Sevan Janiyan writes:
> net/quagga - CVE-2016-2342
An update has been committed today, but I doubt that OpenBSD users would
be affected.
> devel/pcre - CVE-2016-3191
Blindly copy/pasted from upstream's repo.
Index: Makefile
===
RCS file: /cvs/ports/devel/pcre/Makefile,v
retrieving revision 1.61
diff -u -p -r1.61 Makefile
--- Makefile11 Mar 2016 20:28:24 - 1.61
+++ Makefile22 Mar 2016 19:45:47 -
@@ -3,6 +3,7 @@
COMMENT= perl-compatible regular expression library
DISTNAME= pcre-8.38
+REVISION= 0
SHARED_LIBS += pcre 3.0 # 0.1
SHARED_LIBS += pcre16 0.0 # 0.0
Index: patches/patch-pcre_compile_c
===
RCS file: patches/patch-pcre_compile_c
diff -N patches/patch-pcre_compile_c
--- /dev/null 1 Jan 1970 00:00:00 -
+++ patches/patch-pcre_compile_c22 Mar 2016 19:45:47 -
@@ -0,0 +1,59 @@
+$OpenBSD$
+
+CVE-2016-3191
+
+ Upstream commit: http://vcs.pcre.org/pcre?view=revision=1631
+
+--- pcre_compile.c.origTue Mar 22 20:27:48 2016
pcre_compile.c Tue Mar 22 20:39:59 2016
+@@ -6,7 +6,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+
+Written by Philip Hazel
+- Copyright (c) 1997-2014 University of Cambridge
++ Copyright (c) 1997-2016 University of Cambridge
+
+ -
+ Redistribution and use in source and binary forms, with or without
+@@ -560,6 +560,7 @@ static const char error_texts[] =
+ /* 85 */
+ "parentheses are too deeply nested (stack check)\0"
+ "digits missing in \\x{} or \\o{}\0"
++ "regular expression is too complicated\0"
+ ;
+
+ /* Table to identify digits and hex digits. This is used when compiling
+@@ -4591,7 +4592,8 @@ for (;; ptr++)
+ if (code > cd->start_workspace + cd->workspace_size -
+ WORK_SIZE_SAFETY_MARGIN) /* Check for overrun */
+ {
+- *errorcodeptr = ERR52;
++ *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)?
++ ERR52 : ERR87;
+ goto FAILED;
+ }
+
+@@ -6604,8 +6606,21 @@ for (;; ptr++)
+ cd->had_accept = TRUE;
+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+ {
+- *code++ = OP_CLOSE;
+- PUT2INC(code, 0, oc->number);
++ if (lengthptr != NULL)
++{
++#ifdef COMPILE_PCRE8
++*lengthptr += 1 + IMM2_SIZE;
++#elif defined COMPILE_PCRE16
++*lengthptr += 2 + IMM2_SIZE;
++#elif defined COMPILE_PCRE32
++*lengthptr += 4 + IMM2_SIZE;
++#endif
++}
++ else
++{
++*code++ = OP_CLOSE;
++PUT2INC(code, 0, oc->number);
++}
+ }
+ setverb = *code++ =
+ (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
Index: patches/patch-pcre_internal_h
===
RCS file: patches/patch-pcre_internal_h
diff -N patches/patch-pcre_internal_h
--- /dev/null 1 Jan 1970 00:00:00 -
+++ patches/patch-pcre_internal_h 22 Mar 2016 19:45:47 -
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+CVE-2016-3191
+
+ Upstream commit: http://vcs.pcre.org/pcre?view=revision=1631
+
+--- pcre_internal.h.orig Tue Mar 22 20:28:40 2016
pcre_internal.hTue Mar 22 20:30:29 2016
+@@ -7,7 +7,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+
+Written by Philip Hazel
+- Copyright (c) 1997-2014 University of Cambridge
++ Copyright (c) 1997-2016 University of Cambridge
+
+ -
+ Redistribution and use in source and binary forms, with or without
+@@ -2289,7 +2289,7 @@ enum { ERR0, ERR1, ERR2, ERR3, ERR4, ERR5, ERR6,
+ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59,
+ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69,
+ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79,
+- ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERRCOUNT };
++ ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERRCOUNT };
+
+ /* JIT compiling modes. The function list is indexed by them. */
+
Index: patches/patch-pcreposix_c
===
RCS file: patches/patch-pcreposix_c
diff -N patches/patch-pcreposix_c
--- /dev/null 1 Jan 1970 00:00:00 -
+++ patches/patch-pcreposix_c 22 Mar 2016 19:45:47 -
@@ -0,0 +1,27 @@
+$OpenBSD$
+
+CVE-2016-3191
+
+ Upstream commit: http://vcs.pcre.org/pcre?view=revision=1631
+
+---