From 04a3b2df73d46c654c6f951a9fb971a5515db543 Mon Sep 17 00:00:00 2001 From: Petr Písař Date: Jul 01 2015 07:42:51 +0000 Subject: Fix CVE-2015-3210 --- diff --git a/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch b/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch new file mode 100644 index 0000000..16fd45c --- /dev/null +++ b/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch @@ -0,0 +1,68 @@ +From 354e1f8e921dcb9cf2f3a5eac93cd826d01a7d8a Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Tue, 23 Jun 2015 16:34:53 +0000 +Subject: [PATCH] Fix buffer overflow for forward reference within backward + assertion with excess closing parenthesis. Bugzilla 1651. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is upstream commit ported to 8.37: + +commit 764692f9aea9eab50fdba6cb537441d8b34c6c37 +Author: ph10 +Date: Tue Jun 23 16:34:53 2015 +0000 + + Fix buffer overflow for forward reference within backward assertion with excess + closing parenthesis. Bugzilla 1651. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-cb99058d5e15 + +It fixes CVE-2015-5073. + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 2 +- + testdata/testinput2 | 2 ++ + testdata/testoutput2 | 3 +++ + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index 6f06912..b66b1f6 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -9392,7 +9392,7 @@ OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The + exceptional ones forgo this. We scan the pattern to check that they are fixed + length, and set their lengths. */ + +-if (cd->check_lookbehind) ++if (errorcode == 0 && cd->check_lookbehind) + { + pcre_uchar *cc = (pcre_uchar *)codestart; + +diff --git a/testdata/testinput2 b/testdata/testinput2 +index 83bb471..5cc9ce6 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4154,4 +4154,6 @@ backtracking verbs. --/ + + "(?J)(?'d'(?'d'\g{d}))" + ++/(?=di(?<=(?1))|(?=(.))))/ ++ + /-- End of testinput2 --/ +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index 7dff52a..4decb8d 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14425,4 +14425,7 @@ Failed: lookbehind assertion is not fixed length at offset 17 + + "(?J)(?'d'(?'d'\g{d}))" + ++/(?=di(?<=(?1))|(?=(.))))/ ++Failed: unmatched parentheses at offset 23 ++ + /-- End of testinput2 --/ +-- +2.4.3 + diff --git a/pcre.spec b/pcre.spec index 5db7261..5d2010a 100644 --- a/pcre.spec +++ b/pcre.spec @@ -69,6 +69,8 @@ Patch18: pcre-8.36-Fix-backtracking-bug-for-C-X-in-UTF-mode.patch Patch19: pcre-8.37-RC1-Fix-static-linking-issue-with-pkg-config.patch # Fix CVE-2015-3210, bug #1236659 Patch20: pcre-8.35-Fix-buffer-overflow-for-named-recursive-back-referen.patch +# Fix CVE-2015-5073, bug #1237224 +Patch21: pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch BuildRequires: readline-devel # New libtool to get rid of rpath BuildRequires: autoconf, automake, libtool @@ -129,6 +131,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest. %patch18 -p1 -b .backtracking_cx8 %patch19 -p1 -b .static_linking %patch20 -p1 -b .CVE-2015-3210 +%patch21 -p1 -b .CVE-2015-5073 # Because of rpath patch libtoolize --copy --force && autoreconf -vif # One contributor's name is non-UTF-8 @@ -202,6 +205,9 @@ make %{?_smp_mflags} check * Wed Jul 01 2015 Petr Pisar - 8.35-12 - Fix CVE-2015-3210 (heap overflow when compiling an expression with named recursive back reference and the name is duplicated) (bug #1236659) +- Fix CVE-2015-5073 (heap overflow when compiling an expression with an + forward reference within backward asserion with excessive closing + paranthesis) (bug #1237224) * Thu May 14 2015 Petr Pisar - 8.35-11 - Amend Fix-memory-bug-for-S-V-H-compile patch to allow building with disabled