Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi! Bug #858313 (see [1] for details) affects jessie as well, so I'd like to propose an updated package to fix it. The bug is in the PCRE library bundled with Erlang, and causes the whole Erlang virtual machine to crash. It's currently being tracked at [2]. The diff between the current package and the updated one is attached. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858313 https://security-tracker.debian.org/tracker/CVE-2016-10253 -- System Information: Debian Release: 9.0 APT prefers testing-proposed-updates APT policy: (500, 'testing-proposed-updates'), (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru erlang-17.3-dfsg/debian/changelog erlang-17.3-dfsg/debian/changelog
--- erlang-17.3-dfsg/debian/changelog 2015-04-04 17:00:58.000000000 +0300
+++ erlang-17.3-dfsg/debian/changelog 2017-03-22 17:21:52.000000000 +0300
@@ -1,3 +1,12 @@
+erlang (1:17.3-dfsg-4+deb8u1) stable-proposed-updates; urgency=medium
+
+ * Applied a patch from the PCRE upstream which fixes CVE-2016-10253
+ vulnerability (heap overflow while compiling certain regular expressions).
+ The patch is taken from https://github.com/erlang/otp/pull/1108 and
+ modified to match the original patch by PCRE developers (closes: #858313).
+
+ -- Sergei Golovan <sgolo...@debian.org> Wed, 22 Mar 2017 17:21:52 +0300
+
 erlang (1:17.3-dfsg-4) unstable; urgency=medium
 
 * Added a patch from upstream which fixes TLS POODLE vulnerability in
diff -Nru erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch
--- erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch 1970-01-01 03:00:00.000000000 +0300
+++ erlang-17.3-dfsg/debian/patches/cve-2016-10253.patch 2017-03-22 17:20:04.000000000 +0300
@@ -0,0 +1,116 @@
+Author: PCRE upstream
+Description: A fix for CVE-2016-10253 which is the heap overflow during
+ a regular expression compile phase. The offending regexp could be
+ "(?<=((?2))((?1)))".
+ The patch was found at https://github.com/erlang/otp/pull/1108 and
+ the original version from https://vcs.pcre.org/pcre?view=revision&revision=1542
+ and https://vcs.pcre.org/pcre?view=revision&revision=1560 and
+ https://vcs.pcre.org/pcre?view=revision&revision=1571
+ has been adapted.
+Last-Modified: Wed, 22 Mar 2017 15:35:07 +0300
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858313
+Bug-Upstream: https://bugs.erlang.org/browse/ERL-208
+
+--- a/erts/emulator/pcre/pcre_compile.c
++++ b/erts/emulator/pcre/pcre_compile.c
+@@ -649,6 +649,14 @@
+ #endif
+ 
+ 
++/* Structure for mutual recursion detection. */
++
++typedef struct recurse_check {
++ struct recurse_check *prev;
++ const pcre_uchar *group;
++} recurse_check;
++
++
+ 
+ /*************************************************
+ * Find an error text *
+@@ -1734,6 +1742,7 @@
+ utf TRUE in UTF-8 / UTF-16 / UTF-32 mode
+ atend TRUE if called when the pattern is complete
+ cd the "compile data" structure
++ recurses chain of recurse_check to catch mutual recursion
+ 
+ Returns: the fixed length,
+ or -1 if there is no fixed length,
+@@ -1743,10 +1752,11 @@
+ */
+ 
+ static int
+-find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd)
++find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd,
++ recurse_check *recurses)
+ {
+ int length = -1;
+-
++recurse_check this_recurse;
+ register int branchlength = 0;
+ register pcre_uchar *cc = code + 1 + LINK_SIZE;
+ 
+@@ -1771,7 +1781,8 @@
+ case OP_ONCE:
+ case OP_ONCE_NC:
+ case OP_COND:
+- d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend, cd);
++ d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend, cd,
++ recurses);
+ if (d < 0) return d;
+ branchlength += d;
+ do cc += GET(cc, 1); while (*cc == OP_ALT);
+@@ -1805,7 +1816,16 @@
+ cs = ce = (pcre_uchar *)cd->start_code + GET(cc, 1); /* Start subpattern */
+ do ce += GET(ce, 1); while (*ce == OP_ALT); /* End subpattern */
+ if (cc > cs && cc < ce) return -1; /* Recursion */
+- d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd);
++ else /* Check for mutual recursion */
++ {
++ recurse_check *r = recurses;
++ for (r = recurses; r != NULL; r = r->prev) if (r->group == cs) break;
++ if (r != NULL) return -1; /* Mutual recursion */
++ }
++ this_recurse.prev = recurses;
++ this_recurse.group = cs;
++ d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd, &this_recurse);
++
+ if (d < 0) return d;
+ branchlength += d;
+ cc += 1 + LINK_SIZE;
+@@ -1818,7 +1838,7 @@
+ case OP_ASSERTBACK:
+ case OP_ASSERTBACK_NOT:
+ do cc += GET(cc, 1); while (*cc == OP_ALT);
+- cc += PRIV(OP_lengths)[*cc];
++ cc += 1 + LINK_SIZE;
+ break;
+ 
+ /* Skip over things that don't match chars */
+@@ -7255,7 +7275,7 @@
+ int fixed_length;
+ *code = OP_END;
+ fixed_length = find_fixedlength(last_branch, (options & PCRE_UTF8) != 0,
+- FALSE, cd);
++ FALSE, cd, NULL);
+ DPRINTF(("fixed length = %d\n", fixed_length));
+ if (fixed_length == -3)
+ {
+@@ -8249,7 +8269,7 @@
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+ 
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+ {
+ pcre_uchar *cc = (pcre_uchar *)codestart;
+ 
+@@ -8269,7 +8289,7 @@
+ int end_op = *be;
+ *be = OP_END;
+ fixed_length = find_fixedlength(cc, (re->options & PCRE_UTF8) != 0, TRUE,
+- cd);
++ cd, NULL);
+ *be = end_op;
+ DPRINTF(("fixed length = %d\n", fixed_length));
+ if (fixed_length < 0)
diff -Nru erlang-17.3-dfsg/debian/patches/series erlang-17.3-dfsg/debian/patches/series
--- erlang-17.3-dfsg/debian/patches/series 2015-04-04 16:58:41.000000000 +0300
+++ erlang-17.3-dfsg/debian/patches/series 2017-03-22 17:20:27.000000000 +0300
@@ -13,3 +13,4 @@
 sslv3disable.patch
 ssltlspoodle.patch
 beamload.patch
+cve-2016-10253.patch
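Review bot: In the OP_RECURSE hunk (`@@ -1805,7 +1816,16 @@`) the mutual-recursion block writes `recurse_check *r = recurses;` and then immediately re-initialises the same pointer in `for (r = recurses; r != NULL; r = r->prev)`, so the first initialiser is dead; `recurse_check *r;` is enough and removes the suggestion that the two starting points could differ. The `cc += 1 + LINK_SIZE;` replacement for `cc += PRIV(OP_lengths)[*cc];` in the `@@ -1818` hunk and the `errorcode == 0 &&` guard added in `@@ -8249` land without any comment, and the DEP-3 header lists three upstream revisions without saying which hunk comes from which; a one-line comment at each, e.g. `/* upstream r<REV>: <reason for the explicit skip> */` with the revision taken from the header, would let the next rebase check that the adaptation still matches upstream. The header names the offending pattern but nothing in the series adds a regression case for it; if the package's test suite runs at build time, compiling that pattern would pin the fix. find_fixedlength's body begins and ends outside every hunk that touches it, so the new `this_recurse` local is only seen at its declaration and at the single OP_RECURSE use.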