GNU bug report logs -
#26431
[PATCH 0/2] Fix CVE-2017-7186 in pcre and pcre2
Previous Next
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Mon, 10 Apr 2017 13:41:01 UTC
Severity: normal
Tags: patch
Done: ludo <at> gnu.org (Ludovic Courtès)
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 26431 in the body.
You can then email your comments to 26431 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#26431; Package
guix-patches.
(Mon, 10 Apr 2017 13:41:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Ludovic Courtès <ludo <at> gnu.org>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Mon, 10 Apr 2017 13:41:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello,
These patches fix <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>
in pcre and pcre2 using the upstream patches referenced in the CVE database.
Ludo'.
Ludovic Courtès (2):
gnu: pcre2: Patch CVE-2017-7186.
gnu: pcre: Patch CVE-2017-7186.
gnu/local.mk | 2 +
gnu/packages/patches/pcre-CVE-2017-7186.patch | 55 +++++++++++++++++++++
gnu/packages/patches/pcre2-CVE-2017-7186.patch | 67 ++++++++++++++++++++++++++
gnu/packages/pcre.scm | 13 ++++-
4 files changed, 136 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/pcre-CVE-2017-7186.patch
create mode 100644 gnu/packages/patches/pcre2-CVE-2017-7186.patch
--
2.12.2
Information forwarded
to
guix-patches <at> gnu.org:
bug#26431; Package
guix-patches.
(Mon, 10 Apr 2017 13:44:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 26431 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/pcre2-CVE-2017-7186.patch: New file.
* gnu/packages/pcre.scm (pcre2)[source]: Use it.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/patches/pcre2-CVE-2017-7186.patch | 67 ++++++++++++++++++++++++++
gnu/packages/pcre.scm | 3 +-
3 files changed, 70 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/pcre2-CVE-2017-7186.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index a8d006601..c3a65789a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -825,6 +825,7 @@ dist_patch_DATA = \
%D%/packages/patches/patchelf-rework-for-arm.patch \
%D%/packages/patches/patchutils-xfail-gendiff-tests.patch \
%D%/packages/patches/patch-hurd-path-max.patch \
+ %D%/packages/patches/pcre2-CVE-2017-7186.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \
%D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
diff --git a/gnu/packages/patches/pcre2-CVE-2017-7186.patch b/gnu/packages/patches/pcre2-CVE-2017-7186.patch
new file mode 100644
index 000000000..482f07a1f
--- /dev/null
+++ b/gnu/packages/patches/pcre2-CVE-2017-7186.patch
@@ -0,0 +1,67 @@
+Upstream patch for <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>.
+
+--- trunk/src/pcre2_internal.h 2016/11/19 12:46:24 600
++++ trunk/src/pcre2_internal.h 2017/02/24 18:25:32 670
+@@ -1774,10 +1774,17 @@
+ /* UCD access macros */
+
+ #define UCD_BLOCK_SIZE 128
+-#define GET_UCD(ch) (PRIV(ucd_records) + \
++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
+ PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
+ UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
+
++#if PCRE2_CODE_UNIT_WIDTH == 32
++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \
++ PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
++#else
++#define GET_UCD(ch) REAL_GET_UCD(ch)
++#endif
++
+ #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype
+ #define UCD_SCRIPT(ch) GET_UCD(ch)->script
+ #define UCD_CATEGORY(ch) PRIV(ucp_gentype)[UCD_CHARTYPE(ch)]
+@@ -1834,6 +1841,9 @@
+ #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_)
+ #define _pcre2_default_match_context PCRE2_SUFFIX(_pcre2_default_match_context_)
+ #define _pcre2_default_tables PCRE2_SUFFIX(_pcre2_default_tables_)
++#if PCRE2_CODE_UNIT_WIDTH == 32
++#define _pcre2_dummy_ucd_record PCRE2_SUFFIX(_pcre2_dummy_ucd_record_)
++#endif
+ #define _pcre2_hspace_list PCRE2_SUFFIX(_pcre2_hspace_list_)
+ #define _pcre2_vspace_list PCRE2_SUFFIX(_pcre2_vspace_list_)
+ #define _pcre2_ucd_caseless_sets PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_)
+@@ -1858,6 +1868,9 @@
+ extern const uint32_t PRIV(vspace_list)[];
+ extern const uint32_t PRIV(ucd_caseless_sets)[];
+ extern const ucd_record PRIV(ucd_records)[];
++#if PCRE2_CODE_UNIT_WIDTH == 32
++extern const ucd_record PRIV(dummy_ucd_record)[];
++#endif
+ extern const uint8_t PRIV(ucd_stage1)[];
+ extern const uint16_t PRIV(ucd_stage2)[];
+ extern const uint32_t PRIV(ucp_gbtable)[];
+
+--- trunk/src/pcre2_ucd.c 2015/07/17 15:44:51 316
++++ trunk/src/pcre2_ucd.c 2017/02/24 18:25:32 670
+@@ -41,6 +41,20 @@
+
+ const char *PRIV(unicode_version) = "8.0.0";
+
++/* If the 32-bit library is run in non-32-bit mode, character values
++greater than 0x10ffff may be encountered. For these we set up a
++special record. */
++
++#if PCRE2_CODE_UNIT_WIDTH == 32
++const ucd_record PRIV(dummy_ucd_record)[] = {{
++ ucp_Common, /* script */
++ ucp_Cn, /* type unassigned */
++ ucp_gbOther, /* grapheme break property */
++ 0, /* case set */
++ 0, /* other case */
++ }};
++#endif
++
+ /* When recompiling tables with a new Unicode version, please check the
+ types in this structure definition from pcre2_internal.h (the actual
+ field names will be different):
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 011a30dd3..9f610e59f 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -81,7 +81,8 @@ POSIX regular expression API.")
(sha256
(base32
- "0vn5g0mkkp99mmzpissa06hpyj6pk9s4mlwbjqrjvw3ihy8rpiyz"))))
+ "0vn5g0mkkp99mmzpissa06hpyj6pk9s4mlwbjqrjvw3ihy8rpiyz"))
+ (patches (search-patches "pcre2-CVE-2017-7186.patch"))))
(build-system gnu-build-system)
(inputs `(("bzip2" ,bzip2)
("readline" ,readline)
--
2.12.2
Information forwarded
to
guix-patches <at> gnu.org:
bug#26431; Package
guix-patches.
(Mon, 10 Apr 2017 13:44:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 26431 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/pcre-CVE-2017-7186.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/pcre.scm (pcre)[replacement]: New field.
(pcre/fixed): New variable.
---
gnu/local.mk | 1 +
gnu/packages/patches/pcre-CVE-2017-7186.patch | 55 +++++++++++++++++++++++++++
gnu/packages/pcre.scm | 10 +++++
3 files changed, 66 insertions(+)
create mode 100644 gnu/packages/patches/pcre-CVE-2017-7186.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index c3a65789a..5782f8390 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -825,6 +825,7 @@ dist_patch_DATA = \
%D%/packages/patches/patchelf-rework-for-arm.patch \
%D%/packages/patches/patchutils-xfail-gendiff-tests.patch \
%D%/packages/patches/patch-hurd-path-max.patch \
+ %D%/packages/patches/pcre-CVE-2017-7186.patch \
%D%/packages/patches/pcre2-CVE-2017-7186.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \
diff --git a/gnu/packages/patches/pcre-CVE-2017-7186.patch b/gnu/packages/patches/pcre-CVE-2017-7186.patch
new file mode 100644
index 000000000..b8b112230
--- /dev/null
+++ b/gnu/packages/patches/pcre-CVE-2017-7186.patch
@@ -0,0 +1,55 @@
+Upstream patch for <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>.
+
+--- trunk/pcre_internal.h 2016/05/21 13:34:44 1649
++++ trunk/pcre_internal.h 2017/02/24 17:30:30 1688
+@@ -2772,6 +2772,9 @@
+ extern const pcre_uint16 PRIV(ucd_stage2)[];
+ extern const pcre_uint32 PRIV(ucp_gentype)[];
+ extern const pcre_uint32 PRIV(ucp_gbtable)[];
++#ifdef COMPILE_PCRE32
++extern const ucd_record PRIV(dummy_ucd_record)[];
++#endif
+ #ifdef SUPPORT_JIT
+ extern const int PRIV(ucp_typerange)[];
+ #endif
+@@ -2780,9 +2783,15 @@
+ /* UCD access macros */
+
+ #define UCD_BLOCK_SIZE 128
+-#define GET_UCD(ch) (PRIV(ucd_records) + \
++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
+ PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
+ UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
++
++#ifdef COMPILE_PCRE32
++#define GET_UCD(ch) ((ch > 0x10ffff)? PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
++#else
++#define GET_UCD(ch) REAL_GET_UCD(ch)
++#endif
+
+ #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype
+ #define UCD_SCRIPT(ch) GET_UCD(ch)->script
+
+--- trunk/pcre_ucd.c 2014/06/19 07:51:39 1490
++++ trunk/pcre_ucd.c 2017/02/24 17:30:30 1688
+@@ -38,6 +38,20 @@
+ const pcre_uint32 PRIV(ucd_caseless_sets)[] = {0};
+ #else
+
++/* If the 32-bit library is run in non-32-bit mode, character values
++greater than 0x10ffff may be encountered. For these we set up a
++special record. */
++
++#ifdef COMPILE_PCRE32
++const ucd_record PRIV(dummy_ucd_record)[] = {{
++ ucp_Common, /* script */
++ ucp_Cn, /* type unassigned */
++ ucp_gbOther, /* grapheme break property */
++ 0, /* case set */
++ 0, /* other case */
++ }};
++#endif
++
+ /* When recompiling tables with a new Unicode version, please check the
+ types in this structure definition from pcre_internal.h (the actual
+ field names will be different):
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 9f610e59f..1946f5229 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2015 Ricardo Wurmus <rekado <at> elephly.net>
;;; Copyright © 2016 Leo Famulari <leo <at> famulari.name>
;;; Copyright © 2017 Marius Bakke <mbakke <at> fastmail.com>
+;;; Copyright © 2017 Ludovic Courtès <ludo <at> gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -33,6 +34,7 @@
(package
(name "pcre")
(version "8.40")
+ (replacement pcre/fixed)
(source (origin
(method url-fetch)
(uri (list
@@ -70,6 +72,14 @@ POSIX regular expression API.")
(license license:bsd-3)
(home-page "http://www.pcre.org/")))
+(define pcre/fixed
+ (package
+ (inherit pcre)
+ (replacement #f)
+ (source (origin
+ (inherit (package-source pcre))
+ (patches (search-patches "pcre-CVE-2017-7186.patch"))))))
+
(define-public pcre2
(package
(name "pcre2")
--
2.12.2
Information forwarded
to
guix-patches <at> gnu.org:
bug#26431; Package
guix-patches.
(Mon, 10 Apr 2017 17:02:01 GMT)
Full text and
rfc822 format available.
Message #14 received at 26431 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hello,
>
> These patches fix <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>
> in pcre and pcre2 using the upstream patches referenced in the CVE database.
>
> Ludo'.
>
> Ludovic Courtès (2):
> gnu: pcre2: Patch CVE-2017-7186.
> gnu: pcre: Patch CVE-2017-7186.
Thank you for these! Please add URLs to the upstream fixes in the patch
headers:
https://vcs.pcre.org/pcre?view=revision&revision=1688
https://vcs.pcre.org/pcre2?view=revision&revision=670
LGTM apart from that :)
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
ludo <at> gnu.org (Ludovic Courtès):
You have taken responsibility.
(Mon, 10 Apr 2017 21:58:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Ludovic Courtès <ludo <at> gnu.org>:
bug acknowledged by developer.
(Mon, 10 Apr 2017 21:58:02 GMT)
Full text and
rfc822 format available.
Message #19 received at 26431-done <at> debbugs.gnu.org (full text, mbox):
Heya,
Marius Bakke <mbakke <at> fastmail.com> skribis:
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Hello,
>>
>> These patches fix <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>
>> in pcre and pcre2 using the upstream patches referenced in the CVE database.
>>
>> Ludo'.
>>
>> Ludovic Courtès (2):
>> gnu: pcre2: Patch CVE-2017-7186.
>> gnu: pcre: Patch CVE-2017-7186.
>
> Thank you for these! Please add URLs to the upstream fixes in the patch
> headers:
>
> https://vcs.pcre.org/pcre?view=revision&revision=1688
> https://vcs.pcre.org/pcre2?view=revision&revision=670
Done and pushed, thanks for your quick reply!
FWIW there’s still work to do on pcre:
$ ./pre-inst-env guix lint -c cve pcre pcre2
gnu/packages/pcre.scm:76:2: pcre <at> 8.40: probably vulnerable to CVE-2017-7244, CVE-2017-7245, CVE-2017-7246
Ludo’.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Tue, 09 May 2017 11:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 8 years and 44 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.