
Bug#796281: marked as done (jessie-pu: package pcre3/2:8.35-3.3+deb8u1)



Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #796281,
regarding jessie-pu: package pcre3/2:8.35-3.3+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
796281: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796281
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

This update fixes four minor security issues which don't warrant
a DSA. These have been tested in a production setup and were
working fine there.

Debdiff below.

Cheers,
        Moritz

diff -Nru pcre3-8.35/debian/changelog pcre3-8.35/debian/changelog
--- pcre3-8.35/debian/changelog	2014-12-06 19:58:27.000000000 +0100
+++ pcre3-8.35/debian/changelog	2015-08-16 13:38:23.000000000 +0200
@@ -1,3 +1,9 @@
+pcre3 (2:8.35-3.3+deb8u1) jessie; urgency=medium
+
+  * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073
+
+ -- Moritz Muehlenhoff <jmm@debian.org>  Sun, 16 Aug 2015 11:37:39 +0000
+
 pcre3 (2:8.35-3.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch
--- pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch	1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch	2015-08-16 13:36:47.000000000 +0200
@@ -0,0 +1,492 @@
+https://security-tracker.debian.org/tracker/CVE-2015-5073
+https://security-tracker.debian.org/tracker/CVE-2015-3210
+https://security-tracker.debian.org/tracker/CVE-2015-2326
+https://security-tracker.debian.org/tracker/CVE-2015-2325
+
+--- pcre3-8.35.orig/pcre_compile.c
++++ pcre3-8.35/pcre_compile.c
+@@ -549,6 +549,7 @@ static const char error_texts[] =
+   "group name must start with a non-digit\0"
+   /* 85 */
+   "parentheses are too deeply nested (stack check)\0"
++  "digits missing in \\x{} or \\o{}\0"
+   ;
+ 
+ /* Table to identify digits and hex digits. This is used when compiling
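Review bot: The new `error_texts` entry `"digits missing in \\x{} or \\o{}\0"` has no counterpart in the rest of this patch: none of the pcre_compile.c hunks adds an error code for it or raises it. Assuming the error-code list is unchanged, which no visible hunk contradicts, the string is unreachable and the table now has one more entry than there are codes. Either drop the line from this backport or also bring in the check that reports it. If it is kept only to stay textually close to upstream, the patch header should say so. The array itself starts outside the hunk.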
+@@ -3936,14 +3937,14 @@ Arguments:
+   adjust     the amount by which the group is to be moved
+   utf        TRUE in UTF-8 / UTF-16 / UTF-32 mode
+   cd         contains pointers to tables etc.
+-  save_hwm   the hwm forward reference pointer at the start of the group
++  save_hwm_offset   the hwm forward reference offset at the start of the group
+ 
+ Returns:     nothing
+ */
+ 
+ static void
+ adjust_recurse(pcre_uchar *group, int adjust, BOOL utf, compile_data *cd,
+-  pcre_uchar *save_hwm)
++  size_t save_hwm_offset)
+ {
+ pcre_uchar *ptr = group;
+ 
+@@ -3955,7 +3956,8 @@ while ((ptr = (pcre_uchar *)find_recurse
+   /* See if this recursion is on the forward reference list. If so, adjust the
+   reference. */
+ 
+-  for (hc = save_hwm; hc < cd->hwm; hc += LINK_SIZE)
++  for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset; hc < cd->hwm;
++       hc += LINK_SIZE)
+     {
+     offset = (int)GET(hc, 0);
+     if (cd->start_code + offset == ptr + 1)
+@@ -4400,7 +4402,7 @@ const pcre_uchar *tempptr;
+ const pcre_uchar *nestptr = NULL;
+ pcre_uchar *previous = NULL;
+ pcre_uchar *previous_callout = NULL;
+-pcre_uchar *save_hwm = NULL;
++size_t save_hwm_offset = 0;
+ pcre_uint8 classbits[32];
+ 
+ /* We can fish out the UTF-8 setting once and for all into a BOOL, but we
+@@ -5912,7 +5914,7 @@ for (;; ptr++)
+         if (repeat_max <= 1)    /* Covers 0, 1, and unlimited */
+           {
+           *code = OP_END;
+-          adjust_recurse(previous, 1, utf, cd, save_hwm);
++          adjust_recurse(previous, 1, utf, cd, save_hwm_offset);
+           memmove(previous + 1, previous, IN_UCHARS(len));
+           code++;
+           if (repeat_max == 0)
+@@ -5936,7 +5938,7 @@ for (;; ptr++)
+           {
+           int offset;
+           *code = OP_END;
+-          adjust_recurse(previous, 2 + LINK_SIZE, utf, cd, save_hwm);
++          adjust_recurse(previous, 2 + LINK_SIZE, utf, cd, save_hwm_offset);
+           memmove(previous + 2 + LINK_SIZE, previous, IN_UCHARS(len));
+           code += 2 + LINK_SIZE;
+           *previous++ = OP_BRAZERO + repeat_type;
+@@ -5999,26 +6001,25 @@ for (;; ptr++)
+             for (i = 1; i < repeat_min; i++)
+               {
+               pcre_uchar *hc;
+-              pcre_uchar *this_hwm = cd->hwm;
++              size_t this_hwm_offset = cd->hwm - cd->start_workspace;
+               memcpy(code, previous, IN_UCHARS(len));
+ 
+               while (cd->hwm > cd->start_workspace + cd->workspace_size -
+-                     WORK_SIZE_SAFETY_MARGIN - (this_hwm - save_hwm))
++                     WORK_SIZE_SAFETY_MARGIN -
++                     (this_hwm_offset - save_hwm_offset))
+                 {
+-                int save_offset = save_hwm - cd->start_workspace;
+-                int this_offset = this_hwm - cd->start_workspace;
+                 *errorcodeptr = expand_workspace(cd);
+                 if (*errorcodeptr != 0) goto FAILED;
+-                save_hwm = (pcre_uchar *)cd->start_workspace + save_offset;
+-                this_hwm = (pcre_uchar *)cd->start_workspace + this_offset;
+                 }
+ 
+-              for (hc = save_hwm; hc < this_hwm; hc += LINK_SIZE)
++              for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset;
++                   hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset;
++                   hc += LINK_SIZE)
+                 {
+                 PUT(cd->hwm, 0, GET(hc, 0) + len);
+                 cd->hwm += LINK_SIZE;
+                 }
+-              save_hwm = this_hwm;
++              save_hwm_offset = this_hwm_offset;
+               code += len;
+               }
+             }
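Review bot: Nothing in the new code says why the high-water mark is now kept as `size_t this_hwm_offset` rather than a pointer, and the `while` body is reduced to a bare `expand_workspace(cd)` call. The removed lines re-based `save_hwm` and `this_hwm` after every expansion, which shows that `cd->start_workspace` can change underneath them. A one-line comment at the declaration would stop a later edit from caching a raw pointer again, e.g. `/* offset, not pointer: expand_workspace() may move cd->start_workspace */`. The same applies to the `repeat_max` loop in the two hunks that follow and to the `save_hwm_offset` declaration earlier in the patch. The bound also subtracts two unsigned values now, so it silently relies on `this_hwm_offset >= save_hwm_offset`; that invariant deserves a mention in the same comment.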
+@@ -6063,7 +6064,7 @@ for (;; ptr++)
+         else for (i = repeat_max - 1; i >= 0; i--)
+           {
+           pcre_uchar *hc;
+-          pcre_uchar *this_hwm = cd->hwm;
++          size_t this_hwm_offset = cd->hwm - cd->start_workspace;
+ 
+           *code++ = OP_BRAZERO + repeat_type;
+ 
+@@ -6085,22 +6086,21 @@ for (;; ptr++)
+           copying them. */
+ 
+           while (cd->hwm > cd->start_workspace + cd->workspace_size -
+-                 WORK_SIZE_SAFETY_MARGIN - (this_hwm - save_hwm))
++                 WORK_SIZE_SAFETY_MARGIN -
++                 (this_hwm_offset - save_hwm_offset))
+             {
+-            int save_offset = save_hwm - cd->start_workspace;
+-            int this_offset = this_hwm - cd->start_workspace;
+             *errorcodeptr = expand_workspace(cd);
+             if (*errorcodeptr != 0) goto FAILED;
+-            save_hwm = (pcre_uchar *)cd->start_workspace + save_offset;
+-            this_hwm = (pcre_uchar *)cd->start_workspace + this_offset;
+             }
+ 
+-          for (hc = save_hwm; hc < this_hwm; hc += LINK_SIZE)
++          for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset;
++               hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset;
++               hc += LINK_SIZE)
+             {
+             PUT(cd->hwm, 0, GET(hc, 0) + len + ((i != 0)? 2+LINK_SIZE : 1));
+             cd->hwm += LINK_SIZE;
+             }
+-          save_hwm = this_hwm;
++          save_hwm_offset = this_hwm_offset;
+           code += len;
+           }
+ 
+@@ -6196,7 +6196,7 @@ for (;; ptr++)
+               {
+               int nlen = (int)(code - bracode);
+               *code = OP_END;
+-              adjust_recurse(bracode, 1 + LINK_SIZE, utf, cd, save_hwm);
++              adjust_recurse(bracode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
+               memmove(bracode + 1 + LINK_SIZE, bracode, IN_UCHARS(nlen));
+               code += 1 + LINK_SIZE;
+               nlen += 1 + LINK_SIZE;
+@@ -6330,7 +6330,7 @@ for (;; ptr++)
+         else
+           {
+           *code = OP_END;
+-          adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm);
++          adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
+           memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
+           code += 1 + LINK_SIZE;
+           len += 1 + LINK_SIZE;
+@@ -6379,7 +6379,7 @@ for (;; ptr++)
+ 
+         default:
+         *code = OP_END;
+-        adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm);
++        adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
+         memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
+         code += 1 + LINK_SIZE;
+         len += 1 + LINK_SIZE;
+@@ -6411,7 +6411,7 @@ for (;; ptr++)
+     newoptions = options;
+     skipbytes = 0;
+     bravalue = OP_CBRA;
+-    save_hwm = cd->hwm;
++    save_hwm_offset = cd->hwm - cd->start_workspace;
+     reset_bracount = FALSE;
+ 
+     /* First deal with various "verbs" that can be introduced by '*'. */
+@@ -7086,14 +7086,26 @@ for (;; ptr++)
+           number. If the name is not found, set the value to 0 for a forward
+           reference. */
+ 
++          recno = 0;
+           ng = cd->named_groups;
+           for (i = 0; i < cd->names_found; i++, ng++)
+             {
+             if (namelen == ng->length &&
+                 STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+-              break;
++              {
++              open_capitem *oc;
++              recno = ng->number;
++              if (is_recurse) break;
++              for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++                {
++                if (oc->number == recno)
++                  {
++                  oc->flag = TRUE;
++                  break;
++                  }
++                }
++              }
+             }
+-          recno = (i < cd->names_found)? ng->number : 0;
+ 
+           /* Count named back references. */
+ 
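Review bot: The rewritten name lookup no longer stops at the first match unless `is_recurse` is set, and no comment says that this is intended. The `break` inside the `open_caps` loop leaves only that inner loop, so the outer scan continues, `recno` ends up as the number of the last group carrying the name, and each matching group that is still open gets `oc->flag = TRUE`. That looks deliberate for duplicate names, as the added `(?J)` test suggests, but it reads like a forgotten `break`. A comment above `recno = ng->number;` such as `/* Keep scanning: with duplicate names every open group of that name must be flagged. */` would document it. The enclosing block and the comment describing the lookup start outside the hunk.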
+@@ -7704,7 +7716,7 @@ for (;; ptr++)
+         const pcre_uchar *p;
+         pcre_uint32 cf;
+ 
+-        save_hwm = cd->hwm;   /* Normally this is set when '(' is read */
++        save_hwm_offset = cd->hwm - cd->start_workspace;   /* Normally this is set when '(' is read */
+         terminator = (*(++ptr) == CHAR_LESS_THAN_SIGN)?
+           CHAR_GREATER_THAN_SIGN : CHAR_APOSTROPHE;
+ 
+@@ -8031,6 +8043,7 @@ int length;
+ unsigned int orig_bracount;
+ unsigned int max_bracount;
+ branch_chain bc;
++size_t save_hwm_offset;
+ 
+ /* If set, call the external function that checks for stack availability. */
+ 
+@@ -8048,6 +8061,8 @@ bc.current_branch = code;
+ firstchar = reqchar = 0;
+ firstcharflags = reqcharflags = REQ_UNSET;
+ 
++save_hwm_offset = cd->hwm - cd->start_workspace;
++
+ /* Accumulate the length for use in the pre-compile phase. Start with the
+ length of the BRA and KET and any extra bytes that are required at the
+ beginning. We accumulate in a local variable to save frequent testing of
+@@ -8241,12 +8256,16 @@ for (;;)
+ 
+     /* If it was a capturing subpattern, check to see if it contained any
+     recursive back references. If so, we must wrap it in atomic brackets.
+-    In any event, remove the block from the chain. */
++    Because we are moving code along, we must ensure that any pending recursive
++    references are updated. In any event, remove the block from the chain. */
+ 
+     if (capnumber > 0)
+       {
+       if (cd->open_caps->flag)
+         {
++        *code = OP_END;
++        adjust_recurse(start_bracket, 1 + LINK_SIZE,
++          (options & PCRE_UTF8) != 0, cd, save_hwm_offset);
+         memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
+           IN_UCHARS(code - start_bracket));
+         *start_bracket = OP_ONCE;
+@@ -9265,7 +9284,7 @@ OP_RECURSE that are not fixed length get
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+ 
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+   {
+   pcre_uchar *cc = (pcre_uchar *)codestart;
+ 
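Review bot: The existing comment above `if (errorcode == 0 && cd->check_lookbehind)` still describes only the lookbehind scan and does not explain the new precondition. Presumably the scan is skipped because the compiled code cannot be assumed complete once an earlier stage has set `errorcode`. The added test that expects `unmatched parentheses at offset 23` appears to exercise this case. A short remark such as `/* Skip if an error was already found: the code may be incomplete. */` would record the reason next to the guard. The body of the block continues outside the hunk.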
+--- pcre3-8.35.orig/testdata/testinput11
++++ pcre3-8.35/testdata/testinput11
+@@ -132,4 +132,8 @@ is required for these tests. --/
+ 
+ /abc(d|e)(*THEN)x(123(*THEN)4|567(b|q)(*THEN)xx)/B
+ 
++/(((a\2)|(a*)\g<-1>))*a?/B
++
++/((?+1)(\1))/B
++
+ /-- End of testinput11 --/
+--- pcre3-8.35.orig/testdata/testinput2
++++ pcre3-8.35/testdata/testinput2
+@@ -4035,6 +4035,8 @@ backtracking verbs. --/
+ 
+ /(?(R&6yh)abc)/
+ 
++/(((a\2)|(a*)\g<-1>))*a?/BZ
++
+ /-- Test the ugly "start or end of word" compatibility syntax --/
+ 
+ /[[:<:]]red[[:>:]]/BZ
+@@ -4062,4 +4064,12 @@ backtracking verbs. --/
+ 
+ /(((((a)))))/Q
+ 
++"((?2){0,1999}())?"
++
++/((?+1)(\1))/BZ
++
++"(?J)(?'d'(?'d'\g{d}))"
++
++/(?=di(?<=(?1))|(?=(.))))/
++
+ /-- End of testinput2 --/
+--- pcre3-8.35.orig/testdata/testoutput11-16
++++ pcre3-8.35/testdata/testoutput11-16
+@@ -709,4 +709,43 @@ Memory allocation (code space): 14
+  62     End
+ ------------------------------------------------------------------
+ 
++/(((a\2)|(a*)\g<-1>))*a?/B
++------------------------------------------------------------------
++  0  39 Bra
++  2     Brazero
++  3  32 SCBra 1
++  6  27 Once
++  8  12 CBra 2
++ 11   7 CBra 3
++ 14     a
++ 16     \2
++ 18   7 Ket
++ 20  11 Alt
++ 22   5 CBra 4
++ 25     a*
++ 27   5 Ket
++ 29  22 Recurse
++ 31  23 Ket
++ 33  27 Ket
++ 35  32 KetRmax
++ 37     a?+
++ 39  39 Ket
++ 41     End
++------------------------------------------------------------------
++
++/((?+1)(\1))/B
++------------------------------------------------------------------
++  0  20 Bra
++  2  16 Once
++  4  12 CBra 1
++  7   9 Recurse
++  9   5 CBra 2
++ 12     \1
++ 14   5 Ket
++ 16  12 Ket
++ 18  16 Ket
++ 20  20 Ket
++ 22     End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- pcre3-8.35.orig/testdata/testoutput11-32
++++ pcre3-8.35/testdata/testoutput11-32
+@@ -709,4 +709,43 @@ Memory allocation (code space): 28
+  62     End
+ ------------------------------------------------------------------
+ 
++/(((a\2)|(a*)\g<-1>))*a?/B
++------------------------------------------------------------------
++  0  39 Bra
++  2     Brazero
++  3  32 SCBra 1
++  6  27 Once
++  8  12 CBra 2
++ 11   7 CBra 3
++ 14     a
++ 16     \2
++ 18   7 Ket
++ 20  11 Alt
++ 22   5 CBra 4
++ 25     a*
++ 27   5 Ket
++ 29  22 Recurse
++ 31  23 Ket
++ 33  27 Ket
++ 35  32 KetRmax
++ 37     a?+
++ 39  39 Ket
++ 41     End
++------------------------------------------------------------------
++
++/((?+1)(\1))/B
++------------------------------------------------------------------
++  0  20 Bra
++  2  16 Once
++  4  12 CBra 1
++  7   9 Recurse
++  9   5 CBra 2
++ 12     \1
++ 14   5 Ket
++ 16  12 Ket
++ 18  16 Ket
++ 20  20 Ket
++ 22     End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- pcre3-8.35.orig/testdata/testoutput11-8
++++ pcre3-8.35/testdata/testoutput11-8
+@@ -709,4 +709,43 @@ Memory allocation (code space): 10
+  76     End
+ ------------------------------------------------------------------
+ 
++/(((a\2)|(a*)\g<-1>))*a?/B
++------------------------------------------------------------------
++  0  57 Bra
++  3     Brazero
++  4  48 SCBra 1
++  9  40 Once
++ 12  18 CBra 2
++ 17  10 CBra 3
++ 22     a
++ 24     \2
++ 27  10 Ket
++ 30  16 Alt
++ 33   7 CBra 4
++ 38     a*
++ 40   7 Ket
++ 43  33 Recurse
++ 46  34 Ket
++ 49  40 Ket
++ 52  48 KetRmax
++ 55     a?+
++ 57  57 Ket
++ 60     End
++------------------------------------------------------------------
++
++/((?+1)(\1))/B
++------------------------------------------------------------------
++  0  31 Bra
++  3  25 Once
++  6  19 CBra 1
++ 11  14 Recurse
++ 14   8 CBra 2
++ 19     \1
++ 22   8 Ket
++ 25  19 Ket
++ 28  25 Ket
++ 31  31 Ket
++ 34     End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- pcre3-8.35.orig/testdata/testoutput2
++++ pcre3-8.35/testdata/testoutput2
+@@ -14093,6 +14093,30 @@ Failed: malformed number or name after (
+ /(?(R&6yh)abc)/
+ Failed: group name must start with a non-digit at offset 5
+ 
++/(((a\2)|(a*)\g<-1>))*a?/BZ
++------------------------------------------------------------------
++        Bra
++        Brazero
++        SCBra 1
++        Once
++        CBra 2
++        CBra 3
++        a
++        \2
++        Ket
++        Alt
++        CBra 4
++        a*
++        Ket
++        Recurse
++        Ket
++        Ket
++        KetRmax
++        a?+
++        Ket
++        End
++------------------------------------------------------------------
++
+ /-- Test the ugly "start or end of word" compatibility syntax --/
+ 
+ /[[:<:]]red[[:>:]]/BZ
+@@ -14149,4 +14173,26 @@ Failed: parentheses are too deeply neste
+ /(((((a)))))/Q
+ ** Missing 0 or 1 after /Q
+ 
++"((?2){0,1999}())?"
++
++/((?+1)(\1))/BZ
++------------------------------------------------------------------
++        Bra
++        Once
++        CBra 1
++        Recurse
++        CBra 2
++        \1
++        Ket
++        Ket
++        Ket
++        Ket
++        End
++------------------------------------------------------------------
++
++"(?J)(?'d'(?'d'\g{d}))"
++
++/(?=di(?<=(?1))|(?=(.))))/
++Failed: unmatched parentheses at offset 23
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/series pcre3-8.35/debian/patches/series
--- pcre3-8.35/debian/patches/series	2014-12-06 19:58:27.000000000 +0100
+++ pcre3-8.35/debian/patches/series	2015-08-16 13:37:00.000000000 +0200
@@ -6,3 +6,4 @@
 no_jit_ppc64el.patch
 Fix-silly-quantifier-size-check.patch
 cve-2014-8964.patch
+CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch

--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---
