diff --git a/SOURCES/pcre-8.32-Fix-buffer-overflow-for-forward-reference-within-bac.patch b/SOURCES/pcre-8.32-Fix-buffer-overflow-for-forward-reference-within-bac.patch new file mode 100644 index 0000000..2ea98c8 --- /dev/null +++ b/SOURCES/pcre-8.32-Fix-buffer-overflow-for-forward-reference-within-bac.patch @@ -0,0 +1,68 @@ +From 644e923aee63090fd4f68169940327d9eebedc33 Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Tue, 23 Jun 2015 16:34:53 +0000 +Subject: [PATCH] Fix buffer overflow for forward reference within backward + assertion with excess closing parenthesis. Bugzilla 1651. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is upstream commit ported to 8.32: + +commit 764692f9aea9eab50fdba6cb537441d8b34c6c37 +Author: ph10 +Date: Tue Jun 23 16:34:53 2015 +0000 + + Fix buffer overflow for forward reference within backward assertion with excess + closing parenthesis. Bugzilla 1651. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-cb99058d5e15 + +It fixes CVE-2015-5073. + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 2 +- + testdata/testinput2 | 2 ++ + testdata/testoutput2 | 3 +++ + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index d570447..aa7f4d6 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -8275,7 +8275,7 @@ OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The + exceptional ones forgo this. We scan the pattern to check that they are fixed + length, and set their lengths. */ + +-if (cd->check_lookbehind) ++if (errorcode == 0 && cd->check_lookbehind) + { + pcre_uchar *cc = (pcre_uchar *)codestart; + +diff --git a/testdata/testinput2 b/testdata/testinput2 +index fc6fe2f..2f460dc 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -3827,4 +3827,6 @@ settings of the anchored and startline bits. --/ + + /^(?:(?(1)x|)+)+$()/BZ + ++/(?=di(?<=(?1))|(?=(.))))/ ++ + /-- End of testinput2 --/ +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index 63b39c2..3c09fdf 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -12540,4 +12540,7 @@ No match + End + ------------------------------------------------------------------ + ++/(?=di(?<=(?1))|(?=(.))))/ ++Failed: unmatched parentheses at offset 23 ++ + /-- End of testinput2 --/ +-- +2.5.5 + diff --git a/SOURCES/pcre-8.32-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch b/SOURCES/pcre-8.32-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch new file mode 100644 index 0000000..b5450c8 --- /dev/null +++ b/SOURCES/pcre-8.32-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch @@ -0,0 +1,66 @@ +From eb1ab619f3f36539e53e6a481a0aa168afa10596 Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Tue, 19 May 2015 16:02:06 +0000 +Subject: [PATCH] Fix buffer overflow for lookbehind within mutually recursive + subroutines. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ported to 8.32: + +commit 9f2cf82ed9380bb4a726250833d6a0d295be8747 +Author: ph10 +Date: Tue May 19 16:02:06 2015 +0000 + + Fix buffer overflow for lookbehind within mutually recursive subroutines. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1560 2f5784b3-3f2a-0410-8824-cb99058d5e15 + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 2 +- + testdata/testinput2 | 3 +++ + testdata/testoutput2 | 3 +++ + 3 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index 0215861..7d203eb 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -1811,7 +1811,7 @@ for (;;) + case OP_ASSERTBACK: + case OP_ASSERTBACK_NOT: + do cc += GET(cc, 1); while (*cc == OP_ALT); +- cc += PRIV(OP_lengths)[*cc]; ++ cc += 1 + LINK_SIZE; + break; + + /* Skip over things that don't match chars */ +diff --git a/testdata/testinput2 b/testdata/testinput2 +index bb11212..1b83cf2 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -3822,4 +3822,7 @@ settings of the anchored and startline bits. --/ + + /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ + ++".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))(( ++\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(? +Date: Wed, 5 Aug 2015 15:38:32 +0000 +Subject: [PATCH 3/3] Fix buffer overflow for named references in (?| + situations. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ported for 8.32: + +commit 7af8e8717def179fd7b69e173abd347c1a3547cb +Author: ph10 +Date: Wed Aug 5 15:38:32 2015 +0000 + + Fix buffer overflow for named references in (?| situations. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1585 2f5784b3-3f2a-0410-8824-cb99058d5e15 + +This increases allocation size because of missing "Refactor the code +for creating the name/number table" patch. + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 47 +++++++++++++++++++++++++++++------------------ + pcre_internal.h | 1 + + testdata/testinput2 | 2 ++ + testdata/testoutput11-16 | 2 +- + testdata/testoutput11-32 | 2 +- + testdata/testoutput11-8 | 2 +- + testdata/testoutput2 | 2 ++ + 7 files changed, 37 insertions(+), 21 deletions(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index 6777542..0215861 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -5796,6 +5796,7 @@ for (;; ptr++) + /* ------------------------------------------------------------ */ + case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */ + reset_bracount = TRUE; ++ cd->dupgroups = TRUE; /* Record (?| encountered */ + /* Fall through */ + + /* ------------------------------------------------------------ */ +@@ -6262,6 +6263,7 @@ for (;; ptr++) + if (lengthptr != NULL) + { + const pcre_uchar *temp; ++ recno = 0; + + if (namelen == 0) + { +@@ -6279,22 +6281,6 @@ for (;; ptr++) + goto FAILED; + } + +- /* The name table does not exist in the first pass, so we cannot +- do a simple search as in the code below. Instead, we have to scan the +- pattern to find the number. It is important that we scan it only as +- far as we have got because the syntax of named subpatterns has not +- been checked for the rest of the pattern, and find_parens() assumes +- correct syntax. In any case, it's a waste of resources to scan +- further. We stop the scan at the current point by temporarily +- adjusting the value of cd->endpattern. */ +- +- temp = cd->end_pattern; +- cd->end_pattern = ptr; +- recno = find_parens(cd, name, namelen, +- (options & PCRE_EXTENDED) != 0, utf); +- cd->end_pattern = temp; +- if (recno < 0) recno = 0; /* Forward ref; set dummy number */ +- + /* We have to allow for a named reference to a duplicated name (this + cannot be determined until the second pass). This needs an extra + 16-bit data item. */ +@@ -6307,7 +6293,31 @@ for (;; ptr++) + real compile this will be picked up and the reference wrapped with + OP_ONCE to make it atomic, so we must space in case this occurs. */ + +- if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE; ++ *lengthptr += 2 + 2*LINK_SIZE; ++ ++ /* It is even worse than that. The current reference may be to an ++ existing named group with a different number (so apparently not ++ recursive) but which later on is also attached to a group with the ++ current number. This can only happen if $(| has been previous ++ encountered. In that case, we allow yet more memory, just in case. ++ (Again, this is fixed "properly" in PCRE2. */ ++ ++ if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE; ++ ++ /* Otherwise, check for recursion here. The name table does not exist ++ in the first pass; instead we must scan the list of names encountered ++ so far in order to get the number. If the name is not found, leave ++ the value of recno as 0 for a forward reference. */ ++ ++ else ++ { ++ temp = cd->end_pattern; ++ cd->end_pattern = ptr; ++ recno = find_parens(cd, name, namelen, ++ (options & PCRE_EXTENDED) != 0, utf); ++ cd->end_pattern = temp; ++ if (recno < 0) recno = 0; /* Forward ref; set dummy number */ ++ } + } + + /* In the real compile, seek the name in the table. We check the name +@@ -8087,6 +8097,7 @@ cd->bracount = cd->final_bracount = 0; + cd->names_found = 0; + cd->name_entry_size = 0; + cd->name_table = NULL; ++cd->dupgroups = FALSE; + cd->start_code = cworkspace; + cd->hwm = cworkspace; + cd->start_workspace = cworkspace; +@@ -8116,7 +8127,7 @@ if (errorcode != 0) goto PCRE_EARLY_ERROR_RETURN; + + DPRINTF(("end pre-compile: length=%d workspace=%d\n", length, + (int)(cd->hwm - cworkspace))); +- ++ + if (length > MAX_PATTERN_SIZE) + { + errorcode = ERR20; +diff --git a/pcre_internal.h b/pcre_internal.h +index f3cb001..536b3d8 100644 +--- a/pcre_internal.h ++++ b/pcre_internal.h +@@ -2410,6 +2410,7 @@ typedef struct compile_data { + BOOL had_accept; /* (*ACCEPT) encountered */ + BOOL had_pruneorskip; /* (*PRUNE) or (*SKIP) encountered */ + BOOL check_lookbehind; /* Lookbehinds need later checking */ ++ BOOL dupgroups; /* Duplicate groups exist: (?| found */ + int nltype; /* Newline type */ + int nllen; /* Newline string length */ + pcre_uchar nl[4]; /* Newline string when fixed length */ +diff --git a/testdata/testinput2 b/testdata/testinput2 +index 53c4718..bb11212 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -3820,4 +3820,6 @@ settings of the anchored and startline bits. --/ + + /(?(?J)(?1(111111)11|)1|1|)(?()1)/ + ++/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ ++ + /-- End of testinput2 --/ +diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16 +index 4115877..3cb3049 100644 +--- a/testdata/testoutput11-16 ++++ b/testdata/testoutput11-16 +@@ -232,7 +232,7 @@ Memory allocation (code space): 73 + ------------------------------------------------------------------ + + /(?Pa)...(?P=a)bbb(?P>a)d/BM +-Memory allocation (code space): 61 ++Memory allocation (code space): 77 + ------------------------------------------------------------------ + 0 24 Bra + 2 5 CBra 1 +diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32 +index 3f66acd..10dee82 100644 +--- a/testdata/testoutput11-32 ++++ b/testdata/testoutput11-32 +@@ -232,7 +232,7 @@ Memory allocation (code space): 155 + ------------------------------------------------------------------ + + /(?Pa)...(?P=a)bbb(?P>a)d/BM +-Memory allocation (code space): 125 ++Memory allocation (code space): 157 + ------------------------------------------------------------------ + 0 24 Bra + 2 5 CBra 1 +diff --git a/testdata/testoutput11-8 b/testdata/testoutput11-8 +index 27e2c65..a1bd60a 100644 +--- a/testdata/testoutput11-8 ++++ b/testdata/testoutput11-8 +@@ -232,7 +232,7 @@ Memory allocation (code space): 45 + ------------------------------------------------------------------ + + /(?Pa)...(?P=a)bbb(?P>a)d/BM +-Memory allocation (code space): 38 ++Memory allocation (code space): 50 + ------------------------------------------------------------------ + 0 30 Bra + 3 7 CBra 1 +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index b0b46d7..2dd2381 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -12517,4 +12517,6 @@ No match + + /(?(?J)(?1(111111)11|)1|1|)(?()1)/ + ++/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ ++ + /-- End of testinput2 --/ +-- +2.5.5 + diff --git a/SOURCES/pcre-8.32-Fix-checking-whether-a-group-could-match-an-empty-st.patch b/SOURCES/pcre-8.32-Fix-checking-whether-a-group-could-match-an-empty-st.patch new file mode 100644 index 0000000..2d89008 --- /dev/null +++ b/SOURCES/pcre-8.32-Fix-checking-whether-a-group-could-match-an-empty-st.patch @@ -0,0 +1,239 @@ +From e3406ec06426fb9a7342541127d4c591d2446b6b Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Fri, 5 Jul 2013 10:38:37 +0000 +Subject: [PATCH 1/2] Fix checking whether a group could match an empty string +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In UTF mode, the code for checking whether a group could match an empty +string (which is used for indefinitely repeated groups to allow for +breaking an infinite loop) was broken when the group contained a repeated +negated single-character class with a character that occupied more than one +data item and had a minimum repetition of zero (for example, [^\x{100}]* in +UTF-8 mode). The effect was undefined: the group might or might not be +deemed as matching an empty string, or the program might have crashed. + +Based on: + +commit 74d96caf6251eff2f6c6a3e879268ce2d2a6c9be +Author: ph10 +Date: Fri Jul 5 10:38:37 2013 +0000 + + Implement PCRE_INFO_MATCH_EMPTY and fix 2 bugs concerned with scanning for + empty string matching. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1348 2f5784b3-3f2a-0410-8824- +cb99058d5e15 + +Ported to 8.32. Needed for CVE-2015-2328 (bug #1285399). + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 81 insertions(+), 18 deletions(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index 0de3747..ce72527 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -2353,15 +2353,23 @@ Arguments: + endcode points to where to stop + utf TRUE if in UTF-8 / UTF-16 / UTF-32 mode + cd contains pointers to tables etc. ++ recurses chain of recurse_check to catch mutual recursion + + Returns: TRUE if what is matched could be empty + */ + ++typedef struct recurse_check { ++ struct recurse_check *prev; ++ const pcre_uchar *group; ++} recurse_check; ++ + static BOOL + could_be_empty_branch(const pcre_uchar *code, const pcre_uchar *endcode, +- BOOL utf, compile_data *cd) ++ BOOL utf, compile_data *cd, recurse_check *recurses) + { + register pcre_uchar c; ++recurse_check this_recurse; ++ + for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE); + code < endcode; + code = first_significant_code(code + PRIV(OP_lengths)[c], TRUE)) +@@ -2369,7 +2377,7 @@ for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE); + const pcre_uchar *ccode; + + c = *code; +- ++ + /* Skip over forward assertions; the other assertions are skipped by + first_significant_code() with a TRUE final argument. */ + +@@ -2389,25 +2397,50 @@ for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE); + + if (c == OP_RECURSE) + { +- const pcre_uchar *scode; ++ const pcre_uchar *scode = cd->start_code + GET(code, 1); + BOOL empty_branch; + +- /* Test for forward reference */ ++ /* Test for forward reference or uncompleted reference. This is disabled ++ when called to scan a completed pattern by setting cd->start_workspace to ++ NULL. */ + +- for (scode = cd->start_workspace; scode < cd->hwm; scode += LINK_SIZE) +- if ((int)GET(scode, 0) == (int)(code + 1 - cd->start_code)) return TRUE; ++ if (cd->start_workspace != NULL) ++ { ++ const pcre_uchar *tcode; ++ for (tcode = cd->start_workspace; tcode < cd->hwm; tcode += LINK_SIZE) ++ if ((int)GET(tcode, 0) == (int)(code + 1 - cd->start_code)) return TRUE; ++ if (GET(scode, 1) == 0) return TRUE; /* Unclosed */ ++ } ++ ++ /* If we are scanning a completed pattern, there are no forward references ++ and all groups are complete. We need to detect whether this is a recursive ++ call, as otherwise there will be an infinite loop. If it is a recursion, ++ just skip over it. Simple recursions are easily detected. For mutual ++ recursions we keep a chain on the stack. */ ++ ++ else ++ { ++ recurse_check *r = recurses; ++ const pcre_uchar *endgroup = scode; ++ ++ do endgroup += GET(endgroup, 1); while (*endgroup == OP_ALT); ++ if (code >= scode && code <= endgroup) continue; /* Simple recursion */ ++ ++ for (r = recurses; r != NULL; r = r->prev) ++ if (r->group == scode) break; ++ if (r != NULL) continue; /* Mutual recursion */ ++ } + +- /* Not a forward reference, test for completed backward reference */ ++ /* Completed reference; scan the referenced group, remembering it on the ++ stack chain to detect mutual recursions. */ + + empty_branch = FALSE; +- scode = cd->start_code + GET(code, 1); +- if (GET(scode, 1) == 0) return TRUE; /* Unclosed */ +- +- /* Completed backwards reference */ +- ++ this_recurse.prev = recurses; ++ this_recurse.group = scode; ++ + do + { +- if (could_be_empty_branch(scode, endcode, utf, cd)) ++ if (could_be_empty_branch(scode, endcode, utf, cd, &this_recurse)) + { + empty_branch = TRUE; + break; +@@ -2463,7 +2496,7 @@ for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE); + empty_branch = FALSE; + do + { +- if (!empty_branch && could_be_empty_branch(code, endcode, utf, cd)) ++ if (!empty_branch && could_be_empty_branch(code, endcode, utf, cd, NULL)) + empty_branch = TRUE; + code += GET(code, 1); + } +@@ -2582,30 +2615,58 @@ for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE); + return TRUE; + + /* In UTF-8 mode, STAR, MINSTAR, POSSTAR, QUERY, MINQUERY, POSQUERY, UPTO, +- MINUPTO, and POSUPTO may be followed by a multibyte character */ ++ MINUPTO, and POSUPTO and their caseless and negative versions may be ++ followed by a multibyte character. */ + + #if defined SUPPORT_UTF && !defined COMPILE_PCRE32 + case OP_STAR: + case OP_STARI: ++ case OP_NOTSTAR: ++ case OP_NOTSTARI: ++ + case OP_MINSTAR: + case OP_MINSTARI: ++ case OP_NOTMINSTAR: ++ case OP_NOTMINSTARI: ++ + case OP_POSSTAR: + case OP_POSSTARI: ++ case OP_NOTPOSSTAR: ++ case OP_NOTPOSSTARI: ++ + case OP_QUERY: + case OP_QUERYI: ++ case OP_NOTQUERY: ++ case OP_NOTQUERYI: ++ + case OP_MINQUERY: + case OP_MINQUERYI: ++ case OP_NOTMINQUERY: ++ case OP_NOTMINQUERYI: ++ + case OP_POSQUERY: + case OP_POSQUERYI: ++ case OP_NOTPOSQUERY: ++ case OP_NOTPOSQUERYI: ++ + if (utf && HAS_EXTRALEN(code[1])) code += GET_EXTRALEN(code[1]); + break; + + case OP_UPTO: + case OP_UPTOI: ++ case OP_NOTUPTO: ++ case OP_NOTUPTOI: ++ + case OP_MINUPTO: + case OP_MINUPTOI: ++ case OP_NOTMINUPTO: ++ case OP_NOTMINUPTOI: ++ + case OP_POSUPTO: + case OP_POSUPTOI: ++ case OP_NOTPOSUPTO: ++ case OP_NOTPOSUPTOI: ++ + if (utf && HAS_EXTRALEN(code[1 + IMM2_SIZE])) code += GET_EXTRALEN(code[1 + IMM2_SIZE]); + break; + #endif +@@ -2662,7 +2723,7 @@ could_be_empty(const pcre_uchar *code, const pcre_uchar *endcode, + { + while (bcptr != NULL && bcptr->current_branch >= code) + { +- if (!could_be_empty_branch(bcptr->current_branch, endcode, utf, cd)) ++ if (!could_be_empty_branch(bcptr->current_branch, endcode, utf, cd, NULL)) + return FALSE; + bcptr = bcptr->outer; + } +@@ -5416,7 +5477,7 @@ for (;; ptr++) + pcre_uchar *scode = bracode; + do + { +- if (could_be_empty_branch(scode, ketcode, utf, cd)) ++ if (could_be_empty_branch(scode, ketcode, utf, cd, NULL)) + { + *bracode += OP_SBRA - OP_BRA; + break; +@@ -8172,10 +8233,12 @@ if (cd->hwm > cd->start_workspace) + } + } + +-/* If the workspace had to be expanded, free the new memory. */ ++/* If the workspace had to be expanded, free the new memory. Set the pointer to ++NULL to indicate that forward references have been filled in. */ + + if (cd->workspace_size > COMPILE_WORK_SIZE) + (PUBL(free))((void *)cd->start_workspace); ++cd->start_workspace = NULL; + + /* Give an error if there's back reference to a non-existent capturing + subpattern. */ +-- +2.5.5 + diff --git a/SOURCES/pcre-8.32-Fix-compile-time-loop-for-recursive-reference-within.patch b/SOURCES/pcre-8.32-Fix-compile-time-loop-for-recursive-reference-within.patch new file mode 100644 index 0000000..2a6a25f --- /dev/null +++ b/SOURCES/pcre-8.32-Fix-compile-time-loop-for-recursive-reference-within.patch @@ -0,0 +1,101 @@ +From 58c834052f0985406919de157297e0c340c5b2ed Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Fri, 8 Aug 2014 15:22:51 +0000 +Subject: [PATCH 2/2] Fix compile-time loop for recursive reference within a + group with an indefinite repeat. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1498 2f5784b3-3f2a-0410-8824-cb99058d5e15 +Signed-off-by: Petr Písař + +Petr Pisar: Ported to 8.32. + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 17 +++++++---------- + testdata/testinput1 | 6 ++++++ + testdata/testoutput1 | 10 ++++++++++ + 3 files changed, 23 insertions(+), 10 deletions(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index ce72527..86cd0c8 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -2398,6 +2398,7 @@ for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE); + if (c == OP_RECURSE) + { + const pcre_uchar *scode = cd->start_code + GET(code, 1); ++ const pcre_uchar *endgroup = scode; + BOOL empty_branch; + + /* Test for forward reference or uncompleted reference. This is disabled +@@ -2412,20 +2413,16 @@ for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE); + if (GET(scode, 1) == 0) return TRUE; /* Unclosed */ + } + +- /* If we are scanning a completed pattern, there are no forward references +- and all groups are complete. We need to detect whether this is a recursive +- call, as otherwise there will be an infinite loop. If it is a recursion, +- just skip over it. Simple recursions are easily detected. For mutual +- recursions we keep a chain on the stack. */ ++ /* If the reference is to a completed group, we need to detect whether this ++ is a recursive call, as otherwise there will be an infinite loop. If it is ++ a recursion, just skip over it. Simple recursions are easily detected. For ++ mutual recursions we keep a chain on the stack. */ + ++ do endgroup += GET(endgroup, 1); while (*endgroup == OP_ALT); ++ if (code >= scode && code <= endgroup) continue; /* Simple recursion */ + else + { + recurse_check *r = recurses; +- const pcre_uchar *endgroup = scode; +- +- do endgroup += GET(endgroup, 1); while (*endgroup == OP_ALT); +- if (code >= scode && code <= endgroup) continue; /* Simple recursion */ +- + for (r = recurses; r != NULL; r = r->prev) + if (r->group == scode) break; + if (r != NULL) continue; /* Mutual recursion */ +diff --git a/testdata/testinput1 b/testdata/testinput1 +index 3e1061e..c45e1ba 100644 +--- a/testdata/testinput1 ++++ b/testdata/testinput1 +@@ -4967,6 +4967,12 @@ however, we need the complication for Perl. ---/ + + /((?(R1)a+|(?1)b))/ + aaaabcde ++ ++/((?(R)a|(?1)))*/ ++ aaa ++ ++/((?(R)a|(?1)))+/ ++ aaa + + /a(*:any + name)/K +diff --git a/testdata/testoutput1 b/testdata/testoutput1 +index 5015448..f0eae49 100644 +--- a/testdata/testoutput1 ++++ b/testdata/testoutput1 +@@ -8271,6 +8271,16 @@ MK: M + aaaabcde + 0: aaaab + 1: aaaab ++ ++/((?(R)a|(?1)))*/ ++ aaa ++ 0: aaa ++ 1: a ++ ++/((?(R)a|(?1)))+/ ++ aaa ++ 0: aaa ++ 1: a + + /a(*:any + name)/K +-- +2.5.5 + diff --git a/SOURCES/pcre-8.32-Fix-duplicate-names-memory-calculation-error.patch b/SOURCES/pcre-8.32-Fix-duplicate-names-memory-calculation-error.patch new file mode 100644 index 0000000..4fc6240 --- /dev/null +++ b/SOURCES/pcre-8.32-Fix-duplicate-names-memory-calculation-error.patch @@ -0,0 +1,125 @@ +From 7a8c5efada4bd9e9b625b041184299d4aff06bd5 Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Sun, 8 Feb 2015 16:43:13 +0000 +Subject: [PATCH 1/3] Fix duplicate names memory calculation error. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ported to 8.32: + +commit 46465068f53358d3ae6cca4d9db8d1ed3b9f1928 +Author: ph10 +Date: Sun Feb 8 16:43:13 2015 +0000 + + Fix duplicate names memory calculation error. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1521 2f5784b3-3f2a-0410-8824-cb99058d5e15 + +Signed-off-by: Petr Písař + +XXX: Complete fix requires: + +commit b9a4e4087ac610792118c6dc7c8e83ab313da1ed +Author: ph10 +Date: Tue Sep 3 10:10:59 2013 +0000 + + Refactor the code for creating the name/number table. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1359 2f5784b3-3f2a-0410-8824- +cb99058d5e15 + +Otherwise the CVE-2015-8385 is fixed by `Fix buffer overflow for named +references in (?| situations' patch. + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 6 ++++++ + testdata/testinput2 | 2 ++ + testdata/testoutput11-16 | 2 +- + testdata/testoutput11-32 | 2 +- + testdata/testoutput11-8 | 2 +- + testdata/testoutput2 | 2 ++ + 6 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index 86cd0c8..4506e56 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -6294,6 +6294,12 @@ for (;; ptr++) + (options & PCRE_EXTENDED) != 0, utf); + cd->end_pattern = temp; + if (recno < 0) recno = 0; /* Forward ref; set dummy number */ ++ ++ /* We have to allow for a named reference to a duplicated name (this ++ cannot be determined until the second pass). This needs an extra ++ 16-bit data item. */ ++ ++ *lengthptr += IMM2_SIZE; + } + + /* In the real compile, seek the name in the table. We check the name +diff --git a/testdata/testinput2 b/testdata/testinput2 +index e6d0e87..53c4718 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -3818,4 +3818,6 @@ settings of the anchored and startline bits. --/ + + /(((a\2)|(a*)\g<-1>))*a?/BZ + ++/(?(?J)(?1(111111)11|)1|1|)(?()1)/ ++ + /-- End of testinput2 --/ +diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16 +index de64e37..4115877 100644 +--- a/testdata/testoutput11-16 ++++ b/testdata/testoutput11-16 +@@ -232,7 +232,7 @@ Memory allocation (code space): 73 + ------------------------------------------------------------------ + + /(?Pa)...(?P=a)bbb(?P>a)d/BM +-Memory allocation (code space): 57 ++Memory allocation (code space): 61 + ------------------------------------------------------------------ + 0 24 Bra + 2 5 CBra 1 +diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32 +index 0d32e2f..3f66acd 100644 +--- a/testdata/testoutput11-32 ++++ b/testdata/testoutput11-32 +@@ -232,7 +232,7 @@ Memory allocation (code space): 155 + ------------------------------------------------------------------ + + /(?Pa)...(?P=a)bbb(?P>a)d/BM +-Memory allocation (code space): 117 ++Memory allocation (code space): 125 + ------------------------------------------------------------------ + 0 24 Bra + 2 5 CBra 1 +diff --git a/testdata/testoutput11-8 b/testdata/testoutput11-8 +index 9447fb6..27e2c65 100644 +--- a/testdata/testoutput11-8 ++++ b/testdata/testoutput11-8 +@@ -232,7 +232,7 @@ Memory allocation (code space): 45 + ------------------------------------------------------------------ + + /(?Pa)...(?P=a)bbb(?P>a)d/BM +-Memory allocation (code space): 34 ++Memory allocation (code space): 38 + ------------------------------------------------------------------ + 0 30 Bra + 3 7 CBra 1 +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index 2a2b577..b0b46d7 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -12515,4 +12515,6 @@ No match + End + ------------------------------------------------------------------ + ++/(?(?J)(?1(111111)11|)1|1|)(?()1)/ ++ + /-- End of testinput2 --/ +-- +2.5.5 + diff --git a/SOURCES/pcre-8.32-Fix-group-empty-match-bug.patch b/SOURCES/pcre-8.32-Fix-group-empty-match-bug.patch new file mode 100644 index 0000000..3f8cdd6 --- /dev/null +++ b/SOURCES/pcre-8.32-Fix-group-empty-match-bug.patch @@ -0,0 +1,79 @@ +From 17a94e8c64fac96d8c95403f80b7ed61e8c8ff77 Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Tue, 9 Jun 2015 17:45:25 +0000 +Subject: [PATCH] Fix group empty match bug. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ported to 8.32: + +commit 382ca2bb4ffd423aceab05c4b1c1885cd3a48958 +Author: ph10 +Date: Tue Jun 9 17:45:25 2015 +0000 + + Fix group empty match bug. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1566 2f5784b3-3f2a-0410-8824-cb99058d5e15 + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 2 +- + testdata/testinput2 | 2 ++ + testdata/testoutput2 | 18 ++++++++++++++++++ + 3 files changed, 21 insertions(+), 1 deletion(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index 7d203eb..d570447 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -2477,7 +2477,7 @@ for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE); + if (c == OP_BRA || c == OP_BRAPOS || + c == OP_CBRA || c == OP_CBRAPOS || + c == OP_ONCE || c == OP_ONCE_NC || +- c == OP_COND) ++ c == OP_COND || c == OP_SCOND) + { + BOOL empty_branch; + if (GET(code, 1) == 0) return TRUE; /* Hit unclosed bracket */ +diff --git a/testdata/testinput2 b/testdata/testinput2 +index 1b83cf2..fc6fe2f 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -3825,4 +3825,6 @@ settings of the anchored and startline bits. --/ + ".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))(( + \H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(? +Date: Sat, 16 May 2015 11:05:40 +0000 +Subject: [PATCH 2/3] Fix named forward reference to duplicate group number + overflow bug. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Port to 8.32: + +commit 2fa78aa4e42bcebf2d616c4ee89c012f29dc3447 +Author: ph10 +Date: Sat May 16 11:05:40 2015 +0000 + + Fix named forward reference to duplicate group number overflow bug. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1559 2f5784b3-3f2a-0410-8824-cb99058d5e15 + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 8 ++++++++ + testdata/testinput1 | 3 +++ + testdata/testoutput1 | 5 +++++ + 3 files changed, 16 insertions(+) + +diff --git a/pcre_compile.c b/pcre_compile.c +index 4506e56..6777542 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -6300,6 +6300,14 @@ for (;; ptr++) + 16-bit data item. */ + + *lengthptr += IMM2_SIZE; ++ ++ /* If this is a forward reference and we are within a (?|...) group, ++ the reference may end up as the number of a group which we are ++ currently inside, that is, it could be a recursive reference. In the ++ real compile this will be picked up and the reference wrapped with ++ OP_ONCE to make it atomic, so we must space in case this occurs. */ ++ ++ if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE; + } + + /* In the real compile, seek the name in the table. We check the name +diff --git a/testdata/testinput1 b/testdata/testinput1 +index c45e1ba..9f513f6 100644 +--- a/testdata/testinput1 ++++ b/testdata/testinput1 +@@ -5327,4 +5327,7 @@ name were given. ---/ + /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ + 1234abcd + ++"(?|(\k'Pm')|(?'Pm'))" ++ abcd ++ + /-- End of testinput1 --/ +diff --git a/testdata/testoutput1 b/testdata/testoutput1 +index f0eae49..0fbff41 100644 +--- a/testdata/testoutput1 ++++ b/testdata/testoutput1 +@@ -8834,4 +8834,9 @@ No match + 4: + 5: + ++"(?|(\k'Pm')|(?'Pm'))" ++ abcd ++ 0: ++ 1: ++ + /-- End of testinput1 --/ +-- +2.5.5 + diff --git a/SOURCES/pcre-8.32-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch b/SOURCES/pcre-8.32-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch new file mode 100644 index 0000000..82a5bff --- /dev/null +++ b/SOURCES/pcre-8.32-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch @@ -0,0 +1,80 @@ +From 9febe70a64d1669ec0151e51149af1e66bc04b5f Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Tue, 21 Jul 2015 13:47:22 +0000 +Subject: [PATCH] Fix "run for ever" bug for deeply nested [: sequences. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ported to 8.32: + +commit 485a930d11bfd1ba8c292fe14976f0a3e12c2b93 +Author: ph10 +Date: Tue Jul 21 13:47:22 2015 +0000 + + Fix "run for ever" bug for deeply nested [: sequences. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1579 2f5784b3-3f2a-0410-8824-cb99058d5e15 + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 17 +++++------------ + testdata/testinput2 | 2 ++ + testdata/testoutput2 | 3 +++ + 3 files changed, 10 insertions(+), 12 deletions(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index aa7f4d6..8eb4b0f 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -2780,19 +2780,12 @@ for (++ptr; *ptr != CHAR_NULL; ptr++) + { + if (*ptr == CHAR_BACKSLASH && ptr[1] == CHAR_RIGHT_SQUARE_BRACKET) + ptr++; +- else if (*ptr == CHAR_RIGHT_SQUARE_BRACKET) return FALSE; +- else ++ else if ((*ptr == CHAR_LEFT_SQUARE_BRACKET && ptr[1] == terminator) || ++ *ptr == CHAR_RIGHT_SQUARE_BRACKET) return FALSE; ++ else if (*ptr == terminator && ptr[1] == CHAR_RIGHT_SQUARE_BRACKET) + { +- if (*ptr == terminator && ptr[1] == CHAR_RIGHT_SQUARE_BRACKET) +- { +- *endptr = ptr; +- return TRUE; +- } +- if (*ptr == CHAR_LEFT_SQUARE_BRACKET && +- (ptr[1] == CHAR_COLON || ptr[1] == CHAR_DOT || +- ptr[1] == CHAR_EQUALS_SIGN) && +- check_posix_syntax(ptr, endptr)) +- return FALSE; ++ *endptr = ptr; ++ return TRUE; + } + } + return FALSE; +diff --git a/testdata/testinput2 b/testdata/testinput2 +index 2f460dc..61535de 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -3829,4 +3829,6 @@ settings of the anchored and startline bits. --/ + + /(?=di(?<=(?1))|(?=(.))))/ + ++"[[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[:::::::::::::::::[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[[[:::E[[[:[:[[:[:::[[:::E[[[:[:[[:'[:::::E[[[:[::::::[[[:[[[[[[[::E[[[:[::::::[[[:[[[[[[[[:[[::[::::[[:::::::[[:[[[[[[[:[[::[:[[:[~" ++ + /-- End of testinput2 --/ +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index 3c09fdf..ab1b2ca 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -12543,4 +12543,7 @@ No match + /(?=di(?<=(?1))|(?=(.))))/ + Failed: unmatched parentheses at offset 23 + ++"[[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[:::::::::::::::::[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[[[:::E[[[:[:[[:[:::[[:::E[[[:[:[[:'[:::::E[[[:[::::::[[[:[[[[[[[::E[[[:[::::::[[[:[[[[[[[[:[[::[::::[[:::::::[[:[[[[[[[:[[::[:[[:[~" ++Failed: missing terminating ] for character class at offset 353 ++ + /-- End of testinput2 --/ +-- +2.5.5 + diff --git a/SOURCES/pcre-8.32-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch b/SOURCES/pcre-8.32-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch new file mode 100644 index 0000000..4ac57a7 --- /dev/null +++ b/SOURCES/pcre-8.32-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch @@ -0,0 +1,153 @@ +From 01611089a2be24b740e67d5fac8d7b44b2330302 Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Wed, 10 Feb 2016 19:13:17 +0000 +Subject: [PATCH] Fix workspace overflow for (*ACCEPT) with deeply nested + parentheses. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ported to 8.32: + +commit 943a5105b9fe2842851003f692c7077a6cdbeefe +Author: ph10 +Date: Wed Feb 10 19:13:17 2016 +0000 + + Fix workspace overflow for (*ACCEPT) with deeply nested parentheses. + + git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1631 2f5784b3-3f2a-0410-8824-cb99058d5e15 + +Signed-off-by: Petr Písař +--- + pcre_compile.c | 21 ++++++++++++++++++--- + pcre_internal.h | 2 +- + pcreposix.c | 3 ++- + testdata/testinput11 | 2 ++ + testdata/testoutput11-16 | 3 +++ + testdata/testoutput11-32 | 3 +++ + testdata/testoutput11-8 | 3 +++ + 7 files changed, 32 insertions(+), 5 deletions(-) + +diff --git a/pcre_compile.c b/pcre_compile.c +index 8eb4b0f..746dc70 100644 +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -508,6 +508,7 @@ static const char error_texts[] = + "name is too long in (*MARK), (*PRUNE), (*SKIP), or (*THEN)\0" + "character value in \\u.... sequence is too large\0" + "invalid UTF-32 string\0" ++ "regular expression is too complicated\0" + ; + + /* Table to identify digits and hex digits. This is used when compiling +@@ -3881,7 +3882,8 @@ for (;; ptr++) + if (code > cd->start_workspace + cd->workspace_size - + WORK_SIZE_SAFETY_MARGIN) /* Check for overrun */ + { +- *errorcodeptr = ERR52; ++ *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)? ++ ERR52 : ERR87; + goto FAILED; + } + +@@ -5701,8 +5703,21 @@ for (;; ptr++) + cd->had_accept = TRUE; + for (oc = cd->open_caps; oc != NULL; oc = oc->next) + { +- *code++ = OP_CLOSE; +- PUT2INC(code, 0, oc->number); ++ if (lengthptr != NULL) ++ { ++#ifdef COMPILE_PCRE8 ++ *lengthptr += 1 + IMM2_SIZE; ++#elif defined COMPILE_PCRE16 ++ *lengthptr += 2 + IMM2_SIZE; ++#elif defined COMPILE_PCRE32 ++ *lengthptr += 4 + IMM2_SIZE; ++#endif ++ } ++ else ++ { ++ *code++ = OP_CLOSE; ++ PUT2INC(code, 0, oc->number); ++ } + } + setverb = *code++ = + (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT; +diff --git a/pcre_internal.h b/pcre_internal.h +index 536b3d8..157de08 100644 +--- a/pcre_internal.h ++++ b/pcre_internal.h +@@ -2270,7 +2270,7 @@ enum { ERR0, ERR1, ERR2, ERR3, ERR4, ERR5, ERR6, ERR7, ERR8, ERR9, + ERR40, ERR41, ERR42, ERR43, ERR44, ERR45, ERR46, ERR47, ERR48, ERR49, + ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59, + ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69, +- ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERRCOUNT }; ++ ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR87, ERRCOUNT }; + + /* JIT compiling modes. The function list is indexed by them. */ + enum { JIT_COMPILE, JIT_PARTIAL_SOFT_COMPILE, JIT_PARTIAL_HARD_COMPILE, +diff --git a/pcreposix.c b/pcreposix.c +index 15195c0..700676c 100644 +--- a/pcreposix.c ++++ b/pcreposix.c +@@ -162,7 +162,8 @@ static const int eint[] = { + /* 75 */ + REG_BADPAT, /* overlong MARK name */ + REG_BADPAT, /* character value in \u.... sequence is too large */ +- REG_BADPAT /* invalid UTF-32 string (should not occur) */ ++ REG_BADPAT, /* invalid UTF-32 string (should not occur) */ ++ REG_BADPAT /* pattern too complicated */ + }; + + /* Table of texts corresponding to POSIX error codes */ +diff --git a/testdata/testinput11 b/testdata/testinput11 +index 7e8e542..014c722 100644 +--- a/testdata/testinput11 ++++ b/testdata/testinput11 +@@ -134,4 +134,6 @@ is required for these tests. --/ + + /(((a\2)|(a*)\g<-1>))*a?/B + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++ + /-- End of testinput11 --/ +diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16 +index 3cb3049..6ae9e2f 100644 +--- a/testdata/testoutput11-16 ++++ b/testdata/testoutput11-16 +@@ -734,4 +734,7 @@ Memory allocation (code space): 14 + 41 End + ------------------------------------------------------------------ + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: regular expression is too complicated at offset 490 ++ + /-- End of testinput11 --/ +diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32 +index 10dee82..124e3d1 100644 +--- a/testdata/testoutput11-32 ++++ b/testdata/testoutput11-32 +@@ -734,4 +734,7 @@ Memory allocation (code space): 28 + 41 End + ------------------------------------------------------------------ + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: missing ) at offset 509 ++ + /-- End of testinput11 --/ +diff --git a/testdata/testoutput11-8 b/testdata/testoutput11-8 +index a1bd60a..36f6e64 100644 +--- a/testdata/testoutput11-8 ++++ b/testdata/testoutput11-8 +@@ -734,4 +734,7 @@ Memory allocation (code space): 10 + 60 End + ------------------------------------------------------------------ + ++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ ++Failed: missing ) at offset 509 ++ + /-- End of testinput11 --/ +-- +2.5.5 + diff --git a/SPECS/pcre.spec b/SPECS/pcre.spec index f0f59b4..4f7d15f 100644 --- a/SPECS/pcre.spec +++ b/SPECS/pcre.spec @@ -2,7 +2,7 @@ #%%global rcversion RC1 Name: pcre Version: 8.32 -Release: %{?rcversion:0.}15%{?rcversion:.%rcversion}%{?dist} +Release: %{?rcversion:0.}15%{?rcversion:.%rcversion}%{?dist}.1 %global myversion %{version}%{?rcversion:-%rcversion} Summary: Perl-compatible regular expression library Group: System Environment/Libraries @@ -47,6 +47,41 @@ Patch12: pcre-8.32-Fix-compiler-crash-misbehaviour-for-zero-repeated-gr.patch Patch13: pcre-8.32-Fix-bug-when-there-are-unset-groups-prior-to-ACCEPT-.patch # Fix static linking, bug #1217111, in upstream after 8.37-RC1 Patch14: pcre-8.37-RC1-Fix-static-linking-issue-with-pkg-config.patch +# Fix checking whether a group could match an empty string, bug #1330508, +# in upstream after 8.33, needed for +# Fix-compile-time-loop-for-recursive-reference-within.patch +Patch15: pcre-8.32-Fix-checking-whether-a-group-could-match-an-empty-st.patch +# Fix CVE-2015-2328 (infinite recursion compiling pattern with recursive +# reference in a group with indefinite repeat), bug #1330508, +# upstream bug #1515, in upstream after 8.35 +Patch16: pcre-8.32-Fix-compile-time-loop-for-recursive-reference-within.patch +# Fix duplicate names memory calculation error, bug #1330508, +# in upstream after 8.37, +# needed for Fix-buffer-overflow-for-named-references-in-situatio.patch +Patch17: pcre-8.32-Fix-duplicate-names-memory-calculation-error.patch +# Fix named forward reference to duplicate group number overflow bug, +# bug #1330508, in upstream after 8.37, +# needed for Fix-buffer-overflow-for-named-references-in-situatio.patch +Patch18: pcre-8.32-Fix-named-forward-reference-to-duplicate-group-numbe.patch +# Fix CVE-2015-8385 (buffer overflow caused by named forward reference to +# duplicate group number), bug #1330508, in upstream after 8.37 +Patch19: pcre-8.32-Fix-buffer-overflow-for-named-references-in-situatio.patch +# Fix CVE-2015-8386 (buffer overflow caused by lookbehind assertion), +# bug #1330508, in upstream after 8.37 +Patch20: pcre-8.32-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch +# Fix CVE-2015-3217 (stack overflow caused by mishandled group empty match), +# bug #1330508, in upstream after 8.37 +Patch21: pcre-8.32-Fix-group-empty-match-bug.patch +# Fix CVE-2015-5073 and CVE-2015-8388 (buffer overflow for forward reference +# within backward assertion with excess closing parenthesis), bug #1330508, +# in upstream after 8.37 +Patch22: pcre-8.32-Fix-buffer-overflow-for-forward-reference-within-bac.patch +# Fix CVE-2015-8391 (inefficient posix character class syntax check), +# bug #1330508, in upstream after 8.37 +Patch23: pcre-8.32-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch +# Fix CVE-2016-3191 (workspace overflow for (*ACCEPT) with deeply nested +# parentheses), bug #1330508, in upstream after 8.38 +Patch24: pcre-8.32-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch BuildRequires: readline-devel # New libtool to get rid of rpath BuildRequires: autoconf, automake, libtool @@ -101,6 +136,16 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest. %patch12 -p1 -b .compiler_crash_zero_group %patch13 -p1 -b .reset_groups %patch14 -p1 -b .static_linking +%patch15 -p1 -b .group_match_empty +%patch16 -p1 -b .compiler_loop_recursive_reference +%patch17 -p1 -b .duplicate_names_memory_calculation +%patch18 -p1 -b .forward_reference_to_duplicate_group_number +%patch19 -p1 -b .named_references_in_pqp +%patch20 -p1 -b .lookbehind_within_mutally_recusive_subroutines +%patch21 -p1 -b .group_empty_match +%patch22 -p1 -b .CVE-2015-5073 +%patch23 -p1 -b .deeply_nested_bracket_colon +%patch24 -p1 -b .accept_with_nested_parentheses # Because of rpath patch libtoolize --copy --force && autoreconf -vif # One contributor's name is non-UTF-8 @@ -170,6 +215,22 @@ make check VERBOSE=yes %{_mandir}/man1/pcretest.* %changelog +* Wed Apr 27 2016 Petr Pisar - 8.32-15.1 +- Fix CVE-2015-2328 (infinite recursion compiling pattern with recursive + reference in a group with indefinite repeat) (bug #1330508) +- Fix CVE-2015-8385 (buffer overflow caused by named forward reference to + duplicate group number) (bug #1330508) +- Fix CVE-2015-8386 (buffer overflow caused by lookbehind assertion) + (bug #1330508) +- Fix CVE-2015-3217 (stack overflow caused by mishandled group empty match) + (bug #1330508) +- Fix CVE-2015-5073 and CVE-2015-8388 (buffer overflow for forward reference + within backward assertion with excess closing parenthesis) (bug #1330508) +- Fix CVE-2015-8391 (inefficient posix character class syntax check) + (bug #1330508) +- Fix CVE-2016-3191 (workspace overflow for (*ACCEPT) with deeply nested + parentheses) (bug #1330508) + * Wed Apr 29 2015 Petr Pisar - 8.32-15 - Fix compiling expression where start-anchored character with more than one other case follows circumflex in multiline UTF mode (bug #1110621)