[OE-core] [PATCH] libpcre2: fix CVE-2017-7186
ChenQi
Qi.Chen at windriver.com
Thu Mar 7 08:52:34 UTC 2019
This patch seems to cause
https://autobuilder.yoctoproject.org/typhoon/#/builders/73/builds/370/steps/7/logs/errors
Best Regards,
Chen Qi
On 03/07/2019 06:51 AM, Ross Burton wrote:
> Signed-off-by: Ross Burton <ross.burton at intel.com>
> ---
> .../libpcre/libpcre2/CVE-2017-7186.patch | 83 ++++++++++++++++++++++
> meta/recipes-support/libpcre/libpcre2_10.32.bb | 1 +
> 2 files changed, 84 insertions(+)
> create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
>
> diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
> new file mode 100644
> index 00000000000..7cd7c27c6c0
> --- /dev/null
> +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
> @@ -0,0 +1,83 @@
> +libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to
> +cause a denial of service (segmentation violation for read access, and
> +application crash) by triggering an invalid Unicode property lookup.
> +
> +CVE: CVE-2017-7186
> +Upstream-Status: Backport
> +Signed-off-by: Ross Burton <ross.burton at intel.com>
> +
> +---
> + src/pcre2_internal.h | 15 ++++++++++++++-
> + src/pcre2_ucd.c | 14 ++++++++++++++
> + 2 files changed, 28 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/pcre2_internal.h b/src/pcre2_internal.h
> +index 6a8774c..720bbc9 100644
> +--- a/src/pcre2_internal.h
> ++++ b/src/pcre2_internal.h
> +@@ -1774,10 +1774,17 @@ typedef struct {
> + /* UCD access macros */
> +
> + #define UCD_BLOCK_SIZE 128
> +-#define GET_UCD(ch) (PRIV(ucd_records) + \
> ++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
> + PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
> + UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
> +
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \
> ++ PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
> ++#else
> ++#define GET_UCD(ch) REAL_GET_UCD(ch)
> ++#endif
> ++
> + #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype
> + #define UCD_SCRIPT(ch) GET_UCD(ch)->script
> + #define UCD_CATEGORY(ch) PRIV(ucp_gentype)[UCD_CHARTYPE(ch)]
> +@@ -1834,6 +1841,9 @@ extern const uint8_t PRIV(utf8_table4)[];
> + #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_)
> + #define _pcre2_default_match_context PCRE2_SUFFIX(_pcre2_default_match_context_)
> + #define _pcre2_default_tables PCRE2_SUFFIX(_pcre2_default_tables_)
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++#define _pcre2_dummy_ucd_record PCRE2_SUFFIX(_pcre2_dummy_ucd_record_)
> ++#endif
> + #define _pcre2_hspace_list PCRE2_SUFFIX(_pcre2_hspace_list_)
> + #define _pcre2_vspace_list PCRE2_SUFFIX(_pcre2_vspace_list_)
> + #define _pcre2_ucd_caseless_sets PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_)
> +@@ -1858,6 +1868,9 @@ extern const uint32_t PRIV(hspace_list)[];
> + extern const uint32_t PRIV(vspace_list)[];
> + extern const uint32_t PRIV(ucd_caseless_sets)[];
> + extern const ucd_record PRIV(ucd_records)[];
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++extern const ucd_record PRIV(dummy_ucd_record)[];
> ++#endif
> + extern const uint8_t PRIV(ucd_stage1)[];
> + extern const uint16_t PRIV(ucd_stage2)[];
> + extern const uint32_t PRIV(ucp_gbtable)[];
> +diff --git a/src/pcre2_ucd.c b/src/pcre2_ucd.c
> +index 116f537..56aa29d 100644
> +--- a/src/pcre2_ucd.c
> ++++ b/src/pcre2_ucd.c
> +@@ -41,6 +41,20 @@ const uint32_t PRIV(ucd_caseless_sets)[] = {0};
> +
> + const char *PRIV(unicode_version) = "8.0.0";
> +
> ++/* If the 32-bit library is run in non-32-bit mode, character values
> ++greater than 0x10ffff may be encountered. For these we set up a
> ++special record. */
> ++
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++const ucd_record PRIV(dummy_ucd_record)[] = {{
> ++ ucp_Common, /* script */
> ++ ucp_Cn, /* type unassigned */
> ++ ucp_gbOther, /* grapheme break property */
> ++ 0, /* case set */
> ++ 0, /* other case */
> ++ }};
> ++#endif
> ++
> + /* When recompiling tables with a new Unicode version, please check the
> + types in this structure definition from pcre2_internal.h (the actual
> + field names will be different):
> +--
> +2.12.1
> diff --git a/meta/recipes-support/libpcre/libpcre2_10.32.bb b/meta/recipes-support/libpcre/libpcre2_10.32.bb
> index 3a0aa53029f..59953626c74 100644
> --- a/meta/recipes-support/libpcre/libpcre2_10.32.bb
> +++ b/meta/recipes-support/libpcre/libpcre2_10.32.bb
> @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=cf66d307bf03bae65d413eb7a8e603a0"
>
> SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
> file://pcre-cross.patch \
> + file://CVE-2017-7186.patch \
> "
>
> SRC_URI[md5sum] = "8a096287153fb994970df3570e90fcb5"
More information about the Openembedded-core
mailing list