summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRobert Yang <liezhi.yang@windriver.com>2017-08-29 17:48:56 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-08-31 17:41:41 +0100
commit45f40ea5d904808c1b345ebfa3ccbf8db1ef1c96 (patch)
treec7125eac3a1b7ff7bf9fff8ff0c740793d76f6e3
parentd01694e7336e472aefecf778c1d08e4341a8aa3b (diff)
downloadpoky-45f40ea5d904808c1b345ebfa3ccbf8db1ef1c96.tar.gz
libpcre2: Fix CVE-2017-8786
The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression. (From OE-Core rev: dd63a26fedb8a578d34850ede4c27e26b8876e7e) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch93
-rw-r--r--meta/recipes-support/libpcre/libpcre2_10.23.bb1
2 files changed, 94 insertions, 0 deletions
diff --git a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
new file mode 100644
index 0000000000..eafafc1f69
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
@@ -0,0 +1,93 @@
1libpcre2-10.23: Fix CVE-2017-8786
2
3The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
4service (heap-based buffer overflow) or possibly have unspecified other impact
5via a crafted regular expression.
6
7Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697&view=patch]
8CVE: CVE-2017-8786
9
10Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
11
12--- trunk/src/pcre2test.c 2017/03/21 16:18:54 692
13+++ trunk/src/pcre2test.c 2017/03/21 18:36:13 697
14@@ -1017,9 +1017,9 @@
15 if (test_mode == PCRE8_MODE) \
16 r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \
17 else if (test_mode == PCRE16_MODE) \
18- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \
19+ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \
20 else \
21- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
22+ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
23
24 #define PCRE2_GET_OVECTOR_COUNT(a,b) \
25 if (test_mode == PCRE8_MODE) \
26@@ -1399,6 +1399,9 @@
27
28 /* ----- Common macros for two-mode cases ----- */
29
30+#define BYTEONE (BITONE/8)
31+#define BYTETWO (BITTWO/8)
32+
33 #define CASTFLD(t,a,b) \
34 ((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \
35 (t)(G(a,BITTWO)->b))
36@@ -1481,9 +1484,9 @@
37
38 #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
39 if (test_mode == G(G(PCRE,BITONE),_MODE)) \
40- r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \
41+ r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \
42 else \
43- r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size))
44+ r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO))
45
46 #define PCRE2_GET_OVECTOR_COUNT(a,b) \
47 if (test_mode == G(G(PCRE,BITONE),_MODE)) \
48@@ -1904,7 +1907,7 @@
49 #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
50 a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j)
51 #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
52- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size))
53+ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2))
54 #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16))
55 #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16))
56 #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b)
57@@ -2000,7 +2003,7 @@
58 #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
59 a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j)
60 #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
61- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
62+ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
63 #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32))
64 #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32))
65 #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b)
66@@ -2889,7 +2892,7 @@
67 {
68 if (pbuffer32 != NULL) free(pbuffer32);
69 pbuffer32_size = 4*len + 4;
70- if (pbuffer32_size < 256) pbuffer32_size = 256;
71+ if (pbuffer32_size < 512) pbuffer32_size = 512;
72 pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
73 if (pbuffer32 == NULL)
74 {
75@@ -7600,7 +7603,8 @@
76 int errcode;
77 char *endptr;
78
79-/* Ensure the relevant non-8-bit buffer is available. */
80+/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at
81+least 128 code units, because it is used for retrieving error messages. */
82
83 #ifdef SUPPORT_PCRE2_16
84 if (test_mode == PCRE16_MODE)
85@@ -7620,7 +7624,7 @@
86 #ifdef SUPPORT_PCRE2_32
87 if (test_mode == PCRE32_MODE)
88 {
89- pbuffer32_size = 256;
90+ pbuffer32_size = 512;
91 pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
92 if (pbuffer32 == NULL)
93 {
diff --git a/meta/recipes-support/libpcre/libpcre2_10.23.bb b/meta/recipes-support/libpcre/libpcre2_10.23.bb
index 794d973d71..63f8d51c9e 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.23.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.23.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=3de34df49e1fe3c3b59a08dff214488b"
12 12
13SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ 13SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
14 file://pcre-cross.patch \ 14 file://pcre-cross.patch \
15 file://libpcre2-CVE-2017-8786.patch \
15" 16"
16 17
17SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649" 18SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649"