
Bug#858680: marked as done (jessie-pu: package erlang/1:17.3-dfsg-4+deb8u1)



Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #858680,
regarding jessie-pu: package erlang/1:17.3-dfsg-4+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
858680: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858680
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

Bug #858313 (see [1] for details) affects jessie as well, so I'd like
to propose an updated package to fix it.

The bug is in the PCRE library bundled with Erlang, and causes the whole
Erlang virtual machine to crash. It's currently being tracked at [2].

The diff between the current package and the updated one is attached.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858313
[2] https://security-tracker.debian.org/tracker/CVE-2016-10253

-- System Information:
Debian Release: 9.0
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru erlang-17.3-dfsg/debian/changelog erlang-17.3-dfsg/debian/changelog
--- erlang-17.3-dfsg/debian/changelog	2015-04-04 17:00:58.000000000 +0300
+++ erlang-17.3-dfsg/debian/changelog	2017-03-22 17:21:52.000000000 +0300
@@ -1,3 +1,12 @@
+erlang (1:17.3-dfsg-4+deb8u1) stable-proposed-updates; urgency=medium
+
+  * Applied a patch from the PCRE upstream which fixes CVE-2016-10253
+    vulnerability (heap overflow while compiling certain regular expressions).
+    The patch is taken from https://github.com/erlang/otp/pull/1108 and
+    modified to match the original patch by PCRE developers (closes: #858313).
+
+ -- Sergei Golovan <sgolovan@debian.org>  Wed, 22 Mar 2017 17:21:52 +0300
+
 erlang (1:17.3-dfsg-4) unstable; urgency=medium
 
   * Added a patch from upstream which fixes TLS POODLE vulnerability in
diff -Nru erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch
--- erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch	1970-01-01 03:00:00.000000000 +0300
+++ erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch	2017-03-22 17:20:04.000000000 +0300
@@ -0,0 +1,116 @@
+Author: PCRE upstream
+Description: A fix for CVE-2016-10253 which is the heap overflow during
+ a regular expression compile phase. The offending regexp could be
+ "(?<=((?2))((?1)))".
+ The patch was found at https://github.com/erlang/otp/pull/1108 and
+ the original version from https://vcs.pcre.org/pcre?view=revision&revision=1542
+ and https://vcs.pcre.org/pcre?view=revision&revision=1560 and
+ https://vcs.pcre.org/pcre?view=revision&revision=1571
+ has been adapted.
+Last-Modified: Wed, 22 Mar 2017 15:35:07 +0300
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858313
+Bug-Upstream: https://bugs.erlang.org/browse/ERL-208
+
+--- a/erts/emulator/pcre/pcre_compile.c
++++ b/erts/emulator/pcre/pcre_compile.c
+@@ -649,6 +649,14 @@
+ #endif
+ 
+ 
++/* Structure for mutual recursion detection. */
++
++typedef struct recurse_check {
++  struct recurse_check *prev;
++  const pcre_uchar *group;
++} recurse_check;
++
++
+ 
+ /*************************************************
+ *            Find an error text                  *
+@@ -1734,6 +1742,7 @@
+   utf      TRUE in UTF-8 / UTF-16 / UTF-32 mode
+   atend    TRUE if called when the pattern is complete
+   cd       the "compile data" structure
++  recurses    chain of recurse_check to catch mutual recursion
+ 
+ Returns:   the fixed length,
+              or -1 if there is no fixed length,
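Review bot: style only, the new `recurses` entry in the parameter comment block is not aligned with the `utf`, `atend` and `cd` entries above it (it has two extra spaces before the description); aligning it as `  recurses chain of recurse_check to catch mutual recursion` keeps the block consistent with the surrounding upstream comment style.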
+@@ -1743,10 +1752,11 @@
+ */
+ 
+ static int
+-find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd)
++find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd,
++  recurse_check *recurses)
+ {
+ int length = -1;
+-
++recurse_check this_recurse;
+ register int branchlength = 0;
+ register pcre_uchar *cc = code + 1 + LINK_SIZE;
+ 
+@@ -1771,7 +1781,8 @@
+     case OP_ONCE:
+     case OP_ONCE_NC:
+     case OP_COND:
+-    d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend, cd);
++    d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend, cd,
++      recurses);
+     if (d < 0) return d;
+     branchlength += d;
+     do cc += GET(cc, 1); while (*cc == OP_ALT);
+@@ -1805,7 +1816,16 @@
+     cs = ce = (pcre_uchar *)cd->start_code + GET(cc, 1);  /* Start subpattern */
+     do ce += GET(ce, 1); while (*ce == OP_ALT);           /* End subpattern */
+     if (cc > cs && cc < ce) return -1;                    /* Recursion */
+-    d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd);
++    else   /* Check for mutual recursion */
++      {
++      recurse_check *r = recurses;
++      for (r = recurses; r != NULL; r = r->prev) if (r->group == cs) break;
++      if (r != NULL) return -1;   /* Mutual recursion */
++      }
++    this_recurse.prev = recurses;
++    this_recurse.group = cs;
++    d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd, &this_recurse);
++
+     if (d < 0) return d;
+     branchlength += d;
+     cc += 1 + LINK_SIZE;
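Review bot: `recurse_check *r = recurses;` is immediately overwritten by the `for (r = recurses; ...)` initialiser on the next line, so the declaration initialiser is dead; `recurse_check *r;` is enough. The `else` after `return -1;` is likewise redundant. Neither affects correctness: the chain walk rejects any group already on the `recurses` stack before descending, and `this_recurse` is pushed only for the current group, so a pattern whose groups reference each other (the `(?<=((?2))((?1)))` case from the Description) now returns -1 instead of recursing without bound.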
+@@ -1818,7 +1838,7 @@
+     case OP_ASSERTBACK:
+     case OP_ASSERTBACK_NOT:
+     do cc += GET(cc, 1); while (*cc == OP_ALT);
+-    cc += PRIV(OP_lengths)[*cc];
++    cc += 1 + LINK_SIZE;
+     break;
+ 
+     /* Skip over things that don't match chars */
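Review bot: this hunk replaces `PRIV(OP_lengths)[*cc]` with the literal `1 + LINK_SIZE` without any explanation in the patch Description or in a code comment. From the visible lines a reviewer cannot confirm which opcode `cc` points at after the `do ... while (*cc == OP_ALT)` loop, so please add a short comment stating that `cc` is at the closing bracket of the assertion and that its length is `1 + LINK_SIZE`, and reference which of the three upstream revisions listed in the header this change comes from.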
+@@ -7255,7 +7275,7 @@
+       int fixed_length;
+       *code = OP_END;
+       fixed_length = find_fixedlength(last_branch,  (options & PCRE_UTF8) != 0,
+-        FALSE, cd);
++        FALSE, cd, NULL);
+       DPRINTF(("fixed length = %d\n", fixed_length));
+       if (fixed_length == -3)
+         {
+@@ -8249,7 +8269,7 @@
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+ 
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+   {
+   pcre_uchar *cc = (pcre_uchar *)codestart;
+ 
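Review bot: the added `errorcode == 0 &&` guard is a behavioural change separate from the mutual-recursion detection: it skips the lookbehind fixed-length scan entirely when compilation has already failed. The DEP-3 Description above only mentions the heap overflow during compilation, so please extend it to cover this guard as well, otherwise a later reader of `debian/patches/cve-2016-10253.patch` has no record of why the scan became conditional.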
+@@ -8269,7 +8289,7 @@
+       int end_op = *be;
+       *be = OP_END;
+       fixed_length = find_fixedlength(cc, (re->options & PCRE_UTF8) != 0, TRUE,
+-        cd);
++        cd, NULL);
+       *be = end_op;
+       DPRINTF(("fixed length = %d\n", fixed_length));
+       if (fixed_length < 0)
diff -Nru erlang-17.3-dfsg/debian/patches/series erlang-17.3-dfsg/debian/patches/series
--- erlang-17.3-dfsg/debian/patches/series	2015-04-04 16:58:41.000000000 +0300
+++ erlang-17.3-dfsg/debian/patches/series	2017-03-22 17:20:27.000000000 +0300
@@ -13,3 +13,4 @@
 sslv3disable.patch
 ssltlspoodle.patch
 beamload.patch
+cve-2016-10253.patch

--- End Message ---
--- Begin Message ---
Version: 8.8

Hi,

Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!

Regards,

Adam

--- End Message ---
