diff -Nru pcre3-8.35/debian/changelog pcre3-8.35/debian/changelog
--- pcre3-8.35/debian/changelog 2015-07-09 22:40:21.000000000 +0900
+++ pcre3-8.35/debian/changelog 2015-07-21 15:48:16.000000000 +0900
@@ -1,3 +1,28 @@
+pcre3 (2:8.35-7ubuntu2) wily; urgency=low
+
+ * SECURITY UPDATE: PCRE Library Heap Overflow Vulnerability
+ - debian/patches/cve-2015-2325.patch: change some variables
+ pointer to integer, and related contents. Based on upstream patch
+ - CVE-2015-2325
+
+ * SECURITY UPDATE: PCRE Library Heap overflow Vulnerability II
+ - debian/patches/cve-2015-2326.patch: take save_hwm_offset out
+ from adjust_recurse. Based on upstream patch
+ - CVE-2015-2326
+
+ * SECURITY UPDATE: PCRE Library Heap Overflow Vulnerability
+ - debian/patches/cve-2015-3210.patch: change checking if
+ oc->number == recno code, Based on upstream patch
+ - CVE-2015-3210
+
+ * SECURITY UPDATE: PCRE Library Heap Overflow Vulnerability in
+ find_fixedlength()
+ - debian/patches/cve-2015-5073.patch: missing test code
+ Based on upstream patch
+ - CVE-2015-5073
+
+ -- Seyeong Kim Tue, 21 Jul 2015 15:42:03 +0900
+
 pcre3 (2:8.35-7ubuntu1) wily; urgency=low
 
 * Merge with Debian unstable, remaining changes:
diff -Nru pcre3-8.35/debian/patches/cve-2015-2325.patch pcre3-8.35/debian/patches/cve-2015-2325.patch
--- pcre3-8.35/debian/patches/cve-2015-2325.patch 1970-01-01 09:00:00.000000000 +0900
+++ pcre3-8.35/debian/patches/cve-2015-2325.patch 2015-07-21 15:40:07.000000000 +0900
@@ -0,0 +1,388 @@
+Description: PCRE Library Heap Overflow Vulnerability
+ PCRE library is prone to a heap overflow vulnerability. Due to insufficient
+ bounds checking inside compile_branch(), the heap memory could be overflowed
+ via a crafted regular expression. Since PCRE library is widely used, this
+ vulnerability should affect many applications using it. An attacker may exploit
+ this issue to execute arbitrary code in the context of the user running the
+ affected application.
+Author: Philip Hazel
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1495
+ http://vcs.pcre.org/pcre?view=revision&revision=1528
+Bug: https://bugs.exim.org/show_bug.cgi?id=1591
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2015-2325
+Last-Update: 2015-02-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: pcre3-8.35/pcre_compile.c
+===================================================================
+--- pcre3-8.35.orig/pcre_compile.c
++++ pcre3-8.35/pcre_compile.c
+@@ -549,6 +549,7 @@ static const char error_texts[] =
+ "group name must start with a non-digit\0"
+ /* 85 */
+ "parentheses are too deeply nested (stack check)\0"
++ "digits missing in \\x{} or \\o{}\0"
+ ;
+ 
+ /* Table to identify digits and hex digits. This is used when compiling
+@@ -3936,14 +3937,14 @@ Arguments:
+ adjust the amount by which the group is to be moved
+ utf TRUE in UTF-8 / UTF-16 / UTF-32 mode
+ cd contains pointers to tables etc.
+- save_hwm the hwm forward reference pointer at the start of the group
++ save_hwm_offset the hwm forward reference offset at the start of the group
+ 
+ Returns: nothing
+ */
+ 
+ static void
+ adjust_recurse(pcre_uchar *group, int adjust, BOOL utf, compile_data *cd,
+- pcre_uchar *save_hwm)
++ size_t save_hwm_offset)
+ {
+ pcre_uchar *ptr = group;
+ 
+@@ -3955,7 +3956,8 @@ while ((ptr = (pcre_uchar *)find_recurse
+ /* See if this recursion is on the forward reference list. If so, adjust the
+ reference. */
+ 
+- for (hc = save_hwm; hc < cd->hwm; hc += LINK_SIZE)
++ for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset; hc < cd->hwm;
++ hc += LINK_SIZE)
+ {
+ offset = (int)GET(hc, 0);
+ if (cd->start_code + offset == ptr + 1)
+@@ -4400,7 +4402,7 @@ const pcre_uchar *tempptr;
+ const pcre_uchar *nestptr = NULL;
+ pcre_uchar *previous = NULL;
+ pcre_uchar *previous_callout = NULL;
+-pcre_uchar *save_hwm = NULL;
++size_t save_hwm_offset = 0;
+ pcre_uint8 classbits[32];
+ 
+ /* We can fish out the UTF-8 setting once and for all into a BOOL, but we
+@@ -5912,7 +5914,7 @@ for (;; ptr++)
+ if (repeat_max <= 1) /* Covers 0, 1, and unlimited */
+ {
+ *code = OP_END;
+- adjust_recurse(previous, 1, utf, cd, save_hwm);
++ adjust_recurse(previous, 1, utf, cd, save_hwm_offset);
+ memmove(previous + 1, previous, IN_UCHARS(len));
+ code++;
+ if (repeat_max == 0)
+@@ -5936,7 +5938,7 @@ for (;; ptr++)
+ {
+ int offset;
+ *code = OP_END;
+- adjust_recurse(previous, 2 + LINK_SIZE, utf, cd, save_hwm);
++ adjust_recurse(previous, 2 + LINK_SIZE, utf, cd, save_hwm_offset);
+ memmove(previous + 2 + LINK_SIZE, previous, IN_UCHARS(len));
+ code += 2 + LINK_SIZE;
+ *previous++ = OP_BRAZERO + repeat_type;
+@@ -5999,26 +6001,25 @@ for (;; ptr++)
+ for (i = 1; i < repeat_min; i++)
+ {
+ pcre_uchar *hc;
+- pcre_uchar *this_hwm = cd->hwm;
++ size_t this_hwm_offset = cd->hwm - cd->start_workspace;
+ memcpy(code, previous, IN_UCHARS(len));
+ 
+ while (cd->hwm > cd->start_workspace + cd->workspace_size -
+- WORK_SIZE_SAFETY_MARGIN - (this_hwm - save_hwm))
++ WORK_SIZE_SAFETY_MARGIN -
++ (this_hwm_offset - save_hwm_offset))
+ {
+- int save_offset = save_hwm - cd->start_workspace;
+- int this_offset = this_hwm - cd->start_workspace;
+ *errorcodeptr = expand_workspace(cd);
+ if (*errorcodeptr != 0) goto FAILED;
+- save_hwm = (pcre_uchar *)cd->start_workspace + save_offset;
+- this_hwm = (pcre_uchar *)cd->start_workspace + this_offset;
+ }
+ 
+- for (hc = save_hwm; hc < this_hwm; hc += LINK_SIZE)
++ for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset;
++ hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset;
++ hc += LINK_SIZE)
+ {
+ PUT(cd->hwm, 0, GET(hc, 0) + len);
+ cd->hwm += LINK_SIZE;
+ }
+- save_hwm = this_hwm;
++ save_hwm_offset = this_hwm_offset;
+ code += len;
+ }
+ }
+@@ -6063,7 +6064,7 @@ for (;; ptr++)
+ else for (i = repeat_max - 1; i >= 0; i--)
+ {
+ pcre_uchar *hc;
+- pcre_uchar *this_hwm = cd->hwm;
++ size_t this_hwm_offset = cd->hwm - cd->start_workspace;
+ 
+ *code++ = OP_BRAZERO + repeat_type;
+ 
+@@ -6085,22 +6086,21 @@ for (;; ptr++)
+ copying them. */
+ 
+ while (cd->hwm > cd->start_workspace + cd->workspace_size -
+- WORK_SIZE_SAFETY_MARGIN - (this_hwm - save_hwm))
++ WORK_SIZE_SAFETY_MARGIN -
++ (this_hwm_offset - save_hwm_offset))
+ {
+- int save_offset = save_hwm - cd->start_workspace;
+- int this_offset = this_hwm - cd->start_workspace;
+ *errorcodeptr = expand_workspace(cd);
+ if (*errorcodeptr != 0) goto FAILED;
+- save_hwm = (pcre_uchar *)cd->start_workspace + save_offset;
+- this_hwm = (pcre_uchar *)cd->start_workspace + this_offset;
+ }
+ 
+- for (hc = save_hwm; hc < this_hwm; hc += LINK_SIZE)
++ for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset;
++ hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset;
++ hc += LINK_SIZE)
+ {
+ PUT(cd->hwm, 0, GET(hc, 0) + len + ((i != 0)? 2+LINK_SIZE : 1));
+ cd->hwm += LINK_SIZE;
+ }
+- save_hwm = this_hwm;
++ save_hwm_offset = this_hwm_offset;
+ code += len;
+ }
+ 
+@@ -6196,7 +6196,7 @@ for (;; ptr++)
+ {
+ int nlen = (int)(code - bracode);
+ *code = OP_END;
+- adjust_recurse(bracode, 1 + LINK_SIZE, utf, cd, save_hwm);
++ adjust_recurse(bracode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
+ memmove(bracode + 1 + LINK_SIZE, bracode, IN_UCHARS(nlen));
+ code += 1 + LINK_SIZE;
+ nlen += 1 + LINK_SIZE;
+@@ -6330,7 +6330,7 @@ for (;; ptr++)
+ else
+ {
+ *code = OP_END;
+- adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm);
++ adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
+ memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
+ code += 1 + LINK_SIZE;
+ len += 1 + LINK_SIZE;
+@@ -6379,7 +6379,7 @@ for (;; ptr++)
+ 
+ default:
+ *code = OP_END;
+- adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm);
++ adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
+ memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
+ code += 1 + LINK_SIZE;
+ len += 1 + LINK_SIZE;
+@@ -6411,7 +6411,7 @@ for (;; ptr++)
+ newoptions = options;
+ skipbytes = 0;
+ bravalue = OP_CBRA;
+- save_hwm = cd->hwm;
++ save_hwm_offset = cd->hwm - cd->start_workspace;
+ reset_bracount = FALSE;
+ 
+ /* First deal with various "verbs" that can be introduced by '*'. */
+@@ -7704,7 +7704,7 @@ for (;; ptr++)
+ const pcre_uchar *p;
+ pcre_uint32 cf;
+ 
+- save_hwm = cd->hwm; /* Normally this is set when '(' is read */
++ save_hwm_offset = cd->hwm - cd->start_workspace; /* Normally this is set when '(' is read */
+ terminator = (*(++ptr) == CHAR_LESS_THAN_SIGN)?
+ CHAR_GREATER_THAN_SIGN : CHAR_APOSTROPHE;
+ 
+@@ -8241,12 +8241,16 @@ for (;;)
+ 
+ /* If it was a capturing subpattern, check to see if it contained any
+ recursive back references. If so, we must wrap it in atomic brackets.
+- In any event, remove the block from the chain. */
++ Because we are moving code along, we must ensure that any pending recursive
++ references are updated. In any event, remove the block from the chain. */
+ 
+ if (capnumber > 0)
+ {
+ if (cd->open_caps->flag)
+ {
++ *code = OP_END;
++ adjust_recurse(start_bracket, 1 + LINK_SIZE,
++ (options & PCRE_UTF8) != 0, cd, cd->hwm - cd->start_workspace);
+ memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
+ IN_UCHARS(code - start_bracket));
+ *start_bracket = OP_ONCE;
+Index: pcre3-8.35/testdata/testinput11
+===================================================================
+--- pcre3-8.35.orig/testdata/testinput11
++++ pcre3-8.35/testdata/testinput11
+@@ -132,4 +132,6 @@ is required for these tests. --/
+ 
+ /abc(d|e)(*THEN)x(123(*THEN)4|567(b|q)(*THEN)xx)/B
+ 
++/(((a\2)|(a*)\g<-1>))*a?/B
++
+ /-- End of testinput11 --/
+Index: pcre3-8.35/testdata/testinput2
+===================================================================
+--- pcre3-8.35.orig/testdata/testinput2
++++ pcre3-8.35/testdata/testinput2
+@@ -4035,6 +4035,8 @@ backtracking verbs. --/
+ 
+ /(?(R&6yh)abc)/
+ 
++/(((a\2)|(a*)\g<-1>))*a?/BZ
++
+ /-- Test the ugly "start or end of word" compatibility syntax --/
+ 
+ /[[:<:]]red[[:>:]]/BZ
+@@ -4062,4 +4064,6 @@ backtracking verbs. --/
+ 
+ /(((((a)))))/Q
+ 
++"((?2){0,1999}())?"
++
+ /-- End of testinput2 --/
+Index: pcre3-8.35/testdata/testoutput11-16
+===================================================================
+--- pcre3-8.35.orig/testdata/testoutput11-16
++++ pcre3-8.35/testdata/testoutput11-16
+@@ -709,4 +709,28 @@ Memory allocation (code space): 14
+ 62 End
+ ------------------------------------------------------------------
+ 
++/(((a\2)|(a*)\g<-1>))*a?/B
++------------------------------------------------------------------
++ 0 39 Bra
++ 2 Brazero
++ 3 32 SCBra 1
++ 6 27 Once
++ 8 12 CBra 2
++ 11 7 CBra 3
++ 14 a
++ 16 \2
++ 18 7 Ket
++ 20 11 Alt
++ 22 5 CBra 4
++ 25 a*
++ 27 5 Ket
++ 29 22 Recurse
++ 31 23 Ket
++ 33 27 Ket
++ 35 32 KetRmax
++ 37 a?+
++ 39 39 Ket
++ 41 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+Index: pcre3-8.35/testdata/testoutput11-32
+===================================================================
+--- pcre3-8.35.orig/testdata/testoutput11-32
++++ pcre3-8.35/testdata/testoutput11-32
+@@ -709,4 +709,28 @@ Memory allocation (code space): 28
+ 62 End
+ ------------------------------------------------------------------
+ 
++/(((a\2)|(a*)\g<-1>))*a?/B
++------------------------------------------------------------------
++ 0 39 Bra
++ 2 Brazero
++ 3 32 SCBra 1
++ 6 27 Once
++ 8 12 CBra 2
++ 11 7 CBra 3
++ 14 a
++ 16 \2
++ 18 7 Ket
++ 20 11 Alt
++ 22 5 CBra 4
++ 25 a*
++ 27 5 Ket
++ 29 22 Recurse
++ 31 23 Ket
++ 33 27 Ket
++ 35 32 KetRmax
++ 37 a?+
++ 39 39 Ket
++ 41 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+Index: pcre3-8.35/testdata/testoutput11-8
+===================================================================
+--- pcre3-8.35.orig/testdata/testoutput11-8
++++ pcre3-8.35/testdata/testoutput11-8
+@@ -709,4 +709,28 @@ Memory allocation (code space): 10
+ 76 End
+ ------------------------------------------------------------------
+ 
++/(((a\2)|(a*)\g<-1>))*a?/B
++------------------------------------------------------------------
++ 0 57 Bra
++ 3 Brazero
++ 4 48 SCBra 1
++ 9 40 Once
++ 12 18 CBra 2
++ 17 10 CBra 3
++ 22 a
++ 24 \2
++ 27 10 Ket
++ 30 16 Alt
++ 33 7 CBra 4
++ 38 a*
++ 40 7 Ket
++ 43 33 Recurse
++ 46 34 Ket
++ 49 40 Ket
++ 52 48 KetRmax
++ 55 a?+
++ 57 57 Ket
++ 60 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+Index: pcre3-8.35/testdata/testoutput2
+===================================================================
+--- pcre3-8.35.orig/testdata/testoutput2
++++ pcre3-8.35/testdata/testoutput2
+@@ -14093,6 +14093,30 @@ Failed: malformed number or name after (
+ /(?(R&6yh)abc)/
+ Failed: group name must start with a non-digit at offset 5
+ 
++/(((a\2)|(a*)\g<-1>))*a?/BZ
++------------------------------------------------------------------
++ Bra
++ Brazero
++ SCBra 1
++ Once
++ CBra 2
++ CBra 3
++ a
++ \2
++ Ket
++ Alt
++ CBra 4
++ a*
++ Ket
++ Recurse
++ Ket
++ Ket
++ KetRmax
++ a?+
++ Ket
++ End
++------------------------------------------------------------------
++
+ /-- Test the ugly "start or end of word" compatibility syntax --/
+ 
+ /[[:<:]]red[[:>:]]/BZ
+@@ -14149,4 +14173,6 @@ Failed: parentheses are too deeply neste
+ /(((((a)))))/Q
+ ** Missing 0 or 1 after /Q
+ 
++"((?2){0,1999}())?"
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/cve-2015-2326.patch pcre3-8.35/debian/patches/cve-2015-2326.patch
--- pcre3-8.35/debian/patches/cve-2015-2326.patch 1970-01-01 09:00:00.000000000 +0900
+++ pcre3-8.35/debian/patches/cve-2015-2326.patch 2015-07-21 15:41:36.000000000 +0900
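Review bot: The two rewritten workspace checks in debian/patches/cve-2015-2325.patch (inner hunks at 5999 and 6085) now compute `WORK_SIZE_SAFETY_MARGIN - (this_hwm_offset - save_hwm_offset)` on `size_t` values, where the removed code subtracted pointers and got a signed result, so the bound guarding the `PUT(cd->hwm, ...)` copy loop silently depends on `this_hwm_offset >= save_hwm_offset`. Nothing visible in the hunks states that invariant; I would add above each `while` a comment such as `/* save_hwm_offset never exceeds the current hwm offset, so this cannot wrap */`, after confirming it on every path that assigns `save_hwm_offset`. Separately, the `error_texts` entry added in the first hunk is not referenced anywhere else in this patch and looks unrelated to the overflow fix, so the DEP-3 header should explain it or the line should go. The enclosing functions begin and end outside the hunks.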
@@ -0,0 +1,162 @@
+Description: PCRE Library Heap overflow Vulnerability II
+ PCRE library is prone to a vulnerability which leads to Heap overflow. Without
+ enough bound checking inside pcre_compile2(), the heap memory could be
+ overflowed via a crafted regular expression. Since PCRE library is widely used,
+ this vulnerability should affect many applications. An attacker may exploit
+ this issue to execute arbitrary code in the context of the user running the
+ affected application
+Author: Philip Hazel
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1529
+Bug: http://bugs.exim.org/show_bug.cgi?id=1592
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2015-2326
+Last-Update: 2015-03-02
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: pcre3-8.35/pcre_compile.c
+===================================================================
+--- pcre3-8.35.orig/pcre_compile.c
++++ pcre3-8.35/pcre_compile.c
+@@ -8031,6 +8031,7 @@ int length;
+ unsigned int orig_bracount;
+ unsigned int max_bracount;
+ branch_chain bc;
++size_t save_hwm_offset;
+ 
+ /* If set, call the external function that checks for stack availability. */
+ 
+@@ -8048,6 +8049,8 @@ bc.current_branch = code;
+ firstchar = reqchar = 0;
+ firstcharflags = reqcharflags = REQ_UNSET;
+ 
++save_hwm_offset = cd->hwm - cd->start_workspace;
++
+ /* Accumulate the length for use in the pre-compile phase. Start with the
+ length of the BRA and KET and any extra bytes that are required at the
+ beginning. We accumulate in a local variable to save frequent testing of
+@@ -8250,7 +8253,7 @@ for (;;)
+ {
+ *code = OP_END;
+ adjust_recurse(start_bracket, 1 + LINK_SIZE,
+- (options & PCRE_UTF8) != 0, cd, cd->hwm - cd->start_workspace);
++ (options & PCRE_UTF8) != 0, cd, save_hwm_offset);
+ memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
+ IN_UCHARS(code - start_bracket));
+ *start_bracket = OP_ONCE;
+Index: pcre3-8.35/testdata/testinput11
+===================================================================
+--- pcre3-8.35.orig/testdata/testinput11
++++ pcre3-8.35/testdata/testinput11
+@@ -134,4 +134,6 @@ is required for these tests. --/
+ 
+ /(((a\2)|(a*)\g<-1>))*a?/B
+ 
++/((?+1)(\1))/B
++
+ /-- End of testinput11 --/
+Index: pcre3-8.35/testdata/testinput2
+===================================================================
+--- pcre3-8.35.orig/testdata/testinput2
++++ pcre3-8.35/testdata/testinput2
+@@ -4066,4 +4066,6 @@ backtracking verbs. --/
+ 
+ "((?2){0,1999}())?"
+ 
++/((?+1)(\1))/BZ
++
+ /-- End of testinput2 --/
+Index: pcre3-8.35/testdata/testoutput11-16
+===================================================================
+--- pcre3-8.35.orig/testdata/testoutput11-16
++++ pcre3-8.35/testdata/testoutput11-16
+@@ -733,4 +733,19 @@ Memory allocation (code space): 14
+ 41 End
+ ------------------------------------------------------------------
+ 
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 20 Bra
++ 2 16 Once
++ 4 12 CBra 1
++ 7 9 Recurse
++ 9 5 CBra 2
++ 12 \1
++ 14 5 Ket
++ 16 12 Ket
++ 18 16 Ket
++ 20 20 Ket
++ 22 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+Index: pcre3-8.35/testdata/testoutput11-32
+===================================================================
+--- pcre3-8.35.orig/testdata/testoutput11-32
++++ pcre3-8.35/testdata/testoutput11-32
+@@ -733,4 +733,19 @@ Memory allocation (code space): 28
+ 41 End
+ ------------------------------------------------------------------
+ 
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 20 Bra
++ 2 16 Once
++ 4 12 CBra 1
++ 7 9 Recurse
++ 9 5 CBra 2
++ 12 \1
++ 14 5 Ket
++ 16 12 Ket
++ 18 16 Ket
++ 20 20 Ket
++ 22 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+Index: pcre3-8.35/testdata/testoutput11-8
+===================================================================
+--- pcre3-8.35.orig/testdata/testoutput11-8
++++ pcre3-8.35/testdata/testoutput11-8
+@@ -733,4 +733,19 @@ Memory allocation (code space): 10
+ 60 End
+ ------------------------------------------------------------------
+ 
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 31 Bra
++ 3 25 Once
++ 6 19 CBra 1
++ 11 14 Recurse
++ 14 8 CBra 2
++ 19 \1
++ 22 8 Ket
++ 25 19 Ket
++ 28 25 Ket
++ 31 31 Ket
++ 34 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+Index: pcre3-8.35/testdata/testoutput2
+===================================================================
+--- pcre3-8.35.orig/testdata/testoutput2
++++ pcre3-8.35/testdata/testoutput2
+@@ -14175,4 +14175,19 @@ Failed: parentheses are too deeply neste
+ 
+ "((?2){0,1999}())?"
+ 
++/((?+1)(\1))/BZ
++------------------------------------------------------------------
++ Bra
++ Once
++ CBra 1
++ Recurse
++ CBra 2
++ \1
++ Ket
++ Ket
++ Ket
++ Ket
++ End
++------------------------------------------------------------------
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/cve-2015-3210.patch pcre3-8.35/debian/patches/cve-2015-3210.patch
--- pcre3-8.35/debian/patches/cve-2015-3210.patch 1970-01-01 09:00:00.000000000 +0900
+++ pcre3-8.35/debian/patches/cve-2015-3210.patch 2015-07-21 15:41:40.000000000 +0900
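Review bot: The new `save_hwm_offset` local in debian/patches/cve-2015-2326.patch (inner hunks at 8031 and 8048) has no comment saying why it is captured on entry, although that is the whole fix: the replaced argument `cd->hwm - cd->start_workspace` was evaluated at the call site, which makes the `for (hc = ...; hc < cd->hwm; ...)` scan in adjust_recurse() start at its own end. I would add above the assignment `/* Offset of the first forward reference recorded for this group; kept as an offset, not a pointer, because the workspace may be moved by expand_workspace() */` (the last part is inferred from the re-basing code removed by the previous patch, so confirm it). The third hunk also edits a line that only exists once cve-2015-2325.patch is applied, so the order in debian/patches/series is load-bearing and worth stating in the DEP-3 header. The patched function continues outside the hunks.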
@@ -0,0 +1,73 @@
+Description: PCRE Library Heap Overflow Vulnerability
+ PCRE is a regular expression C library inspired by the regular
+ expression capabilities in the Perl programming language. The
+ PCRE library is incorporated into a number of prominent programs,
+ such as Adobe Flash, Apache, Nginx, PHP.
+ PCRE library is prone to a vulnerability which leads to Heap Overflow.
+ During the compilation of a malformed regular expression, more data is
+ written on the malloced block than the expected size output by
+ compile_regex. Exploits with advanced Heap Fengshui techniques may
+ allow an attacker to execute arbitrary code in the context of the user
+ running the affected application.
+Author: Philip Hazel
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1558
+Bug: https://bugs.exim.org/show_bug.cgi?id=1636
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2015-3210
+Last-Update: 2015-05-15
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: pcre3-8.35/pcre_compile.c
+===================================================================
+--- pcre3-8.35.orig/pcre_compile.c
++++ pcre3-8.35/pcre_compile.c
+@@ -7086,14 +7086,26 @@ for (;; ptr++)
+ number. If the name is not found, set the value to 0 for a forward
+ reference. */
+ 
++ recno = 0;
+ ng = cd->named_groups;
+ for (i = 0; i < cd->names_found; i++, ng++)
+ {
+ if (namelen == ng->length &&
+ STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+- break;
++ {
++ open_capitem *oc;
++ recno = ng->number;
++ if (is_recurse) break;
++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++ {
++ if (oc->number == recno)
++ {
++ oc->flag = TRUE;
++ break;
++ }
++ }
++ }
+ }
+- recno = (i < cd->names_found)? ng->number : 0;
+ 
+ /* Count named back references. */
+ 
+Index: pcre3-8.35/testdata/testinput2
+===================================================================
+--- pcre3-8.35.orig/testdata/testinput2
++++ pcre3-8.35/testdata/testinput2
+@@ -4068,4 +4068,6 @@ backtracking verbs. --/
+ 
+ /((?+1)(\1))/BZ
+ 
++"(?J)(?'d'(?'d'\g{d}))"
++
+ /-- End of testinput2 --/
+Index: pcre3-8.35/testdata/testoutput2
+===================================================================
+--- pcre3-8.35.orig/testdata/testoutput2
++++ pcre3-8.35/testdata/testoutput2
+@@ -14190,4 +14190,6 @@ Failed: parentheses are too deeply neste
+ End
+ ------------------------------------------------------------------
+ 
++"(?J)(?'d'(?'d'\g{d}))"
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/cve-2015-5073.patch pcre3-8.35/debian/patches/cve-2015-5073.patch
--- pcre3-8.35/debian/patches/cve-2015-5073.patch 1970-01-01 09:00:00.000000000 +0900
+++ pcre3-8.35/debian/patches/cve-2015-5073.patch 2015-07-21 15:41:47.000000000 +0900
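Review bot: The rewritten name lookup in debian/patches/cve-2015-3210.patch no longer stops at the first matching name unless `is_recurse` is set, and nothing in the hunk says so: the inner `break` only leaves the `open_caps` walk, so the outer loop keeps scanning `cd->named_groups` and `recno` ends up holding the number of the last match instead of the first. That looks intentional for duplicate names (the added test pattern uses `(?J)`), but as written a reader cannot tell it from a forgotten `break`. I would add before `if (is_recurse) break;` a comment such as `/* Back reference: keep scanning, every still-open group with this name must be flagged */`. The enclosing loop begins and ends outside the hunk.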
@@ -0,0 +1,38 @@
+Description: PCRE Library Heap Overflow Vulnerability in find_fixedlength()
+ PCRE library is prone to a vulnerability which leads to Heap Overflow.
+ During subpattern calculation of a malformed regular expression, an offset
+ that is used as an array index is fully controlled and can be large enough
+ so that unexpected heap memory regions are accessed.
+ One could at least exploit this issue to read objects nearby of the affected
+ application's memory.
+ Such information disclosure may also be used to bypass memory protection method such as ASLR.
+Author: Philip Hazel
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1571
+Bug: https://bugs.exim.org/show_bug.cgi?id=1651
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2015-5073
+Last-Update: 2015-06-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: pcre3-8.35/testdata/testinput2
+===================================================================
+--- pcre3-8.35.orig/testdata/testinput2
++++ pcre3-8.35/testdata/testinput2
+@@ -4070,4 +4070,6 @@ backtracking verbs. --/
+ 
+ "(?J)(?'d'(?'d'\g{d}))"
+ 
++/(?=di(?<=(?1))|(?=(.))))/
++
+ /-- End of testinput2 --/
+Index: pcre3-8.35/testdata/testoutput2
+===================================================================
+--- pcre3-8.35.orig/testdata/testoutput2
++++ pcre3-8.35/testdata/testoutput2
+@@ -14192,4 +14192,7 @@ Failed: parentheses are too deeply neste
+ 
+ "(?J)(?'d'(?'d'\g{d}))"
+ 
++/(?=di(?<=(?1))|(?=(.))))/
++Failed: unmatched parentheses at offset 23
++
+ /-- End of testinput2 --/
diff -Nru pcre3-8.35/debian/patches/series pcre3-8.35/debian/patches/series
--- pcre3-8.35/debian/patches/series 2015-06-26 19:09:14.000000000 +0900
+++ pcre3-8.35/debian/patches/series 2015-07-21 15:41:47.000000000 +0900
@@ -7,3 +7,7 @@
 cve-2014-8964.patch
 no_jit_x32_powerpcspe.patch
 fix_find_fixedlength.patch
+cve-2015-2325.patch
+cve-2015-2326.patch
+cve-2015-3210.patch
+cve-2015-5073.patch
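Review bot: debian/patches/cve-2015-5073.patch carries the full vulnerability description for find_fixedlength() but changes no source file, only testdata/testinput2 and testdata/testoutput2, so a reader of the DEP-3 header cannot tell where the actual fix lives. The changelog entry calls it "missing test code" and debian/patches/series already lists fix_find_fixedlength.patch, which presumably holds the code change; the header should say so explicitly, for example with a Description line such as ` This patch only adds the upstream regression test; the code change is carried by <patch name>.`. Without that line, anyone auditing the package by CVE id would look at this patch and find no code change for CVE-2015-5073.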