
Bug#859133: marked as done (unblock: pcre3/2:8.39-3)



Your message dated Thu, 30 Mar 2017 19:42:00 +0000
with message-id <e38cefd2-99e6-d366-1e2e-8dd86c6e3d53@thykier.net>
and subject line Re: Bug#859133: unblock: pcre3/2:8.39-3
has caused the Debian Bug report #859133,
regarding unblock: pcre3/2:8.39-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
859133: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859133
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

(Know this is somewhere in a thread already, but wanted to make an
explicit unblock request, Cyril Brulebois X-Debbugs-CC'ed):

Please unblock package pcre3

The upload fixes CVE-2017-7186: invalid Unicode property lookup may
cause denial of service (Closes: #858238)

unblock pcre3/2:8.39-3

Thanks to the whole team for your hard work on the release!

Regards,
Salvatore
diff -Nru pcre3-8.39/debian/changelog pcre3-8.39/debian/changelog
--- pcre3-8.39/debian/changelog	2017-02-17 15:56:09.000000000 +0100
+++ pcre3-8.39/debian/changelog	2017-03-21 23:03:19.000000000 +0100
@@ -1,3 +1,10 @@
+pcre3 (2:8.39-3) unstable; urgency=high
+
+  * CVE-2017-7186: invalid Unicode property lookup may cause denial of
+    service (Closes: #858238)
+
+ -- Matthew Vernon <matthew@debian.org>  Tue, 21 Mar 2017 22:03:19 +0000
+
 pcre3 (2:8.39-2.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru pcre3-8.39/debian/patches/series pcre3-8.39/debian/patches/series
--- pcre3-8.39/debian/patches/series	2017-02-17 15:56:09.000000000 +0100
+++ pcre3-8.39/debian/patches/series	2017-03-21 23:04:04.000000000 +0100
@@ -6,3 +6,4 @@
 no_jit_x32_powerpcspe.patch
 Disable_JIT_on_sparc64.patch
 CVE-2017-6004.patch
+upstream-fix-for-cve-2017-7186-upstream-
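Review bot: The new series entry "upstream-fix-for-cve-2017-7186-upstream-" ends in a dangling hyphen and has no .patch suffix, unlike the three entries above it (for example CVE-2017-6004.patch). It reads like a truncated auto-generated name; renaming the file to follow the existing CVE-named convention would make the series file easier to audit.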
diff -Nru pcre3-8.39/debian/patches/upstream-fix-for-cve-2017-7186-upstream- pcre3-8.39/debian/patches/upstream-fix-for-cve-2017-7186-upstream-
--- pcre3-8.39/debian/patches/upstream-fix-for-cve-2017-7186-upstream-	1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.39/debian/patches/upstream-fix-for-cve-2017-7186-upstream-	2017-03-21 23:04:04.000000000 +0100
@@ -0,0 +1,59 @@
+Description: Upstream fix for CVE-2017-7186 (Upstream rev 1688)
+ Fix Unicode property crash for 32-bit characters greater than 0x10ffff.
+Author: Matthew Vernon <matthew@debian.org>
+X-Dgit-Generated: 2:8.39-3 c4c2c7c4f74d53b263af2471d8e11db88096bd13
+
+---
+
+--- pcre3-8.39.orig/pcre_internal.h
++++ pcre3-8.39/pcre_internal.h
+@@ -2772,6 +2772,9 @@ extern const pcre_uint8  PRIV(ucd_stage1
+ extern const pcre_uint16 PRIV(ucd_stage2)[];
+ extern const pcre_uint32 PRIV(ucp_gentype)[];
+ extern const pcre_uint32 PRIV(ucp_gbtable)[];
++#ifdef COMPILE_PCRE32
++extern const ucd_record  PRIV(dummy_ucd_record)[];
++#endif
+ #ifdef SUPPORT_JIT
+ extern const int         PRIV(ucp_typerange)[];
+ #endif
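Review bot: The patch header at the top of this file credits the Debian maintainer in Author: although the Description says the change is upstream rev 1688, and it carries no Origin: or Bug-Debian: field. Recording the origin as upstream and pointing at #858238 (already cited in the changelog) would let a later reader trace the fix from the patch alone.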
+@@ -2780,9 +2783,15 @@ extern const int         PRIV(ucp_typera
+ /* UCD access macros */
+ 
+ #define UCD_BLOCK_SIZE 128
+-#define GET_UCD(ch) (PRIV(ucd_records) + \
++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
+         PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
+         UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
++        
++#ifdef COMPILE_PCRE32
++#define GET_UCD(ch) ((ch > 0x10ffff)? PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
++#else
++#define GET_UCD(ch) REAL_GET_UCD(ch)
++#endif 
+ 
+ #define UCD_CHARTYPE(ch)    GET_UCD(ch)->chartype
+ #define UCD_SCRIPT(ch)      GET_UCD(ch)->script
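Review bot: In the new COMPILE_PCRE32 definition of GET_UCD the argument is used unparenthesized in the comparison (ch > 0x10ffff) and is then expanded again inside REAL_GET_UCD, so an argument that is a compound expression or has side effects would misbehave. Writing the test as ((ch) > 0x10ffff) costs nothing. A one-line comment beside the macro saying why only the 32-bit build needs the range check would help, since the explanation currently lives only in pcre_ucd.c. The hunk also adds trailing whitespace on the blank line after REAL_GET_UCD and after the final #endif.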
+--- pcre3-8.39.orig/pcre_ucd.c
++++ pcre3-8.39/pcre_ucd.c
+@@ -38,6 +38,20 @@ const pcre_uint16 PRIV(ucd_stage2)[] = {
+ const pcre_uint32 PRIV(ucd_caseless_sets)[] = {0};
+ #else
+ 
++/* If the 32-bit library is run in non-32-bit mode, character values
++greater than 0x10ffff may be encountered. For these we set up a
++special record. */
++
++#ifdef COMPILE_PCRE32
++const ucd_record PRIV(dummy_ucd_record)[] = {{
++  ucp_Common,    /* script */
++  ucp_Cn,        /* type unassigned */
++  ucp_gbOther,   /* grapheme break property */
++  0,             /* case set */
++  0,             /* other case */
++  }};
++#endif
++
+ /* When recompiling tables with a new Unicode version, please check the
+ types in this structure definition from pcre_internal.h (the actual
+ field names will be different):
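Review bot: The positional initializer for dummy_ucd_record depends on the field order of ucd_record, which is not visible in this hunk, and the context comment just below it warns that the structure definition has to be re-checked when tables are regenerated. It is worth confirming that the five values line up with the struct in pcre_internal.h (the inline comments name script, type, grapheme break property, case set, other case). The comment "run in non-32-bit mode" also leaves unclear which mode is meant, and the patch adds no regression test for a character value above 0x10ffff.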

--- End Message ---
--- Begin Message ---
Niels Thykier:
> Control: tags -1 confirmed
> 
> Salvatore Bonaccorso:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>>
>> Hi
>>
>> (Know this is somewhere in a thread already, but wanted to make an
>> explicit unblock request, Cyril Brulebois X-Debbugs-CC'ed):
>>
>> Please unblock package pcre3
>>
>> The upload fixes CVE-2017-7186: invalid Unicode property lookup may
>> cause denial of service (Closes: #858238)
>>
>> unblock pcre3/2:8.39-3
>>
>> Thanks to the whole team for your hard work on the release!
>>
>> Regards,
>> Salvatore
>>
> 
> Ack from here - CC'ing KiBi for a d-i ack.
> 
> Thanks,
> ~Niels
> 
> 

Silly me, already acked in <20170328215236.GD17320@mraw.org>.

Unblocked, thanks.
~Niels

--- End Message ---
