Hi, I intend to upload an NMU to fix this. debdiff attached and archived on: http://people.debian.org/~nion/nmu-diff/pcre3-7.6-2_7.6-2.1.patch
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u pcre3-7.6/debian/rules pcre3-7.6/debian/rules --- pcre3-7.6/debian/rules +++ pcre3-7.6/debian/rules @@ -101,7 +101,7 @@ dh_compress -a dh_fixperms -a dh_makeshlibs -plibpcre3 --add-udeb="libpcre3-udeb" -V 'libpcre3 (>= 7.4)' - dh_makeshlibs -plibpcrecpp0 -V 'libpcrecpp0' + dh_makeshlibs -plibpcrecpp0 -V 'libpcrecpp0 (>= 7.6)' dh_installdeb -a # dh_perl -a dh_shlibdeps -a -ldebian/libpcre3/usr/lib diff -u pcre3-7.6/debian/changelog pcre3-7.6/debian/changelog --- pcre3-7.6/debian/changelog +++ pcre3-7.6/debian/changelog @@ -1,3 +1,16 @@ +pcre3 (7.6-2.1) unstable; urgency=high + + * Non-maintainer upload. + * Fix heap overflow in the pcre compiler triggered by + patterns which contain options and multiple branches + (CVE-2008-2371; Closes: #488919). + * debian/rules (patch by Bryan Donlan): Update shlibdeps invocation for + libpcrecpp0 due to new symbols (Closes: #476925). + * debian/copyright: replace license information with the current license + information shipped with upstream sources (Closes: #489318). + + -- Nico Golde <[EMAIL PROTECTED]> Mon, 14 Jul 2008 19:13:11 +0200 + pcre3 (7.6-2) unstable; urgency=low * pcrecpp.cc: Applied patch from PCRE bugzilla (bug 664) to fix ABI diff -u pcre3-7.6/debian/copyright pcre3-7.6/debian/copyright --- pcre3-7.6/debian/copyright +++ pcre3-7.6/debian/copyright 
@@ -13,42 +13,62 @@ -Written by: Philip Hazel <[EMAIL PROTECTED]> +Release 7 of PCRE is distributed under the terms of the "BSD" licence, as +specified below. The documentation for PCRE, supplied in the "doc" +directory, is distributed under the same terms as the software itself. + +The basic library functions are written in C and are freestanding. Also +included in the distribution is a set of C++ wrapper functions. + + +THE BASIC LIBRARY FUNCTIONS +--------------------------- + +Written by: Philip Hazel +Email local part: ph10 +Email domain: cam.ac.uk University of Cambridge Computing Service, -Cambridge, England. Phone: +44 1223 334714. +Cambridge, England. + +Copyright (c) 1997-2007 University of Cambridge +All rights reserved. -Copyright (c) 1997-2000 University of Cambridge -Permission is granted to anyone to use this software for any purpose on any -computer system, and to redistribute it freely, subject to the following -restrictions: +THE C++ WRAPPER FUNCTIONS +------------------------- -1. This software is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +Contributed by: Google Inc. -2. The origin of this software must not be misrepresented, either by - explicit claim or by omission. In practice, this means that if you use - PCRE in software which you distribute to others, commercially or - otherwise, you must put a sentence like this +Copyright (c) 2007, Google Inc. +All rights reserved. - Regular expression support is provided by the PCRE library package, - which is open source software, written by Philip Hazel, and copyright - by the University of Cambridge, England. - somewhere reasonably visible in your documentation and in any relevant - files or online help data or similar. 
A reference to the ftp site for - the source, that is, to +THE "BSD" LICENCE +----------------- - ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: - should also be given in the documentation. + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. -3. Altered versions must be plainly marked as such, and must not be - misrepresented as being the original software. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. -4. If PCRE is embedded in any software that is released under the GNU - General Purpose Licence (GPL), then the terms of that licence shall - supersede any condition above with which it is incompatible. + * Neither the name of the University of Cambridge nor the name of Google + Inc. nor the names of their contributors may be used to endorse or + promote products derived from this software without specific prior + written permission. +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. -On Debian GNU/Linux systems, the complete text of the GNU General -Public License can be found in `/usr/share/common-licenses/GPL'. +End only in patch2: unchanged: --- pcre3-7.6.orig/pcre_compile.c +++ pcre3-7.6/pcre_compile.c @@ -4831,7 +4831,7 @@ (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE)) { cd->external_options = newoptions; - options = newoptions; + options = *optionsptr = newoptions; } else {
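Review bot: in the pcre_compile.c hunk, the changed line `options = *optionsptr = newoptions;` has no comment explaining why the value behind optionsptr must be stored together with the local options, even though this single assignment is the whole fix the changelog attributes to CVE-2008-2371. A short comment above it would keep a later cleanup from dropping the `*optionsptr` store. The debdiff also adds no test input, so a regression case built from the changelog's own description (a pattern with options and multiple branches) would be worth adding alongside it.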
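Review bot: in the debian/changelog hunk, the debian/rules entry says "Update shlibdeps invocation", but the debian/rules hunk changes the `dh_makeshlibs -plibpcrecpp0` line and leaves `dh_shlibdeps -a` as unchanged context, so the entry should name dh_makeshlibs and the new `(>= 7.6)` version. The CVE-2008-2371 entry also names no file, unlike the debian/rules and debian/copyright entries; prefixing it with `pcre_compile.c:` would let anyone auditing the upload find the security change directly.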