[OE-core] [PATCH] libpcre2: fix CVE-2017-7186

ChenQi Qi.Chen at windriver.com
Thu Mar 7 08:52:34 UTC 2019 

This patch seems to cause 
https://autobuilder.yoctoproject.org/typhoon/#/builders/73/builds/370/steps/7/logs/errors

Best Regards,
Chen Qi

On 03/07/2019 06:51 AM, Ross Burton wrote:
> Signed-off-by: Ross Burton <ross.burton at intel.com>
> ---
>   .../libpcre/libpcre2/CVE-2017-7186.patch           | 83 ++++++++++++++++++++++
>   meta/recipes-support/libpcre/libpcre2_10.32.bb     |  1 +
>   2 files changed, 84 insertions(+)
>   create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
>
> diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
> new file mode 100644
> index 00000000000..7cd7c27c6c0
> --- /dev/null
> +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
> @@ -0,0 +1,83 @@
> +libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to
> +cause a denial of service (segmentation violation for read access, and
> +application crash) by triggering an invalid Unicode property lookup.	
> +
> +CVE: CVE-2017-7186
> +Upstream-Status: Backport
> +Signed-off-by: Ross Burton <ross.burton at intel.com>
> +
> +---
> + src/pcre2_internal.h | 15 ++++++++++++++-
> + src/pcre2_ucd.c      | 14 ++++++++++++++
> + 2 files changed, 28 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/pcre2_internal.h b/src/pcre2_internal.h
> +index 6a8774c..720bbc9 100644
> +--- a/src/pcre2_internal.h
> ++++ b/src/pcre2_internal.h
> +@@ -1774,10 +1774,17 @@ typedef struct {
> + /* UCD access macros */
> +
> + #define UCD_BLOCK_SIZE 128
> +-#define GET_UCD(ch) (PRIV(ucd_records) + \
> ++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
> +         PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
> +         UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
> +
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \
> ++  PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
> ++#else
> ++#define GET_UCD(ch) REAL_GET_UCD(ch)
> ++#endif
> ++
> + #define UCD_CHARTYPE(ch)    GET_UCD(ch)->chartype
> + #define UCD_SCRIPT(ch)      GET_UCD(ch)->script
> + #define UCD_CATEGORY(ch)    PRIV(ucp_gentype)[UCD_CHARTYPE(ch)]
> +@@ -1834,6 +1841,9 @@ extern const uint8_t          PRIV(utf8_table4)[];
> + #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_)
> + #define _pcre2_default_match_context   PCRE2_SUFFIX(_pcre2_default_match_context_)
> + #define _pcre2_default_tables          PCRE2_SUFFIX(_pcre2_default_tables_)
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++#define _pcre2_dummy_ucd_record        PCRE2_SUFFIX(_pcre2_dummy_ucd_record_)
> ++#endif
> + #define _pcre2_hspace_list             PCRE2_SUFFIX(_pcre2_hspace_list_)
> + #define _pcre2_vspace_list             PCRE2_SUFFIX(_pcre2_vspace_list_)
> + #define _pcre2_ucd_caseless_sets       PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_)
> +@@ -1858,6 +1868,9 @@ extern const uint32_t                  PRIV(hspace_list)[];
> + extern const uint32_t                  PRIV(vspace_list)[];
> + extern const uint32_t                  PRIV(ucd_caseless_sets)[];
> + extern const ucd_record                PRIV(ucd_records)[];
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++extern const ucd_record                PRIV(dummy_ucd_record)[];
> ++#endif
> + extern const uint8_t                   PRIV(ucd_stage1)[];
> + extern const uint16_t                  PRIV(ucd_stage2)[];
> + extern const uint32_t                  PRIV(ucp_gbtable)[];
> +diff --git a/src/pcre2_ucd.c b/src/pcre2_ucd.c
> +index 116f537..56aa29d 100644
> +--- a/src/pcre2_ucd.c
> ++++ b/src/pcre2_ucd.c
> +@@ -41,6 +41,20 @@ const uint32_t PRIV(ucd_caseless_sets)[] = {0};
> +
> + const char *PRIV(unicode_version) = "8.0.0";
> +
> ++/* If the 32-bit library is run in non-32-bit mode, character values
> ++greater than 0x10ffff may be encountered. For these we set up a
> ++special record. */
> ++
> ++#if PCRE2_CODE_UNIT_WIDTH == 32
> ++const ucd_record PRIV(dummy_ucd_record)[] = {{
> ++  ucp_Common,    /* script */
> ++  ucp_Cn,        /* type unassigned */
> ++  ucp_gbOther,   /* grapheme break property */
> ++  0,             /* case set */
> ++  0,             /* other case */
> ++  }};
> ++#endif
> ++
> + /* When recompiling tables with a new Unicode version, please check the
> + types in this structure definition from pcre2_internal.h (the actual
> + field names will be different):
> +--
> +2.12.1
> diff --git a/meta/recipes-support/libpcre/libpcre2_10.32.bb b/meta/recipes-support/libpcre/libpcre2_10.32.bb
> index 3a0aa53029f..59953626c74 100644
> --- a/meta/recipes-support/libpcre/libpcre2_10.32.bb
> +++ b/meta/recipes-support/libpcre/libpcre2_10.32.bb
> @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=cf66d307bf03bae65d413eb7a8e603a0"
>   
>   SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
>              file://pcre-cross.patch \
> +           file://CVE-2017-7186.patch \
>   "
>   
>   SRC_URI[md5sum] = "8a096287153fb994970df3570e90fcb5"

More information about the Openembedded-core mailing list