Comment 37 for bug 20215

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 15:20:46 +0200
From: Sven Mueller <email address hidden>
To: Stefan Fritsch <email address hidden>, <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491

--------------enigB3732CC888BA43FFB30E0C94
Content-Type: multipart/mixed;
 boundary="------------010908040407040509020704"

This is a multi-part message in MIME format.
--------------010908040407040509020704
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Stefan Fritsch wrote on 23/08/2005 23:15:
>>Patch extracted from difference between upstream versions 6.0 and
>>6.1, modified to patch version 4.5. Patch is attached.
>
> While the issue corresponding to your patch should be fixed as well,
> this is not the patch for CAN-2005-2491. The securitytracker page
> states that 6.1 and prior versions are vulnerable. One needs to look
> at the differences between 6.1 and 6.2. The relevant changes are a
> bit larger.

Alright, this time I am attaching the correct patches (source patches only, no
Debian changelog entry) for all three versions of libpcre3 currently in
the archive (3.4, 4.5, 5.0). I could prepare an NMU, but as I
am not a DD, I would need a sponsor for that (plus I don't really know how
to do the security NMU to stable/oldstable anyhow - yet).

cu,
sven

--------------010908040407040509020704
Content-Type: text/plain;
 name="pcre3-4.5-CAN2005-2491.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="pcre3-4.5-CAN2005-2491.diff"

diff -ur pcre3-4.5.orig/pcre.c pcre3-4.5/pcre.c
--- pcre3-4.5.orig/pcre.c 2003-12-10 17:45:44.000000000 +0100
+++ pcre3-4.5/pcre.c 2005-08-24 15:09:17.265537494 +0200
@@ -1047,7 +1047,18 @@
 int min = 0;
 int max = -1;

+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */

 if (*p == '}') max = min; else
   {
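Review bot: The range test added after the `min` loop runs only once every digit has been consumed, so `min = min * 10 + *p++ - '0'` may already have overflowed a signed int by then. That overflow is undefined behaviour in C, and where it wraps, the result is not guaranteed to be negative or above 65535, so `min < 0 || min > 65535` cannot be relied on to catch it. Bounding the value inside the loop, as sketched below, rejects the quantifier as soon as it exceeds 65535 and makes the `< 0` test unnecessary. The same applies to the `max` loop in the next hunk and to the matching hunks of the 5.0 and 3.4 patches (3.4 reads `cd->ctypes` instead of `digitab`). The enclosing function starts and ends outside this hunk.

```c
while ((digitab[*p] & ctype_digit) != 0)
  {
  min = min * 10 + *p++ - '0';
  if (min > 65535)   /* stop before the accumulator can overflow */
    {
    *errorptr = ERR5;
    return p;
    }
  }
```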
@@ -1055,6 +1066,11 @@
     {
     max = 0;
     while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+ if (max < 0 || max > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
     if (max < min)
       {
       *errorptr = ERR4;
@@ -1063,16 +1079,11 @@
     }
   }

-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */

-if (min > 65535 || max > 65535)
- *errorptr = ERR5;
-else
- {
- *minp = min;
- *maxp = max;
- }
+*minp = min;
+*maxp = max;
 return p;
 }

--------------010908040407040509020704
Content-Type: text/plain;
 name="pcre3-5.0-CAN2005-2491.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="pcre3-5.0-CAN2005-2491.diff"

diff -ur pcre3-5.0.orig/pcre.c pcre3-5.0/pcre.c
--- pcre3-5.0.orig/pcre.c 2004-09-13 16:20:00.000000000 +0200
+++ pcre3-5.0/pcre.c 2005-08-24 15:10:28.346633583 +0200
@@ -1245,7 +1245,18 @@
 int min = 0;
 int max = -1;

+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */

 if (*p == '}') max = min; else
   {
@@ -1253,6 +1264,11 @@
     {
     max = 0;
     while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+ if (max < 0 || max > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
     if (max < min)
       {
       *errorptr = ERR4;
@@ -1261,16 +1277,11 @@
     }
   }

-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */

-if (min > 65535 || max > 65535)
- *errorptr = ERR5;
-else
- {
- *minp = min;
- *maxp = max;
- }
+*minp = min;
+*maxp = max;
 return p;
 }

Only in pcre3-5.0: pcre.c.orig

--------------010908040407040509020704
Content-Type: text/plain;
 name="pcre3-3.4-CAN2005-2491.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="pcre3-3.4-CAN2005-2491.diff"

diff -ur pcre3-3.4.orig/pcre.c pcre3-3.4/pcre.c
--- pcre3-3.4.orig/pcre.c 2000-08-22 11:05:43.000000000 +0200
+++ pcre3-3.4/pcre.c 2005-08-24 15:16:05.140911310 +0200
@@ -711,7 +711,18 @@
 int min = 0;
 int max = -1;

+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */

 if (*p == '}') max = min; else
   {
@@ -719,6 +730,11 @@
     {
     max = 0;
     while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+ if (max < 0 || max > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
     if (max < min)
       {
       *errorptr = ERR4;
@@ -727,16 +743,11 @@
     }
   }

-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */

-if (min > 65535 || max > 65535)
- *errorptr = ERR5;
-else
- {
- *minp = min;
- *maxp = max;
- }
+*minp = min;
+*maxp = max;
 return p;
 }

--------------010908040407040509020704--

--------------enigB3732CC888BA43FFB30E0C94
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Cygwin)

iD8DBQFDDHQuDcs5RBTUBgsRAinlAKCxbmDCjNbn2gThwf8fHSnVpqFMWACgoW5o
wXmMFoH3IvVwb5ds8DUkoDI=
=PpEo
-----END PGP SIGNATURE-----

--------------enigB3732CC888BA43FFB30E0C94--