[Midnightbsd-cvs] mports [20011] trunk/devel/pcre: security patches for pcre
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Mon Aug 24 18:23:36 EDT 2015
Revision: 20011
http://svnweb.midnightbsd.org/mports/?rev=20011
Author: laffer1
Date: 2015-08-24 18:23:35 -0400 (Mon, 24 Aug 2015)
Log Message:
-----------
security patches for pcre
Modified Paths:
--------------
trunk/devel/pcre/Makefile
Added Paths:
-----------
trunk/devel/pcre/files/patch-CVE-2015-5073
trunk/devel/pcre/files/patch-r1585-buffer-overflow
trunk/devel/pcre/files/patch-r1594-heap-overflow
Modified: trunk/devel/pcre/Makefile
===================================================================
--- trunk/devel/pcre/Makefile 2015-08-24 12:05:11 UTC (rev 20010)
+++ trunk/devel/pcre/Makefile 2015-08-24 22:23:35 UTC (rev 20011)
@@ -2,7 +2,7 @@
PORTNAME= pcre
PORTVERSION= 8.37
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= devel
MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/${PORTVERSION} \
ftp://ftp.csx.cam.ac.uk/pub/software/programming/${PORTNAME}/ \
Added: trunk/devel/pcre/files/patch-CVE-2015-5073
===================================================================
--- trunk/devel/pcre/files/patch-CVE-2015-5073 (rev 0)
+++ trunk/devel/pcre/files/patch-CVE-2015-5073 2015-08-24 22:23:35 UTC (rev 20011)
@@ -0,0 +1,11 @@
+--- pcre_compile.c.orig 2015/06/22 09:38:41 1570
++++ pcre_compile.c 2015/06/23 16:34:53 1571
+@@ -9449,7 +9449,7 @@
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+ {
+ pcre_uchar *cc = (pcre_uchar *)codestart;
+
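Review bot: Only the lookbehind fix-up gets the `errorcode == 0` guard in this file; the equivalent guard on the auto-possessify block further down pcre_compile.c is added separately by patch-r1594-heap-overflow in the same commit. Both blocks apparently run after the compile pass whether or not it failed, so this file on its own looks like a partial fix. The patch carries no description, so I would add a leading line above the `---` header recording the origin and the dependency, for example `Upstream r1571 (CVE-2015-5073); apply together with patch-r1594-heap-overflow`. The guarded block opens at `{` and continues outside the hunk.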
Property changes on: trunk/devel/pcre/files/patch-CVE-2015-5073
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/devel/pcre/files/patch-r1585-buffer-overflow
===================================================================
--- trunk/devel/pcre/files/patch-r1585-buffer-overflow (rev 0)
+++ trunk/devel/pcre/files/patch-r1585-buffer-overflow 2015-08-24 22:23:35 UTC (rev 20011)
@@ -0,0 +1,139 @@
+Index: pcre_internal.h
+===================================================================
+--- pcre_internal.h (revision 1584)
++++ pcre_internal.h (revision 1585)
+@@ -2454,6 +2454,7 @@
+ BOOL had_pruneorskip; /* (*PRUNE) or (*SKIP) encountered */
+ BOOL check_lookbehind; /* Lookbehinds need later checking */
+ BOOL dupnames; /* Duplicate names exist */
++ BOOL dupgroups; /* Duplicate groups exist: (?| found */
+ BOOL iscondassert; /* Next assert is a condition */
+ int nltype; /* Newline type */
+ int nllen; /* Newline string length */
+Index: pcre_compile.c
+===================================================================
+--- pcre_compile.c (revision 1584)
++++ pcre_compile.c (revision 1585)
+@@ -6668,6 +6668,7 @@
+ /* ------------------------------------------------------------ */
+ case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */
+ reset_bracount = TRUE;
++ cd->dupgroups = TRUE; /* Record (?| encountered */
+ /* Fall through */
+
+ /* ------------------------------------------------------------ */
+@@ -7178,7 +7179,8 @@
+ if (lengthptr != NULL)
+ {
+ named_group *ng;
+-
++ recno = 0;
++
+ if (namelen == 0)
+ {
+ *errorcodeptr = ERR62;
+@@ -7195,32 +7197,6 @@
+ goto FAILED;
+ }
+
+- /* The name table does not exist in the first pass; instead we must
+- scan the list of names encountered so far in order to get the
+- number. If the name is not found, set the value to 0 for a forward
+- reference. */
+-
+- recno = 0;
+- ng = cd->named_groups;
+- for (i = 0; i < cd->names_found; i++, ng++)
+- {
+- if (namelen == ng->length &&
+- STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+- {
+- open_capitem *oc;
+- recno = ng->number;
+- if (is_recurse) break;
+- for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+- {
+- if (oc->number == recno)
+- {
+- oc->flag = TRUE;
+- break;
+- }
+- }
+- }
+- }
+-
+ /* Count named back references. */
+
+ if (!is_recurse) cd->namedrefcount++;
+@@ -7242,7 +7218,44 @@
+ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
+ only mode, we finesse the bug by allowing more memory always. */
+
+- /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
++ *lengthptr += 2 + 2*LINK_SIZE;
++
++ /* It is even worse than that. The current reference may be to an
++ existing named group with a different number (so apparently not
++ recursive) but which later on is also attached to a group with the
++ current number. This can only happen if $(| has been previous
++ encountered. In that case, we allow yet more memory, just in case.
++ (Again, this is fixed "properly" in PCRE2. */
++
++ if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE;
++
++ /* Otherwise, check for recursion here. The name table does not exist
++ in the first pass; instead we must scan the list of names encountered
++ so far in order to get the number. If the name is not found, leave
++ the value of recno as 0 for a forward reference. */
++
++ else
++ {
++ ng = cd->named_groups;
++ for (i = 0; i < cd->names_found; i++, ng++)
++ {
++ if (namelen == ng->length &&
++ STRNCMP_UC_UC(name, ng->name, namelen) == 0)
++ {
++ open_capitem *oc;
++ recno = ng->number;
++ if (is_recurse) break;
++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++ {
++ if (oc->number == recno)
++ {
++ oc->flag = TRUE;
++ break;
++ }
++ }
++ }
++ }
++ }
+ }
+
+ /* In the real compile, search the name table. We check the name
+@@ -7289,8 +7302,6 @@
+ for (i++; i < cd->names_found; i++)
+ {
+ if (STRCMP_UC_UC(slot + IMM2_SIZE, cslot + IMM2_SIZE) != 0) break;
+-
+-
+ count++;
+ cslot += cd->name_entry_size;
+ }
+@@ -9239,6 +9250,7 @@
+ cd->name_entry_size = 0;
+ cd->name_table = NULL;
+ cd->dupnames = FALSE;
++cd->dupgroups = FALSE;
+ cd->namedrefcount = 0;
+ cd->start_code = cworkspace;
+ cd->hwm = cworkspace;
+@@ -9273,7 +9285,7 @@
+
+ DPRINTF(("end pre-compile: length=%d workspace=%d\n", length,
+ (int)(cd->hwm - cworkspace)));
+-
++
+ if (length > MAX_PATTERN_SIZE)
+ {
+ errorcode = ERR20;
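Review bot: The `if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE;` line added in the `@@ -7242` hunk is a fixed padding of the first-pass length estimate, and patch-r1594-heap-overflow in this same commit already raises it to `4 + 4*LINK_SIZE`, so this file alone presumably still under-reserves. r1594 uses that line as context, so the two files only apply in name order; a leading line such as `Requires patch-r1594-heap-overflow (raises the dupgroups padding)` would record that, or the two could be folded into one patch. The whitespace-only hunks at `@@ -7289` and `@@ -9273` add nothing to the fix and could be dropped to cut reject risk on the next port update. The added comment also carries upstream typos (`$(|` for `(?|`, and an unclosed parenthesis) that are worth keeping verbatim only if the file is meant to stay byte-identical to upstream. The enclosing function starts and ends outside these hunks.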
Property changes on: trunk/devel/pcre/files/patch-r1585-buffer-overflow
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/devel/pcre/files/patch-r1594-heap-overflow
===================================================================
--- trunk/devel/pcre/files/patch-r1594-heap-overflow (rev 0)
+++ trunk/devel/pcre/files/patch-r1594-heap-overflow 2015-08-24 22:23:35 UTC (rev 20011)
@@ -0,0 +1,20 @@
+--- pcre_compile.c 2015/08/14 09:34:32 1593
++++ pcre_compile.c 2015/08/21 16:08:33 1594
+@@ -7238,7 +7238,7 @@
+ encountered. In that case, we allow yet more memory, just in case.
+ (Again, this is fixed "properly" in PCRE2. */
+
+- if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE;
++ if (cd->dupgroups) *lengthptr += 4 + 4*LINK_SIZE;
+
+ /* Otherwise, check for recursion here. The name table does not exist
+ in the first pass; instead we must scan the list of names encountered
+@@ -9474,7 +9474,7 @@
+ "const" attribute if the cast (pcre_uchar *)codestart is used directly in the
+ function call. */
+
+-if ((options & PCRE_NO_AUTO_POSSESS) == 0)
++if (errorcode == 0 && (options & PCRE_NO_AUTO_POSSESS) == 0)
+ {
+ pcre_uchar *temp = (pcre_uchar *)codestart;
+ auto_possessify(temp, utf, cd);
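Review bot: The new padding `4 + 4*LINK_SIZE` in the `@@ -7238` hunk is still a fixed allowance whose comment only says "just in case", so nothing visible here shows it is a true upper bound on what the second pass writes. The previous value lasted only from upstream r1585 to r1594, so I would mark this in the patch header as an interim mitigation, e.g. `Interim fix from upstream r1594; drop once the port moves past 8.37`. The hunk offsets are relative to upstream r1593 while the port tree is 8.37 plus the two earlier patches, so this file likely applies with an offset. It is worth confirming in the build log that both hunks landed on the intended lines, and running PCRE's own test suite after patching.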
Property changes on: trunk/devel/pcre/files/patch-r1594-heap-overflow
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property