--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package pcre3/2:8.35-3.3+deb8u1
- From: Moritz Muehlenhoff <jmm@debian.org>
- Date: Fri, 21 Aug 2015 01:35:55 +0200
- Message-id: <20150820233555.7690.21888.reportbug@pisco.westfalen.local>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
This update fixes four minor security issues which don't warrant
a DSA. These have been tested in a production setup and were
working fine there.
Debdiff below.
Cheers,
Moritz
diff -Nru pcre3-8.35/debian/changelog pcre3-8.35/debian/changelog
--- pcre3-8.35/debian/changelog 2014-12-06 19:58:27.000000000 +0100
+++ pcre3-8.35/debian/changelog 2015-08-16 13:38:23.000000000 +0200
@@ -1,3 +1,9 @@
+pcre3 (2:8.35-3.3+deb8u1) jessie; urgency=medium
+
+ * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073
+
+ -- Moritz Muehlenhoff <jmm@debian.org> Sun, 16 Aug 2015 11:37:39 +0000
+
pcre3 (2:8.35-3.3) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch
--- pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch 2015-08-16 13:36:47.000000000 +0200
@@ -0,0 +1,492 @@
+https://security-tracker.debian.org/tracker/CVE-2015-5073
+https://security-tracker.debian.org/tracker/CVE-2015-3210
+https://security-tracker.debian.org/tracker/CVE-2015-2326
+https://security-tracker.debian.org/tracker/CVE-2015-2325
+
+--- pcre3-8.35.orig/pcre_compile.c
++++ pcre3-8.35/pcre_compile.c
+@@ -549,6 +549,7 @@ static const char error_texts[] =
+ "group name must start with a non-digit\0"
+ /* 85 */
+ "parentheses are too deeply nested (stack check)\0"
++ "digits missing in \\x{} or \\o{}\0"
+ ;
+
+ /* Table to identify digits and hex digits. This is used when compiling
+@@ -3936,14 +3937,14 @@ Arguments:
+ adjust the amount by which the group is to be moved
+ utf TRUE in UTF-8 / UTF-16 / UTF-32 mode
+ cd contains pointers to tables etc.
+- save_hwm the hwm forward reference pointer at the start of the group
++ save_hwm_offset the hwm forward reference offset at the start of the group
+
+ Returns: nothing
+ */
+
+ static void
+ adjust_recurse(pcre_uchar *group, int adjust, BOOL utf, compile_data *cd,
+- pcre_uchar *save_hwm)
++ size_t save_hwm_offset)
+ {
+ pcre_uchar *ptr = group;
+
+@@ -3955,7 +3956,8 @@ while ((ptr = (pcre_uchar *)find_recurse
+ /* See if this recursion is on the forward reference list. If so, adjust the
+ reference. */
+
+- for (hc = save_hwm; hc < cd->hwm; hc += LINK_SIZE)
++ for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset; hc < cd->hwm;
++ hc += LINK_SIZE)
+ {
+ offset = (int)GET(hc, 0);
+ if (cd->start_code + offset == ptr + 1)
+@@ -4400,7 +4402,7 @@ const pcre_uchar *tempptr;
+ const pcre_uchar *nestptr = NULL;
+ pcre_uchar *previous = NULL;
+ pcre_uchar *previous_callout = NULL;
+-pcre_uchar *save_hwm = NULL;
++size_t save_hwm_offset = 0;
+ pcre_uint8 classbits[32];
+
+ /* We can fish out the UTF-8 setting once and for all into a BOOL, but we
+@@ -5912,7 +5914,7 @@ for (;; ptr++)
+ if (repeat_max <= 1) /* Covers 0, 1, and unlimited */
+ {
+ *code = OP_END;
+- adjust_recurse(previous, 1, utf, cd, save_hwm);
++ adjust_recurse(previous, 1, utf, cd, save_hwm_offset);
+ memmove(previous + 1, previous, IN_UCHARS(len));
+ code++;
+ if (repeat_max == 0)
+@@ -5936,7 +5938,7 @@ for (;; ptr++)
+ {
+ int offset;
+ *code = OP_END;
+- adjust_recurse(previous, 2 + LINK_SIZE, utf, cd, save_hwm);
++ adjust_recurse(previous, 2 + LINK_SIZE, utf, cd, save_hwm_offset);
+ memmove(previous + 2 + LINK_SIZE, previous, IN_UCHARS(len));
+ code += 2 + LINK_SIZE;
+ *previous++ = OP_BRAZERO + repeat_type;
+@@ -5999,26 +6001,25 @@ for (;; ptr++)
+ for (i = 1; i < repeat_min; i++)
+ {
+ pcre_uchar *hc;
+- pcre_uchar *this_hwm = cd->hwm;
++ size_t this_hwm_offset = cd->hwm - cd->start_workspace;
+ memcpy(code, previous, IN_UCHARS(len));
+
+ while (cd->hwm > cd->start_workspace + cd->workspace_size -
+- WORK_SIZE_SAFETY_MARGIN - (this_hwm - save_hwm))
++ WORK_SIZE_SAFETY_MARGIN -
++ (this_hwm_offset - save_hwm_offset))
+ {
+- int save_offset = save_hwm - cd->start_workspace;
+- int this_offset = this_hwm - cd->start_workspace;
+ *errorcodeptr = expand_workspace(cd);
+ if (*errorcodeptr != 0) goto FAILED;
+- save_hwm = (pcre_uchar *)cd->start_workspace + save_offset;
+- this_hwm = (pcre_uchar *)cd->start_workspace + this_offset;
+ }
+
+- for (hc = save_hwm; hc < this_hwm; hc += LINK_SIZE)
++ for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset;
++ hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset;
++ hc += LINK_SIZE)
+ {
+ PUT(cd->hwm, 0, GET(hc, 0) + len);
+ cd->hwm += LINK_SIZE;
+ }
+- save_hwm = this_hwm;
++ save_hwm_offset = this_hwm_offset;
+ code += len;
+ }
+ }
+@@ -6063,7 +6064,7 @@ for (;; ptr++)
+ else for (i = repeat_max - 1; i >= 0; i--)
+ {
+ pcre_uchar *hc;
+- pcre_uchar *this_hwm = cd->hwm;
++ size_t this_hwm_offset = cd->hwm - cd->start_workspace;
+
+ *code++ = OP_BRAZERO + repeat_type;
+
+@@ -6085,22 +6086,21 @@ for (;; ptr++)
+ copying them. */
+
+ while (cd->hwm > cd->start_workspace + cd->workspace_size -
+- WORK_SIZE_SAFETY_MARGIN - (this_hwm - save_hwm))
++ WORK_SIZE_SAFETY_MARGIN -
++ (this_hwm_offset - save_hwm_offset))
+ {
+- int save_offset = save_hwm - cd->start_workspace;
+- int this_offset = this_hwm - cd->start_workspace;
+ *errorcodeptr = expand_workspace(cd);
+ if (*errorcodeptr != 0) goto FAILED;
+- save_hwm = (pcre_uchar *)cd->start_workspace + save_offset;
+- this_hwm = (pcre_uchar *)cd->start_workspace + this_offset;
+ }
+
+- for (hc = save_hwm; hc < this_hwm; hc += LINK_SIZE)
++ for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset;
++ hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset;
++ hc += LINK_SIZE)
+ {
+ PUT(cd->hwm, 0, GET(hc, 0) + len + ((i != 0)? 2+LINK_SIZE : 1));
+ cd->hwm += LINK_SIZE;
+ }
+- save_hwm = this_hwm;
++ save_hwm_offset = this_hwm_offset;
+ code += len;
+ }
+
+@@ -6196,7 +6196,7 @@ for (;; ptr++)
+ {
+ int nlen = (int)(code - bracode);
+ *code = OP_END;
+- adjust_recurse(bracode, 1 + LINK_SIZE, utf, cd, save_hwm);
++ adjust_recurse(bracode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
+ memmove(bracode + 1 + LINK_SIZE, bracode, IN_UCHARS(nlen));
+ code += 1 + LINK_SIZE;
+ nlen += 1 + LINK_SIZE;
+@@ -6330,7 +6330,7 @@ for (;; ptr++)
+ else
+ {
+ *code = OP_END;
+- adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm);
++ adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
+ memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
+ code += 1 + LINK_SIZE;
+ len += 1 + LINK_SIZE;
+@@ -6379,7 +6379,7 @@ for (;; ptr++)
+
+ default:
+ *code = OP_END;
+- adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm);
++ adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
+ memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
+ code += 1 + LINK_SIZE;
+ len += 1 + LINK_SIZE;
+@@ -6411,7 +6411,7 @@ for (;; ptr++)
+ newoptions = options;
+ skipbytes = 0;
+ bravalue = OP_CBRA;
+- save_hwm = cd->hwm;
++ save_hwm_offset = cd->hwm - cd->start_workspace;
+ reset_bracount = FALSE;
+
+ /* First deal with various "verbs" that can be introduced by '*'. */
+@@ -7086,14 +7086,26 @@ for (;; ptr++)
+ number. If the name is not found, set the value to 0 for a forward
+ reference. */
+
++ recno = 0;
+ ng = cd->named_groups;
+ for (i = 0; i < cd->names_found; i++, ng++)
+ {
+ if (namelen == ng->length &&
+ STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+- break;
++ {
++ open_capitem *oc;
++ recno = ng->number;
++ if (is_recurse) break;
++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++ {
++ if (oc->number == recno)
++ {
++ oc->flag = TRUE;
++ break;
++ }
++ }
++ }
+ }
+- recno = (i < cd->names_found)? ng->number : 0;
+
+ /* Count named back references. */
+
+@@ -7704,7 +7716,7 @@ for (;; ptr++)
+ const pcre_uchar *p;
+ pcre_uint32 cf;
+
+- save_hwm = cd->hwm; /* Normally this is set when '(' is read */
++ save_hwm_offset = cd->hwm - cd->start_workspace; /* Normally this is set when '(' is read */
+ terminator = (*(++ptr) == CHAR_LESS_THAN_SIGN)?
+ CHAR_GREATER_THAN_SIGN : CHAR_APOSTROPHE;
+
+@@ -8031,6 +8043,7 @@ int length;
+ unsigned int orig_bracount;
+ unsigned int max_bracount;
+ branch_chain bc;
++size_t save_hwm_offset;
+
+ /* If set, call the external function that checks for stack availability. */
+
+@@ -8048,6 +8061,8 @@ bc.current_branch = code;
+ firstchar = reqchar = 0;
+ firstcharflags = reqcharflags = REQ_UNSET;
+
++save_hwm_offset = cd->hwm - cd->start_workspace;
++
+ /* Accumulate the length for use in the pre-compile phase. Start with the
+ length of the BRA and KET and any extra bytes that are required at the
+ beginning. We accumulate in a local variable to save frequent testing of
+@@ -8241,12 +8256,16 @@ for (;;)
+
+ /* If it was a capturing subpattern, check to see if it contained any
+ recursive back references. If so, we must wrap it in atomic brackets.
+- In any event, remove the block from the chain. */
++ Because we are moving code along, we must ensure that any pending recursive
++ references are updated. In any event, remove the block from the chain. */
+
+ if (capnumber > 0)
+ {
+ if (cd->open_caps->flag)
+ {
++ *code = OP_END;
++ adjust_recurse(start_bracket, 1 + LINK_SIZE,
++ (options & PCRE_UTF8) != 0, cd, save_hwm_offset);
+ memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
+ IN_UCHARS(code - start_bracket));
+ *start_bracket = OP_ONCE;
+@@ -9265,7 +9284,7 @@ OP_RECURSE that are not fixed length get
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+ {
+ pcre_uchar *cc = (pcre_uchar *)codestart;
+
+--- pcre3-8.35.orig/testdata/testinput11
++++ pcre3-8.35/testdata/testinput11
+@@ -132,4 +132,8 @@ is required for these tests. --/
+
+ /abc(d|e)(*THEN)x(123(*THEN)4|567(b|q)(*THEN)xx)/B
+
++/(((a\2)|(a*)\g<-1>))*a?/B
++
++/((?+1)(\1))/B
++
+ /-- End of testinput11 --/
+--- pcre3-8.35.orig/testdata/testinput2
++++ pcre3-8.35/testdata/testinput2
+@@ -4035,6 +4035,8 @@ backtracking verbs. --/
+
+ /(?(R&6yh)abc)/
+
++/(((a\2)|(a*)\g<-1>))*a?/BZ
++
+ /-- Test the ugly "start or end of word" compatibility syntax --/
+
+ /[[:<:]]red[[:>:]]/BZ
+@@ -4062,4 +4064,12 @@ backtracking verbs. --/
+
+ /(((((a)))))/Q
+
++"((?2){0,1999}())?"
++
++/((?+1)(\1))/BZ
++
++"(?J)(?'d'(?'d'\g{d}))"
++
++/(?=di(?<=(?1))|(?=(.))))/
++
+ /-- End of testinput2 --/
+--- pcre3-8.35.orig/testdata/testoutput11-16
++++ pcre3-8.35/testdata/testoutput11-16
+@@ -709,4 +709,43 @@ Memory allocation (code space): 14
+ 62 End
+ ------------------------------------------------------------------
+
++/(((a\2)|(a*)\g<-1>))*a?/B
++------------------------------------------------------------------
++ 0 39 Bra
++ 2 Brazero
++ 3 32 SCBra 1
++ 6 27 Once
++ 8 12 CBra 2
++ 11 7 CBra 3
++ 14 a
++ 16 \2
++ 18 7 Ket
++ 20 11 Alt
++ 22 5 CBra 4
++ 25 a*
++ 27 5 Ket
++ 29 22 Recurse
++ 31 23 Ket
++ 33 27 Ket
++ 35 32 KetRmax
++ 37 a?+
++ 39 39 Ket
++ 41 End
++------------------------------------------------------------------
++
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 20 Bra
++ 2 16 Once
++ 4 12 CBra 1
++ 7 9 Recurse
++ 9 5 CBra 2
++ 12 \1
++ 14 5 Ket
++ 16 12 Ket
++ 18 16 Ket
++ 20 20 Ket
++ 22 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- pcre3-8.35.orig/testdata/testoutput11-32
++++ pcre3-8.35/testdata/testoutput11-32
+@@ -709,4 +709,43 @@ Memory allocation (code space): 28
+ 62 End
+ ------------------------------------------------------------------
+
++/(((a\2)|(a*)\g<-1>))*a?/B
++------------------------------------------------------------------
++ 0 39 Bra
++ 2 Brazero
++ 3 32 SCBra 1
++ 6 27 Once
++ 8 12 CBra 2
++ 11 7 CBra 3
++ 14 a
++ 16 \2
++ 18 7 Ket
++ 20 11 Alt
++ 22 5 CBra 4
++ 25 a*
++ 27 5 Ket
++ 29 22 Recurse
++ 31 23 Ket
++ 33 27 Ket
++ 35 32 KetRmax
++ 37 a?+
++ 39 39 Ket
++ 41 End
++------------------------------------------------------------------
++
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 20 Bra
++ 2 16 Once
++ 4 12 CBra 1
++ 7 9 Recurse
++ 9 5 CBra 2
++ 12 \1
++ 14 5 Ket
++ 16 12 Ket
++ 18 16 Ket
++ 20 20 Ket
++ 22 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- pcre3-8.35.orig/testdata/testoutput11-8
++++ pcre3-8.35/testdata/testoutput11-8
+@@ -709,4 +709,43 @@ Memory allocation (code space): 10
+ 76 End
+ ------------------------------------------------------------------
+
++/(((a\2)|(a*)\g<-1>))*a?/B
++------------------------------------------------------------------
++ 0 57 Bra
++ 3 Brazero
++ 4 48 SCBra 1
++ 9 40 Once
++ 12 18 CBra 2
++ 17 10 CBra 3
++ 22 a
++ 24 \2
++ 27 10 Ket
++ 30 16 Alt
++ 33 7 CBra 4
++ 38 a*
++ 40 7 Ket
++ 43 33 Recurse
++ 46 34 Ket
++ 49 40 Ket
++ 52 48 KetRmax
++ 55 a?+
++ 57 57 Ket
++ 60 End
++------------------------------------------------------------------
++
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 31 Bra
++ 3 25 Once
++ 6 19 CBra 1
++ 11 14 Recurse
++ 14 8 CBra 2
++ 19 \1
++ 22 8 Ket
++ 25 19 Ket
++ 28 25 Ket
++ 31 31 Ket
++ 34 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- pcre3-8.35.orig/testdata/testoutput2
++++ pcre3-8.35/testdata/testoutput2
+@@ -14093,6 +14093,30 @@ Failed: malformed number or name after (
+ /(?(R&6yh)abc)/
+ Failed: group name must start with a non-digit at offset 5
+
++/(((a\2)|(a*)\g<-1>))*a?/BZ
++------------------------------------------------------------------
++ Bra
++ Brazero
++ SCBra 1
++ Once
++ CBra 2
++ CBra 3
++ a
++ \2
++ Ket
++ Alt
++ CBra 4
++ a*
++ Ket
++ Recurse
++ Ket
++ Ket
++ KetRmax
++ a?+
++ Ket
++ End
++------------------------------------------------------------------
++
+ /-- Test the ugly "start or end of word" compatibility syntax --/
+
+ /[[:<:]]red[[:>:]]/BZ
+@@ -14149,4 +14173,26 @@ Failed: parentheses are too deeply neste
+ /(((((a)))))/Q
+ ** Missing 0 or 1 after /Q
+
++"((?2){0,1999}())?"
++
++/((?+1)(\1))/BZ
++------------------------------------------------------------------
++ Bra
++ Once
++ CBra 1
++ Recurse
++ CBra 2
++ \1
++ Ket
++ Ket
++ Ket
++ Ket
++ End
++------------------------------------------------------------------
++
++"(?J)(?'d'(?'d'\g{d}))"
++
++/(?=di(?<=(?1))|(?=(.))))/
++Failed: unmatched parentheses at offset 23
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/series pcre3-8.35/debian/patches/series
--- pcre3-8.35/debian/patches/series 2014-12-06 19:58:27.000000000 +0100
+++ pcre3-8.35/debian/patches/series 2015-08-16 13:37:00.000000000 +0200
@@ -6,3 +6,4 @@
no_jit_ppc64el.patch
Fix-silly-quantifier-size-check.patch
cve-2014-8964.patch
+CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch
--- End Message ---