
Bug#846031: marked as done (jessie-pu: package tre/0.8.0-4+deb8u1)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #846031,
regarding jessie-pu: package tre/0.8.0-4+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
846031: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846031
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Managers:

Salvatore told me that this does not warrant a DSA, so I've prepared
this upload for jessie-proposed-updates, to be considered for stable.
It fixes CVE-2016-8859.

Debdiff is attached.

Thanks.
diff -Nru tre-0.8.0/debian/changelog tre-0.8.0/debian/changelog
--- tre-0.8.0/debian/changelog	2014-04-30 00:38:40.000000000 +0200
+++ tre-0.8.0/debian/changelog	2016-11-28 00:31:36.000000000 +0100
@@ -1,3 +1,12 @@
+tre (0.8.0-4+deb8u1) jessie; urgency=medium
+
+  * Add debian/patches/03-cve-2016-8859 to fix CVE-2016-8859.
+    Patch borrowed from wheezy LTS. Closes: #842169.
+  * Add locales-all to Build-Depends, required to run the test suite.
+  * Add debian/clean with files generated/modified during the build.
+
+ -- Santiago Vila <sanvila@debian.org>  Mon, 28 Nov 2016 00:31:36 +0100
+
 tre (0.8.0-4) unstable; urgency=medium
 
   * I'm having a déjà vu.
diff -Nru tre-0.8.0/debian/clean tre-0.8.0/debian/clean
--- tre-0.8.0/debian/clean	1970-01-01 01:00:00.000000000 +0100
+++ tre-0.8.0/debian/clean	2016-11-27 23:00:00.000000000 +0100
@@ -0,0 +1,4 @@
+tests/agrep/basic.in
+tests/agrep/delimiters.in
+tests/agrep/exitstatus.in
+tests/agrep/records.in
diff -Nru tre-0.8.0/debian/control tre-0.8.0/debian/control
--- tre-0.8.0/debian/control	2014-04-29 12:00:00.000000000 +0200
+++ tre-0.8.0/debian/control	2016-11-27 23:00:00.000000000 +0100
@@ -4,7 +4,7 @@
 Maintainer: Santiago Vila <sanvila@debian.org>
 Uploaders: Milan Zamazal <pdm@debian.org>
 Standards-Version: 3.9.5
-Build-Depends: gettext (>= 0.18.1.1-8), debhelper (>= 9)
+Build-Depends: gettext (>= 0.18.1.1-8), debhelper (>= 9), locales-all
 
 Package: libtre5
 Architecture: any
diff -Nru tre-0.8.0/debian/patches/03-cve-2016-8859 tre-0.8.0/debian/patches/03-cve-2016-8859
--- tre-0.8.0/debian/patches/03-cve-2016-8859	1970-01-01 01:00:00.000000000 +0100
+++ tre-0.8.0/debian/patches/03-cve-2016-8859	2016-11-27 23:03:00.000000000 +0100
@@ -0,0 +1,73 @@
+From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Thu, 6 Oct 2016 18:34:58 -0400
+Subject: fix missing integer overflow checks in regexec buffer size
+ computations
+
+most of the possible overflows were already ruled out in practice by
+regcomp having already succeeded performing larger allocations.
+however at least the num_states*num_tags multiplication can clearly
+overflow in practice. for safety, check them all, and use the proper
+type, size_t, rather than int.
+
+also improve comments, use calloc in place of malloc+memset, and
+remove bogus casts.
+---
+ src/regex/regexec.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+Note: patch was modified to apply to tre, parts were taken from
+https://github.com/laurikari/tre/issues/37
+
+--- a/lib/tre-match-parallel.c
++++ b/lib/tre-match-parallel.c
+@@ -59,6 +59,7 @@
+ #ifdef HAVE_MALLOC_H
+ #include <malloc.h>
+ #endif /* HAVE_MALLOC_H */
++#include <stdint.h>
+ 
+ #include "tre-internal.h"
+ #include "tre-match-utils.h"
+@@ -150,11 +151,24 @@
+ 
+   /* Allocate memory for temporary data required for matching.	This needs to
+      be done for every matching operation to be thread safe.  This allocates
+-     everything in a single large block from the stack frame using alloca()
+-     or with malloc() if alloca is unavailable. */
++     everything in a single large block with calloc(). */
+   {
+-    int tbytes, rbytes, pbytes, xbytes, total_bytes;
++    size_t tbytes, rbytes, pbytes, xbytes, total_bytes;
+     char *tmp_buf;
++
++    /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
++     * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
++    if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))
++      return REG_BADPAT;
++
++    /* Likewise check rbytes. */
++    if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
++      return REG_BADPAT;
++
++    /* Likewise check pbytes. */
++    if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
++      return REG_BADPAT;
++
+     /* Compute the length of the block we need. */
+     tbytes = sizeof(*tmp_tags) * num_tags;
+     rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
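Review bot: the first guard, `num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states)`, divides by an expression containing tnfa->num_states before num_states itself has been bounded, and nothing in the visible lines shows that the divisor cannot be zero or wrap. The rbytes and pbytes guards are the ones that bound num_states, so moving them ahead of the tbytes guard (and confirming num_states is at least 1 on this path) would make the first division safe by construction. The guard also hard-codes sizeof(int) while the computation below uses sizeof(*tmp_tags); using sizeof(*tmp_tags) in both places keeps the check and the allocation in agreement if the element type ever changes.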
+@@ -168,11 +182,11 @@
+ #ifdef TRE_USE_ALLOCA
+     buf = alloca(total_bytes);
+ #else /* !TRE_USE_ALLOCA */
+-    buf = xmalloc((unsigned)total_bytes);
++    buf = xmalloc(total_bytes);
+ #endif /* !TRE_USE_ALLOCA */
+     if (buf == NULL)
+       return REG_ESPACE;
+-    memset(buf, 0, (size_t)total_bytes);
++    memset(buf, 0, total_bytes);
+ 
+     /* Get the various pointers within tmp_buf (properly aligned). */
+     tmp_tags = (void *)buf;
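Review bot: the updated comment in the previous hunk says the block is allocated "with calloc()", and the quoted commit message says "use calloc in place of malloc+memset", but this hunk still allocates with alloca() or xmalloc() followed by memset(). Either keep the original wording of the comment for the tre port or actually switch the non-alloca branch to calloc. In the TRE_USE_ALLOCA branch, a total_bytes value that passes the new guards can still be very large (each component is only limited to 1/8 of SIZE_MAX), and the `buf == NULL` test does not protect an alloca() call, so it is worth stating in the patch header whether Debian builds define TRE_USE_ALLOCA.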
diff -Nru tre-0.8.0/debian/patches/series tre-0.8.0/debian/patches/series
--- tre-0.8.0/debian/patches/series	2014-04-29 12:00:00.000000000 +0200
+++ tre-0.8.0/debian/patches/series	2016-11-27 23:00:00.000000000 +0100
@@ -1,3 +1,4 @@
 01-agrep-is-called-tre-agrep-here
 02-added-de-po-translation
+03-cve-2016-8859
 99-autoreconf
diff -Nru tre-0.8.0/debian/rules tre-0.8.0/debian/rules
--- tre-0.8.0/debian/rules	2014-04-29 12:00:00.000000000 +0200
+++ tre-0.8.0/debian/rules	2016-11-27 23:00:00.000000000 +0100
@@ -6,8 +6,6 @@
 	dh_clean
 	cd po && rm -f *.gmo
 
-override_dh_auto_test:
-
 override_dh_auto_configure:
 	touch -d "2014-04-29 12:00" `cat debian/modified-files.txt`
 	dh_auto_configure -- --enable-static
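Review bot: dropping the empty `override_dh_auto_test:` target turns the upstream test suite on at build time, but the changelog only mentions locales-all as "required to run the test suite" and never states that the suite is being enabled in this stable update. Suggest adding an explicit changelog line for it, since a newly enabled test suite can cause build failures on some architectures and the release team should see that change called out.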

--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
