On Mon, May 30, 2022 at 2:13 AM Davide Gardenal
<[email protected]> wrote:
>
> Minor bug fixes and security updates.

There is a similar patch in master:

https://git.openembedded.org/openembedded-core/commit/?id=a4fed908dbb53f7e03257bf317af534dda6a471c

I wasn't going to take it unless requested, since the release notes said:

"Mainly a bug-fix release, but also includes an update to Unicode
property handling"

Would like some feedback from others on whether this is likely to be
an issue or not.

> Delete CVE-2022-1586.patch, wrong CVE code (patch included in 10.40).
>
> CVE: CVE-2022-1587

If this is the case then you should submit a patch for master to
correct this.  If people agree that the version bump is suitable for
LTS I would then take the upgrade patch from master along with your
patch to fix the CVE confusion.

Thanks for helping with CVEs!

Steve

> Signed-off-by: Davide Gardenal <[email protected]>
> ---
>  .../libpcre/libpcre2/CVE-2022-1586.patch      | 58 -------------------
>  .../{libpcre2_10.39.bb => libpcre2_10.40.bb}  |  5 +-
>  2 files changed, 2 insertions(+), 61 deletions(-)
>  delete mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
>  rename meta/recipes-support/libpcre/{libpcre2_10.39.bb => libpcre2_10.40.bb} 
> (90%)
>
> diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch 
> b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
> deleted file mode 100644
> index 10d88d7b73..0000000000
> --- a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
> +++ /dev/null
> @@ -1,58 +0,0 @@
> -From e881ed5028622959cf8859c053501fb1b16387f1 Mon Sep 17 00:00:00 2001
> -From: Hitendra Prajapati <[email protected]>
> -Date: Mon, 23 May 2022 13:52:39 +0530
> -Subject: [PATCH] CVE-2022-1586
> -
> -Upstream-Status: Backport from 
> https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a
> -
> -Signed-off-by: Hitendra Prajapati <[email protected]>
> ----
> - ChangeLog               | 3 +++
> - src/pcre2_jit_compile.c | 2 +-
> - src/pcre2_jit_test.c    | 3 +++
> - 3 files changed, 7 insertions(+), 1 deletion(-)
> -
> -diff --git a/ChangeLog b/ChangeLog
> -index d27542d..cd3da65 100644
> ---- a/ChangeLog
> -+++ b/ChangeLog
> -@@ -63,6 +63,9 @@ Version 10.39 29-October-2021
> -
> -   Reformat slightly to make it C89 compatible again.
> -
> -+23. Fixed a unicode properrty matching issue in JIT. The character was not
> -+fully read in caseless matching.
> -+
> -
> - Version 10.38 01-October-2021
> - -----------------------------
> -diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
> -index db2ce65..5baca9b 100644
> ---- a/src/pcre2_jit_compile.c
> -+++ b/src/pcre2_jit_compile.c
> -@@ -7473,7 +7473,7 @@ while (*cc != XCL_END)
> -     {
> -     SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
> -     cc++;
> --    if (*cc == PT_CLIST)
> -+    if (*cc == PT_CLIST && *cc == XCL_PROP)
> -       {
> -       other_cases = PRIV(ucd_caseless_sets) + cc[1];
> -       while (*other_cases != NOTACHAR)
> -diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
> -index 8dee16e..7bb307e 100644
> ---- a/src/pcre2_jit_test.c
> -+++ b/src/pcre2_jit_test.c
> -@@ -412,6 +412,9 @@ static struct regression_test_case 
> regression_test_cases[] = {
> -       { MUP, A, 0, 0 | F_PROPERTY, 
> "[\\P{L&}]{2}[^\xc2\x85-\xc2\x89\\p{Ll}\\p{Lu}]{2}", 
> "\xc3\xa9\xe6\x92\xad.a\xe6\x92\xad|\xc2\x8a#" },
> -       { PCRE2_UCP, 0, 0, 0 | F_PROPERTY, "[a-b\\s]{2,5}[^a]", "AB  baaa" },
> -       { MUP, 0, 0, 0 | F_NOMATCH, "[^\\p{Hangul}\\p{Z}]", " " },
> -+      { MUP, 0, 0, 0, "[\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
> -+      { MUP, 0, 0, 0, "[\\x{a92e}\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" 
> },
> -+      { CMUP, 0, 0, 0, "[^S]\\B", "\xe2\x80\x8a" },
> -
> -       /* Possible empty brackets. */
> -       { MU, A, 0, 0, "(?:|ab||bc|a)+d", "abcxabcabd" },
> ---
> -2.35.3
> -
> diff --git a/meta/recipes-support/libpcre/libpcre2_10.39.bb 
> b/meta/recipes-support/libpcre/libpcre2_10.40.bb
> similarity index 90%
> rename from meta/recipes-support/libpcre/libpcre2_10.39.bb
> rename to meta/recipes-support/libpcre/libpcre2_10.40.bb
> index 36c51d700a..3843d43b69 100644
> --- a/meta/recipes-support/libpcre/libpcre2_10.39.bb
> +++ b/meta/recipes-support/libpcre/libpcre2_10.40.bb
> @@ -8,14 +8,13 @@ SUMMARY = "Perl Compatible Regular Expressions version 2"
>  HOMEPAGE = "http://www.pcre.org";
>  SECTION = "devel"
>  LICENSE = "BSD-3-Clause"
> -LIC_FILES_CHKSUM = "file://LICENCE;md5=43cfa999260dd853cd6cb174dc396f3d"
> +LIC_FILES_CHKSUM = "file://LICENCE;md5=41bfb977e4933c506588724ce69bf5d2"
>
>  SRC_URI = 
> "https://github.com/PhilipHazel/pcre2/releases/download/pcre2-${PV}/pcre2-${PV}.tar.bz2
>  \
> -           file://CVE-2022-1586.patch \
>  "
>  UPSTREAM_CHECK_URI = "https://github.com/PhilipHazel/pcre2/releases";
>
> -SRC_URI[sha256sum] = 
> "0f03caf57f81d9ff362ac28cd389c055ec2bf0678d277349a1a4bee00ad6d440"
> +SRC_URI[sha256sum] = 
> "14e4b83c4783933dc17e964318e6324f7cae1bc75d8f3c79bc6969f00c159d68"
>
>  CVE_PRODUCT = "pcre2"
>
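Review bot: LIC_FILES_CHKSUM gets a new md5 in this hunk, but the commit message does not say what changed in LICENCE. Add a line such as `License-Update: <summary of the LICENCE change in 10.40>` so a reviewer can confirm the licence terms themselves are unchanged. Removing `file://CVE-2022-1586.patch` from SRC_URI means the fix for that CVE now rests entirely on the 10.40 tarball, so the message should name the upstream commit(s) in 10.40 that carry it rather than only stating that the patch is included. The `CVE: CVE-2022-1587` tag is likewise unexplained for a version bump; say which upstream change in 10.40 addresses it, so CVE tracking for the LTS branch can be checked against the source.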
> --
> 2.32.0
>
>
> 
>