aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2020-12-10 06:54:15 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-12-10 07:32:35 -0300
commitab6c8e84d1976b41f3648edf871090995620d1f1 (patch)
tree018857bd55aa694bb39743b2697a558b5e9308dc
parentd6419a61850ee4384d75190a6521a687278588e2 (diff)
downloadaports-ab6c8e84d1976b41f3648edf871090995620d1f1.tar.gz
aports-ab6c8e84d1976b41f3648edf871090995620d1f1.tar.bz2
aports-ab6c8e84d1976b41f3648edf871090995620d1f1.tar.xz
main/pcre: fix CVE-2020-14155
See: #11854
-rw-r--r--main/pcre/APKBUILD11
-rw-r--r--main/pcre/CVE-2020-14155.patch31
2 files changed, 39 insertions, 3 deletions
diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD
index 9e5bbe684a..7cf50e19b2 100644
--- a/main/pcre/APKBUILD
+++ b/main/pcre/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=pcre
pkgver=8.43
-pkgrel=0
+pkgrel=1
pkgdesc="Perl-compatible regular expression library"
url="http://pcre.sourceforge.net"
arch="all"
@@ -12,9 +12,13 @@ makedepends=""
checkdepends="paxmark"
subpackages="$pkgname-dev $pkgname-doc $pkgname-tools
libpcrecpp libpcre16 libpcre32"
-source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2
+source="https://ftp.pcre.org/pub/pcre/pcre-$pkgver.tar.bz2
+ CVE-2020-14155.patch
"
+
# secfixes:
+# 8.43-r1:
+# - CVE-2020-14155
# 8.40-r2:
# - CVE-2017-7186
# 7.8-r0:
@@ -94,4 +98,5 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="3b4ac2c7ccd77c9575d07a33c3456f40b50731029e62d01fb8f2f5871d7118e12bc9e6bc7a8079769c765e38da5ecf98c4b261b10ff0a2f14f0881b434f67af7 pcre-8.43.tar.bz2"
+sha512sums="3b4ac2c7ccd77c9575d07a33c3456f40b50731029e62d01fb8f2f5871d7118e12bc9e6bc7a8079769c765e38da5ecf98c4b261b10ff0a2f14f0881b434f67af7 pcre-8.43.tar.bz2
+23baa5fbaff7b52e861a539a83ad4406937d7a8a85d2a4e2419d0bea99204659e350caab68091d6354842297df2bb3097204bc63c4e1d3d9d1b94427efc46748 CVE-2020-14155.patch"
diff --git a/main/pcre/CVE-2020-14155.patch b/main/pcre/CVE-2020-14155.patch
new file mode 100644
index 0000000000..3bfa119f3b
--- /dev/null
+++ b/main/pcre/CVE-2020-14155.patch
@@ -0,0 +1,31 @@
+pcre: Fix int overflow when parsing "?C<arg>" callout args.
+
+Numerical args must be 0-255, so this shouldn't break correct usage.
+
+--- a/pcre_compile.c 2020/02/10 17:01:27 1760
++++ b/pcre_compile.c 2020/02/10 17:17:34 1761
+@@ -7130,17 +7130,19 @@
+ int n = 0;
+ ptr++;
+ while(IS_DIGIT(*ptr))
++ {
+ n = n * 10 + *ptr++ - CHAR_0;
++ if (n > 255)
++ {
++ *errorcodeptr = ERR38;
++ goto FAILED;
++ }
++ }
+ if (*ptr != CHAR_RIGHT_PARENTHESIS)
+ {
+ *errorcodeptr = ERR39;
+ goto FAILED;
+ }
+- if (n > 255)
+- {
+- *errorcodeptr = ERR38;
+- goto FAILED;
+- }
+ *code++ = n;
+ PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
+ PUT(code, LINK_SIZE, 0); /* Default length */