pcre CVE-2016-3191 (was: Re: Vulnerable packages in ports 20/03/2016)

2016-03-22 Thread Jeremie Courreges-Anglas
Sevan Janiyan writes:

> net/quagga - CVE-2016-2342

An update has been committed today, but I doubt that OpenBSD users would
be affected.

> devel/pcre - CVE-2016-3191

Blindly copy/pasted from upstream's repo.

Index: Makefile
===
RCS file: /cvs/ports/devel/pcre/Makefile,v
retrieving revision 1.61
diff -u -p -r1.61 Makefile
--- Makefile11 Mar 2016 20:28:24 -  1.61
+++ Makefile22 Mar 2016 19:45:47 -
@@ -3,6 +3,7 @@
 COMMENT=   perl-compatible regular expression library
 
 DISTNAME=  pcre-8.38
+REVISION=  0
 
 SHARED_LIBS +=  pcre 3.0  # 0.1
 SHARED_LIBS +=  pcre16   0.0  # 0.0
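Review bot: REVISION=0 bumps only devel/pcre itself, which is the right scope here because the SHARED_LIBS lines for pcre and pcre16 are untouched: the library versions do not change, so packages that link the shared library pick up the fixed code at runtime without a REVISION bump of their own (the conclusion the rest of the thread reaches). Mention CVE-2016-3191 in the commit message so the bump is traceable without opening the patch files.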
Index: patches/patch-pcre_compile_c
===
RCS file: patches/patch-pcre_compile_c
diff -N patches/patch-pcre_compile_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-pcre_compile_c22 Mar 2016 19:45:47 -
@@ -0,0 +1,59 @@
+$OpenBSD$
+
+CVE-2016-3191
+
+  Upstream commit: http://vcs.pcre.org/pcre?view=revision=1631
+
+--- pcre_compile.c.origTue Mar 22 20:27:48 2016
 pcre_compile.c Tue Mar 22 20:39:59 2016
+@@ -6,7 +6,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+ 
+Written by Philip Hazel
+-   Copyright (c) 1997-2014 University of Cambridge
++   Copyright (c) 1997-2016 University of Cambridge
+ 
+ -
+ Redistribution and use in source and binary forms, with or without
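Review bot: this hunk only moves the copyright year in the file header from 2014 to 2016 and has no functional effect; for a port patch that should stay minimal, drop it (and the matching hunk at the top of patch-pcre_internal_h) so the patch files carry nothing but the CVE fix and can be removed cleanly when the port moves to a fixed upstream release.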
+@@ -560,6 +560,7 @@ static const char error_texts[] =
+   /* 85 */
+   "parentheses are too deeply nested (stack check)\0"
+   "digits missing in \\x{} or \\o{}\0"
++  "regular expression is too complicated\0"
+   ;
+ 
+ /* Table to identify digits and hex digits. This is used when compiling
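Review bot: the new "regular expression is too complicated\0" entry has to be the last string in error_texts, as it is here, because the table is a run of \0-terminated strings looked up by position and the new ERR87 is the last enumerator before ERRCOUNT; inserting it anywhere else would shift the text of every later error. Worth a one-line comment in the patch header, since the \0 convention makes the positional dependency easy to miss.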
+@@ -4591,7 +4592,8 @@ for (;; ptr++)
+ if (code > cd->start_workspace + cd->workspace_size -
+ WORK_SIZE_SAFETY_MARGIN)   /* Check for overrun */
+   {
+-  *errorcodeptr = ERR52;
++  *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)?
++   ERR52 : ERR87;
+   goto FAILED;
+   }
+ 
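Review bot: the ternary changes which error number callers see in the near-overrun case: `code` beyond `cd->start_workspace + cd->workspace_size - WORK_SIZE_SAFETY_MARGIN` but still below `cd->start_workspace + cd->workspace_size` now yields ERR87 ("regular expression is too complicated") instead of ERR52, and only an actual overrun of the workspace keeps ERR52. Any caller that special-cases ERR52 will get a different number for patterns that merely reach the safety margin, so that behaviour change belongs in the patch header next to the CVE reference rather than being left implicit.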
+@@ -6604,8 +6606,21 @@ for (;; ptr++)
+ cd->had_accept = TRUE;
+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+   {
+-  *code++ = OP_CLOSE;
+-  PUT2INC(code, 0, oc->number);
++  if (lengthptr != NULL)
++{
++#ifdef COMPILE_PCRE8
++*lengthptr += 1 + IMM2_SIZE;
++#elif defined COMPILE_PCRE16
++*lengthptr += 2 + IMM2_SIZE;
++#elif defined COMPILE_PCRE32
++*lengthptr += 4 + IMM2_SIZE;
++#endif
++}
++  else
++{
++*code++ = OP_CLOSE;
++PUT2INC(code, 0, oc->number);
++}
+   }
+ setverb = *code++ =
+   (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
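Review bot: the `lengthptr != NULL` branch is the actual fix: on the length-computing pre-pass the old code emitted OP_CLOSE plus an IMM2_SIZE capture number for every entry in `cd->open_caps` without adding those units to `*lengthptr`, so the buffer allocated for the real compile was too small whenever (*ACCEPT) sat inside open capturing groups, which is the undersizing CVE-2016-3191 describes. One thing to check before committing: the three width-specific constants add 1, 2 or 4 plus IMM2_SIZE, whereas the `else` branch always writes exactly one opcode unit (`*code++ = OP_CLOSE;`) followed by `PUT2INC(code, 0, oc->number);`, so unless `*lengthptr` is counted in bytes rather than code units the 16- and 32-bit cases over-count. Over-counting only makes the allocation larger, so it is safe, but a short comment would stop a later reader from "correcting" it; and since the Makefile's SHARED_LIBS show this port builds pcre16 as well, the COMPILE_PCRE16 branch is live here, not just COMPILE_PCRE8.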
Index: patches/patch-pcre_internal_h
===
RCS file: patches/patch-pcre_internal_h
diff -N patches/patch-pcre_internal_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-pcre_internal_h   22 Mar 2016 19:45:47 -
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+CVE-2016-3191
+
+  Upstream commit: http://vcs.pcre.org/pcre?view=revision=1631
+
+--- pcre_internal.h.orig   Tue Mar 22 20:28:40 2016
 pcre_internal.hTue Mar 22 20:30:29 2016
+@@ -7,7 +7,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+ 
+Written by Philip Hazel
+-   Copyright (c) 1997-2014 University of Cambridge
++   Copyright (c) 1997-2016 University of Cambridge
+ 
+ -
+ Redistribution and use in source and binary forms, with or without
+@@ -2289,7 +2289,7 @@ enum { ERR0,  ERR1,  ERR2,  ERR3,  ERR4,  ERR5,  ERR6,
+ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59,
+ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69,
+ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79,
+-   ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERRCOUNT };
++   ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERRCOUNT };
+ 
+ /* JIT compiling modes. The function list is indexed by them. */
+ 
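Review bot: ERR87 is inserted immediately before ERRCOUNT, which matches the string appended to error_texts in patch-pcre_compile_c; because ERRCOUNT bounds that table, the enum and the string table must move in lockstep, so the two patch files are only correct as a pair. Say so in the header comment of each (the current "CVE-2016-3191 / Upstream commit" lines do not), so that nobody drops or regenerates one of them without the other.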
Index: patches/patch-pcreposix_c
===
RCS file: patches/patch-pcreposix_c
diff -N patches/patch-pcreposix_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-pcreposix_c   22 Mar 2016 19:45:47 -
@@ -0,0 +1,27 @@
+$OpenBSD$
+
+CVE-2016-3191
+
+  Upstream commit: http://vcs.pcre.org/pcre?view=revision=1631
+
+--- 

Re: Vulnerable packages in ports 20/03/2016

2016-03-22 Thread Christian Weisgerber
On 2016-03-22, Sevan / Venture37 wrote:

>> Presumably they use the shared library?
>
> Correct.

Then they don't need a revision bump.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Vulnerable packages in ports 20/03/2016

2016-03-22 Thread Sevan / Venture37


> On 21 Mar 2016, at 16:36, Christian Weisgerber wrote:
> 
> Presumably they use the shared library?

Correct.

Sevan



Re: Vulnerable packages in ports 20/03/2016

2016-03-21 Thread Christian Weisgerber
On 2016-03-21, Sevan Janiyan wrote:

> it'll probably bring a revision bump for a plethora of packages
> as they pull in pcre as well.

Presumably they use the shared library?

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Vulnerable packages in ports 20/03/2016

2016-03-21 Thread Sevan Janiyan


On 21/03/2016 02:46, Michael McConville wrote:
> Looks like PCRE 8.39 isn't being mirrored yet. Should we patch manually?
> That looks like a pretty serious vulnerability:
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191

Hi Michael,
Ideally, it'll probably bring a revision bump for a plethora of packages
as they pull in pcre as well.


Sevan



Re: Vulnerable packages in ports 20/03/2016

2016-03-20 Thread Michael McConville
Sevan Janiyan wrote:
> net/quagga - CVE-2016-2342
> devel/pcre - CVE-2016-3191

Looks like PCRE 8.39 isn't being mirrored yet. Should we patch manually?
That looks like a pretty serious vulnerability:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191



Vulnerable packages in ports 20/03/2016

2016-03-20 Thread Sevan Janiyan
net/quagga - CVE-2016-2342
devel/pcre - CVE-2016-3191


Sevan