author | Leo <thinkabit.ukim@gmail.com> | 2020-12-10 06:54:15 -0300 |
committer | Leo <thinkabit.ukim@gmail.com> | 2020-12-10 07:32:35 -0300 |
commit | ab6c8e84d1976b41f3648edf871090995620d1f1 (patch) | |
tree | 018857bd55aa694bb39743b2697a558b5e9308dc | |
parent | d6419a61850ee4384d75190a6521a687278588e2 (diff) | |
main/pcre: fix CVE-2020-14155
See: #11854
-rw-r--r-- | main/pcre/APKBUILD | 11 | ||||
-rw-r--r-- | main/pcre/CVE-2020-14155.patch | 31 |
2 files changed, 39 insertions, 3 deletions
diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD
index 9e5bbe684a..7cf50e19b2 100644
--- a/main/pcre/APKBUILD
+++ b/main/pcre/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=pcre
 pkgver=8.43
-pkgrel=0
+pkgrel=1
 pkgdesc="Perl-compatible regular expression library"
 url="http://pcre.sourceforge.net"
 arch="all"
@@ -12,9 +12,13 @@
 makedepends=""
 checkdepends="paxmark"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-tools libpcrecpp libpcre16 libpcre32"
-source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2
+source="https://ftp.pcre.org/pub/pcre/pcre-$pkgver.tar.bz2
+	CVE-2020-14155.patch
 	"
+
 # secfixes:
+# 8.43-r1:
+# - CVE-2020-14155
 # 8.40-r2:
 # - CVE-2017-7186
 # 7.8-r0:
@@ -94,4 +98,5 @@ tools() {
 	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
 
-sha512sums="3b4ac2c7ccd77c9575d07a33c3456f40b50731029e62d01fb8f2f5871d7118e12bc9e6bc7a8079769c765e38da5ecf98c4b261b10ff0a2f14f0881b434f67af7 pcre-8.43.tar.bz2"
+sha512sums="3b4ac2c7ccd77c9575d07a33c3456f40b50731029e62d01fb8f2f5871d7118e12bc9e6bc7a8079769c765e38da5ecf98c4b261b10ff0a2f14f0881b434f67af7 pcre-8.43.tar.bz2
+23baa5fbaff7b52e861a539a83ad4406937d7a8a85d2a4e2419d0bea99204659e350caab68091d6354842297df2bb3097204bc63c4e1d3d9d1b94427efc46748 CVE-2020-14155.patch"
diff --git a/main/pcre/CVE-2020-14155.patch b/main/pcre/CVE-2020-14155.patch
new file mode 100644
index 0000000000..3bfa119f3b
--- /dev/null
+++ b/main/pcre/CVE-2020-14155.patch
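Review bot: The new `source=` URL in the second hunk hard-codes the package name where the line it replaces used `$pkgname`, so `source="https://ftp.pcre.org/pub/pcre/$pkgname-$pkgver.tar.bz2` would keep the APKBUILD consistent with its other `$pkgname`-based lines and with the filename recorded in `sha512sums`. Listing `CVE-2020-14155.patch` in `source=` only fetches and checksums it; abuild applies it from `default_prepare`, so if this APKBUILD defines its own `prepare()` outside the hunks shown, that function must call `default_prepare` (or apply the patch itself) for the new `secfixes` entry to be accurate — worth confirming before relying on the entry. The tarball checksum being unchanged alongside the mirror switch is a good sign that the new URL serves the identical archive.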
@@ -0,0 +1,31 @@
+pcre: Fix int overflow when parsing "?C<arg>" callout args.
+
+Numerical args must be 0-255, so this shouldn't break correct usage.
+
+--- a/pcre_compile.c 2020/02/10 17:01:27 1760
++++ b/pcre_compile.c 2020/02/10 17:17:34 1761
+@@ -7130,17 +7130,19 @@
+ int n = 0;
+ ptr++;
+ while(IS_DIGIT(*ptr))
++ {
+ n = n * 10 + *ptr++ - CHAR_0;
++ if (n > 255)
++ {
++ *errorcodeptr = ERR38;
++ goto FAILED;
++ }
++ }
+ if (*ptr != CHAR_RIGHT_PARENTHESIS)
+ {
+ *errorcodeptr = ERR39;
+ goto FAILED;
+ }
+- if (n > 255)
+- {
+- *errorcodeptr = ERR38;
+- goto FAILED;
+- }
+ *code++ = n;
+ PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
+ PUT(code, LINK_SIZE, 0); /* Default length */
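Review bot: Moving the `n > 255` check inside the digit loop changes which error is reported for a callout number that is out of range and followed by something other than `)`: the old code reached the `*ptr != CHAR_RIGHT_PARENTHESIS` test first and set ERR39, the new code sets ERR38 as soon as the accumulated value exceeds 255. That is the right trade-off for the fix (n is at most 255 before each step, so `n * 10 + digit` can no longer grow without bound), but the patch header should say so, so that any test expecting ERR39 for such input is understood to have changed deliberately, e.g. `Note: an out-of-range number followed by a non-')' character now reports ERR38 rather than ERR39.` The enclosing compile function starts and ends outside this hunk.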