summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIsmo Puustinen <ismo.puustinen@intel.com>2016-05-04 16:06:46 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 23:21:43 +0100
commit249cc163e7a16f307e8b94a7b449cd3e93cc6b15 (patch)
tree6d799d8a5d520471bb2ad5ca573da8434fff3dca
parent82fe0e8c98244794531f0e24ceb93953fe68dda5 (diff)
downloadopenembedded-core-249cc163e7a16f307e8b94a7b449cd3e93cc6b15.tar.gz
openembedded-core-249cc163e7a16f307e8b94a7b449cd3e93cc6b15.tar.bz2
openembedded-core-249cc163e7a16f307e8b94a7b449cd3e93cc6b15.zip
libpcre: Fix CVE-2016-3191
Fix workspace overflow for (*ACCEPT) with deeply nested parentheses. The patch is from libpcre version control at http://vcs.pcre.org/pcre?view=revision&revision=1631 with the ChangeLog part removed. Original author is Philip Hazel. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 386534f968f4da376ba7778b5d436bad4ce8355b) Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-support/libpcre/libpcre/CVE-2016-3191.patch174
-rw-r--r--meta/recipes-support/libpcre/libpcre_8.38.bb1
2 files changed, 175 insertions, 0 deletions
diff --git a/meta/recipes-support/libpcre/libpcre/CVE-2016-3191.patch b/meta/recipes-support/libpcre/libpcre/CVE-2016-3191.patch
new file mode 100644
index 0000000000..ba8cbfdbef
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre/CVE-2016-3191.patch
@@ -0,0 +1,174 @@
+From 568fcc16a0a335250aee06a104fc5df98d2a8779 Mon Sep 17 00:00:00 2001
+From: Ismo Puustinen <ismo.puustinen@intel.com>
+Date: Wed, 4 May 2016 15:43:22 +0300
+Subject: [PATCH] Fix workspace overflow for (*ACCEPT) with deeply nested
+ parentheses.
+
+The patch is from libpcre version control at
+http://vcs.pcre.org/pcre?view=revision&revision=1631 with the ChangeLog
+part removed. Original author is Philip Hazel.
+
+Upstream-Status: Accepted [8.39]
+CVE: CVE-2016-3191
+
+Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
+---
+ pcre_compile.c | 23 +++++++++++++++++++----
+ pcre_internal.h | 4 ++--
+ pcreposix.c | 5 +++--
+ testdata/testinput11 | 2 ++
+ testdata/testoutput11-16 | 3 +++
+ testdata/testoutput11-32 | 3 +++
+ testdata/testoutput11-8 | 3 +++
+ 7 files changed, 35 insertions(+), 8 deletions(-)
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 4d3b313..1bc2b7f 100644
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -6,7 +6,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+
+ Written by Philip Hazel
+- Copyright (c) 1997-2014 University of Cambridge
++ Copyright (c) 1997-2016 University of Cambridge
+
+ -----------------------------------------------------------------------------
+ Redistribution and use in source and binary forms, with or without
+@@ -560,6 +560,7 @@ static const char error_texts[] =
+ /* 85 */
+ "parentheses are too deeply nested (stack check)\0"
+ "digits missing in \\x{} or \\o{}\0"
++ "regular expression is too complicated\0"
+ ;
+
+ /* Table to identify digits and hex digits. This is used when compiling
+@@ -4591,7 +4592,8 @@ for (;; ptr++)
+ if (code > cd->start_workspace + cd->workspace_size -
+ WORK_SIZE_SAFETY_MARGIN) /* Check for overrun */
+ {
+- *errorcodeptr = ERR52;
++ *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)?
++ ERR52 : ERR87;
+ goto FAILED;
+ }
+
+@@ -6604,8 +6606,21 @@ for (;; ptr++)
+ cd->had_accept = TRUE;
+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+ {
+- *code++ = OP_CLOSE;
+- PUT2INC(code, 0, oc->number);
++ if (lengthptr != NULL)
++ {
++#ifdef COMPILE_PCRE8
++ *lengthptr += 1 + IMM2_SIZE;
++#elif defined COMPILE_PCRE16
++ *lengthptr += 2 + IMM2_SIZE;
++#elif defined COMPILE_PCRE32
++ *lengthptr += 4 + IMM2_SIZE;
++#endif
++ }
++ else
++ {
++ *code++ = OP_CLOSE;
++ PUT2INC(code, 0, oc->number);
++ }
+ }
+ setverb = *code++ =
+ (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
+diff --git a/pcre_internal.h b/pcre_internal.h
+index f7a5ee7..dbfe80e 100644
+--- a/pcre_internal.h
++++ b/pcre_internal.h
+@@ -7,7 +7,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+
+ Written by Philip Hazel
+- Copyright (c) 1997-2014 University of Cambridge
++ Copyright (c) 1997-2016 University of Cambridge
+
+ -----------------------------------------------------------------------------
+ Redistribution and use in source and binary forms, with or without
+@@ -2289,7 +2289,7 @@ enum { ERR0, ERR1, ERR2, ERR3, ERR4, ERR5, ERR6, ERR7, ERR8, ERR9,
+ ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59,
+ ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69,
+ ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79,
+- ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERRCOUNT };
++ ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERRCOUNT };
+
+ /* JIT compiling modes. The function list is indexed by them. */
+
+diff --git a/pcreposix.c b/pcreposix.c
+index f024423..5736c65 100644
+--- a/pcreposix.c
++++ b/pcreposix.c
+@@ -6,7 +6,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+
+ Written by Philip Hazel
+- Copyright (c) 1997-2014 University of Cambridge
++ Copyright (c) 1997-2016 University of Cambridge
+
+ -----------------------------------------------------------------------------
+ Redistribution and use in source and binary forms, with or without
+@@ -173,7 +173,8 @@ static const int eint[] = {
+ REG_BADPAT, /* group name must start with a non-digit */
+ /* 85 */
+ REG_BADPAT, /* parentheses too deeply nested (stack check) */
+- REG_BADPAT /* missing digits in \x{} or \o{} */
++ REG_BADPAT, /* missing digits in \x{} or \o{} */
++ REG_BADPAT /* pattern too complicated */
+ };
+
+ /* Table of texts corresponding to POSIX error codes */
+diff --git a/testdata/testinput11 b/testdata/testinput11
+index ac9d228..6f0989a 100644
+--- a/testdata/testinput11
++++ b/testdata/testinput11
+@@ -138,4 +138,6 @@ is required for these tests. --/
+
+ /.((?2)(?R)\1)()/B
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++
+ /-- End of testinput11 --/
+diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16
+index 9a0a12d..6e8ff4c 100644
+--- a/testdata/testoutput11-16
++++ b/testdata/testoutput11-16
+@@ -765,4 +765,7 @@ Memory allocation (code space): 14
+ 25 End
+ ------------------------------------------------------------------
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: regular expression is too complicated at offset 490
++
+ /-- End of testinput11 --/
+diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32
+index 57e5da0..710646b 100644
+--- a/testdata/testoutput11-32
++++ b/testdata/testoutput11-32
+@@ -765,4 +765,7 @@ Memory allocation (code space): 28
+ 25 End
+ ------------------------------------------------------------------
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: missing ) at offset 509
++
+ /-- End of testinput11 --/
+diff --git a/testdata/testoutput11-8 b/testdata/testoutput11-8
+index 748548a..173fc33 100644
+--- a/testdata/testoutput11-8
++++ b/testdata/testoutput11-8
+@@ -765,4 +765,7 @@ Memory allocation (code space): 10
+ 38 End
+ ------------------------------------------------------------------
+
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: missing ) at offset 509
++
+ /-- End of testinput11 --/
+--
+2.5.5
+
diff --git a/meta/recipes-support/libpcre/libpcre_8.38.bb b/meta/recipes-support/libpcre/libpcre_8.38.bb
index c5676073e8..f258fe9b74 100644
--- a/meta/recipes-support/libpcre/libpcre_8.38.bb
+++ b/meta/recipes-support/libpcre/libpcre_8.38.bb
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=7e4937814aee14758c1c95b59c80c44d"
SRC_URI = "${SOURCEFORGE_MIRROR}/project/pcre/pcre/${PV}/pcre-${PV}.tar.bz2 \
file://pcre-cross.patch \
file://fix-pcre-name-collision.patch \
+ file://CVE-2016-3191.patch \
file://run-ptest \
file://Makefile \
"