diff options
author | Robert Yang <liezhi.yang@windriver.com> | 2017-08-29 17:48:56 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-08-31 17:41:41 +0100 |
commit | 45f40ea5d904808c1b345ebfa3ccbf8db1ef1c96 (patch) | |
tree | c7125eac3a1b7ff7bf9fff8ff0c740793d76f6e3 /meta/recipes-support | |
parent | d01694e7336e472aefecf778c1d08e4341a8aa3b (diff) | |
download | poky-45f40ea5d904808c1b345ebfa3ccbf8db1ef1c96.tar.gz |
libpcre2: Fix CVE-2017-8786
The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
service (heap-based buffer overflow) or possibly have unspecified other impact
via a crafted regular expression.
(From OE-Core rev: dd63a26fedb8a578d34850ede4c27e26b8876e7e)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch | 93 | ||||
-rw-r--r-- | meta/recipes-support/libpcre/libpcre2_10.23.bb | 1 |
2 files changed, 94 insertions, 0 deletions
diff --git a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch new file mode 100644 index 0000000000..eafafc1f69 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch | |||
@@ -0,0 +1,93 @@ | |||
1 | libpcre2-10.23: Fix CVE-2017-8786 | ||
2 | |||
3 | The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of | ||
4 | service (heap-based buffer overflow) or possibly have unspecified other impact | ||
5 | via a crafted regular expression. | ||
6 | |||
7 | Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697&view=patch] | ||
8 | CVE: CVE-2017-8786 | ||
9 | |||
10 | Signed-off-by: Robert Yang <liezhi.yang@windriver.com> | ||
11 | |||
12 | --- trunk/src/pcre2test.c 2017/03/21 16:18:54 692 | ||
13 | +++ trunk/src/pcre2test.c 2017/03/21 18:36:13 697 | ||
14 | @@ -1017,9 +1017,9 @@ | ||
15 | if (test_mode == PCRE8_MODE) \ | ||
16 | r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \ | ||
17 | else if (test_mode == PCRE16_MODE) \ | ||
18 | - r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \ | ||
19 | + r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \ | ||
20 | else \ | ||
21 | - r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size)) | ||
22 | + r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4)) | ||
23 | |||
24 | #define PCRE2_GET_OVECTOR_COUNT(a,b) \ | ||
25 | if (test_mode == PCRE8_MODE) \ | ||
26 | @@ -1399,6 +1399,9 @@ | ||
27 | |||
28 | /* ----- Common macros for two-mode cases ----- */ | ||
29 | |||
30 | +#define BYTEONE (BITONE/8) | ||
31 | +#define BYTETWO (BITTWO/8) | ||
32 | + | ||
33 | #define CASTFLD(t,a,b) \ | ||
34 | ((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \ | ||
35 | (t)(G(a,BITTWO)->b)) | ||
36 | @@ -1481,9 +1484,9 @@ | ||
37 | |||
38 | #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ | ||
39 | if (test_mode == G(G(PCRE,BITONE),_MODE)) \ | ||
40 | - r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \ | ||
41 | + r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \ | ||
42 | else \ | ||
43 | - r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size)) | ||
44 | + r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO)) | ||
45 | |||
46 | #define PCRE2_GET_OVECTOR_COUNT(a,b) \ | ||
47 | if (test_mode == G(G(PCRE,BITONE),_MODE)) \ | ||
48 | @@ -1904,7 +1907,7 @@ | ||
49 | #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \ | ||
50 | a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j) | ||
51 | #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ | ||
52 | - r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)) | ||
53 | + r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)) | ||
54 | #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16)) | ||
55 | #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16)) | ||
56 | #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b) | ||
57 | @@ -2000,7 +2003,7 @@ | ||
58 | #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \ | ||
59 | a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j) | ||
60 | #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ | ||
61 | - r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size)) | ||
62 | + r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4)) | ||
63 | #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32)) | ||
64 | #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32)) | ||
65 | #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b) | ||
66 | @@ -2889,7 +2892,7 @@ | ||
67 | { | ||
68 | if (pbuffer32 != NULL) free(pbuffer32); | ||
69 | pbuffer32_size = 4*len + 4; | ||
70 | - if (pbuffer32_size < 256) pbuffer32_size = 256; | ||
71 | + if (pbuffer32_size < 512) pbuffer32_size = 512; | ||
72 | pbuffer32 = (uint32_t *)malloc(pbuffer32_size); | ||
73 | if (pbuffer32 == NULL) | ||
74 | { | ||
75 | @@ -7600,7 +7603,8 @@ | ||
76 | int errcode; | ||
77 | char *endptr; | ||
78 | |||
79 | -/* Ensure the relevant non-8-bit buffer is available. */ | ||
80 | +/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at | ||
81 | +least 128 code units, because it is used for retrieving error messages. */ | ||
82 | |||
83 | #ifdef SUPPORT_PCRE2_16 | ||
84 | if (test_mode == PCRE16_MODE) | ||
85 | @@ -7620,7 +7624,7 @@ | ||
86 | #ifdef SUPPORT_PCRE2_32 | ||
87 | if (test_mode == PCRE32_MODE) | ||
88 | { | ||
89 | - pbuffer32_size = 256; | ||
90 | + pbuffer32_size = 512; | ||
91 | pbuffer32 = (uint32_t *)malloc(pbuffer32_size); | ||
92 | if (pbuffer32 == NULL) | ||
93 | { | ||
diff --git a/meta/recipes-support/libpcre/libpcre2_10.23.bb b/meta/recipes-support/libpcre/libpcre2_10.23.bb index 794d973d71..63f8d51c9e 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.23.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.23.bb | |||
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=3de34df49e1fe3c3b59a08dff214488b" | |||
12 | 12 | ||
13 | SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ | 13 | SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ |
14 | file://pcre-cross.patch \ | 14 | file://pcre-cross.patch \ |
15 | file://libpcre2-CVE-2017-8786.patch \ | ||
15 | " | 16 | " |
16 | 17 | ||
17 | SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649" | 18 | SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649" |