Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi Release managers,
Please unblock package pcre3
The uploaded fixes #855405, which maps to the BTS the CVE
CVE-2017-6004 (the severity to grave is disputable, I admit that, but
think would be good to release stretch without that CVE open; it is
"just" that a specially crafted regular expression may cause a denial
of service for an application using pcre3, as it was demonstrated in
the upstream bug for php).
It builds on all release architectures:
https://buildd.debian.org/status/package.php?p=pcre3
The changelog reads as:
>pcre3 (2:8.39-2.1) unstable; urgency=high
>
> * Non-maintainer upload.
> * CVE-2017-6004: crafted regular expression may cause denial of service
> (Closes: #855405)
>
> -- Salvatore Bonaccorso <carnil@debian.org> Fri, 17 Feb 2017 15:56:09 +0100
I'm including as requested the debdiff against the version in testing.
The d-i release manager is X-Debbugs-CC'ed since that would need an ack
as well from him, afaict.
unblock pcre3/2:8.39-2.1
Btw, thanks for your amazing work!
Regards,
Salvatore
diff -Nru pcre3-8.39/debian/changelog pcre3-8.39/debian/changelog
--- pcre3-8.39/debian/changelog 2016-08-19 10:04:15.000000000 +0200
+++ pcre3-8.39/debian/changelog 2017-02-17 15:56:09.000000000 +0100
@@ -1,3 +1,11 @@
+pcre3 (2:8.39-2.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2017-6004: crafted regular expression may cause denial of service
+ (Closes: #855405)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 17 Feb 2017 15:56:09 +0100
+
pcre3 (2:8.39-2) unstable; urgency=low
* Update symbols file to reflect compilation with gcc6 (Closes: #811969)
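Review bot: The new changelog entry only names the CVE and the Debian bug; since the fix is a cherry-pick of an upstream JIT change, it would help reviewers and the security tracker if the entry also pointed at the upstream bug (https://bugs.exim.org/show_bug.cgi?id=2035, already recorded in the patch header) and said that the fix is in pcre_jit_compile.c, so that readers know the issue is limited to the JIT matcher.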
diff -Nru pcre3-8.39/debian/patches/CVE-2017-6004.patch pcre3-8.39/debian/patches/CVE-2017-6004.patch
--- pcre3-8.39/debian/patches/CVE-2017-6004.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.39/debian/patches/CVE-2017-6004.patch 2017-02-17 15:56:09.000000000 +0100
@@ -0,0 +1,19 @@
+Description: CVE-2017-6004: crafted regular expression may cause denial of service
+Origin: upstream, https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch
+Bug: https://bugs.exim.org/show_bug.cgi?id=2035
+Bug-Debian: https://bugs.debian.org/855405
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2017-02-17
+
+--- a/pcre_jit_compile.c
++++ b/pcre_jit_compile.c
+@@ -8111,7 +8111,7 @@ if (opcode == OP_COND || opcode == OP_SC
+
+ if (*matchingpath == OP_FAIL)
+ stacksize = 0;
+- if (*matchingpath == OP_RREF)
++ else if (*matchingpath == OP_RREF)
+ {
+ stacksize = GET2(matchingpath, 1);
+ if (common->currententry == NULL)
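Review bot: Taken on its own, the `if` to `else if` change at the `OP_RREF` test looks like a no-op, because `*matchingpath` cannot equal both `OP_FAIL` and `OP_RREF`; the change only matters if the `OP_RREF` `if` has a trailing `else` branch below the visible context that would otherwise run for `OP_FAIL` and overwrite `stacksize = 0`. Suggest widening the hunk context (or saying so in the Description) so the effect of the fix is apparent to reviewers. Also, the Origin URL covers the upstream revision range r1676 to r1680 while the patch carries a single one-line hunk; please confirm the remaining upstream changes in that range are unrelated to CVE-2017-6004 so the backport is complete. Minor DEP-3 point: with `Origin: upstream`, the `Author:` field would normally name the upstream author rather than the person doing the backport.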
diff -Nru pcre3-8.39/debian/patches/series pcre3-8.39/debian/patches/series
--- pcre3-8.39/debian/patches/series 2016-07-28 17:43:57.000000000 +0200
+++ pcre3-8.39/debian/patches/series 2017-02-17 15:56:09.000000000 +0100
@@ -5,3 +5,4 @@
soname.patch
no_jit_x32_powerpcspe.patch
Disable_JIT_on_sparc64.patch
+CVE-2017-6004.patch
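Review bot: Appending CVE-2017-6004.patch after the JIT-disabling patches is fine; note for testing that on the architectures covered by no_jit_x32_powerpcspe.patch and Disable_JIT_on_sparc64.patch the JIT is disabled, so the change to pcre_jit_compile.c has no effect there and a regression test with a crafted pattern will only exercise the fix on architectures where the JIT is built.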