bug#26431: [PATCH 0/2] Fix CVE-2017-7186 in pcre and pcre2

bug#26431: [PATCH 0/2] Fix CVE-2017-7186 in pcre and pcre2

[Ludovic Courtès]

Hello,

These patches fix <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>
in pcre and pcre2 using the upstream patches referenced in the CVE database.

Ludo'.

Ludovic Courtès (2):
  gnu: pcre2: Patch CVE-2017-7186.
  gnu: pcre: Patch CVE-2017-7186.

 gnu/local.mk                                   |  2 +
 gnu/packages/patches/pcre-CVE-2017-7186.patch  | 55 +++++++++++++++++++++
 gnu/packages/patches/pcre2-CVE-2017-7186.patch | 67 ++++++++++++++++++++++++++
 gnu/packages/pcre.scm                          | 13 ++++-
 4 files changed, 136 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/pcre-CVE-2017-7186.patch
 create mode 100644 gnu/packages/patches/pcre2-CVE-2017-7186.patch

-- 
2.12.2

bug#26431: [PATCH 1/2] gnu: pcre2: Patch CVE-2017-7186.

[Ludovic Courtès]

* gnu/packages/patches/pcre2-CVE-2017-7186.patch: New file.
* gnu/packages/pcre.scm (pcre2)[source]: Use it.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                   |  1 +
 gnu/packages/patches/pcre2-CVE-2017-7186.patch | 67 ++++++++++++++++++++++++++
 gnu/packages/pcre.scm                          |  3 +-
 3 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/pcre2-CVE-2017-7186.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index a8d006601..c3a65789a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -825,6 +825,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/patchelf-rework-for-arm.patch		\
   %D%/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   %D%/packages/patches/patch-hurd-path-max.patch		\
+  %D%/packages/patches/pcre2-CVE-2017-7186.patch		\
   %D%/packages/patches/perl-autosplit-default-time.patch	\
   %D%/packages/patches/perl-deterministic-ordering.patch	\
   %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
diff --git a/gnu/packages/patches/pcre2-CVE-2017-7186.patch b/gnu/packages/patches/pcre2-CVE-2017-7186.patch
new file mode 100644
index 000000000..482f07a1f
--- /dev/null
+++ b/gnu/packages/patches/pcre2-CVE-2017-7186.patch
@@ -0,0 +1,67 @@
+Upstream patch for <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>.
+
+--- trunk/src/pcre2_internal.h	2016/11/19 12:46:24	600
++++ trunk/src/pcre2_internal.h	2017/02/24 18:25:32	670
+@@ -1774,10 +1774,17 @@
+ /* UCD access macros */
+ 
+ #define UCD_BLOCK_SIZE 128
+-#define GET_UCD(ch) (PRIV(ucd_records) + \
++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
+         PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
+         UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
+ 
++#if PCRE2_CODE_UNIT_WIDTH == 32
++#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \
++  PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
++#else
++#define GET_UCD(ch) REAL_GET_UCD(ch)
++#endif
++
+ #define UCD_CHARTYPE(ch)    GET_UCD(ch)->chartype
+ #define UCD_SCRIPT(ch)      GET_UCD(ch)->script
+ #define UCD_CATEGORY(ch)    PRIV(ucp_gentype)[UCD_CHARTYPE(ch)]
+@@ -1834,6 +1841,9 @@
+ #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_)
+ #define _pcre2_default_match_context   PCRE2_SUFFIX(_pcre2_default_match_context_)
+ #define _pcre2_default_tables          PCRE2_SUFFIX(_pcre2_default_tables_)
++#if PCRE2_CODE_UNIT_WIDTH == 32
++#define _pcre2_dummy_ucd_record        PCRE2_SUFFIX(_pcre2_dummy_ucd_record_)
++#endif
+ #define _pcre2_hspace_list             PCRE2_SUFFIX(_pcre2_hspace_list_)
+ #define _pcre2_vspace_list             PCRE2_SUFFIX(_pcre2_vspace_list_)
+ #define _pcre2_ucd_caseless_sets       PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_)
+@@ -1858,6 +1868,9 @@
+ extern const uint32_t                  PRIV(vspace_list)[];
+ extern const uint32_t                  PRIV(ucd_caseless_sets)[];
+ extern const ucd_record                PRIV(ucd_records)[];
++#if PCRE2_CODE_UNIT_WIDTH == 32
++extern const ucd_record                PRIV(dummy_ucd_record)[];
++#endif
+ extern const uint8_t                   PRIV(ucd_stage1)[];
+ extern const uint16_t                  PRIV(ucd_stage2)[];
+ extern const uint32_t                  PRIV(ucp_gbtable)[];
+
+--- trunk/src/pcre2_ucd.c	2015/07/17 15:44:51	316
++++ trunk/src/pcre2_ucd.c	2017/02/24 18:25:32	670
+@@ -41,6 +41,20 @@
+ 
+ const char *PRIV(unicode_version) = "8.0.0";
+ 
++/* If the 32-bit library is run in non-32-bit mode, character values
++greater than 0x10ffff may be encountered. For these we set up a
++special record. */
++
++#if PCRE2_CODE_UNIT_WIDTH == 32
++const ucd_record PRIV(dummy_ucd_record)[] = {{
++  ucp_Common,    /* script */
++  ucp_Cn,        /* type unassigned */
++  ucp_gbOther,   /* grapheme break property */
++  0,             /* case set */
++  0,             /* other case */
++  }};
++#endif
++
+ /* When recompiling tables with a new Unicode version, please check the
+ types in this structure definition from pcre2_internal.h (the actual
+ field names will be different):
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 011a30dd3..9f610e59f 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -81,7 +81,8 @@ POSIX regular expression API.")
 
               (sha256
                (base32
-                "0vn5g0mkkp99mmzpissa06hpyj6pk9s4mlwbjqrjvw3ihy8rpiyz"))))
+                "0vn5g0mkkp99mmzpissa06hpyj6pk9s4mlwbjqrjvw3ihy8rpiyz"))
+              (patches (search-patches "pcre2-CVE-2017-7186.patch"))))
    (build-system gnu-build-system)
    (inputs `(("bzip2" ,bzip2)
              ("readline" ,readline)
-- 
2.12.2

bug#26431: [PATCH 2/2] gnu: pcre: Patch CVE-2017-7186.

[Ludovic Courtès]

* gnu/packages/patches/pcre-CVE-2017-7186.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/pcre.scm (pcre)[replacement]: New field.
(pcre/fixed): New variable.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/patches/pcre-CVE-2017-7186.patch | 55 +++++++++++++++++++++++++++
 gnu/packages/pcre.scm                         | 10 +++++
 3 files changed, 66 insertions(+)
 create mode 100644 gnu/packages/patches/pcre-CVE-2017-7186.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c3a65789a..5782f8390 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -825,6 +825,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/patchelf-rework-for-arm.patch		\
   %D%/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   %D%/packages/patches/patch-hurd-path-max.patch		\
+  %D%/packages/patches/pcre-CVE-2017-7186.patch			\
   %D%/packages/patches/pcre2-CVE-2017-7186.patch		\
   %D%/packages/patches/perl-autosplit-default-time.patch	\
   %D%/packages/patches/perl-deterministic-ordering.patch	\
diff --git a/gnu/packages/patches/pcre-CVE-2017-7186.patch b/gnu/packages/patches/pcre-CVE-2017-7186.patch
new file mode 100644
index 000000000..b8b112230
--- /dev/null
+++ b/gnu/packages/patches/pcre-CVE-2017-7186.patch
@@ -0,0 +1,55 @@
+Upstream patch for <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>.
+
+--- trunk/pcre_internal.h	2016/05/21 13:34:44	1649
++++ trunk/pcre_internal.h	2017/02/24 17:30:30	1688
+@@ -2772,6 +2772,9 @@
+ extern const pcre_uint16 PRIV(ucd_stage2)[];
+ extern const pcre_uint32 PRIV(ucp_gentype)[];
+ extern const pcre_uint32 PRIV(ucp_gbtable)[];
++#ifdef COMPILE_PCRE32
++extern const ucd_record  PRIV(dummy_ucd_record)[];
++#endif
+ #ifdef SUPPORT_JIT
+ extern const int         PRIV(ucp_typerange)[];
+ #endif
+@@ -2780,9 +2783,15 @@
+ /* UCD access macros */
+ 
+ #define UCD_BLOCK_SIZE 128
+-#define GET_UCD(ch) (PRIV(ucd_records) + \
++#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
+         PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
+         UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
++        
++#ifdef COMPILE_PCRE32
++#define GET_UCD(ch) ((ch > 0x10ffff)? PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
++#else
++#define GET_UCD(ch) REAL_GET_UCD(ch)
++#endif 
+ 
+ #define UCD_CHARTYPE(ch)    GET_UCD(ch)->chartype
+ #define UCD_SCRIPT(ch)      GET_UCD(ch)->script
+
+--- trunk/pcre_ucd.c	2014/06/19 07:51:39	1490
++++ trunk/pcre_ucd.c	2017/02/24 17:30:30	1688
+@@ -38,6 +38,20 @@
+ const pcre_uint32 PRIV(ucd_caseless_sets)[] = {0};
+ #else
+ 
++/* If the 32-bit library is run in non-32-bit mode, character values
++greater than 0x10ffff may be encountered. For these we set up a
++special record. */
++
++#ifdef COMPILE_PCRE32
++const ucd_record PRIV(dummy_ucd_record)[] = {{
++  ucp_Common,    /* script */
++  ucp_Cn,        /* type unassigned */
++  ucp_gbOther,   /* grapheme break property */
++  0,             /* case set */
++  0,             /* other case */
++  }};
++#endif
++
+ /* When recompiling tables with a new Unicode version, please check the
+ types in this structure definition from pcre_internal.h (the actual
+ field names will be different):
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 9f610e59f..1946f5229 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -33,6 +34,7 @@
   (package
    (name "pcre")
    (version "8.40")
+   (replacement pcre/fixed)
    (source (origin
             (method url-fetch)
             (uri (list
@@ -70,6 +72,14 @@ POSIX regular expression API.")
    (license license:bsd-3)
    (home-page "http://www.pcre.org/")))
 
+(define pcre/fixed
+  (package
+    (inherit pcre)
+    (replacement #f)
+    (source (origin
+              (inherit (package-source pcre))
+              (patches (search-patches "pcre-CVE-2017-7186.patch"))))))
+
 (define-public pcre2
   (package
     (name "pcre2")
-- 
2.12.2

bug#26431: [PATCH 0/2] Fix CVE-2017-7186 in pcre and pcre2

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 553 bytes --]

Ludovic Courtès <ludo@gnu.org> writes:

> Hello,
>
> These patches fix <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>
> in pcre and pcre2 using the upstream patches referenced in the CVE database.
>
> Ludo'.
>
> Ludovic Courtès (2):
>   gnu: pcre2: Patch CVE-2017-7186.
>   gnu: pcre: Patch CVE-2017-7186.

Thank you for these! Please add URLs to the upstream fixes in the patch
headers:

https://vcs.pcre.org/pcre?view=revision&revision=1688
https://vcs.pcre.org/pcre2?view=revision&revision=670

LGTM apart from that :)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 483 bytes --]

bug#26431: [PATCH 0/2] Fix CVE-2017-7186 in pcre and pcre2

[Ludovic Courtès]

Heya,

Marius Bakke <mbakke@fastmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hello,
>>
>> These patches fix <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>
>> in pcre and pcre2 using the upstream patches referenced in the CVE database.
>>
>> Ludo'.
>>
>> Ludovic Courtès (2):
>>   gnu: pcre2: Patch CVE-2017-7186.
>>   gnu: pcre: Patch CVE-2017-7186.
>
> Thank you for these! Please add URLs to the upstream fixes in the patch
> headers:
>
> https://vcs.pcre.org/pcre?view=revision&revision=1688
> https://vcs.pcre.org/pcre2?view=revision&revision=670

Done and pushed, thanks for your quick reply!

FWIW there’s still work to do on pcre:

  $ ./pre-inst-env guix lint -c cve pcre pcre2
  gnu/packages/pcre.scm:76:2: pcre@8.40: probably vulnerable to CVE-2017-7244, CVE-2017-7245, CVE-2017-7246

Ludo’.