Merge lp:~rdoering/ubuntu/jaunty/erlang/fix-535090 into lp:ubuntu/jaunty/erlang

Proposed by Ralf Doering
Status: Merged
Merge reported by: James Westby
Merged at revision: not available
Proposed branch: lp:~rdoering/ubuntu/jaunty/erlang/fix-535090
Merge into: lp:ubuntu/jaunty/erlang
Diff against target: 102 lines (+82/-0)
3 files modified
debian/changelog (+13/-0)
debian/patches/pcre-crash.patch (+68/-0)
debian/patches/series (+1/-0)
To merge this branch: bzr merge lp:~rdoering/ubuntu/jaunty/erlang/fix-535090
Reviewer: Ubuntu branches (Status: Pending)
Review via email: mp+21282@code.launchpad.net

Description of the change

This fixes bug #535090 (potential DoS, CVE-2008-2371).

Stefano Rivera (stefanor) wrote :

This has been merged and should be marked as such

Preview Diff

=== modified file 'debian/changelog'
--- debian/changelog 2009-02-15 16:42:52 +0000
+++ debian/changelog 2010-03-12 20:59:19 +0000
@@ -1,3 +1,16 @@
1erlang (1:12.b.5-dfsg-2ubuntu0.1) jaunty-security; urgency=low
2
3 * SECURITY UPDATE: denial of service via Heap-based buffer overflow in
4 pcre_compile.c in the Perl-Compatible Regular Expression (PCRE)
5 library (LP: #535090)
6 - CVE-2008-2371
7 - debian/patches/pcre-crash.patch is cherrypicked from upstream commit
8 http://github.com/erlang/otp/commit/bb6370a2. The hunk for the
9 testsuite does not apply cleanly and is not needed for the fix so was
10 stripped. This fix is part of the current upstream OTP release R13B04.
11
12 -- Ralf Doering <rdoering@netsys-it.de> Fri, 12 Mar 2010 16:06:36 +0100
13
1erlang (1:12.b.5-dfsg-2) unstable; urgency=low14erlang (1:12.b.5-dfsg-2) unstable; urgency=low
215
3 * Upload to unstable after lenny is released.16 * Upload to unstable after lenny is released.
417
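Review bot: `urgency=low` on line 1 sits oddly next to an entry that describes a heap-based buffer overflow and targets jaunty-security; consider `urgency=medium`, or say in the entry why low is right. The entry also cites the upstream commit as bb6370a2 while the patch header carries the full hash, so using the full hash in both places would make the two easier to match up.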
=== added file 'debian/patches/pcre-crash.patch'
--- debian/patches/pcre-crash.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/pcre-crash.patch 2010-03-12 20:59:19 +0000
@@ -0,0 +1,68 @@
1Origin: upstream http://github.com/erlang/otp/commit/bb6370a20be07e6bd0c9f6e89a3cd9719dccbfd3
2Bug-Ubuntu: https://bugs.launchpad.net/bugs/535090
3Author: Michael Santos <michael.santos@gmail.com>
4Date: Wed Feb 10 15:19:48 2010 -0500
5
6 Fix CVE-2008-2371 (outer level option with alternatives caused crash).
7
8 The patch is from:
9 http://vcs.pcre.org/viewvc?revision=360&view=revision
10
11 Test case:
12 re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]).
13
14 An option change at the start of a pattern that had top-level
15 alternatives could cause overwriting and/or a crash.
16
17 This potential security problem was recorded as CVE-2008-2371.
18
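Review bot: the header does not say that this file differs from the upstream commit it names. The changelog mentions that the testsuite hunk was stripped, but the patch itself should carry that too, for example a line below Origin such as "backport: testsuite hunk dropped, does not apply cleanly". DEP-3 also writes the field as `Origin: upstream, <url>`, with a comma after the category.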
19diff --git a/erts/emulator/pcre/pcre_compile.c b/erts/emulator/pcre/pcre_compile.c
20index 235617f..2974336 100644
21--- a/erts/emulator/pcre/pcre_compile.c
22+++ b/erts/emulator/pcre/pcre_compile.c
23@@ -4820,10 +4820,8 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
24 both phases.
25
26 If we are not at the pattern start, compile code to change the ims
27- options if this setting actually changes any of them. We also pass the
28- new setting back so that it can be put at the start of any following
29- branches, and when this group ends (if we are in a group), a resetting
30- item can be compiled. */
31+ options if this setting actually changes any of them, and reset the
32+ greedy defaults and the case value for firstbyte and reqbyte. */
33
34 if (*ptr == ')')
35 {
36@@ -4831,7 +4829,6 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
37 (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
38 {
39 cd->external_options = newoptions;
40- options = newoptions;
41 }
42 else
43 {
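Review bot: dropping `options = newoptions;` at line 40 leaves the pattern-start branch setting only `cd->external_options`, so it is correct only together with the unconditional `*optionsptr = options = newoptions;` added at line 65 in the next hunk. Anyone refreshing this patch against a different pcre_compile.c should treat the two hunks as one unit and not accept one applying with fuzz while the other is rejected.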
44@@ -4840,17 +4837,17 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
45 *code++ = OP_OPT;
46 *code++ = newoptions & PCRE_IMS;
47 }
48-
49- /* Change options at this level, and pass them back for use
50- in subsequent branches. Reset the greedy defaults and the case
51- value for firstbyte and reqbyte. */
52-
53- *optionsptr = options = newoptions;
54 greedy_default = ((newoptions & PCRE_UNGREEDY) != 0);
55 greedy_non_default = greedy_default ^ 1;
56- req_caseopt = ((options & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
57+ req_caseopt = ((newoptions & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
58 }
59
60+ /* Change options at this level, and pass them back for use
61+ in subsequent branches. When not at the start of the pattern, this
62+ information is also necessary so that a resetting item can be
63+ compiled at the end of a group (if we are in a group). */
64+
65+ *optionsptr = options = newoptions;
66 previous = NULL; /* This item can't be repeated */
67 continue; /* It is complete */
68 }
069
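Review bot: no regression test ships with this change, since the upstream testsuite hunk was stripped, so nothing in the package build exercises the move of `*optionsptr = options = newoptions;` out of the else branch (line 65). Please record in the bug that the `re:compile` call from the patch header returns normally on the rebuilt package. Line 57 also has to read `newoptions` only because the assignment to `options` now happens after the block; a short comment saying so would protect it from a later tidy-up.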
=== modified file 'debian/patches/series'
--- debian/patches/series 2009-02-15 16:42:52 +0000
+++ debian/patches/series 2010-03-12 20:59:19 +0000
@@ -7,3 +7,4 @@
7sctp.patch7sctp.patch
8m68k.patch8m68k.patch
9#native.patch9#native.patch
10pcre-crash.patch
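Review bot: the new entry on line 10 is named for the symptom and not the advisory; calling the file CVE-2008-2371.patch (and updating the changelog reference to match) would let anyone grepping debian/patches for the CVE id find it. Placement as the last entry in the series, after the commented-out native.patch, looks fine.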
