1 Patch from upstream: |
|
2 http://vcs.pcre.org/pcre?view=revision&revision=1566 |
|
3 to fix CVE-2015-3217 for this upstream bug |
|
4 https://bugs.exim.org/show_bug.cgi?id=1638 |
|
5 |
|
6 This patch may be removed when pcre is upgraded from version 8.37 |
|
7 |
|
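--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,10 @@ Changes since Version 8.37
 another group caused a buffer overflow. For example:
 /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
 
+5. If a non-capturing group containing a conditional group that could match
+ an empty string was repeated, it was not identified as matching an empty
+ string itself. For example: /^(?:(?(1)x|)+)+$()/.
+
 
 Version 8.37 28-April-2015
 --------------------------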
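--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -2487,7 +2487,7 @@ for (code = first_significant_code(code
 if (c == OP_BRA || c == OP_BRAPOS ||
 c == OP_CBRA || c == OP_CBRAPOS ||
 c == OP_ONCE || c == OP_ONCE_NC ||
- c == OP_COND)
+ c == OP_COND || c == OP_SCOND)
 {
 BOOL empty_branch;
 if (GET(code, 1) == 0) return TRUE; /* Hit unclosed bracket */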
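Review bot: The opcode list in this condition is maintained by hand, and nothing on the new line records why `OP_SCOND` has to be in it, although its omission is what the ChangeLog entry describes as a repeated group not being identified as matching an empty string. A comment above the test, such as `/* OP_SCOND: a conditional group marked as possibly empty must still have its branches scanned here (CVE-2015-3217) */`, would keep the opcode from being dropped again in a later cleanup. The block opened by this `if` continues outside the hunk, so any later check in it that names only `OP_COND` should be confirmed to behave correctly for `OP_SCOND` too. How the other S-prefixed bracket opcodes are treated is not visible here and is worth checking against the same class of pattern.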
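--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4168,4 +4168,6 @@ backtracking verbs. --/
 
 "(?J)(?'d'(?'d'\g{d}))"
 
+/^(?:(?(1)x|)+)+$()/BZ
+
 /-- End of testinput2 --/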
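Review bot: The added case has no subject line, so the regression test only pins the compiled form printed by `/BZ` (the `SBra`/`SCond` listing added to testoutput2) and never runs the matcher on this pattern. Since the ChangeLog entry describes a group that was not identified as matching an empty string, a data line under the pattern, with its expected result added to testoutput2, would also confirm that matching completes normally. The expected output should be generated by running pcretest on the patched build rather than written by hand.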
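--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14456,4 +14456,22 @@ Failed: reference to non-existent subpat
 
 "(?J)(?'d'(?'d'\g{d}))"
 
+/^(?:(?(1)x|)+)+$()/BZ
+------------------------------------------------------------------
+ Bra
+ ^
+ SBra
+ SCond
+ 1 Cond ref
+ x
+ Alt
+ KetRmax
+ KetRmax
+ $
+ CBra 1
+ Ket
+ Ket
+ End
+------------------------------------------------------------------
+
 /-- End of testinput2 --/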