Bug#846031: jessie-pu: package tre/0.8.0-4+deb8u1

[Adam D. Barratt]

Control: tags -1 + pending

On Sat, 2016-12-10 at 21:43 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2016-11-28 at 00:50 +0100, Santiago Vila wrote:
> > Salvatore told me that this does not warrant a DSA. so I've prepared
> > this upload for jessie-proposed-updates, to be considered for stable.
> > It fixes CVE-2016-8859.
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam

Bug#846031: jessie-pu: package tre/0.8.0-4+deb8u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Mon, 2016-11-28 at 00:50 +0100, Santiago Vila wrote:
> Salvatore told me that this does not warrant a DSA. so I've prepared
> this upload for jessie-proposed-updates, to be considered for stable.
> It fixes CVE-2016-8859.

Please go ahead.

Regards,

Adam

Bug#846031: jessie-pu: package tre/0.8.0-4+deb8u1

[Santiago Vila]

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Managers:

Salvatore told me that this does not warrant a DSA. so I've prepared
this upload for jessie-proposed-updates, to be considered for stable.
It fixes CVE-2016-8859.

Debdiff is attached.

Thanks.diff -Nru tre-0.8.0/debian/changelog tre-0.8.0/debian/changelog
--- tre-0.8.0/debian/changelog  2014-04-30 00:38:40.0 +0200
+++ tre-0.8.0/debian/changelog  2016-11-28 00:31:36.0 +0100
@@ -1,3 +1,12 @@
+tre (0.8.0-4+deb8u1) jessie; urgency=medium
+
+  * Add debian/patches/03-cve-2016-8859 to fix CVE-2016-8859.
+Patch borrowed from wheezy LTS. Closes: #842169.
+  * Add locales-all to Build-Depends, required to run the test suite.
+  * Add debian/clean with files generated/modified during the build.
+
+ -- Santiago Vila   Mon, 28 Nov 2016 00:31:36 +0100
+
 tre (0.8.0-4) unstable; urgency=medium
 
   * I'm having a déjà vu.
diff -Nru tre-0.8.0/debian/clean tre-0.8.0/debian/clean
--- tre-0.8.0/debian/clean  1970-01-01 01:00:00.0 +0100
+++ tre-0.8.0/debian/clean  2016-11-27 23:00:00.0 +0100
@@ -0,0 +1,4 @@
+tests/agrep/basic.in
+tests/agrep/delimiters.in
+tests/agrep/exitstatus.in
+tests/agrep/records.in
diff -Nru tre-0.8.0/debian/control tre-0.8.0/debian/control
--- tre-0.8.0/debian/control2014-04-29 12:00:00.0 +0200
+++ tre-0.8.0/debian/control2016-11-27 23:00:00.0 +0100
@@ -4,7 +4,7 @@
 Maintainer: Santiago Vila 
 Uploaders: Milan Zamazal 
 Standards-Version: 3.9.5
-Build-Depends: gettext (>= 0.18.1.1-8), debhelper (>= 9)
+Build-Depends: gettext (>= 0.18.1.1-8), debhelper (>= 9), locales-all
 
 Package: libtre5
 Architecture: any
diff -Nru tre-0.8.0/debian/patches/03-cve-2016-8859 
tre-0.8.0/debian/patches/03-cve-2016-8859
--- tre-0.8.0/debian/patches/03-cve-2016-8859   1970-01-01 01:00:00.0 
+0100
+++ tre-0.8.0/debian/patches/03-cve-2016-8859   2016-11-27 23:03:00.0 
+0100
@@ -0,0 +1,73 @@
+From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001
+From: Rich Felker 
+Date: Thu, 6 Oct 2016 18:34:58 -0400
+Subject: fix missing integer overflow checks in regexec buffer size
+ computations
+
+most of the possible overflows were already ruled out in practice by
+regcomp having already succeeded performing larger allocations.
+however at least the num_states*num_tags multiplication can clearly
+overflow in practice. for safety, check them all, and use the proper
+type, size_t, rather than int.
+
+also improve comments, use calloc in place of malloc+memset, and
+remove bogus casts.
+---
+ src/regex/regexec.c | 23 ++-
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+Note: patch was modified to apply to tre, parts were taken from
+https://github.com/laurikari/tre/issues/37
+
+--- a/lib/tre-match-parallel.c
 b/lib/tre-match-parallel.c
+@@ -59,6 +59,7 @@
+ #ifdef HAVE_MALLOC_H
+ #include 
+ #endif /* HAVE_MALLOC_H */
++#include 
+ 
+ #include "tre-internal.h"
+ #include "tre-match-utils.h"
+@@ -150,11 +151,24 @@
+ 
+   /* Allocate memory for temporary data required for matching.This 
needs to
+  be done for every matching operation to be thread safe.  This allocates
+- everything in a single large block from the stack frame using alloca()
+- or with malloc() if alloca is unavailable. */
++ everything in a single large block with calloc(). */
+   {
+-int tbytes, rbytes, pbytes, xbytes, total_bytes;
++size_t tbytes, rbytes, pbytes, xbytes, total_bytes;
+ char *tmp_buf;
++
++/* Ensure that tbytes and xbytes*num_states cannot overflow, and that
++ * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
++if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))
++  return REG_BADPAT;
++
++/* Likewise check rbytes. */
++if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
++  return REG_BADPAT;
++
++/* Likewise check pbytes. */
++if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
++  return REG_BADPAT;
++
+ /* Compute the length of the block we need. */
+ tbytes = sizeof(*tmp_tags) * num_tags;
+ rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
+@@ -168,11 +182,11 @@
+ #ifdef TRE_USE_ALLOCA
+ buf = alloca(total_bytes);
+ #else /* !TRE_USE_ALLOCA */
+-buf = xmalloc((unsigned)total_bytes);
++buf = xmalloc(total_bytes);
+ #endif /* !TRE_USE_ALLOCA */
+ if (buf == NULL)
+   return REG_ESPACE;
+-memset(buf, 0, (size_t)total_bytes);
++memset(buf, 0, total_bytes);
+ 
+ /* Get the various pointers within tmp_buf (properly aligned). */
+ tmp_tags = (void *)buf;
diff -Nru tre-0.8.0/debian/patches/series tre-0.8.0/debian/patches/series
--- tre-0.8.0/debian/patches/series 2014-04-29 12:00:00.0 +0200
+++ tre-0.8.0/debian/patches/series