, chars, bytes, MAX_N_CHARS, &rec_count); + + if (max <= 1) + return FALSE; +--- a/testdata/testinput12 ++++ b/testdata/testinput12 +@@ -87,4 +87,6 @@ and a couple of things that are differen + /^12345678abcd/mS++ + 12345678abcd + ++/(?:|a|){100}x/S++ ++ + /-- End of testinput12 --/ +--- a/testdata/testoutput12 ++++ b/testdata/testoutput12 +@@ -176,4 +176,6 @@ No match, mark = m (JIT) + 12345678abcd + 0: 12345678abcd (JIT) + ++/(?:|a|){100}x/S++ ++ + /-- End of testinput12 --/ diff -Nru pcre3-8.35/debian/patches/0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch pcre3-8.35/debian/patches/0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch --- pcre3-8.35/debian/patches/0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,55 @@ +Description: Fix named forward reference to duplicate group number + overflow bug. + . + Addresses CVE-2015-8385. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1559 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-28 +Applied-Upstream: 3.38 + +--- + pcre_compile.c | 26 +++++++++++++++++--------- + testdata/testinput1 | 3 +++ + testdata/testoutput1 | 5 +++++ + 4 files changed, 30 insertions(+), 9 deletions(-) + +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -7107,6 +7107,14 @@ for (;; ptr++) + /* Count named back references. */ + + if (!is_recurse) cd->namedrefcount++; ++ ++ /* If this is a forward reference and we are within a (?|...) group, ++ the reference may end up as the number of a group which we are ++ currently inside, that is, it could be a recursive reference. In the ++ real compile this will be picked up and the reference wrapped with ++ OP_ONCE to make it atomic, so we must space in case this occurs. */ ++ ++ if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE; + } + + /* In the real compile, search the name table. We check the name +--- a/testdata/testinput1 ++++ b/testdata/testinput1 +@@ -5672,4 +5672,7 @@ AbcdCBefgBhiBqz + /(a\Kb)*/+ + ababc + ++"(?|(\k'Pm')|(?'Pm'))" ++ abcd ++ + /-- End of testinput1 --/ +--- a/testdata/testoutput1 ++++ b/testdata/testoutput1 +@@ -9323,4 +9323,9 @@ No match + 0+ c + 1: ab + ++"(?|(\k'Pm')|(?'Pm'))" ++ abcd ++ 0: ++ 1: ++ + /-- End of testinput1 --/ diff -Nru pcre3-8.35/debian/patches/0001-Fix-overflow-when-ovector-has-size-1.patch pcre3-8.35/debian/patches/0001-Fix-overflow-when-ovector-has-size-1.patch --- pcre3-8.35/debian/patches/0001-Fix-overflow-when-ovector-has-size-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Fix-overflow-when-ovector-has-size-1.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,50 @@ +Description: Fix overflow when ovector has size 1. + . + Addresses CVE-2015-8380. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1565 +Bug: https://bugs.exim.org/show_bug.cgi?id=1637 +Bug-Debian: https://bugs.debian.org/806467 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-29 +Applied-Upstream: 8.38 + +--- + pcre_exec.c | 3 ++- + testdata/testinput2 | 3 +++ + testdata/testoutput2 | 4 ++++ + 4 files changed, 12 insertions(+), 1 deletion(-) + +--- a/pcre_exec.c ++++ b/pcre_exec.c +@@ -6705,7 +6705,8 @@ if (md->offset_vector != NULL) + register int *iend = iptr - re->top_bracket; + if (iend < md->offset_vector + 2) iend = md->offset_vector + 2; + while (--iptr >= iend) *iptr = -1; +- md->offset_vector[0] = md->offset_vector[1] = -1; ++ if (offsetcount > 0) md->offset_vector[0] = -1; ++ if (offsetcount > 1) md->offset_vector[1] = -1; + } + + /* Set up the first character to match, if available. The first_char value is +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4083,4 +4083,7 @@ backtracking verbs. --/ + + /(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/ + ++// ++\O1 ++ + /-- End of testinput2 --/ +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14207,4 +14207,8 @@ Failed: unmatched parentheses at offset + /(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/ + Failed: number is too big at offset 32 + ++// ++\O1 ++Matched, but too many substrings ++ + /-- End of testinput2 --/ diff -Nru pcre3-8.35/debian/patches/0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch pcre3-8.35/debian/patches/0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch --- pcre3-8.35/debian/patches/0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,61 @@ +Description: Fix "run for ever" bug for deeply nested [: sequences. + . + Addresses CVE-2015-8391. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1579 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-29 +Applied-Upstream: 8.38 + +--- + pcre_compile.c | 17 +++++------------ + testdata/testinput2 | 2 ++ + testdata/testoutput2 | 3 +++ + 4 files changed, 13 insertions(+), 12 deletions(-) + +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -3859,19 +3859,12 @@ for (++ptr; *ptr != CHAR_NULL; ptr++) + (ptr[1] == CHAR_RIGHT_SQUARE_BRACKET || + ptr[1] == CHAR_BACKSLASH)) + ptr++; +- else if (*ptr == CHAR_RIGHT_SQUARE_BRACKET) return FALSE; +- else ++ else if ((*ptr == CHAR_LEFT_SQUARE_BRACKET && ptr[1] == terminator) || ++ *ptr == CHAR_RIGHT_SQUARE_BRACKET) return FALSE; ++ else if (*ptr == terminator && ptr[1] == CHAR_RIGHT_SQUARE_BRACKET) + { +- if (*ptr == terminator && ptr[1] == CHAR_RIGHT_SQUARE_BRACKET) +- { +- *endptr = ptr; +- return TRUE; +- } +- if (*ptr == CHAR_LEFT_SQUARE_BRACKET && +- (ptr[1] == CHAR_COLON || ptr[1] == CHAR_DOT || +- ptr[1] == CHAR_EQUALS_SIGN) && +- check_posix_syntax(ptr, endptr)) +- return FALSE; ++ *endptr = ptr; ++ return TRUE; + } + } + return FALSE; +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4088,4 +4088,6 @@ backtracking verbs. 
--/ + + /[[:\\](?'abc')[a:]/ + ++"[[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[:::::::::::::::::[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[[[:::E[[[:[:[[:[:::[[:::E[[[:[:[[:'[:::::E[[[:[::::::[[[:[[[[[[[::E[[[:[::::::[[[:[[[[[[[[:[[::[::::[[:::::::[[:[[[[[[[:[[::[:[[:[~" ++ + /-- End of testinput2 --/ +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14213,4 +14213,7 @@ Matched, but too many substrings + + /[[:\\](?'abc')[a:]/ + ++"[[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[:::::::::::::::::[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[[[:::E[[[:[:[[:[:::[[:::E[[[:[:[[:'[:::::E[[[:[::::::[[[:[[[[[[[::E[[[:[::::::[[[:[[[[[[[[:[[::[::::[[:::::::[[:[[[[[[[:[[::[:[[:[~" ++Failed: missing terminating ] for character class at offset 353 ++ + /-- End of testinput2 --/ diff -Nru pcre3-8.35/debian/patches/0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch pcre3-8.35/debian/patches/0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch --- pcre3-8.35/debian/patches/0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,60 @@ +Description: Hack in yet other patch for a bug in size computation that is + fixed "properly" in PCRE2. + . + Addresses CVE-2015-8395 and CVE-2015-8381. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1594 +Bug-Debian: https://bugs.debian.org/796762 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-29 +Applied-Upstream: 8.38 + +--- + pcre_compile.c | 5 ++--- + testdata/testinput2 | 2 ++ + testdata/testoutput2 | 2 ++ + 4 files changed, 13 insertions(+), 5 deletions(-) + +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -7105,7 +7105,7 @@ for (;; ptr++) + encountered. In that case, we allow yet more memory, just in case. + (Again, this is fixed "properly" in PCRE2. */ + +- if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE; ++ if (cd->dupgroups) *lengthptr += 4 + 4*LINK_SIZE; + + /* Otherwise, check for recursion here. The name table does not exist + in the first pass; instead we must scan the list of names encountered +@@ -9306,7 +9306,7 @@ if (errorcode == 0 && re->top_backref > + /* Unless disabled, check whether single character iterators can be + auto-possessified. The function overwrites the appropriate opcode values. */ + +-if ((options & PCRE_NO_AUTO_POSSESS) == 0) ++if (errorcode == 0 && (options & PCRE_NO_AUTO_POSSESS) == 0) + auto_possessify((pcre_uchar *)codestart, utf, cd); + + /* If there were any lookbehind assertions that contained OP_RECURSE +@@ -9530,4 +9530,3 @@ return (pcre32 *)re; + } + + /* End of pcre_compile.c */ +- +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4096,4 +4096,6 @@ backtracking verbs. 
--/ + + /(?(8000000000/ + ++/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/ ++ + /-- End of testinput2 --/ +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14224,4 +14224,6 @@ Failed: number is too big at offset 16 + /(?(8000000000/ + Failed: number is too big at offset 13 + ++/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/ ++ + /-- End of testinput2 --/ diff -Nru pcre3-8.35/debian/patches/0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch pcre3-8.35/debian/patches/0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch --- pcre3-8.35/debian/patches/0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,79 @@ +Description: Make pcregrep -q override -l and -c for compatibility with other greps. + . + Addresses CVE-2015-8393. +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1586 +Forwarded: not-needed +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-12-29 +Applied-Upstream: 8.38 + +--- + RunGrepTest | 8 ++++++++ + pcregrep.c | 12 ++++++------ + testdata/grepoutput | 4 ++++ + 4 files changed, 21 insertions(+), 6 deletions(-) + +--- a/RunGrepTest ++++ b/RunGrepTest +@@ -507,6 +507,14 @@ echo "---------------------------- Test + echo "RC=$?" >>testtrygrep + + ++echo "---------------------------- Test 108 ------------------------------" >>testtrygrep ++(cd $srcdir; $valgrind $pcregrep -lq PATTERN ./testdata/grepinput ./testdata/grepinputx) >>testtrygrep ++echo "RC=$?" >>testtrygrep ++ ++echo "---------------------------- Test 109 -----------------------------" >>testtrygrep ++(cd $srcdir; $valgrind $pcregrep -cq lazy ./testdata/grepinput*) >>testtrygrep ++echo "RC=$?" >>testtrygrep ++ + # Now compare the results. + + $cf $srcdir/testdata/grepoutput testtrygrep +--- a/pcregrep.c ++++ b/pcregrep.c +@@ -1688,9 +1688,13 @@ while (ptr < endptr) + + if (filenames == FN_NOMATCH_ONLY) return 1; + ++ /* If all we want is a yes/no answer, stop now. */ ++ ++ if (quiet) return 0; ++ + /* Just count if just counting is wanted. */ + +- if (count_only) count++; ++ else if (count_only) count++; + + /* When handling a binary file and binary-files==binary, the "binary" + variable will be set true (it's false in all other cases). In this +@@ -1711,10 +1715,6 @@ while (ptr < endptr) + return 0; + } + +- /* Likewise, if all we want is a yes/no answer. */ +- +- else if (quiet) return 0; +- + /* The --only-matching option prints just the substring that matched, + and/or one or more captured portions of it, as long as these strings are + not empty. 
The --file-offsets and --line-offsets options output offsets for +@@ -2053,7 +2053,7 @@ if (filenames == FN_NOMATCH_ONLY) + + /* Print the match count if wanted */ + +-if (count_only) ++if (count_only && !quiet) + { + if (count > 0 || !omit_zero_count) + { +--- a/testdata/grepoutput ++++ b/testdata/grepoutput +@@ -743,3 +743,7 @@ RC=0 + ---------------------------- Test 106 ----------------------------- + a + RC=0 ++---------------------------- Test 108 ------------------------------ ++RC=0 ++---------------------------- Test 109 ----------------------------- ++RC=0 diff -Nru pcre3-8.35/debian/patches/794589-information-disclosure.patch pcre3-8.35/debian/patches/794589-information-disclosure.patch --- pcre3-8.35/debian/patches/794589-information-disclosure.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/794589-information-disclosure.patch 2015-12-29 09:19:29.000000000 +0100 
@@ -0,0 +1,30 @@ +Description: CVE-2015-8382: pcre_exec does not fill offsets for certain regexps +Origin: upstream, http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510 +Bug: https://bugs.exim.org/show_bug.cgi?id=1537 +Bug-Debian: https://bugs.debian.org/794589 +Forwarded: not-needed +Last-Update: 2015-09-10 +Applied-Upstream: 8.37 + +--- a/pcre_exec.c ++++ b/pcre_exec.c +@@ -1467,7 +1467,18 @@ for (;;) + md->offset_vector[offset] = + md->offset_vector[md->offset_end - number]; + md->offset_vector[offset+1] = (int)(eptr - md->start_subject); +- if (offset_top <= offset) offset_top = offset + 2; ++ ++ /* If this group is at or above the current highwater mark, ensure that ++ any groups between the current high water mark and this group are marked ++ unset and then update the high water mark. */ ++ ++ if (offset >= offset_top) ++ { ++ register int *iptr = md->offset_vector + offset_top; ++ register int *iend = md->offset_vector + offset; ++ while (iptr < iend) *iptr++ = -1; ++ offset_top = offset + 2; ++ } + } + ecode += 1 + IMM2_SIZE; + break; diff -Nru pcre3-8.35/debian/patches/series pcre3-8.35/debian/patches/series --- pcre3-8.35/debian/patches/series 2015-08-16 13:37:00.000000000 +0200 +++ pcre3-8.35/debian/patches/series 2015-12-29 09:19:29.000000000 +0100 
@@ -7,3 +7,17 @@ Fix-silly-quantifier-size-check.patch cve-2014-8964.patch CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch +0001-Fix-compile-time-loop-for-recursive-reference-within.patch +794589-information-disclosure.patch +0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch +0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch +0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch +0001-Add-integer-overflow-check-to-n-code.patch +0001-Fix-overflow-when-ovector-has-size-1.patch +0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch +0001-Fix-bug-for-classes-containing-sequences.patch +0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch +0001-Fix-buffer-overflow-for-named-references-in-situatio.patch +0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch +0001-Add-missing-integer-overflow-checks.patch +0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch
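Review bot: the DEP-3 header of 0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch reads `Applied-Upstream: 3.38`, which is a typo; the Origin is trunk revision 1559 and every other patch in this upload says `Applied-Upstream: 8.38`, so this should be 8.38 as well. In the same file the diffstat `4 files changed, 30 insertions(+), 9 deletions(-)` only lists three files (pcre_compile.c, testdata/testinput1, testdata/testoutput1), presumably because the upstream ChangeLog hunk was dropped when backporting; the same mismatch appears in the ovector, run-for-ever, hack-in and pcregrep patches. Either regenerate the stats with `diffstat` after stripping the ChangeLog hunk or drop them, since a stat that disagrees with the hunks is misleading to whoever reviews the next update.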
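Review bot: in 0001-Fix-overflow-when-ovector-has-size-1.patch, hunk `@@ -6705,7 +6705,8 @@` of pcre_exec.c, the new test (`//` with `\O1`) only exercises the `if (offsetcount > 1)` guard; nothing exercises the `if (offsetcount > 0)` guard, which is the one that matters when a caller passes a non-NULL ovector with a count of zero. A second pcretest case with an ovector count of zero would cover both new lines. A one-line comment explaining why slots 0 and 1 need their own length check while the loop above is already bounded by `iend` (it clamps `iend` to `md->offset_vector + 2` and iterates `--iptr >= iend`, so it never touches those slots) would also save the next backporter from re-deriving it.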
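Review bot: the rewritten condition in 0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch (pcre_compile.c, hunk `@@ -3859,19 +3859,12 @@`) changes parsing, not just complexity. The removed code returned FALSE when it met `[` followed by any of `:`, `.` or `=` that itself formed a valid POSIX sequence (the recursive `check_posix_syntax(ptr, endptr)` call); the new code only returns FALSE for `[` followed by the same `terminator`, so a `[.` or `[=` opener inside a `[:...:]` sequence is now treated as ordinary class characters. That is what upstream r1579 does, but the Description only says "run for ever" was fixed; a sentence noting the parsing change, plus a short test with a mixed nested opener alongside the long fuzzer-derived pattern that is the only coverage here, would document what stable users can expect to see change.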
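Review bot: in 0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch, hunk `@@ -9306,7 +9306,7 @@` (`if (errorcode == 0 && (options & PCRE_NO_AUTO_POSSESS) == 0)`) is a separate fix from the size computation the Description talks about: it stops `auto_possessify()` from walking a partially compiled pattern after a compile error. That deserves its own line in the Description and in the changelog entry for CVE-2015-8395/CVE-2015-8381, otherwise a reader of the header will not understand why an unrelated function changed.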
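Review bot: hunk `@@ -9530,4 +9530,3 @@` of the same hack-in patch only deletes a blank line after `/* End of pcre_compile.c */`. It is cosmetic and has no bearing on either CVE; for a stable update it is better dropped so the debdiff stays minimal and the hunk count matches the description.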
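Review bot: in 0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch, hunk `@@ -1688,9 +1688,13 @@` of pcregrep.c, the `else` in `else if (count_only) count++;` is now redundant: the preceding `if (quiet) return 0;` never falls through, so a plain `if (count_only) count++;` says the same thing and reads more clearly. The change itself is right: moving the yes/no early return ahead of the count and binary-file handling is what makes `-q` win over `-c`/`-l`, and the matching `if (count_only && !quiet)` in hunk `@@ -2053,7 +2053,7 @@` is needed so that files with no match do not print a zero count under `-q`.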
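Review bot: the RunGrepTest and testdata/grepoutput hunks in the pcregrep patch add Test 108 and Test 109 directly after Test 106; there is no Test 107 in this tree, so the numbering jumps. That passes because both files were changed identically, but it is worth a note in the header that upstream's Test 107 belongs to a change not backported here, so nobody later tries to "fix" the gap. Also the Test 108 banner has one more trailing dash than the Test 106 and Test 109 banners; harmless, but since both copies of the string must stay byte-identical, keep that in mind if either file is ever regenerated.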
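Review bot: 794589-information-disclosure.patch is the only patch in this set without an `Author:` field and without the "Addresses CVE-..." Description layout the others use, and its `Last-Update: 2015-09-10` predates the rest of the upload by three months even though the file is new in this debdiff. Bring the header in line with the others (Author, and the CVE on its own Description line). The code change itself is sound: `if (offset >= offset_top)` is the same condition as the removed `if (offset_top <= offset)`, and the loop fills the slots between the old high-water mark and `offset` with -1 before raising `offset_top`, which is exactly what was missing for the uninitialised ovector entries.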
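Review bot: the series order matters for the hack-in patch: its first hunk (`@@ -7105,7 +7105,7 @@`) needs the context line `if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE;` to exist already, which is not in the 8.35 sources shown by the named-forward-reference hunk at the same location. If that line comes from 0001-Fix-buffer-overflow-for-named-references-in-situatio.patch (not shown here), the order in debian/patches/series is correct, but a one-line note in the hack-in patch header recording that dependency would stop a later reorder from breaking `quilt push`.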

