Vulnerable packages in ports 20/03/2016


Sevan Janiyan-3
net/quagga - CVE-2016-2342
devel/pcre - CVE-2016-3191


Sevan

Re: Vulnerable packages in ports 20/03/2016

Michael McConville-3
Sevan Janiyan wrote:
> net/quagga - CVE-2016-2342
> devel/pcre - CVE-2016-3191

Looks like PCRE 8.39 isn't being mirrored yet. Should we patch manually?
That looks like a pretty serious vulnerability:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191

Re: Vulnerable packages in ports 20/03/2016

Sevan Janiyan-3


On 21/03/2016 02:46, Michael McConville wrote:
> Looks like PCRE 8.39 isn't being mirrored yet. Should we patch manually?
> That looks like a pretty serious vulnerability:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191

Hi Michael,
Ideally, it'll probably bring a revision bump for a plethora of packages
as they pull in pcre as well.


Sevan

Re: Vulnerable packages in ports 20/03/2016

Christian Weisgerber
On 2016-03-21, Sevan Janiyan <[hidden email]> wrote:

> it'll probably bring a revision bump for a plethora of packages
> as they pull in pcre as well.

Presumably they use the shared library?

--
Christian "naddy" Weisgerber                          [hidden email]

Re: Vulnerable packages in ports 20/03/2016

Sevan / Venture37-2


> On 21 Mar 2016, at 16:36, Christian Weisgerber <[hidden email]> wrote:
>
> Presumably they use the shared library?

Correct.

Sevan

Re: Vulnerable packages in ports 20/03/2016

Christian Weisgerber
On 2016-03-22, Sevan / Venture37 <[hidden email]> wrote:

>> Presumably they use the shared library?
>
> Correct.

Then they don't need a revision bump.

--
Christian "naddy" Weisgerber                          [hidden email]

pcre CVE-2016-3191 (was: Re: Vulnerable packages in ports 20/03/2016)

Jeremie Courreges-Anglas-2
In reply to this post by Sevan Janiyan-3
Sevan Janiyan <[hidden email]> writes:

> net/quagga - CVE-2016-2342

An update has been committed today, but I doubt that OpenBSD users would
be affected.

> devel/pcre - CVE-2016-3191

Blindly copy/pasted from upstream's repo.

Index: Makefile
===================================================================
RCS file: /cvs/ports/devel/pcre/Makefile,v
retrieving revision 1.61
diff -u -p -r1.61 Makefile
--- Makefile 11 Mar 2016 20:28:24 -0000 1.61
+++ Makefile 22 Mar 2016 19:45:47 -0000
@@ -3,6 +3,7 @@
 COMMENT= perl-compatible regular expression library
 
 DISTNAME= pcre-8.38
+REVISION= 0
 
 SHARED_LIBS +=  pcre                 3.0      # 0.1
 SHARED_LIBS +=  pcre16               0.0      # 0.0
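Review bot: REVISION= 0 is the right lever for this hunk: it forces a rebuild of the pcre package itself while leaving the SHARED_LIBS versions alone, and because the accompanying patches only append ERR87 before ERRCOUNT and append one string to the end of error_texts, the shared library's ABI is unchanged and ports that link libpcre dynamically need no bump of their own, which is consistent with naddy's point upthread.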
Index: patches/patch-pcre_compile_c
===================================================================
RCS file: patches/patch-pcre_compile_c
diff -N patches/patch-pcre_compile_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-pcre_compile_c 22 Mar 2016 19:45:47 -0000
@@ -0,0 +1,59 @@
+$OpenBSD$
+
+CVE-2016-3191
+
+  Upstream commit: http://vcs.pcre.org/pcre?view=revision&revision=1631
+
+--- pcre_compile.c.orig Tue Mar 22 20:27:48 2016
++++ pcre_compile.c Tue Mar 22 20:39:59 2016
+@@ -6,7 +6,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+
+                        Written by Philip Hazel
+-           Copyright (c) 1997-2014 University of Cambridge
++           Copyright (c) 1997-2016 University of Cambridge
+
+ -----------------------------------------------------------------------------
+ Redistribution and use in source and binary forms, with or without
+@@ -560,6 +560,7 @@ static const char error_texts[] =
+   /* 85 */
+   "parentheses are too deeply nested (stack check)\0"
+   "digits missing in \\x{} or \\o{}\0"
++  "regular expression is too complicated\0"
+   ;
+
+ /* Table to identify digits and hex digits. This is used when compiling
+@@ -4591,7 +4592,8 @@ for (;; ptr++)
+     if (code > cd->start_workspace + cd->workspace_size -
+         WORK_SIZE_SAFETY_MARGIN)                       /* Check for overrun */
+       {
+-      *errorcodeptr = ERR52;
++      *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)?
++       ERR52 : ERR87;
+       goto FAILED;
+       }
+
+@@ -6604,8 +6606,21 @@ for (;; ptr++)
+             cd->had_accept = TRUE;
+             for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+               {
+-              *code++ = OP_CLOSE;
+-              PUT2INC(code, 0, oc->number);
++              if (lengthptr != NULL)
++                {
++#ifdef COMPILE_PCRE8
++                *lengthptr += 1 + IMM2_SIZE;
++#elif defined COMPILE_PCRE16
++                *lengthptr += 2 + IMM2_SIZE;
++#elif defined COMPILE_PCRE32
++                *lengthptr += 4 + IMM2_SIZE;
++#endif
++                }
++              else
++                {
++                *code++ = OP_CLOSE;
++                PUT2INC(code, 0, oc->number);
++                }
+               }
+             setverb = *code++ =
+               (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
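Review bot: The substantive fix is the lengthptr branch in the 6604 hunk: before it, the measuring pass (lengthptr != NULL) fell through to `*code++ = OP_CLOSE; PUT2INC(code, 0, oc->number);` and wrote one OP_CLOSE per open capture group into the fixed-size workspace, while the overrun check near 4591 runs once per pattern item rather than once per write, so a single (*ACCEPT) nested in enough groups could write past the margin. The new code only adds 1, 2 or 4 code units plus IMM2_SIZE per open group (depending on the code-unit width) to *lengthptr in the measuring pass and emits the opcodes only in the second pass, so the workspace is never touched for this construct. The ERR52/ERR87 change at 4591 is a separate refinement that reports "regular expression is too complicated" when the safety margin is reached instead of the generic workspace-overrun error; it depends on the ERR87 enum addition in patch-pcre_internal_h, so the two patch files must land together. The copyright-year hunk is cosmetic and could be dropped, but keeping the file verbatim from upstream r1631 makes the next update diff-clean, and the `$OpenBSD$` keyword line is the expected port-patch header.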
Index: patches/patch-pcre_internal_h
===================================================================
RCS file: patches/patch-pcre_internal_h
diff -N patches/patch-pcre_internal_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-pcre_internal_h 22 Mar 2016 19:45:47 -0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+CVE-2016-3191
+
+  Upstream commit: http://vcs.pcre.org/pcre?view=revision&revision=1631
+
+--- pcre_internal.h.orig Tue Mar 22 20:28:40 2016
++++ pcre_internal.h Tue Mar 22 20:30:29 2016
+@@ -7,7 +7,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+
+                        Written by Philip Hazel
+-           Copyright (c) 1997-2014 University of Cambridge
++           Copyright (c) 1997-2016 University of Cambridge
+
+ -----------------------------------------------------------------------------
+ Redistribution and use in source and binary forms, with or without
+@@ -2289,7 +2289,7 @@ enum { ERR0,  ERR1,  ERR2,  ERR3,  ERR4,  ERR5,  ERR6,
+        ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59,
+        ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69,
+        ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79,
+-       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERRCOUNT };
++       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERRCOUNT };
+
+ /* JIT compiling modes. The function list is indexed by them. */
+
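Review bot: ERR87 is appended immediately before ERRCOUNT, so every existing ERRn keeps its value and the pre-existing error_texts strings stay aligned with their indices; this hunk is a required companion of the error_texts and eint[] additions in the other two patch files, since both of those tables are indexed by this enum. As with the other files, the copyright-line hunk is cosmetic and could be omitted if you prefer a minimal port patch.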
Index: patches/patch-pcreposix_c
===================================================================
RCS file: patches/patch-pcreposix_c
diff -N patches/patch-pcreposix_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-pcreposix_c 22 Mar 2016 19:45:47 -0000
@@ -0,0 +1,27 @@
+$OpenBSD$
+
+CVE-2016-3191
+
+  Upstream commit: http://vcs.pcre.org/pcre?view=revision&revision=1631
+
+--- pcreposix.c.orig Tue Mar 22 20:27:39 2016
++++ pcreposix.c Tue Mar 22 20:27:55 2016
+@@ -6,7 +6,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+
+                        Written by Philip Hazel
+-           Copyright (c) 1997-2014 University of Cambridge
++           Copyright (c) 1997-2016 University of Cambridge
+
+ -----------------------------------------------------------------------------
+ Redistribution and use in source and binary forms, with or without
+@@ -173,7 +173,8 @@ static const int eint[] = {
+   REG_BADPAT,  /* group name must start with a non-digit */
+   /* 85 */
+   REG_BADPAT,  /* parentheses too deeply nested (stack check) */
+-  REG_BADPAT   /* missing digits in \x{} or \o{} */
++  REG_BADPAT,   /* missing digits in \x{} or \o{} */
++  REG_BADPAT   /* pattern too complicated */
+ };
+
+ /* Table of texts corresponding to POSIX error codes */
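Review bot: The eint[] addition keeps the POSIX wrapper's table in step with ERR87, so regcomp() maps the new compile error to REG_BADPAT explicitly rather than depending on how pcreposix.c treats error codes beyond the end of the table. Minor style nit: the modified `REG_BADPAT,   /* missing digits in \x{} or \o{} */` line has an extra space after the comma compared with its neighbours; harmless, and it mirrors upstream r1631, so leaving it as-is keeps the patch verbatim.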


--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
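To make the shape of the fix concrete for readers of this thread, here is an added toy in C that is not PCRE's code and not part of Jeremie's diff: a two-pass "branch compiler" in the style of compile_branch(), where pass 1 (lengthptr != NULL) only measures and pass 2 (lengthptr == NULL) writes. The opcode values, IMM2_SIZE, MAX_GROUPS and every function name are constructed for the illustration. The `fixed` flag switches between the pre-fix behaviour, where the measuring pass never accounts for the OP_CLOSE items that (*ACCEPT) emits for each still-open capture group, and the post-fix behaviour, where it adds 1 + IMM2_SIZE per group and defers the writes to the second pass:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed opcode values and sizes; the real ones live in pcre_internal.h. */
#define OP_CLOSE     0x01
#define OP_ACCEPT    0x02
#define IMM2_SIZE    2                 /* a 2-byte group number follows OP_CLOSE */
#define MAX_GROUPS   64                /* upper bound for this demo only */
#define SCRATCH_SIZE (MAX_GROUPS * (1 + IMM2_SIZE) + 1)

/*
 * One (*ACCEPT) in the style of compile_branch(): when lengthptr is non-NULL
 * we are in the measuring pass and must only add to *lengthptr; when it is
 * NULL we are in the emitting pass and write into code[].  Returns the number
 * of bytes written (always 0 in the measuring pass).  `fixed` selects whether
 * the measuring pass accounts for the OP_CLOSE emitted per open capture group.
 */
static size_t compile_accept(uint8_t *code, size_t *lengthptr,
                             int open_groups, bool fixed)
{
    size_t n = 0;
    for (int g = 1; g <= open_groups; g++) {
        if (lengthptr != NULL) {
            if (fixed)
                *lengthptr += 1 + IMM2_SIZE;   /* post-fix: counted, not written */
            /* pre-fix: nothing is counted here although pass 2 still writes */
        } else {
            code[n++] = OP_CLOSE;              /* pass 2: emit OP_CLOSE + group no. */
            code[n++] = (uint8_t)(g >> 8);
            code[n++] = (uint8_t)(g & 0xff);
        }
    }
    if (lengthptr != NULL) *lengthptr += 1;    /* the (*ACCEPT) opcode itself */
    else code[n++] = OP_ACCEPT;
    return n;
}

/* Pass 1: how many bytes does the measuring pass claim the output needs? */
size_t measured_length(int open_groups, bool fixed)
{
    size_t length = 0;
    compile_accept(NULL, &length, open_groups, fixed);
    return length;
}

/* Pass 2, into a scratch buffer large enough for any input this demo accepts:
   how many bytes are really emitted? */
size_t emitted_length(int open_groups)
{
    uint8_t scratch[SCRATCH_SIZE];
    if (open_groups < 0 || open_groups > MAX_GROUPS) return 0;
    return compile_accept(scratch, NULL, open_groups, false);
}

/* True when a buffer sized from pass 1 would hold everything pass 2 writes;
   false is the mismatch that lets the second pass run off the end. */
bool buffer_sized_correctly(int open_groups, bool fixed)
{
    if (open_groups < 0 || open_groups > MAX_GROUPS) return false;
    return measured_length(open_groups, fixed) >= emitted_length(open_groups);
}

int main(void)
{
    for (int groups = 0; groups <= 3; groups++) {
        printf("open groups=%d measured(pre-fix)=%zu measured(fixed)=%zu emitted=%zu\n",
               groups, measured_length(groups, false),
               measured_length(groups, true), emitted_length(groups));
    }
    return 0;
}
```

The point of the toy is the invariant the upstream change restores: whatever the emitting pass writes, the measuring pass must have counted, and the measuring pass must never write at all. With three open groups the pre-fix measurement claims 1 byte while 10 are emitted; with the fix both passes agree on 10.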

Re: pcre CVE-2016-3191

Sevan Janiyan-3


On 22/03/2016 19:52, Jeremie Courreges-Anglas wrote:
>> > devel/pcre - CVE-2016-3191
> Blindly copy/pasted from upstream's repo.

Seems to be a patch adopted elsewhere as well.
While we're here, pcre also appears to be missing a patch for CVE-2016-1283
http://vcs.pcre.org/pcre?view=revision&revision=1636


Sevan