| Message ID | 20190306225101.10727-1-ross.burton@intel.com |
|---|---|
| State | New |
| Headers | show |
| Series | libpcre2: fix CVE-2017-7186 | expand |
This patch seems to cause https://autobuilder.yoctoproject.org/typhoon/#/builders/73/builds/370/steps/7/logs/errors Best Regards, Chen Qi On 03/07/2019 06:51 AM, Ross Burton wrote: > Signed-off-by: Ross Burton <ross.burton@intel.com> > --- > .../libpcre/libpcre2/CVE-2017-7186.patch | 83 ++++++++++++++++++++++ > meta/recipes-support/libpcre/libpcre2_10.32.bb | 1 + > 2 files changed, 84 insertions(+) > create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch > > diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch > new file mode 100644 > index 00000000000..7cd7c27c6c0 > --- /dev/null > +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch > @@ -0,0 +1,83 @@ > +libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to > +cause a denial of service (segmentation violation for read access, and > +application crash) by triggering an invalid Unicode property lookup. > + > +CVE: CVE-2017-7186 > +Upstream-Status: Backport > +Signed-off-by: Ross Burton <ross.burton@intel.com> > + > +--- > + src/pcre2_internal.h | 15 ++++++++++++++- > + src/pcre2_ucd.c | 14 ++++++++++++++ > + 2 files changed, 28 insertions(+), 1 deletion(-) > + > +diff --git a/src/pcre2_internal.h b/src/pcre2_internal.h > +index 6a8774c..720bbc9 100644 > +--- a/src/pcre2_internal.h > ++++ b/src/pcre2_internal.h > +@@ -1774,10 +1774,17 @@ typedef struct { > + /* UCD access macros */ > + > + #define UCD_BLOCK_SIZE 128 > +-#define GET_UCD(ch) (PRIV(ucd_records) + \ > ++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \ > + PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \ > + UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE]) > + > ++#if PCRE2_CODE_UNIT_WIDTH == 32 > ++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \ > ++ PRIV(dummy_ucd_record) : REAL_GET_UCD(ch)) > ++#else > ++#define GET_UCD(ch) REAL_GET_UCD(ch) > ++#endif > ++ > + #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype > + #define UCD_SCRIPT(ch) GET_UCD(ch)->script > + #define UCD_CATEGORY(ch) PRIV(ucp_gentype)[UCD_CHARTYPE(ch)] > +@@ -1834,6 +1841,9 @@ extern const uint8_t PRIV(utf8_table4)[]; > + #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_) > + #define _pcre2_default_match_context PCRE2_SUFFIX(_pcre2_default_match_context_) > + #define _pcre2_default_tables PCRE2_SUFFIX(_pcre2_default_tables_) > ++#if PCRE2_CODE_UNIT_WIDTH == 32 > ++#define _pcre2_dummy_ucd_record PCRE2_SUFFIX(_pcre2_dummy_ucd_record_) > ++#endif > + #define _pcre2_hspace_list PCRE2_SUFFIX(_pcre2_hspace_list_) > + #define _pcre2_vspace_list PCRE2_SUFFIX(_pcre2_vspace_list_) > + #define _pcre2_ucd_caseless_sets PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_) > +@@ -1858,6 +1868,9 @@ extern const uint32_t PRIV(hspace_list)[]; > + extern const uint32_t PRIV(vspace_list)[]; > + extern const uint32_t PRIV(ucd_caseless_sets)[]; > + extern const ucd_record PRIV(ucd_records)[]; > ++#if PCRE2_CODE_UNIT_WIDTH == 32 > ++extern const ucd_record PRIV(dummy_ucd_record)[]; > ++#endif > + extern const uint8_t PRIV(ucd_stage1)[]; > + extern const uint16_t PRIV(ucd_stage2)[]; > + extern const uint32_t PRIV(ucp_gbtable)[]; > +diff --git a/src/pcre2_ucd.c b/src/pcre2_ucd.c > +index 116f537..56aa29d 100644 > +--- a/src/pcre2_ucd.c > ++++ b/src/pcre2_ucd.c > +@@ -41,6 +41,20 @@ const uint32_t PRIV(ucd_caseless_sets)[] = {0}; > + > + const char *PRIV(unicode_version) = "8.0.0"; > + > ++/* If the 32-bit library is run in non-32-bit mode, character values > ++greater than 0x10ffff may be encountered. For these we set up a > ++special record. */ > ++ > ++#if PCRE2_CODE_UNIT_WIDTH == 32 > ++const ucd_record PRIV(dummy_ucd_record)[] = {{ > ++ ucp_Common, /* script */ > ++ ucp_Cn, /* type unassigned */ > ++ ucp_gbOther, /* grapheme break property */ > ++ 0, /* case set */ > ++ 0, /* other case */ > ++ }}; > ++#endif > ++ > + /* When recompiling tables with a new Unicode version, please check the > + types in this structure definition from pcre2_internal.h (the actual > + field names will be different): > +-- > +2.12.1 > diff --git a/meta/recipes-support/libpcre/libpcre2_10.32.bb b/meta/recipes-support/libpcre/libpcre2_10.32.bb > index 3a0aa53029f..59953626c74 100644 > --- a/meta/recipes-support/libpcre/libpcre2_10.32.bb > +++ b/meta/recipes-support/libpcre/libpcre2_10.32.bb > @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=cf66d307bf03bae65d413eb7a8e603a0" > > SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ > file://pcre-cross.patch \ > + file://CVE-2017-7186.patch \ > " > > SRC_URI[md5sum] = "8a096287153fb994970df3570e90fcb5" -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Retracting this, I can't tell the difference between 10.32 and 10.23. Ross On Wed, 6 Mar 2019 at 22:51, Ross Burton <ross.burton@intel.com> wrote: > > Signed-off-by: Ross Burton <ross.burton@intel.com> > --- > .../libpcre/libpcre2/CVE-2017-7186.patch | 83 ++++++++++++++++++++++ > meta/recipes-support/libpcre/libpcre2_10.32.bb | 1 + > 2 files changed, 84 insertions(+) > create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch > > diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch > new file mode 100644 > index 00000000000..7cd7c27c6c0 > --- /dev/null > +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch > @@ -0,0 +1,83 @@ > +libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to > +cause a denial of service (segmentation violation for read access, and > +application crash) by triggering an invalid Unicode property lookup. > + > +CVE: CVE-2017-7186 > +Upstream-Status: Backport > +Signed-off-by: Ross Burton <ross.burton@intel.com> > + > +--- > + src/pcre2_internal.h | 15 ++++++++++++++- > + src/pcre2_ucd.c | 14 ++++++++++++++ > + 2 files changed, 28 insertions(+), 1 deletion(-) > + > +diff --git a/src/pcre2_internal.h b/src/pcre2_internal.h > +index 6a8774c..720bbc9 100644 > +--- a/src/pcre2_internal.h > ++++ b/src/pcre2_internal.h > +@@ -1774,10 +1774,17 @@ typedef struct { > + /* UCD access macros */ > + > + #define UCD_BLOCK_SIZE 128 > +-#define GET_UCD(ch) (PRIV(ucd_records) + \ > ++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \ > + PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \ > + UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE]) > + > ++#if PCRE2_CODE_UNIT_WIDTH == 32 > ++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \ > ++ PRIV(dummy_ucd_record) : REAL_GET_UCD(ch)) > ++#else > ++#define GET_UCD(ch) REAL_GET_UCD(ch) > ++#endif > ++ > + #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype > + #define UCD_SCRIPT(ch) GET_UCD(ch)->script > + #define UCD_CATEGORY(ch) PRIV(ucp_gentype)[UCD_CHARTYPE(ch)] > +@@ -1834,6 +1841,9 @@ extern const uint8_t PRIV(utf8_table4)[]; > + #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_) > + #define _pcre2_default_match_context PCRE2_SUFFIX(_pcre2_default_match_context_) > + #define _pcre2_default_tables PCRE2_SUFFIX(_pcre2_default_tables_) > ++#if PCRE2_CODE_UNIT_WIDTH == 32 > ++#define _pcre2_dummy_ucd_record PCRE2_SUFFIX(_pcre2_dummy_ucd_record_) > ++#endif > + #define _pcre2_hspace_list PCRE2_SUFFIX(_pcre2_hspace_list_) > + #define _pcre2_vspace_list PCRE2_SUFFIX(_pcre2_vspace_list_) > + #define _pcre2_ucd_caseless_sets PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_) > +@@ -1858,6 +1868,9 @@ extern const uint32_t PRIV(hspace_list)[]; > + extern const uint32_t PRIV(vspace_list)[]; > + extern const uint32_t PRIV(ucd_caseless_sets)[]; > + extern const ucd_record PRIV(ucd_records)[]; > ++#if PCRE2_CODE_UNIT_WIDTH == 32 > ++extern const ucd_record PRIV(dummy_ucd_record)[]; > ++#endif > + extern const uint8_t PRIV(ucd_stage1)[]; > + extern const uint16_t PRIV(ucd_stage2)[]; > + extern const uint32_t PRIV(ucp_gbtable)[]; > +diff --git a/src/pcre2_ucd.c b/src/pcre2_ucd.c > +index 116f537..56aa29d 100644 > +--- a/src/pcre2_ucd.c > ++++ b/src/pcre2_ucd.c > +@@ -41,6 +41,20 @@ const uint32_t PRIV(ucd_caseless_sets)[] = {0}; > + > + const char *PRIV(unicode_version) = "8.0.0"; > + > ++/* If the 32-bit library is run in non-32-bit mode, character values > ++greater than 0x10ffff may be encountered. For these we set up a > ++special record. */ > ++ > ++#if PCRE2_CODE_UNIT_WIDTH == 32 > ++const ucd_record PRIV(dummy_ucd_record)[] = {{ > ++ ucp_Common, /* script */ > ++ ucp_Cn, /* type unassigned */ > ++ ucp_gbOther, /* grapheme break property */ > ++ 0, /* case set */ > ++ 0, /* other case */ > ++ }}; > ++#endif > ++ > + /* When recompiling tables with a new Unicode version, please check the > + types in this structure definition from pcre2_internal.h (the actual > + field names will be different): > +-- > +2.12.1 > diff --git a/meta/recipes-support/libpcre/libpcre2_10.32.bb b/meta/recipes-support/libpcre/libpcre2_10.32.bb > index 3a0aa53029f..59953626c74 100644 > --- a/meta/recipes-support/libpcre/libpcre2_10.32.bb > +++ b/meta/recipes-support/libpcre/libpcre2_10.32.bb > @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=cf66d307bf03bae65d413eb7a8e603a0" > > SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ > file://pcre-cross.patch \ > + file://CVE-2017-7186.patch \ > " > > SRC_URI[md5sum] = "8a096287153fb994970df3570e90fcb5" > -- > 2.11.0 > -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch new file mode 100644 index 00000000000..7cd7c27c6c0 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch @@ -0,0 +1,83 @@ +libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to +cause a denial of service (segmentation violation for read access, and +application crash) by triggering an invalid Unicode property lookup. + +CVE: CVE-2017-7186 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +--- + src/pcre2_internal.h | 15 ++++++++++++++- + src/pcre2_ucd.c | 14 ++++++++++++++ + 2 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/src/pcre2_internal.h b/src/pcre2_internal.h +index 6a8774c..720bbc9 100644 +--- a/src/pcre2_internal.h ++++ b/src/pcre2_internal.h +@@ -1774,10 +1774,17 @@ typedef struct { + /* UCD access macros */ + + #define UCD_BLOCK_SIZE 128 +-#define GET_UCD(ch) (PRIV(ucd_records) + \ ++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \ + PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \ + UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE]) + ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \ ++ PRIV(dummy_ucd_record) : REAL_GET_UCD(ch)) ++#else ++#define GET_UCD(ch) REAL_GET_UCD(ch) ++#endif ++ + #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype + #define UCD_SCRIPT(ch) GET_UCD(ch)->script + #define UCD_CATEGORY(ch) PRIV(ucp_gentype)[UCD_CHARTYPE(ch)] +@@ -1834,6 +1841,9 @@ extern const uint8_t PRIV(utf8_table4)[]; + #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_) + #define _pcre2_default_match_context PCRE2_SUFFIX(_pcre2_default_match_context_) + #define _pcre2_default_tables PCRE2_SUFFIX(_pcre2_default_tables_) ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++#define _pcre2_dummy_ucd_record PCRE2_SUFFIX(_pcre2_dummy_ucd_record_) ++#endif + #define _pcre2_hspace_list PCRE2_SUFFIX(_pcre2_hspace_list_) + #define _pcre2_vspace_list PCRE2_SUFFIX(_pcre2_vspace_list_) + #define _pcre2_ucd_caseless_sets PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_) +@@ -1858,6 +1868,9 @@ extern const uint32_t PRIV(hspace_list)[]; + extern const uint32_t PRIV(vspace_list)[]; + extern const uint32_t PRIV(ucd_caseless_sets)[]; + extern const ucd_record PRIV(ucd_records)[]; ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++extern const ucd_record PRIV(dummy_ucd_record)[]; ++#endif + extern const uint8_t PRIV(ucd_stage1)[]; + extern const uint16_t PRIV(ucd_stage2)[]; + extern const uint32_t PRIV(ucp_gbtable)[]; +diff --git a/src/pcre2_ucd.c b/src/pcre2_ucd.c +index 116f537..56aa29d 100644 +--- a/src/pcre2_ucd.c ++++ b/src/pcre2_ucd.c +@@ -41,6 +41,20 @@ const uint32_t PRIV(ucd_caseless_sets)[] = {0}; + + const char *PRIV(unicode_version) = "8.0.0"; + ++/* If the 32-bit library is run in non-32-bit mode, character values ++greater than 0x10ffff may be encountered. For these we set up a ++special record. */ ++ ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++const ucd_record PRIV(dummy_ucd_record)[] = {{ ++ ucp_Common, /* script */ ++ ucp_Cn, /* type unassigned */ ++ ucp_gbOther, /* grapheme break property */ ++ 0, /* case set */ ++ 0, /* other case */ ++ }}; ++#endif ++ + /* When recompiling tables with a new Unicode version, please check the + types in this structure definition from pcre2_internal.h (the actual + field names will be different): +-- +2.12.1 diff --git a/meta/recipes-support/libpcre/libpcre2_10.32.bb b/meta/recipes-support/libpcre/libpcre2_10.32.bb index 3a0aa53029f..59953626c74 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.32.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.32.bb @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=cf66d307bf03bae65d413eb7a8e603a0" SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ file://pcre-cross.patch \ + file://CVE-2017-7186.patch \ " SRC_URI[md5sum] = "8a096287153fb994970df3570e90fcb5"
Signed-off-by: Ross Burton <ross.burton@intel.com> --- .../libpcre/libpcre2/CVE-2017-7186.patch | 83 ++++++++++++++++++++++ meta/recipes-support/libpcre/libpcre2_10.32.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core