
Bug#858455: marked as done (Prospective unblock of erlang/1:19.2.1+dfsg-2)



Your message dated Wed, 22 Mar 2017 20:40:28 +0000
with message-id <E1cqn3U-0003lD-A7@respighi.debian.org>
and subject line unblock erlang
has caused the Debian Bug report #858455,
regarding Prospective unblock of erlang/1:19.2.1+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
858455: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858455
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

I'd like to upload the new erlang/1:19.2.1+dfsg-2 which fixes CVE-2016-10253
(heap overflow in bundled PCRE library).

The diff of the proposed upload is attached.

Will you unblock it after the upload?

unblock erlang/19.2.1+dfsg-2

-- System Information:
Debian Release: 9.0
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru erlang-19.2.1+dfsg/debian/changelog erlang-19.2.1+dfsg/debian/changelog
--- erlang-19.2.1+dfsg/debian/changelog	2017-01-16 23:02:47.000000000 +0300
+++ erlang-19.2.1+dfsg/debian/changelog	2017-03-22 15:31:29.000000000 +0300
@@ -1,3 +1,12 @@
+erlang (1:19.2.1+dfsg-2) unstable; urgency=high
+
+  * Applied a patch from the PCRE upstream which fixes CVE-2016-10253
+    vulnerability (heap overflow while compiling certain regular expressions).
+    The patch is taken from https://github.com/erlang/otp/pull/1108 and
+    modified to match the original patch by PCRE developers (closes: #858313).
+
+ -- Sergei Golovan <sgolovan@debian.org>  Wed, 22 Mar 2017 15:31:29 +0300
+
 erlang (1:19.2.1+dfsg-1) unstable; urgency=medium
 
   * New upstream bugfix release.
diff -Nru erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch
--- erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch	1970-01-01 03:00:00.000000000 +0300
+++ erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch	2017-03-22 15:31:29.000000000 +0300
@@ -0,0 +1,116 @@
+Author: PCRE upstream
+Description: A fix for CVE-2016-10253 which is the heap overflow during
+ a regular expression compile phase. The offending regexp could be
+ "(?<=((?2))((?1)))".
+ The patch was found at https://github.com/erlang/otp/pull/1108 and
+ the original version from https://vcs.pcre.org/pcre?view=revision&revision=1542
+ and https://vcs.pcre.org/pcre?view=revision&revision=1560 and
+ https://vcs.pcre.org/pcre?view=revision&revision=1571
+ has been adapted.
+Last-Modified: Wed, 22 Mar 2017 15:35:07 +0300
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858313
+Bug-Upstream: https://bugs.erlang.org/browse/ERL-208
+
+--- a/erts/emulator/pcre/pcre_compile.c
++++ b/erts/emulator/pcre/pcre_compile.c
+@@ -649,6 +649,14 @@
+ #endif
+ 
+ 
++/* Structure for mutual recursion detection. */
++
++typedef struct recurse_check {
++  struct recurse_check *prev;
++  const pcre_uchar *group;
++} recurse_check;
++
++
+ 
+ /*************************************************
+ *            Find an error text                  *
+@@ -1734,6 +1742,7 @@
+   utf      TRUE in UTF-8 / UTF-16 / UTF-32 mode
+   atend    TRUE if called when the pattern is complete
+   cd       the "compile data" structure
++  recurses    chain of recurse_check to catch mutual recursion
+ 
+ Returns:   the fixed length,
+              or -1 if there is no fixed length,
+@@ -1743,10 +1752,11 @@
+ */
+ 
+ static int
+-find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd)
++find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd,
++  recurse_check *recurses)
+ {
+ int length = -1;
+-
++recurse_check this_recurse;
+ register int branchlength = 0;
+ register pcre_uchar *cc = code + 1 + LINK_SIZE;
+ 
+@@ -1771,7 +1781,8 @@
+     case OP_ONCE:
+     case OP_ONCE_NC:
+     case OP_COND:
+-    d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend, cd);
++    d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend, cd,
++      recurses);
+     if (d < 0) return d;
+     branchlength += d;
+     do cc += GET(cc, 1); while (*cc == OP_ALT);
+@@ -1805,7 +1816,16 @@
+     cs = ce = (pcre_uchar *)cd->start_code + GET(cc, 1);  /* Start subpattern */
+     do ce += GET(ce, 1); while (*ce == OP_ALT);           /* End subpattern */
+     if (cc > cs && cc < ce) return -1;                    /* Recursion */
+-    d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd);
++    else   /* Check for mutual recursion */
++      {
++      recurse_check *r = recurses;
++      for (r = recurses; r != NULL; r = r->prev) if (r->group == cs) break;
++      if (r != NULL) return -1;   /* Mutual recursion */
++      }
++    this_recurse.prev = recurses;
++    this_recurse.group = cs;
++    d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd, &this_recurse);
++
+     if (d < 0) return d;
+     branchlength += d;
+     cc += 1 + LINK_SIZE;
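Review bot: in the new mutual-recursion block, `recurse_check *r = recurses;` is immediately overwritten by the `for (r = recurses; ...)` initialiser, so one of the two is redundant; drop either the `= recurses` on the declaration or the init clause of the loop. The check itself has the right shape for the pattern named in the Description, `(?<=((?2))((?1)))`: the existing `if (cc > cs && cc < ce) return -1;` still catches a group that recurses into itself, and the chain walk returns -1 as soon as the group at `cs` is already one of the groups currently being measured, which is what stops find_fixedlength from re-entering the same pair of groups without bound. Passing `&this_recurse` (a local on this frame) down into the recursive call is fine because the callee cannot outlive the caller, but `this_recurse.prev`/`.group` are assigned after the `if ... else` rather than inside it, so it would be worth a short comment that the push happens only on the path that actually recurses.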
+@@ -1818,7 +1838,7 @@
+     case OP_ASSERTBACK:
+     case OP_ASSERTBACK_NOT:
+     do cc += GET(cc, 1); while (*cc == OP_ALT);
+-    cc += PRIV(OP_lengths)[*cc];
++    cc += 1 + LINK_SIZE;
+     break;
+ 
+     /* Skip over things that don't match chars */
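Review bot: the change from `cc += PRIV(OP_lengths)[*cc];` to `cc += 1 + LINK_SIZE;` in the OP_ASSERT/OP_ASSERTBACK case is not explained anywhere: the patch Description only names the mutual-recursion fix and lists three upstream PCRE revisions without saying which hunk comes from which. After the `do cc += GET(cc, 1); while (*cc == OP_ALT);` loop `cc` sits on the closing KET opcode, and if the table entry for the KET opcodes is `1 + LINK_SIZE` the two expressions are equivalent, but that equivalence should be stated in a one-line comment here (or the hunk mapped to its PCRE revision in the Description) so the next maintainer can verify it without rereading pcre_compile.c.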
+@@ -7255,7 +7275,7 @@
+       int fixed_length;
+       *code = OP_END;
+       fixed_length = find_fixedlength(last_branch,  (options & PCRE_UTF8) != 0,
+-        FALSE, cd);
++        FALSE, cd, NULL);
+       DPRINTF(("fixed length = %d\n", fixed_length));
+       if (fixed_length == -3)
+         {
+@@ -8249,7 +8269,7 @@
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+ 
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+   {
+   pcre_uchar *cc = (pcre_uchar *)codestart;
+ 
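Review bot: `if (errorcode == 0 && cd->check_lookbehind)` is a separate behavioural change from the recursion guard: the lookbehind fixed-length scan is now skipped entirely once an earlier compile error has been recorded, instead of running find_fixedlength over bytecode that was never fully compiled. That ordering is sensible (report the first error, do not scan partial output), but neither the Description nor the changelog entry mentions it, so add a sentence to the Description so the guard is not mistaken for an unrelated edit. The hunk context also does not show where `errorcode` is declared or last assigned, which a reviewer needs to confirm that a non-zero value at this point really means "compilation already failed".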
+@@ -8269,7 +8289,7 @@
+       int end_op = *be;
+       *be = OP_END;
+       fixed_length = find_fixedlength(cc, (re->options & PCRE_UTF8) != 0, TRUE,
+-        cd);
++        cd, NULL);
+       *be = end_op;
+       DPRINTF(("fixed length = %d\n", fixed_length));
+       if (fixed_length < 0)
diff -Nru erlang-19.2.1+dfsg/debian/patches/series erlang-19.2.1+dfsg/debian/patches/series
--- erlang-19.2.1+dfsg/debian/patches/series	2016-12-15 00:12:13.000000000 +0300
+++ erlang-19.2.1+dfsg/debian/patches/series	2017-03-22 15:31:29.000000000 +0300
@@ -10,3 +10,4 @@
 wx3.0-constants.patch
 beamload.patch
 x32.patch
+cve-2016-10253.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
