diff --git a/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch b/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch new file mode 100644 index 0000000..c97849f --- /dev/null +++ b/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch @@ -0,0 +1,87 @@ +From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Fri, 15 May 2015 17:17:03 +0000 +Subject: [PATCH] Fix buffer overflow for named recursive back reference when + the name is duplicated. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream commit ported to pcre-8.37: + +commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19 +Author: ph10 +Date: Fri May 15 17:17:03 2015 +0000 + + Fix buffer overflow for named recursive back reference when the name is + duplicated. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15 + +This fixes CVE-2015-3210. + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 16 ++++++++++++++-- + testdata/testinput2 | 2 ++ + testdata/testoutput2 | 2 ++ + 3 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index 0efad26..6f06912 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -7173,14 +7173,26 @@ for (;; ptr++) + number. If the name is not found, set the value to 0 for a forward + reference. */ + ++ recno = 0; + ng = cd->named_groups; + for (i = 0; i < cd->names_found; i++, ng++) + { + if (namelen == ng->length && + STRNCMP_UC_UC(name, ng->name, namelen) == 0) +- break; ++ { ++ open_capitem *oc; ++ recno = ng->number; ++ if (is_recurse) break; ++ for (oc = cd->open_caps; oc != NULL; oc = oc->next) ++ { ++ if (oc->number == recno) ++ { ++ oc->flag = TRUE; ++ break; ++ } ++ } ++ } + } +- recno = (i < cd->names_found)? ng->number : 0; + + /* Count named back references. */ + +diff --git a/testdata/testinput2 b/testdata/testinput2 +index 58fe53b..83bb471 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4152,4 +4152,6 @@ backtracking verbs. --/ + + /((?2){73}(?2))((?1))/ + ++"(?J)(?'d'(?'d'\g{d}))" ++ + /-- End of testinput2 --/ +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index b718df0..7dff52a 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17 + + /((?2){73}(?2))((?1))/ + ++"(?J)(?'d'(?'d'\g{d}))" ++ + /-- End of testinput2 --/ +-- +2.4.3 + diff --git a/pcre.spec b/pcre.spec index e3120f7..80f784c 100644 --- a/pcre.spec +++ b/pcre.spec @@ -2,7 +2,7 @@ #%%global rcversion RC1 Name: pcre Version: 8.37 -Release: %{?rcversion:0.}1%{?rcversion:.%rcversion}%{?dist}.1 +Release: %{?rcversion:0.}2%{?rcversion:.%rcversion}%{?dist} %global myversion %{version}%{?rcversion:-%rcversion} Summary: Perl-compatible regular expression library Group: System Environment/Libraries @@ -31,6 +31,8 @@ Source: ftp://ftp.csx.cam.ac.uk/pub/software/programming/%{name}/%{?rcversion:Te Patch0: pcre-8.21-multilib.patch # Refused by upstream, bug #675477 Patch1: pcre-8.32-refused_spelling_terminated.patch +# Fix CVE-2015-3210, bug #1236659 +Patch2: pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch BuildRequires: readline-devel # New libtool to get rid of rpath BuildRequires: autoconf, automake, libtool @@ -72,6 +74,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest. # Get rid of rpath %patch0 -p1 -b .multilib %patch1 -p1 -b .terminated_typos +%patch2 -p1 -b .CVE-2015-3210 # Because of rpath patch libtoolize --copy --force && autoreconf -vif # One contributor's name is non-UTF-8 @@ -142,6 +145,10 @@ make %{?_smp_mflags} check VERBOSE=yes %{_mandir}/man1/pcretest.* %changelog +* Wed Jul 01 2015 Petr Pisar - 8.37-2 +- Fix CVE-2015-3210 (heap overflow when compiling an expression with named + recursive back reference and the name is duplicated) (bug #1236659) + * Thu Jun 18 2015 Fedora Release Engineering - 8.37-1.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild