Bug#809307: jessie-pu: package pcre3/2:8.35-3.3+deb8u2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi SRM,
I prepared a (rather huge) pcre3 update addressing several CVEs
assigned in the recent months but which do not warrant a DSA. The
debdiff is rather big, so I want to check with you if you see any
problem in having this update.
I still would like to expose more the actual build packages (I have
done several tests with given reproducers).
I adjusted as well the previous +deb8u1 entry (package sitting in
jessie-p-u), which has three more CVEs addressed (partially only
assigned later and two having the same fixing commit).
The proposed debdiff is attached.
Regards,
Salvatore
-- System Information:
Debian Release: 8.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pcre3-8.35/debian/changelog pcre3-8.35/debian/changelog
--- pcre3-8.35/debian/changelog 2015-08-16 13:38:23.000000000 +0200
+++ pcre3-8.35/debian/changelog 2015-12-29 09:19:29.000000000 +0100
@@ -1,6 +1,59 @@
+pcre3 (2:8.35-3.3+deb8u2) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Add additional CVE references and bug closer to previous changelog.
+ CVE-2015-2327 fix was included in the previous 2:8.35-3.3+deb8u1 upload.
+ CVE-2015-8384 different issue than CVE-2015-3210 but fixed with same
+ commit.
+ CVE-2015-8388 different issue than CVE-2015-5073 but fixed with same
+ commit.
+ Add bug closer to bugs in the BTS retrospectively.
+ * Add 0001-Fix-compile-time-loop-for-recursive-reference-within.patch.
+ CVE-2015-2328: Stack-based buffer overflow in compile_regex().
+ * Add 794589-information-disclosure.patch.
+ CVE-2015-8382: Fix "pcre_exec does not fill offsets for certain regexps"
+ leading to information disclosure. (Closes: #794589)
+ * Add 0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch.
+ CVE-2015-8383: Buffer overflow caused by repeated conditional group.
+ * Add 0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch.
+ CVE-2015-8385: Buffer overflow caused by forward reference by name to
+ certain group.
+ * Add 0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch.
+ CVE-2015-8386: Buffer overflow caused by lookbehind assertion.
+ * Add 0001-Add-integer-overflow-check-to-n-code.patch.
+ CVE-2015-8387: Integer overflow in subroutine calls.
+ * Add 0001-Fix-overflow-when-ovector-has-size-1.patch.
+ CVE-2015-8380: Heap-based buffer overflow in pcre_exec. (Closes: #806467)
+ * Add 0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch.
+ CVE-2015-8389: nfinite recursion in JIT compiler when processing certain
+ patterns.
+ * Add 0001-Fix-bug-for-classes-containing-sequences.patch.
+ CVE-2015-8390: Reading from uninitialized memory when processing certain
+ patterns.
+ * Add 0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch.
+ CVE-2015-8391: Some pathological patterns causes pcre_compile() to run
+ for a very long time.
+ * Add 0001-Fix-buffer-overflow-for-named-references-in-situatio.patch.
+ CVE-2015-8392: Buffer overflow caused by certain patterns with
+ duplicated named groups.
+ * Add 0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch.
+ CVE-2015-8393: Information leak when running pcgrep -q on crafted
+ binary.
+ * Add 0001-Add-missing-integer-overflow-checks.patch.
+ CVE-2015-8394: Integer overflow caused by missing check for certain
+ conditions.
+ * Add 0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch.
+ CVE-2015-8381: Heap Overflow in compile_regex().
+ CVE-2015-8395: Buffer overflow caused by certain references.
+ (Closes: #796762)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Tue, 29 Dec 2015 09:19:11 +0100
+
pcre3 (2:8.35-3.3+deb8u1) jessie; urgency=medium
- * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073
+ * CVE-2015-2325 CVE-2015-2326 CVE-2015-2327 CVE-2015-3210
+ CVE-2015-5073 CVE-2015-8384 CVE-2015-8388
+ (Closes: #781795, #783285, #787433, #790000)
-- Moritz Muehlenhoff <jmm@debian.org> Sun, 16 Aug 2015 11:37:39 +0000
diff -Nru pcre3-8.35/debian/patches/0001-Add-integer-overflow-check-to-n-code.patch pcre3-8.35/debian/patches/0001-Add-integer-overflow-check-to-n-code.patch
--- pcre3-8.35/debian/patches/0001-Add-integer-overflow-check-to-n-code.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Add-integer-overflow-check-to-n-code.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,52 @@
+Description: Add integer overflow check to (?n) code.
+ .
+ Addresses CVE-2015-8387.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1563
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-29
+Applied-Upstream: 8.38
+
+---
+ pcre_compile.c | 8 ++++++++
+ testdata/testinput2 | 2 ++
+ testdata/testoutput2 | 3 +++
+ 4 files changed, 15 insertions(+)
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -7245,7 +7245,15 @@ for (;; ptr++)
+
+ recno = 0;
+ while(IS_DIGIT(*ptr))
++ {
++ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
++ {
++ while (IS_DIGIT(*ptr)) ptr++;
++ *errorcodeptr = ERR61;
++ goto FAILED;
++ }
+ recno = recno * 10 + *ptr++ - CHAR_0;
++ }
+
+ if (*ptr != (pcre_uchar)terminator)
+ {
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4081,4 +4081,6 @@ backtracking verbs. --/
+ ".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
+ \H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
+
++/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14204,4 +14204,7 @@ Failed: unmatched parentheses at offset
+ ".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
+ \H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
+
++/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
++Failed: number is too big at offset 32
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/0001-Add-missing-integer-overflow-checks.patch pcre3-8.35/debian/patches/0001-Add-missing-integer-overflow-checks.patch
--- pcre3-8.35/debian/patches/0001-Add-missing-integer-overflow-checks.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Add-missing-integer-overflow-checks.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,66 @@
+Description: Add missing integer overflow checks.
+ .
+ Addresses CVE-2015-8394.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1589
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-29
+Applied-Upstream: 8.36
+
+---
+ pcre_compile.c | 11 +++++++++++
+ testdata/testinput2 | 4 ++++
+ testdata/testoutput2 | 6 ++++++
+ 4 files changed, 25 insertions(+)
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -6651,6 +6651,12 @@ for (;; ptr++)
+ {
+ while (IS_DIGIT(*ptr))
+ {
++ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
++ {
++ while (IS_DIGIT(*ptr)) ptr++;
++ *errorcodeptr = ERR61;
++ goto FAILED;
++ }
+ recno = recno * 10 + (int)(*ptr - CHAR_0);
+ ptr++;
+ }
+@@ -6781,6 +6787,11 @@ for (;; ptr++)
+ *errorcodeptr = ERR15;
+ goto FAILED;
+ }
++ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
++ {
++ *errorcodeptr = ERR61;
++ goto FAILED;
++ }
+ recno = recno * 10 + name[i] - CHAR_0;
+ }
+ if (recno == 0) recno = RREF_ANY;
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4092,4 +4092,8 @@ backtracking verbs. --/
+
+ /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/
+
++/((?(R8000000000)))/
++
++/(?(8000000000/
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14218,4 +14218,10 @@ Failed: missing terminating ] for charac
+
+ /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/
+
++/((?(R8000000000)))/
++Failed: number is too big at offset 16
++
++/(?(8000000000/
++Failed: number is too big at offset 13
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch
--- pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,47 @@
+Description: Fix buffer overflow for lookbehind within mutually recursive
+ subroutines.
+ .
+ Addresses CVE-2015-8386.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1560
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-28
+Applied-Upstream: 8.38
+
+---
+ pcre_compile.c | 2 +-
+ testdata/testinput2 | 3 +++
+ testdata/testoutput2 | 3 +++
+ 4 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -1782,7 +1782,7 @@ for (;;)
+ case OP_ASSERTBACK:
+ case OP_ASSERTBACK_NOT:
+ do cc += GET(cc, 1); while (*cc == OP_ALT);
+- cc += PRIV(OP_lengths)[*cc];
++ cc += 1 + LINK_SIZE;
+ break;
+
+ /* Skip over things that don't match chars */
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4078,4 +4078,7 @@ backtracking verbs. --/
+
+ /(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
++".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
++\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14201,4 +14201,7 @@ Failed: unmatched parentheses at offset
+
+ /(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
++".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
++\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-named-references-in-situatio.patch pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-named-references-in-situatio.patch
--- pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-named-references-in-situatio.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-named-references-in-situatio.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,171 @@
+Description: Fix buffer overflow for named references in (?| situations.
+ .
+ Addresses CVE-2015-8392.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1585
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-29
+Applied-Upstream: 8.38
+
+---
+ pcre_compile.c | 74 ++++++++++++++++++++++++++++++----------------------
+ pcre_internal.h | 1 +
+ testdata/testinput2 | 2 ++
+ testdata/testoutput2 | 2 ++
+ 5 files changed, 54 insertions(+), 31 deletions(-)
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -6555,6 +6555,7 @@ for (;; ptr++)
+ /* ------------------------------------------------------------ */
+ case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */
+ reset_bracount = TRUE;
++ cd->dupgroups = TRUE; /* Record (?| encountered */
+ /* Fall through */
+
+ /* ------------------------------------------------------------ */
+@@ -7056,7 +7057,8 @@ for (;; ptr++)
+ if (lengthptr != NULL)
+ {
+ named_group *ng;
+-
++ recno = 0;
++
+ if (namelen == 0)
+ {
+ *errorcodeptr = ERR62;
+@@ -7073,32 +7075,6 @@ for (;; ptr++)
+ goto FAILED;
+ }
+
+- /* The name table does not exist in the first pass; instead we must
+- scan the list of names encountered so far in order to get the
+- number. If the name is not found, set the value to 0 for a forward
+- reference. */
+-
+- recno = 0;
+- ng = cd->named_groups;
+- for (i = 0; i < cd->names_found; i++, ng++)
+- {
+- if (namelen == ng->length &&
+- STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+- {
+- open_capitem *oc;
+- recno = ng->number;
+- if (is_recurse) break;
+- for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+- {
+- if (oc->number == recno)
+- {
+- oc->flag = TRUE;
+- break;
+- }
+- }
+- }
+- }
+-
+ /* Count named back references. */
+
+ if (!is_recurse) cd->namedrefcount++;
+@@ -7109,7 +7085,44 @@ for (;; ptr++)
+ real compile this will be picked up and the reference wrapped with
+ OP_ONCE to make it atomic, so we must space in case this occurs. */
+
+- if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
++ *lengthptr += 2 + 2*LINK_SIZE;
++
++ /* It is even worse than that. The current reference may be to an
++ existing named group with a different number (so apparently not
++ recursive) but which later on is also attached to a group with the
++ current number. This can only happen if $(| has been previous
++ encountered. In that case, we allow yet more memory, just in case.
++ (Again, this is fixed "properly" in PCRE2. */
++
++ if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE;
++
++ /* Otherwise, check for recursion here. The name table does not exist
++ in the first pass; instead we must scan the list of names encountered
++ so far in order to get the number. If the name is not found, leave
++ the value of recno as 0 for a forward reference. */
++
++ else
++ {
++ ng = cd->named_groups;
++ for (i = 0; i < cd->names_found; i++, ng++)
++ {
++ if (namelen == ng->length &&
++ STRNCMP_UC_UC(name, ng->name, namelen) == 0)
++ {
++ open_capitem *oc;
++ recno = ng->number;
++ if (is_recurse) break;
++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++ {
++ if (oc->number == recno)
++ {
++ oc->flag = TRUE;
++ break;
++ }
++ }
++ }
++ }
++ }
+ }
+
+ /* In the real compile, search the name table. We check the name
+@@ -9078,6 +9091,7 @@ cd->names_found = 0;
+ cd->name_entry_size = 0;
+ cd->name_table = NULL;
+ cd->dupnames = FALSE;
++cd->dupgroups = FALSE;
+ cd->namedrefcount = 0;
+ cd->start_code = cworkspace;
+ cd->hwm = cworkspace;
+@@ -9111,7 +9125,7 @@ if (errorcode != 0) goto PCRE_EARLY_ERRO
+
+ DPRINTF(("end pre-compile: length=%d workspace=%d\n", length,
+ (int)(cd->hwm - cworkspace)));
+-
++
+ if (length > MAX_PATTERN_SIZE)
+ {
+ errorcode = ERR20;
+--- a/pcre_internal.h
++++ b/pcre_internal.h
+@@ -2446,6 +2446,7 @@ typedef struct compile_data {
+ BOOL had_pruneorskip; /* (*PRUNE) or (*SKIP) encountered */
+ BOOL check_lookbehind; /* Lookbehinds need later checking */
+ BOOL dupnames; /* Duplicate names exist */
++ BOOL dupgroups; /* Duplicate groups exist: (?| found */
+ int nltype; /* Newline type */
+ int nllen; /* Newline string length */
+ pcre_uchar nl[4]; /* Newline string when fixed length */
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4090,4 +4090,6 @@ backtracking verbs. --/
+
+ "[[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[:::::::::::::::::[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[[[:::E[[[:[:[[:[:::[[:::E[[[:[:[[:'[:::::E[[[:[::::::[[[:[[[[[[[::E[[[:[::::::[[[:[[[[[[[[:[[::[::::[[:::::::[[:[[[[[[[:[[::[:[[:[~"
+
++/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14216,4 +14216,6 @@ Matched, but too many substrings
+ "[[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[:::::::::::::::::[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[[[:::E[[[:[:[[:[:::[[:::E[[[:[:[[:'[:::::E[[[:[::::::[[[:[[[[[[[::E[[[:[::::::[[[:[[[[[[[[:[[::[::::[[:::::::[[:[[[[[[[:[[::[:[[:[~"
+ Failed: missing terminating ] for character class at offset 353
+
++/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput11-8
++++ b/testdata/testoutput11-8
+@@ -231,7 +231,7 @@ Memory allocation (code space): 45
+ ------------------------------------------------------------------
+
+ /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
+-Memory allocation (code space): 34
++Memory allocation (code space): 46
+ ------------------------------------------------------------------
+ 0 30 Bra
+ 3 7 CBra 1
diff -Nru pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch
--- pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,53 @@
+Description: Fix buffer overflow for repeated conditional when referencing
+ a duplicate name.
+ .
+ Addresses CVE-2015-8383.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1557
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-28
+Applied-Upstream: 8.38
+
+---
+ pcre_compile.c | 2 +-
+ testdata/testinput2 | 6 ++++++
+ testdata/testoutput2 | 6 ++++++
+ 4 files changed, 18 insertions(+), 2 deletions(-)
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -6683,7 +6683,7 @@ for (;; ptr++)
+ ptr++;
+ }
+ namelen = (int)(ptr - name);
+- if (lengthptr != NULL) *lengthptr += IMM2_SIZE;
++ if (lengthptr != NULL) skipbytes += IMM2_SIZE;
+ }
+
+ /* Check the terminator */
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4072,4 +4072,10 @@ backtracking verbs. --/
+
+ /(?=di(?<=(?1))|(?=(.))))/
+
++/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
++
++/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
++
++/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14195,4 +14195,10 @@ Failed: parentheses are too deeply neste
+ /(?=di(?<=(?1))|(?=(.))))/
+ Failed: unmatched parentheses at offset 23
+
++/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
++
++/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
++
++/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/0001-Fix-bug-for-classes-containing-sequences.patch pcre3-8.35/debian/patches/0001-Fix-bug-for-classes-containing-sequences.patch
--- pcre3-8.35/debian/patches/0001-Fix-bug-for-classes-containing-sequences.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fix-bug-for-classes-containing-sequences.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,63 @@
+Description: Fix bug for classes containing \\ sequences.
+ .
+ Addresses CVE-2015-8390.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1578
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-29
+Applied-Upstream: 8.38
+
+---
+ pcre_compile.c | 14 ++++++++------
+ testdata/testinput2 | 2 ++
+ testdata/testoutput2 | 2 ++
+ 4 files changed, 16 insertions(+), 6 deletions(-)
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -3824,11 +3824,11 @@ didn't consider this to be a POSIX class
+ The problem in trying to be exactly like Perl is in the handling of escapes. We
+ have to be sure that [abc[:x\]pqr] is *not* treated as containing a POSIX
+ class, but [abc[:x\]pqr:]] is (so that an error can be generated). The code
+-below handles the special case of \], but does not try to do any other escape
+-processing. This makes it different from Perl for cases such as [:l\ower:]
+-where Perl recognizes it as the POSIX class "lower" but PCRE does not recognize
+-"l\ower". This is a lesser evil than not diagnosing bad classes when Perl does,
+-I think.
++below handles the special cases \\ and \], but does not try to do any other
++escape processing. This makes it different from Perl for cases such as
++[:l\ower:] where Perl recognizes it as the POSIX class "lower" but PCRE does
++not recognize "l\ower". This is a lesser evil than not diagnosing bad classes
++when Perl does, I think.
+
+ A user pointed out that PCRE was rejecting [:a[:digit:]] whereas Perl was not.
+ It seems that the appearance of a nested POSIX class supersedes an apparent
+@@ -3855,7 +3855,9 @@ pcre_uchar terminator; /* Don't
+ terminator = *(++ptr); /* compiler warns about "non-constant" initializer. */
+ for (++ptr; *ptr != CHAR_NULL; ptr++)
+ {
+- if (*ptr == CHAR_BACKSLASH && ptr[1] == CHAR_RIGHT_SQUARE_BRACKET)
++ if (*ptr == CHAR_BACKSLASH &&
++ (ptr[1] == CHAR_RIGHT_SQUARE_BRACKET ||
++ ptr[1] == CHAR_BACKSLASH))
+ ptr++;
+ else if (*ptr == CHAR_RIGHT_SQUARE_BRACKET) return FALSE;
+ else
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4086,4 +4086,6 @@ backtracking verbs. --/
+ //
+ \O1
+
++/[[:\\](?'abc')[a:]/
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14211,4 +14211,6 @@ Failed: number is too big at offset 32
+ \O1
+ Matched, but too many substrings
+
++/[[:\\](?'abc')[a:]/
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/0001-Fix-compile-time-loop-for-recursive-reference-within.patch pcre3-8.35/debian/patches/0001-Fix-compile-time-loop-for-recursive-reference-within.patch
--- pcre3-8.35/debian/patches/0001-Fix-compile-time-loop-for-recursive-reference-within.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fix-compile-time-loop-for-recursive-reference-within.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,103 @@
+Description: Fix compile-time loop for recursive reference within a group
+ with an indefinite repeat.
+ .
+ Addresses CVE-2015-2328.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1498
+Bug: https://bugs.exim.org/show_bug.cgi?id=1515
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-28
+Applied-Upstream: 8.36
+
+---
+ pcre_compile.c | 21 +++++++++------------
+ testdata/testinput1 | 6 ++++++
+ testdata/testoutput1 | 10 ++++++++++
+ 4 files changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 8276d0f..4bb05b9 100644
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -2374,6 +2374,7 @@ for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE);
+ if (c == OP_RECURSE)
+ {
+ const pcre_uchar *scode = cd->start_code + GET(code, 1);
++ const pcre_uchar *endgroup = scode;
+ BOOL empty_branch;
+
+ /* Test for forward reference or uncompleted reference. This is disabled
+@@ -2388,24 +2389,20 @@ for (code = first_significant_code(code + PRIV(OP_lengths)[*code], TRUE);
+ if (GET(scode, 1) == 0) return TRUE; /* Unclosed */
+ }
+
+- /* If we are scanning a completed pattern, there are no forward references
+- and all groups are complete. We need to detect whether this is a recursive
+- call, as otherwise there will be an infinite loop. If it is a recursion,
+- just skip over it. Simple recursions are easily detected. For mutual
+- recursions we keep a chain on the stack. */
++ /* If the reference is to a completed group, we need to detect whether this
++ is a recursive call, as otherwise there will be an infinite loop. If it is
++ a recursion, just skip over it. Simple recursions are easily detected. For
++ mutual recursions we keep a chain on the stack. */
+
++ do endgroup += GET(endgroup, 1); while (*endgroup == OP_ALT);
++ if (code >= scode && code <= endgroup) continue; /* Simple recursion */
+ else
+- {
++ {
+ recurse_check *r = recurses;
+- const pcre_uchar *endgroup = scode;
+-
+- do endgroup += GET(endgroup, 1); while (*endgroup == OP_ALT);
+- if (code >= scode && code <= endgroup) continue; /* Simple recursion */
+-
+ for (r = recurses; r != NULL; r = r->prev)
+ if (r->group == scode) break;
+ if (r != NULL) continue; /* Mutual recursion */
+- }
++ }
+
+ /* Completed reference; scan the referenced group, remembering it on the
+ stack chain to detect mutual recursions. */
+diff --git a/testdata/testinput1 b/testdata/testinput1
+index 6fd62ba..123e3d3 100644
+--- a/testdata/testinput1
++++ b/testdata/testinput1
+@@ -4937,6 +4937,12 @@ however, we need the complication for Perl. ---/
+
+ /((?(R1)a+|(?1)b))/
+ aaaabcde
++
++/((?(R)a|(?1)))*/
++ aaa
++
++/((?(R)a|(?1)))+/
++ aaa
+
+ /a(*:any
+ name)/K
+diff --git a/testdata/testoutput1 b/testdata/testoutput1
+index eeddf0f..5e71900 100644
+--- a/testdata/testoutput1
++++ b/testdata/testoutput1
+@@ -8234,6 +8234,16 @@ MK: M
+ aaaabcde
+ 0: aaaab
+ 1: aaaab
++
++/((?(R)a|(?1)))*/
++ aaa
++ 0: aaa
++ 1: a
++
++/((?(R)a|(?1)))+/
++ aaa
++ 0: aaa
++ 1: a
+
+ /a(*:any
+ name)/K
+--
+2.1.4
+
diff -Nru pcre3-8.35/debian/patches/0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch pcre3-8.35/debian/patches/0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch
--- pcre3-8.35/debian/patches/0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,96 @@
+Description: Fix infinite recursion in the JIT compiler when certain
+ patterns when certain patterns are analysed.
+ .
+ Addresses CVE-2015-8389.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1577
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-29
+Applied-Upstream: 8.38
+
+---
+ pcre_jit_compile.c | 15 +++++++++++----
+ testdata/testinput12 | 2 ++
+ testdata/testoutput12 | 2 ++
+ 4 files changed, 18 insertions(+), 4 deletions(-)
+
+--- a/pcre_jit_compile.c
++++ b/pcre_jit_compile.c
+@@ -3183,7 +3183,7 @@ bytes[len] = byte;
+ bytes[0] = len;
+ }
+
+-static int scan_prefix(compiler_common *common, pcre_uchar *cc, pcre_uint32 *chars, pcre_uint8 *bytes, int max_chars)
++static int scan_prefix(compiler_common *common, pcre_uchar *cc, pcre_uint32 *chars, pcre_uint8 *bytes, int max_chars, pcre_uint32 *rec_count)
+ {
+ /* Recursive function, which scans prefix literals. */
+ BOOL last, any, caseless;
+@@ -3201,9 +3201,14 @@ pcre_uchar othercase[1];
+ repeat = 1;
+ while (TRUE)
+ {
++ if (*rec_count == 0)
++ return 0;
++ rec_count--;
++
+ last = TRUE;
+ any = FALSE;
+ caseless = FALSE;
++
+ switch (*cc)
+ {
+ case OP_CHARI:
+@@ -3265,7 +3270,7 @@ while (TRUE)
+ #ifdef SUPPORT_UTF
+ if (common->utf && HAS_EXTRALEN(*cc)) len += GET_EXTRALEN(*cc);
+ #endif
+- max_chars = scan_prefix(common, cc + len, chars, bytes, max_chars);
++ max_chars = scan_prefix(common, cc + len, chars, bytes, max_chars, rec_count);
+ if (max_chars == 0)
+ return consumed;
+ last = FALSE;
+@@ -3288,7 +3293,7 @@ while (TRUE)
+ alternative = cc + GET(cc, 1);
+ while (*alternative == OP_ALT)
+ {
+- max_chars = scan_prefix(common, alternative + 1 + LINK_SIZE, chars, bytes, max_chars);
++ max_chars = scan_prefix(common, alternative + 1 + LINK_SIZE, chars, bytes, max_chars, rec_count);
+ if (max_chars == 0)
+ return consumed;
+ alternative += GET(alternative, 1);
+@@ -3530,6 +3535,7 @@ int i, max, from;
+ int range_right = -1, range_len = 3 - 1;
+ sljit_ub *update_table = NULL;
+ BOOL in_range;
++pcre_uint32 rec_count;
+
+ /* This is even TRUE, if both are NULL. */
+ SLJIT_ASSERT(common->read_only_data_ptr == common->read_only_data);
+@@ -3541,7 +3547,8 @@ for (i = 0; i < MAX_N_CHARS; i++)
+ bytes[i * MAX_N_BYTES] = 0;
+ }
+
+-max = scan_prefix(common, common->start, chars, bytes, MAX_N_CHARS);
++rec_count = 10000;
++max = scan_prefix(common, common->start, chars, bytes, MAX_N_CHARS, &rec_count);
+
+ if (max <= 1)
+ return FALSE;
+--- a/testdata/testinput12
++++ b/testdata/testinput12
+@@ -87,4 +87,6 @@ and a couple of things that are differen
+ /^12345678abcd/mS++
+ 12345678abcd
+
++/(?:|a|){100}x/S++
++
+ /-- End of testinput12 --/
+--- a/testdata/testoutput12
++++ b/testdata/testoutput12
+@@ -176,4 +176,6 @@ No match, mark = m (JIT)
+ 12345678abcd
+ 0: 12345678abcd (JIT)
+
++/(?:|a|){100}x/S++
++
+ /-- End of testinput12 --/
diff -Nru pcre3-8.35/debian/patches/0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch pcre3-8.35/debian/patches/0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch
--- pcre3-8.35/debian/patches/0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,55 @@
+Description: Fix named forward reference to duplicate group number
+ overflow bug.
+ .
+ Addresses CVE-2015-8385.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1559
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-28
+Applied-Upstream: 3.38
+
+---
+ pcre_compile.c | 26 +++++++++++++++++---------
+ testdata/testinput1 | 3 +++
+ testdata/testoutput1 | 5 +++++
+ 4 files changed, 30 insertions(+), 9 deletions(-)
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -7107,6 +7107,14 @@ for (;; ptr++)
+ /* Count named back references. */
+
+ if (!is_recurse) cd->namedrefcount++;
++
++ /* If this is a forward reference and we are within a (?|...) group,
++ the reference may end up as the number of a group which we are
++ currently inside, that is, it could be a recursive reference. In the
++ real compile this will be picked up and the reference wrapped with
++ OP_ONCE to make it atomic, so we must space in case this occurs. */
++
++ if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
+ }
+
+ /* In the real compile, search the name table. We check the name
+--- a/testdata/testinput1
++++ b/testdata/testinput1
+@@ -5672,4 +5672,7 @@ AbcdCBefgBhiBqz
+ /(a\Kb)*/+
+ ababc
+
++"(?|(\k'Pm')|(?'Pm'))"
++ abcd
++
+ /-- End of testinput1 --/
+--- a/testdata/testoutput1
++++ b/testdata/testoutput1
+@@ -9323,4 +9323,9 @@ No match
+ 0+ c
+ 1: ab
+
++"(?|(\k'Pm')|(?'Pm'))"
++ abcd
++ 0:
++ 1:
++
+ /-- End of testinput1 --/
diff -Nru pcre3-8.35/debian/patches/0001-Fix-overflow-when-ovector-has-size-1.patch pcre3-8.35/debian/patches/0001-Fix-overflow-when-ovector-has-size-1.patch
--- pcre3-8.35/debian/patches/0001-Fix-overflow-when-ovector-has-size-1.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fix-overflow-when-ovector-has-size-1.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,50 @@
+Description: Fix overflow when ovector has size 1.
+ .
+ Addresses CVE-2015-8380.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1565
+Bug: https://bugs.exim.org/show_bug.cgi?id=1637
+Bug-Debian: https://bugs.debian.org/806467
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-29
+Applied-Upstream: 8.38
+
+---
+ pcre_exec.c | 3 ++-
+ testdata/testinput2 | 3 +++
+ testdata/testoutput2 | 4 ++++
+ 4 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/pcre_exec.c
++++ b/pcre_exec.c
+@@ -6705,7 +6705,8 @@ if (md->offset_vector != NULL)
+ register int *iend = iptr - re->top_bracket;
+ if (iend < md->offset_vector + 2) iend = md->offset_vector + 2;
+ while (--iptr >= iend) *iptr = -1;
+- md->offset_vector[0] = md->offset_vector[1] = -1;
++ if (offsetcount > 0) md->offset_vector[0] = -1;
++ if (offsetcount > 1) md->offset_vector[1] = -1;
+ }
+
+ /* Set up the first character to match, if available. The first_char value is
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4083,4 +4083,7 @@ backtracking verbs. --/
+
+ /(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+
++//
++\O1
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14207,4 +14207,8 @@ Failed: unmatched parentheses at offset
+ /(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+ Failed: number is too big at offset 32
+
++//
++\O1
++Matched, but too many substrings
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch pcre3-8.35/debian/patches/0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch
--- pcre3-8.35/debian/patches/0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,61 @@
+Description: Fix "run for ever" bug for deeply nested [: sequences.
+ .
+ Addresses CVE-2015-8391.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1579
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-29
+Applied-Upstream: 8.38
+
+---
+ pcre_compile.c | 17 +++++------------
+ testdata/testinput2 | 2 ++
+ testdata/testoutput2 | 3 +++
+ 4 files changed, 13 insertions(+), 12 deletions(-)
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -3859,19 +3859,12 @@ for (++ptr; *ptr != CHAR_NULL; ptr++)
+ (ptr[1] == CHAR_RIGHT_SQUARE_BRACKET ||
+ ptr[1] == CHAR_BACKSLASH))
+ ptr++;
+- else if (*ptr == CHAR_RIGHT_SQUARE_BRACKET) return FALSE;
+- else
++ else if ((*ptr == CHAR_LEFT_SQUARE_BRACKET && ptr[1] == terminator) ||
++ *ptr == CHAR_RIGHT_SQUARE_BRACKET) return FALSE;
++ else if (*ptr == terminator && ptr[1] == CHAR_RIGHT_SQUARE_BRACKET)
+ {
+- if (*ptr == terminator && ptr[1] == CHAR_RIGHT_SQUARE_BRACKET)
+- {
+- *endptr = ptr;
+- return TRUE;
+- }
+- if (*ptr == CHAR_LEFT_SQUARE_BRACKET &&
+- (ptr[1] == CHAR_COLON || ptr[1] == CHAR_DOT ||
+- ptr[1] == CHAR_EQUALS_SIGN) &&
+- check_posix_syntax(ptr, endptr))
+- return FALSE;
++ *endptr = ptr;
++ return TRUE;
+ }
+ }
+ return FALSE;
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4088,4 +4088,6 @@ backtracking verbs. --/
+
+ /[[:\\](?'abc')[a:]/
+
++"[[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[:::::::::::::::::[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[[[:::E[[[:[:[[:[:::[[:::E[[[:[:[[:'[:::::E[[[:[::::::[[[:[[[[[[[::E[[[:[::::::[[[:[[[[[[[[:[[::[::::[[:::::::[[:[[[[[[[:[[::[:[[:[~"
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14213,4 +14213,7 @@ Matched, but too many substrings
+
+ /[[:\\](?'abc')[a:]/
+
++"[[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[:::::::::::::::::[[.\xe8Nq\xffq\xff\xe0\x2|||::Nq\xffq\xff\xe0\x6\x2|||::[[[:[::::::[[[[[::::::::[:[[[:[:::[[[[[[[[[[[[[[:::E[[[:[:[[:[:::[[:::E[[[:[:[[:'[:::::E[[[:[::::::[[[:[[[[[[[::E[[[:[::::::[[[:[[[[[[[[:[[::[::::[[:::::::[[:[[[[[[[:[[::[:[[:[~"
++Failed: missing terminating ] for character class at offset 353
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch pcre3-8.35/debian/patches/0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch
--- pcre3-8.35/debian/patches/0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,60 @@
+Description: Hack in yet other patch for a bug in size computation that is
+ fixed "properly" in PCRE2.
+ .
+ Addresses CVE-2015-8395 and CVE-2015-8381.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1594
+Bug-Debian: https://bugs.debian.org/796762
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-29
+Applied-Upstream: 8.38
+
+---
+ pcre_compile.c | 5 ++---
+ testdata/testinput2 | 2 ++
+ testdata/testoutput2 | 2 ++
+ 4 files changed, 13 insertions(+), 5 deletions(-)
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -7105,7 +7105,7 @@ for (;; ptr++)
+ encountered. In that case, we allow yet more memory, just in case.
+ (Again, this is fixed "properly" in PCRE2. */
+
+- if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE;
++ if (cd->dupgroups) *lengthptr += 4 + 4*LINK_SIZE;
+
+ /* Otherwise, check for recursion here. The name table does not exist
+ in the first pass; instead we must scan the list of names encountered
+@@ -9306,7 +9306,7 @@ if (errorcode == 0 && re->top_backref >
+ /* Unless disabled, check whether single character iterators can be
+ auto-possessified. The function overwrites the appropriate opcode values. */
+
+-if ((options & PCRE_NO_AUTO_POSSESS) == 0)
++if (errorcode == 0 && (options & PCRE_NO_AUTO_POSSESS) == 0)
+ auto_possessify((pcre_uchar *)codestart, utf, cd);
+
+ /* If there were any lookbehind assertions that contained OP_RECURSE
+@@ -9530,4 +9530,3 @@ return (pcre32 *)re;
+ }
+
+ /* End of pcre_compile.c */
+-
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4096,4 +4096,6 @@ backtracking verbs. --/
+
+ /(?(8000000000/
+
++/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14224,4 +14224,6 @@ Failed: number is too big at offset 16
+ /(?(8000000000/
+ Failed: number is too big at offset 13
+
++/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch pcre3-8.35/debian/patches/0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch
--- pcre3-8.35/debian/patches/0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,79 @@
+Description: Make pcregrep -q override -l and -c for compatibility with other greps.
+ .
+ Addresses CVE-2015-8393.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1586
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-12-29
+Applied-Upstream: 8.38
+
+---
+ RunGrepTest | 8 ++++++++
+ pcregrep.c | 12 ++++++------
+ testdata/grepoutput | 4 ++++
+ 4 files changed, 21 insertions(+), 6 deletions(-)
+
+--- a/RunGrepTest
++++ b/RunGrepTest
+@@ -507,6 +507,14 @@ echo "---------------------------- Test
+ echo "RC=$?" >>testtrygrep
+
+
++echo "---------------------------- Test 108 ------------------------------" >>testtrygrep
++(cd $srcdir; $valgrind $pcregrep -lq PATTERN ./testdata/grepinput ./testdata/grepinputx) >>testtrygrep
++echo "RC=$?" >>testtrygrep
++
++echo "---------------------------- Test 109 -----------------------------" >>testtrygrep
++(cd $srcdir; $valgrind $pcregrep -cq lazy ./testdata/grepinput*) >>testtrygrep
++echo "RC=$?" >>testtrygrep
++
+ # Now compare the results.
+
+ $cf $srcdir/testdata/grepoutput testtrygrep
+--- a/pcregrep.c
++++ b/pcregrep.c
+@@ -1688,9 +1688,13 @@ while (ptr < endptr)
+
+ if (filenames == FN_NOMATCH_ONLY) return 1;
+
++ /* If all we want is a yes/no answer, stop now. */
++
++ if (quiet) return 0;
++
+ /* Just count if just counting is wanted. */
+
+- if (count_only) count++;
++ else if (count_only) count++;
+
+ /* When handling a binary file and binary-files==binary, the "binary"
+ variable will be set true (it's false in all other cases). In this
+@@ -1711,10 +1715,6 @@ while (ptr < endptr)
+ return 0;
+ }
+
+- /* Likewise, if all we want is a yes/no answer. */
+-
+- else if (quiet) return 0;
+-
+ /* The --only-matching option prints just the substring that matched,
+ and/or one or more captured portions of it, as long as these strings are
+ not empty. The --file-offsets and --line-offsets options output offsets for
+@@ -2053,7 +2053,7 @@ if (filenames == FN_NOMATCH_ONLY)
+
+ /* Print the match count if wanted */
+
+-if (count_only)
++if (count_only && !quiet)
+ {
+ if (count > 0 || !omit_zero_count)
+ {
+--- a/testdata/grepoutput
++++ b/testdata/grepoutput
+@@ -743,3 +743,7 @@ RC=0
+ ---------------------------- Test 106 -----------------------------
+ a
+ RC=0
++---------------------------- Test 108 ------------------------------
++RC=0
++---------------------------- Test 109 -----------------------------
++RC=0
diff -Nru pcre3-8.35/debian/patches/794589-information-disclosure.patch pcre3-8.35/debian/patches/794589-information-disclosure.patch
--- pcre3-8.35/debian/patches/794589-information-disclosure.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/794589-information-disclosure.patch 2015-12-29 09:19:29.000000000 +0100
@@ -0,0 +1,30 @@
+Description: CVE-2015-8382: pcre_exec does not fill offsets for certain regexps
+Origin: upstream, http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510
+Bug: https://bugs.exim.org/show_bug.cgi?id=1537
+Bug-Debian: https://bugs.debian.org/794589
+Forwarded: not-needed
+Last-Update: 2015-09-10
+Applied-Upstream: 8.37
+
+--- a/pcre_exec.c
++++ b/pcre_exec.c
+@@ -1467,7 +1467,18 @@ for (;;)
+ md->offset_vector[offset] =
+ md->offset_vector[md->offset_end - number];
+ md->offset_vector[offset+1] = (int)(eptr - md->start_subject);
+- if (offset_top <= offset) offset_top = offset + 2;
++
++ /* If this group is at or above the current highwater mark, ensure that
++ any groups between the current high water mark and this group are marked
++ unset and then update the high water mark. */
++
++ if (offset >= offset_top)
++ {
++ register int *iptr = md->offset_vector + offset_top;
++ register int *iend = md->offset_vector + offset;
++ while (iptr < iend) *iptr++ = -1;
++ offset_top = offset + 2;
++ }
+ }
+ ecode += 1 + IMM2_SIZE;
+ break;
diff -Nru pcre3-8.35/debian/patches/series pcre3-8.35/debian/patches/series
--- pcre3-8.35/debian/patches/series 2015-08-16 13:37:00.000000000 +0200
+++ pcre3-8.35/debian/patches/series 2015-12-29 09:19:29.000000000 +0100
@@ -7,3 +7,17 @@
Fix-silly-quantifier-size-check.patch
cve-2014-8964.patch
CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch
+0001-Fix-compile-time-loop-for-recursive-reference-within.patch
+794589-information-disclosure.patch
+0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch
+0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch
+0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch
+0001-Add-integer-overflow-check-to-n-code.patch
+0001-Fix-overflow-when-ovector-has-size-1.patch
+0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch
+0001-Fix-bug-for-classes-containing-sequences.patch
+0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch
+0001-Fix-buffer-overflow-for-named-references-in-situatio.patch
+0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch
+0001-Add-missing-integer-overflow-checks.patch
+0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch
Reply to: