Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Hi, I'd like to upload the new erlang/1:19.2.1+dfsg-2 which fixes CVE-2016-10253 (heap overflow in bundled PCRE library). The diff of the proposed upload is attached. Will you unblock it after the upload? unblock erlang/19.2.1+dfsg-2 -- System Information: Debian Release: 9.0 APT prefers testing-proposed-updates APT policy: (500, 'testing-proposed-updates'), (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru erlang-19.2.1+dfsg/debian/changelog erlang-19.2.1+dfsg/debian/changelog
--- erlang-19.2.1+dfsg/debian/changelog 2017-01-16 23:02:47.000000000 +0300
+++ erlang-19.2.1+dfsg/debian/changelog 2017-03-22 15:31:29.000000000 +0300
@@ -1,3 +1,12 @@
+erlang (1:19.2.1+dfsg-2) unstable; urgency=high
+
+ * Applied a patch from the PCRE upstream which fixes CVE-2016-10253
+ vulnerability (heap overflow while compiling certain regular expressions).
+ The patch is taken from https://github.com/erlang/otp/pull/1108 and
+ modified to match the original patch by PCRE developers (closes: #858313).
+
+ -- Sergei Golovan <sgolo...@debian.org> Wed, 22 Mar 2017 15:31:29 +0300
+
 erlang (1:19.2.1+dfsg-1) unstable; urgency=medium
 
 * New upstream bugfix release.
diff -Nru erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch
--- erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch 1970-01-01 03:00:00.000000000 +0300
+++ erlang-19.2.1+dfsg/debian/patches/cve-2016-10253.patch 2017-03-22 15:31:29.000000000 +0300
@@ -0,0 +1,116 @@
+Author: PCRE upstream
+Description: A fix for CVE-2016-10253 which is the heap overflow during
+ a regular expression compile phase. The offending regexp could be
+ "(?<=((?2))((?1)))".
+ The patch was found at https://github.com/erlang/otp/pull/1108 and
+ the original version from https://vcs.pcre.org/pcre?view=revision&revision=1542
+ and https://vcs.pcre.org/pcre?view=revision&revision=1560 and
+ https://vcs.pcre.org/pcre?view=revision&revision=1571
+ has been adapted.
+Last-Modified: Wed, 22 Mar 2017 15:35:07 +0300
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858313
+Bug-Upstream: https://bugs.erlang.org/browse/ERL-208
+
+--- a/erts/emulator/pcre/pcre_compile.c
++++ b/erts/emulator/pcre/pcre_compile.c
+@@ -649,6 +649,14 @@
+ #endif
+
+
++/* Structure for mutual recursion detection. */
++
++typedef struct recurse_check {
++ struct recurse_check *prev;
++ const pcre_uchar *group;
++} recurse_check;
++
++
+
+ /*************************************************
+ * Find an error text *
+@@ -1734,6 +1742,7 @@
+ utf TRUE in UTF-8 / UTF-16 / UTF-32 mode
+ atend TRUE if called when the pattern is complete
+ cd the "compile data" structure
++ recurses chain of recurse_check to catch mutual recursion
+
+ Returns: the fixed length,
+ or -1 if there is no fixed length,
+@@ -1743,10 +1752,11 @@
+ */
+
+ static int
+-find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd)
++find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd,
++ recurse_check *recurses)
+ {
+ int length = -1;
+-
++recurse_check this_recurse;
+ register int branchlength = 0;
+ register pcre_uchar *cc = code + 1 + LINK_SIZE;
+
+@@ -1771,7 +1781,8 @@
+ case OP_ONCE:
+ case OP_ONCE_NC:
+ case OP_COND:
+- d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend, cd);
++ d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend, cd,
++ recurses);
+ if (d < 0) return d;
+ branchlength += d;
+ do cc += GET(cc, 1); while (*cc == OP_ALT);
+@@ -1805,7 +1816,16 @@
+ cs = ce = (pcre_uchar *)cd->start_code + GET(cc, 1); /* Start subpattern */
+ do ce += GET(ce, 1); while (*ce == OP_ALT); /* End subpattern */
+ if (cc > cs && cc < ce) return -1; /* Recursion */
+- d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd);
++ else /* Check for mutual recursion */
++ {
++ recurse_check *r = recurses;
++ for (r = recurses; r != NULL; r = r->prev) if (r->group == cs) break;
++ if (r != NULL) return -1; /* Mutual recursion */
++ }
++ this_recurse.prev = recurses;
++ this_recurse.group = cs;
++ d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd, &this_recurse);
++
+ if (d < 0) return d;
+ branchlength += d;
+ cc += 1 + LINK_SIZE;
+@@ -1818,7 +1838,7 @@
+ case OP_ASSERTBACK:
+ case OP_ASSERTBACK_NOT:
+ do cc += GET(cc, 1); while (*cc == OP_ALT);
+- cc += PRIV(OP_lengths)[*cc];
++ cc += 1 + LINK_SIZE;
+ break;
+
+ /* Skip over things that don't match chars */
+@@ -7255,7 +7275,7 @@
+ int fixed_length;
+ *code = OP_END;
+ fixed_length = find_fixedlength(last_branch, (options & PCRE_UTF8) != 0,
+- FALSE, cd);
++ FALSE, cd, NULL);
+ DPRINTF(("fixed length = %d\n", fixed_length));
+ if (fixed_length == -3)
+ {
+@@ -8249,7 +8269,7 @@
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+ {
+ pcre_uchar *cc = (pcre_uchar *)codestart;
+
+@@ -8269,7 +8289,7 @@
+ int end_op = *be;
+ *be = OP_END;
+ fixed_length = find_fixedlength(cc, (re->options & PCRE_UTF8) != 0, TRUE,
+- cd);
++ cd, NULL);
+ *be = end_op;
+ DPRINTF(("fixed length = %d\n", fixed_length));
+ if (fixed_length < 0)
diff -Nru erlang-19.2.1+dfsg/debian/patches/series erlang-19.2.1+dfsg/debian/patches/series
--- erlang-19.2.1+dfsg/debian/patches/series 2016-12-15 00:12:13.000000000 +0300
+++ erlang-19.2.1+dfsg/debian/patches/series 2017-03-22 15:31:29.000000000 +0300
@@ -10,3 +10,4 @@
 wx3.0-constants.patch
 beamload.patch
 x32.patch
+cve-2016-10253.patch
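Review bot: No regression check accompanies the fix even though the patch header itself names the trigger pattern, `"(?<=((?2))((?1)))"`, and the upload adds only the patch file and its series entry. That pattern should now reach the new mutual-recursion branch in the `@@ -1805,7 +1816,16 @@` hunk (`if (r != NULL) return -1; /* Mutual recursion */`) and be reported as a compile error instead of overflowing the heap, so a one-line autopkgtest or build-time check such as `erl -noshell -eval '{error,_} = re:compile("(?<=((?2))((?1)))"), halt().'` would pin that behaviour across future rebases of the bundled PCRE. The exact error text is not visible here, so match only on the tuple shape, presumably `{error, _}`. Every function touched by these hunks starts and ends outside the quoted context.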