From 753a2937f663d6e7dc630319ae903dc595b0ddd9 Mon Sep 17 00:00:00 2001
From: Baruch Siach
Date: Sat, 13 Dec 2014 20:34:04 +0200
Subject: [PATCH] pcre: add a patch fixing CVE-2014-8964
Patch taken from the Debian package.
Signed-off-by: Baruch Siach
Signed-off-by: Peter Korsgaard
---
package/pcre/0003-fix-CVE-2014-8964.patch | 25 +++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 package/pcre/0003-fix-CVE-2014-8964.patch
diff --git a/package/pcre/0003-fix-CVE-2014-8964.patch b/package/pcre/0003-fix-CVE-2014-8964.patch
new file mode 100644
index 0000000000..bfc586034e
--- /dev/null
+++ b/package/pcre/0003-fix-CVE-2014-8964.patch
@@ -0,0 +1,25 @@
+Description: CVE-2014-8964, heap buffer overflow
+ Heap buffer overflow if an assertion with a zero minimum repeat is used as
+ the condition in a conditional group.
+Origin: upstream http://bugs.exim.org/show_bug.cgi?id=1546
+Bug: http://bugs.exim.org/show_bug.cgi?id=1546
+Applied-Upstream: Yes, after 8.36
+
+Signed-off-by: Baruch Siach
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/pcre_exec.c
++++ b/pcre_exec.c
+@@ -1404,8 +1404,11 @@
+ condition = TRUE;
+
+ /* Advance ecode past the assertion to the start of the first branch,
+- but adjust it so that the general choosing code below works. */
++ but adjust it so that the general choosing code below works. If the
++ assertion has a quantifier that allows zero repeats we must skip over
++ the BRAZERO. This is a lunatic thing to do, but somebody did! */
+
++ if (*ecode == OP_BRAZERO) ecode++;
+ ecode += GET(ecode, 1);
+ while (*ecode == OP_ALT) ecode += GET(ecode, 1);
+ ecode += 1 + LINK_SIZE - PRIV(OP_lengths)[condcode];
--
2.30.2
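Review bot: The DEP-3 header of the added patch file gives only the bug-tracker URL in `Origin:` and `Bug:`, and the commit message says the patch was taken from the Debian package without naming the Debian package version or the upstream revision, so the backport cannot be checked against its source from this file alone. Recording the provenance in the header, for example `Origin: upstream, <URL of the upstream revision>` together with a line naming the Debian package version it was copied from (both are placeholders, the page gives neither), would let a later auditor confirm that the fix is complete and unmodified. Because the header states `Applied-Upstream: Yes, after 8.36`, the commit message should also say that the patch is to be dropped once pcre is bumped past 8.36, otherwise it will either fail to apply or be carried silently. The added guard `if (*ecode == OP_BRAZERO) ecode++;` sits inside a function of pcre_exec.c that starts and ends outside the inner hunk, so whether any other zero-repeat opcode can reach this point cannot be judged from the visible lines.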