Bug#855460: marked as done (unblock: pcre3/2:8.39-2.1)



Your message dated Sat, 18 Feb 2017 17:18:00 +0000
with message-id <febdffb3-52a3-9db5-ac90-2c7a5b3148cb@thykier.net>
and subject line Re: Bug#855460: unblock: pcre3/2:8.39-2.1
has caused the Debian Bug report #855460,
regarding unblock: pcre3/2:8.39-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
855460: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855460
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release managers,

Please unblock package pcre3

The upload fixes #855405, which in the BTS maps to the CVE
CVE-2017-6004 (the severity grave is disputable, I admit that, but I
think it would be good to release stretch without that CVE open; it is
"just" that a specially crafted regular expression may cause a denial
of service for an application using pcre3, as was demonstrated in
the upstream bug for php).

It builds on all release architectures:

https://buildd.debian.org/status/package.php?p=pcre3

The changelog reads as:

>pcre3 (2:8.39-2.1) unstable; urgency=high
>
>  * Non-maintainer upload.
>  * CVE-2017-6004: crafted regular expression may cause denial of service
>    (Closes: #855405)
>
> -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 17 Feb 2017 15:56:09 +0100

I'm including as requested the debdiff against the version in testing.

The d-i release manager is X-Debbug-CC'ed since that would need an ack
as well from him, afaict.

unblock pcre3/2:8.39-2.1

Btw, thanks for your amazing work!

Regards,
Salvatore
diff -Nru pcre3-8.39/debian/changelog pcre3-8.39/debian/changelog
--- pcre3-8.39/debian/changelog	2016-08-19 10:04:15.000000000 +0200
+++ pcre3-8.39/debian/changelog	2017-02-17 15:56:09.000000000 +0100
@@ -1,3 +1,11 @@
+pcre3 (2:8.39-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2017-6004: crafted regular expression may cause denial of service
+    (Closes: #855405)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 17 Feb 2017 15:56:09 +0100
+
 pcre3 (2:8.39-2) unstable; urgency=low
 
   * Update symbols file to reflect compilation with gcc6 (Closes: #811969)
diff -Nru pcre3-8.39/debian/patches/CVE-2017-6004.patch pcre3-8.39/debian/patches/CVE-2017-6004.patch
--- pcre3-8.39/debian/patches/CVE-2017-6004.patch	1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.39/debian/patches/CVE-2017-6004.patch	2017-02-17 15:56:09.000000000 +0100
@@ -0,0 +1,19 @@
+Description: CVE-2017-6004: crafted regular expression may cause denial of service
+Origin: upstream, https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch
+Bug: https://bugs.exim.org/show_bug.cgi?id=2035
+Bug-Debian: https://bugs.debian.org/855405
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2017-02-17
+
+--- a/pcre_jit_compile.c
++++ b/pcre_jit_compile.c
+@@ -8111,7 +8111,7 @@ if (opcode == OP_COND || opcode == OP_SC
+ 
+     if (*matchingpath == OP_FAIL)
+       stacksize = 0;
+-    if (*matchingpath == OP_RREF)
++    else if (*matchingpath == OP_RREF)
+       {
+       stacksize = GET2(matchingpath, 1);
+       if (common->currententry == NULL)
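Review bot: the one functional change here, `if` to `else if` on the OP_RREF test, only has an effect because it makes the OP_FAIL case (which sets stacksize = 0 two lines earlier) skip the remainder of the chain; the 7-line hunk context ends at `if (common->currententry == NULL)`, so a reviewer cannot see which later branch an OP_FAIL matchingpath was previously falling into. Consider stating that in the DEP-3 Description, and confirm that the single-hunk patch is the whole of the fix, since the Origin URL spans upstream revisions 1676 to 1680 while the patch carries only this one change.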
diff -Nru pcre3-8.39/debian/patches/series pcre3-8.39/debian/patches/series
--- pcre3-8.39/debian/patches/series	2016-07-28 17:43:57.000000000 +0200
+++ pcre3-8.39/debian/patches/series	2017-02-17 15:56:09.000000000 +0100
@@ -5,3 +5,4 @@
 soname.patch
 no_jit_x32_powerpcspe.patch
 Disable_JIT_on_sparc64.patch
+CVE-2017-6004.patch

--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Hi,
> 
> Salvatore Bonaccorso <carnil@debian.org> (2017-02-18):
>> Hi Release managers,
>>
>> Please unblock package pcre3
>>
>> [...]
>>
>> I'm including as requested the debdiff against the version in testing.
>>
>> The d-i release manager is X-Debbug-CC'ed since that would need an ack
>> as well from him, afaict.
>>
>> unblock pcre3/2:8.39-2.1
> 
> Thanks! No objections from me.
> 
> 
> KiBi.
> 

Unblocked, thanks.

~Niels

--- End Message ---