Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi Release managers,

Please unblock package pcre3

The upload fixes #855405, which maps to the BTS the CVE CVE-2017-6004 (the severity to grave is disputable, I admit that, but I think it would be good to release stretch without that CVE open; it is "just" that a specially crafted regular expression may cause a denial of service for an application using pcre3, as it was demonstrated in the upstream bug for php).

It builds on all release architectures:

https://buildd.debian.org/status/package.php?p=pcre3

The changelog reads as:

>pcre3 (2:8.39-2.1) unstable; urgency=high
>
>  * Non-maintainer upload.
>  * CVE-2017-6004: crafted regular expression may cause denial of service
>    (Closes: #855405)
>
> -- Salvatore Bonaccorso <car...@debian.org>  Fri, 17 Feb 2017 15:56:09 +0100

I'm including as requested the debdiff against the version in testing.

The d-i release manager is X-Debbug-CC'ed since that would need an ack as well from him, afaict.

unblock pcre3/2:8.39-2.1

Btw, thanks for your amazing work!

Regards,
Salvatore
diff -Nru pcre3-8.39/debian/changelog pcre3-8.39/debian/changelog --- pcre3-8.39/debian/changelog 2016-08-19 10:04:15.000000000 +0200 +++ pcre3-8.39/debian/changelog 2017-02-17 15:56:09.000000000 +0100 @@ -1,3 +1,11 @@ +pcre3 (2:8.39-2.1) unstable; urgency=high + + * Non-maintainer upload. + * CVE-2017-6004: crafted regular expression may cause denial of service + (Closes: #855405) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 17 Feb 2017 15:56:09 +0100 + pcre3 (2:8.39-2) unstable; urgency=low * Update symbols file to reflect compilation with gcc6 (Closes: #811969) diff -Nru pcre3-8.39/debian/patches/CVE-2017-6004.patch pcre3-8.39/debian/patches/CVE-2017-6004.patch --- pcre3-8.39/debian/patches/CVE-2017-6004.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.39/debian/patches/CVE-2017-6004.patch 2017-02-17 15:56:09.000000000 +0100 @@ -0,0 +1,19 @@ +Description: CVE-2017-6004: crafted regular expression may cause denial of service +Origin: upstream, https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch +Bug: https://bugs.exim.org/show_bug.cgi?id=2035 +Bug-Debian: https://bugs.debian.org/855405 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2017-02-17 + +--- a/pcre_jit_compile.c ++++ b/pcre_jit_compile.c +@@ -8111,7 +8111,7 @@ if (opcode == OP_COND || opcode == OP_SC + + if (*matchingpath == OP_FAIL) + stacksize = 0; +- if (*matchingpath == OP_RREF) ++ else if (*matchingpath == OP_RREF) + { + stacksize = GET2(matchingpath, 1); + if (common->currententry == NULL) diff -Nru pcre3-8.39/debian/patches/series pcre3-8.39/debian/patches/series --- pcre3-8.39/debian/patches/series 2016-07-28 17:43:57.000000000 +0200 +++ pcre3-8.39/debian/patches/series 2017-02-17 15:56:09.000000000 +0100 @@ -5,3 +5,4 @@ soname.patch no_jit_x32_powerpcspe.patch Disable_JIT_on_sparc64.patch +CVE-2017-6004.patch
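
Review bot: In debian/patches/CVE-2017-6004.patch, at the changed line under `if (*matchingpath == OP_FAIL)`, the visible context does not show why turning `if` into `else if` changes behaviour: `*matchingpath` cannot be both OP_FAIL and OP_RREF, so on these lines alone the two forms look equivalent. The effect presumably comes from a branch attached to the OP_RREF block that the three trailing context lines cut off; please name in the Description which path was wrongly taken for OP_FAIL, so the one-line fix can be checked without opening the upstream tree. Separately, the Origin URL diffs r1676 against r1680, a range of revisions, while the patch carries a single changed line, so it is worth confirming that nothing else in that range belongs to the fix, and the Author field lists the uploader although Origin says the change comes from upstream.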