Signed-off-by: Ross Burton <ross.bur...@intel.com> --- .../libpcre/libpcre2/CVE-2017-7186.patch | 83 ++++++++++++++++++++++ meta/recipes-support/libpcre/libpcre2_10.32.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch new file mode 100644 index 00000000000..7cd7c27c6c0 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2017-7186.patch @@ -0,0 +1,83 @@ +libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to +cause a denial of service (segmentation violation for read access, and +application crash) by triggering an invalid Unicode property lookup. + +CVE: CVE-2017-7186 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.bur...@intel.com> + +--- + src/pcre2_internal.h | 15 ++++++++++++++- + src/pcre2_ucd.c | 14 ++++++++++++++ + 2 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/src/pcre2_internal.h b/src/pcre2_internal.h +index 6a8774c..720bbc9 100644 +--- a/src/pcre2_internal.h ++++ b/src/pcre2_internal.h +@@ -1774,10 +1774,17 @@ typedef struct { + /* UCD access macros */ + + #define UCD_BLOCK_SIZE 128 +-#define GET_UCD(ch) (PRIV(ucd_records) + \ ++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \ + PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \ + UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE]) + ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \ ++ PRIV(dummy_ucd_record) : REAL_GET_UCD(ch)) ++#else ++#define GET_UCD(ch) REAL_GET_UCD(ch) ++#endif ++ + #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype + #define UCD_SCRIPT(ch) GET_UCD(ch)->script + #define UCD_CATEGORY(ch) PRIV(ucp_gentype)[UCD_CHARTYPE(ch)] +@@ -1834,6 +1841,9 @@ extern const uint8_t PRIV(utf8_table4)[]; + #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_) + #define _pcre2_default_match_context PCRE2_SUFFIX(_pcre2_default_match_context_) + #define _pcre2_default_tables PCRE2_SUFFIX(_pcre2_default_tables_) ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++#define _pcre2_dummy_ucd_record PCRE2_SUFFIX(_pcre2_dummy_ucd_record_) ++#endif + #define _pcre2_hspace_list PCRE2_SUFFIX(_pcre2_hspace_list_) + #define _pcre2_vspace_list PCRE2_SUFFIX(_pcre2_vspace_list_) + #define _pcre2_ucd_caseless_sets PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_) +@@ -1858,6 +1868,9 @@ extern const uint32_t PRIV(hspace_list)[]; + extern const uint32_t PRIV(vspace_list)[]; + extern const uint32_t PRIV(ucd_caseless_sets)[]; + extern const ucd_record PRIV(ucd_records)[]; ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++extern const ucd_record PRIV(dummy_ucd_record)[]; ++#endif + extern const uint8_t PRIV(ucd_stage1)[]; + extern const uint16_t PRIV(ucd_stage2)[]; + extern const uint32_t PRIV(ucp_gbtable)[]; +diff --git a/src/pcre2_ucd.c b/src/pcre2_ucd.c +index 116f537..56aa29d 100644 +--- a/src/pcre2_ucd.c ++++ b/src/pcre2_ucd.c +@@ -41,6 +41,20 @@ const uint32_t PRIV(ucd_caseless_sets)[] = {0}; + + const char *PRIV(unicode_version) = "8.0.0"; + ++/* If the 32-bit library is run in non-32-bit mode, character values ++greater than 0x10ffff may be encountered. For these we set up a ++special record. */ ++ ++#if PCRE2_CODE_UNIT_WIDTH == 32 ++const ucd_record PRIV(dummy_ucd_record)[] = {{ ++ ucp_Common, /* script */ ++ ucp_Cn, /* type unassigned */ ++ ucp_gbOther, /* grapheme break property */ ++ 0, /* case set */ ++ 0, /* other case */ ++ }}; ++#endif ++ + /* When recompiling tables with a new Unicode version, please check the + types in this structure definition from pcre2_internal.h (the actual + field names will be different): +-- +2.12.1 diff --git a/meta/recipes-support/libpcre/libpcre2_10.32.bb b/meta/recipes-support/libpcre/libpcre2_10.32.bb index 3a0aa53029f..59953626c74 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.32.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.32.bb @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=cf66d307bf03bae65d413eb7a8e603a0" SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ file://pcre-cross.patch \ + file://CVE-2017-7186.patch \ " SRC_URI[md5sum] = "8a096287153fb994970df3570e90fcb5" -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core