diff options
author | Ismo Puustinen <ismo.puustinen@intel.com> | 2016-05-04 16:06:46 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-09-23 23:21:43 +0100 |
commit | 249cc163e7a16f307e8b94a7b449cd3e93cc6b15 (patch) | |
tree | 6d799d8a5d520471bb2ad5ca573da8434fff3dca | |
parent | 82fe0e8c98244794531f0e24ceb93953fe68dda5 (diff) | |
download | openembedded-core-249cc163e7a16f307e8b94a7b449cd3e93cc6b15.tar.gz openembedded-core-249cc163e7a16f307e8b94a7b449cd3e93cc6b15.tar.bz2 openembedded-core-249cc163e7a16f307e8b94a7b449cd3e93cc6b15.zip |
libpcre: Fix CVE-2016-3191
Fix workspace overflow for (*ACCEPT) with deeply nested parentheses.
The patch is from libpcre version control at
http://vcs.pcre.org/pcre?view=revision&revision=1631 with the ChangeLog
part removed. Original author is Philip Hazel.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 386534f968f4da376ba7778b5d436bad4ce8355b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta/recipes-support/libpcre/libpcre/CVE-2016-3191.patch | 174 | ||||
-rw-r--r-- | meta/recipes-support/libpcre/libpcre_8.38.bb | 1 |
2 files changed, 175 insertions, 0 deletions
diff --git a/meta/recipes-support/libpcre/libpcre/CVE-2016-3191.patch b/meta/recipes-support/libpcre/libpcre/CVE-2016-3191.patch new file mode 100644 index 0000000000..ba8cbfdbef --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre/CVE-2016-3191.patch @@ -0,0 +1,174 @@ +From 568fcc16a0a335250aee06a104fc5df98d2a8779 Mon Sep 17 00:00:00 2001 +From: Ismo Puustinen <ismo.puustinen@intel.com> +Date: Wed, 4 May 2016 15:43:22 +0300 +Subject: [PATCH] Fix workspace overflow for (*ACCEPT) with deeply nested + parentheses. + +The patch is from libpcre version control at +http://vcs.pcre.org/pcre?view=revision&revision=1631 with the ChangeLog +part removed. Original author is Philip Hazel. + +Upstream-Status: Accepted [8.39] +CVE: CVE-2016-3191 + +Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> +--- + pcre_compile.c | 23 +++++++++++++++++++---- + pcre_internal.h | 4 ++-- + pcreposix.c | 5 +++-- + testdata/testinput11 | 2 ++ + testdata/testoutput11-16 | 3 +++ + testdata/testoutput11-32 | 3 +++ + testdata/testoutput11-8 | 3 +++ + 7 files changed, 35 insertions(+), 8 deletions(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index 4d3b313..1bc2b7f 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -6,7 +6,7 @@ + and semantics are as close as possible to those of the Perl 5 language. + + Written by Philip Hazel +- Copyright (c) 1997-2014 University of Cambridge ++ Copyright (c) 1997-2016 University of Cambridge + + ----------------------------------------------------------------------------- + Redistribution and use in source and binary forms, with or without +@@ -560,6 +560,7 @@ static const char error_texts[] = + /* 85 */ + "parentheses are too deeply nested (stack check)\0" + "digits missing in \\x{} or \\o{}\0" ++ "regular expression is too complicated\0" + ; + + /* Table to identify digits and hex digits. This is used when compiling +@@ -4591,7 +4592,8 @@ for (;; ptr++) + if (code > cd->start_workspace + cd->workspace_size - + WORK_SIZE_SAFETY_MARGIN) /* Check for overrun */ + { +- *errorcodeptr = ERR52; ++ *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)? ++ ERR52 : ERR87; + goto FAILED; + } + +@@ -6604,8 +6606,21 @@ for (;; ptr++) + cd->had_accept = TRUE; + for (oc = cd->open_caps; oc != NULL; oc = oc->next) + { +- *code++ = OP_CLOSE; +- PUT2INC(code, 0, oc->number); ++ if (lengthptr != NULL) ++ { ++#ifdef COMPILE_PCRE8 ++ *lengthptr += 1 + IMM2_SIZE; ++#elif defined COMPILE_PCRE16 ++ *lengthptr += 2 + IMM2_SIZE; ++#elif defined COMPILE_PCRE32 ++ *lengthptr += 4 + IMM2_SIZE; ++#endif ++ } ++ else ++ { ++ *code++ = OP_CLOSE; ++ PUT2INC(code, 0, oc->number); ++ } + } + setverb = *code++ = + (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT; +diff --git a/pcre_internal.h b/pcre_internal.h +index f7a5ee7..dbfe80e 100644 +--- a/pcre_internal.h ++++ b/pcre_internal.h +@@ -7,7 +7,7 @@ + and semantics are as close as possible to those of the Perl 5 language. + + Written by Philip Hazel +- Copyright (c) 1997-2014 University of Cambridge ++ Copyright (c) 1997-2016 University of Cambridge + + ----------------------------------------------------------------------------- + Redistribution and use in source and binary forms, with or without +@@ -2289,7 +2289,7 @@ enum { ERR0, ERR1, ERR2, ERR3, ERR4, ERR5, ERR6, ERR7, ERR8, ERR9, + ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59, + ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69, + ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79, +- ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERRCOUNT }; ++ ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERRCOUNT }; + + /* JIT compiling modes. The function list is indexed by them. */ + +diff --git a/pcreposix.c b/pcreposix.c +index f024423..5736c65 100644 +--- a/pcreposix.c ++++ b/pcreposix.c +@@ -6,7 +6,7 @@ + and semantics are as close as possible to those of the Perl 5 language. + + Written by Philip Hazel +- Copyright (c) 1997-2014 University of Cambridge ++ Copyright (c) 1997-2016 University of Cambridge + + ----------------------------------------------------------------------------- + Redistribution and use in source and binary forms, with or without +@@ -173,7 +173,8 @@ static const int eint[] = { + REG_BADPAT, /* group name must start with a non-digit */ + /* 85 */ + REG_BADPAT, /* parentheses too deeply nested (stack check) */ +- REG_BADPAT /* missing digits in \x{} or \o{} */ ++ REG_BADPAT, /* missing digits in \x{} or \o{} */ ++ REG_BADPAT /* pattern too complicated */ + }; + + /* Table of texts corresponding to POSIX error codes */ +diff --git a/testdata/testinput11 b/testdata/testinput11 +index ac9d228..6f0989a 100644 +--- a/testdata/testinput11 ++++ b/testdata/testinput11 +@@ -138,4 +138,6 @@ is required for these tests. --/ + + /.((?2)(?R)\1)()/B + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++ + /-- End of testinput11 --/ +diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16 +index 9a0a12d..6e8ff4c 100644 +--- a/testdata/testoutput11-16 ++++ b/testdata/testoutput11-16 +@@ -765,4 +765,7 @@ Memory allocation (code space): 14 + 25 End + ------------------------------------------------------------------ + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: regular expression is too complicated at offset 490 ++ + /-- End of testinput11 --/ +diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32 +index 57e5da0..710646b 100644 +--- a/testdata/testoutput11-32 ++++ b/testdata/testoutput11-32 +@@ -765,4 +765,7 @@ Memory allocation (code space): 28 + 25 End + ------------------------------------------------------------------ + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: missing ) at offset 509 ++ + /-- End of testinput11 --/ +diff --git a/testdata/testoutput11-8 b/testdata/testoutput11-8 +index 748548a..173fc33 100644 +--- a/testdata/testoutput11-8 ++++ b/testdata/testoutput11-8 +@@ -765,4 +765,7 @@ Memory allocation (code space): 10 + 38 End + ------------------------------------------------------------------ + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: missing ) at offset 509 ++ + /-- End of testinput11 --/ +-- +2.5.5 + diff --git a/meta/recipes-support/libpcre/libpcre_8.38.bb b/meta/recipes-support/libpcre/libpcre_8.38.bb index c5676073e8..f258fe9b74 100644 --- a/meta/recipes-support/libpcre/libpcre_8.38.bb +++ b/meta/recipes-support/libpcre/libpcre_8.38.bb @@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=7e4937814aee14758c1c95b59c80c44d" SRC_URI = "${SOURCEFORGE_MIRROR}/project/pcre/pcre/${PV}/pcre-${PV}.tar.bz2 \ file://pcre-cross.patch \ file://fix-pcre-name-collision.patch \ + file://CVE-2016-3191.patch \ file://run-ptest \ file://Makefile \ " |