From 63347c3c8019ead3a2606956b8e13e574028ac1b Mon Sep 17 00:00:00 2001 From: naddy Date: Sat, 27 Aug 2005 15:57:31 +0000 Subject: [PATCH] SECURITY: CAN-2005-2491, http://securitytracker.com/id?1014744 A remote or local user may be able to supply a specially crafted regular expression to trigger a heap integer overflow in PCRE. ok pvalchev@ --- lang/python/2.3/Makefile | 4 +- .../python/2.3/patches/patch-Modules_pypcre_c | 55 +++++++++++++++++++ mail/exim/Makefile | 6 +- mail/exim/patches/patch-src_pcre_pcre_c | 55 +++++++++++++++++++ mail/mixmaster/Makefile | 6 +- .../patches/patch-Src_pcre-2_08_pcre_c | 55 +++++++++++++++++++ 6 files changed, 173 insertions(+), 8 deletions(-) create mode 100644 lang/python/2.3/patches/patch-Modules_pypcre_c create mode 100644 mail/exim/patches/patch-src_pcre_pcre_c create mode 100644 mail/mixmaster/patches/patch-Src_pcre-2_08_pcre_c diff --git a/lang/python/2.3/Makefile b/lang/python/2.3/Makefile index f0a87b9eacd..2bd4dd2c9aa 100644 --- a/lang/python/2.3/Makefile +++ b/lang/python/2.3/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.17 2005/08/17 16:10:03 espie Exp $ +# $OpenBSD: Makefile,v 1.18 2005/08/27 15:57:31 naddy Exp $ .if ${MACHINE_ARCH} == "hppa" BROKEN= "compiler hangs on py-Checker for example" @@ -6,7 +6,7 @@ BROKEN= "compiler hangs on py-Checker for example" VERSION= 2.3 PATCHLEVEL= .5 -PKG_PATCHLEVEL= p1 +PKG_PATCHLEVEL= p2 # needed for www/zope THREAD_STACK_SIZE= 0x100000 diff --git a/lang/python/2.3/patches/patch-Modules_pypcre_c b/lang/python/2.3/patches/patch-Modules_pypcre_c new file mode 100644 index 00000000000..10b46287da8 --- /dev/null +++ b/lang/python/2.3/patches/patch-Modules_pypcre_c @@ -0,0 +1,55 @@ +$OpenBSD: patch-Modules_pypcre_c,v 1.1 2005/08/27 15:57:31 naddy Exp $ +--- Modules/pypcre.c.orig Fri Aug 26 20:41:33 2005 ++++ Modules/pypcre.c Fri Aug 26 20:44:56 2005 +@@ -1163,7 +1163,18 @@ read_repeat_counts(const uschar *p, int + int min = 0; + int max = -1; + ++/* Read the minimum value and do a paranoid check: a negative value indicates ++an integer overflow. */ ++ + while ((pcre_ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0'; ++if (min < 0 || min > 65535) ++ { ++ *errorptr = ERR5; ++ return p; ++ } ++ ++/* Read the maximum value if there is one, and again do a paranoid on its size. ++Also, max must not be less than min. */ + + if (*p == '}') max = min; else + { +@@ -1171,6 +1182,11 @@ if (*p == '}') max = min; else + { + max = 0; + while((pcre_ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0'; ++ if (max < 0 || max > 65535) ++ { ++ *errorptr = ERR5; ++ return p; ++ } + if (max < min) + { + *errorptr = ERR4; +@@ -1179,16 +1195,11 @@ if (*p == '}') max = min; else + } + } + +-/* Do paranoid checks, then fill in the required variables, and pass back the +-pointer to the terminating '}'. */ ++/* Fill in the required variables, and pass back the pointer to the terminating ++'}'. */ + +-if (min > 65535 || max > 65535) +- *errorptr = ERR5; +-else +- { +- *minp = min; +- *maxp = max; +- } ++*minp = min; ++*maxp = max; + return p; + } + diff --git a/mail/exim/Makefile b/mail/exim/Makefile index 7281efb3b3d..19c3149064b 100644 --- a/mail/exim/Makefile +++ b/mail/exim/Makefile @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.49 2005/07/06 23:18:10 jolan Exp $ +# $OpenBSD: Makefile,v 1.50 2005/08/27 15:57:31 naddy Exp $ COMMENT= "Flexible mail transfer agent" -VERSION= 4.44 -DISTNAME= exim-${VERSION} +DISTNAME= exim-4.44 +PKGNAME= ${DISTNAME}p0 CATEGORIES= mail MASTER_SITES= ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/ \ http://ftp.planetmirror.com/pub/exim/exim4/ \ diff --git a/mail/exim/patches/patch-src_pcre_pcre_c b/mail/exim/patches/patch-src_pcre_pcre_c new file mode 100644 index 00000000000..803a85b5494 --- /dev/null +++ b/mail/exim/patches/patch-src_pcre_pcre_c @@ -0,0 +1,55 @@ +$OpenBSD: patch-src_pcre_pcre_c,v 1.1 2005/08/27 15:57:31 naddy Exp $ +--- src/pcre/pcre.c.orig Tue Jan 11 13:54:54 2005 ++++ src/pcre/pcre.c Fri Aug 26 19:59:53 2005 +@@ -1245,14 +1245,30 @@ read_repeat_counts(const uschar *p, int + int min = 0; + int max = -1; + ++/* Read the minimum value and do a paranoid check: a negative value indicates ++an integer overflow. */ ++ + while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0'; ++if (min < 0 || min > 65535) ++ { ++ *errorptr = ERR5; ++ return p; ++ } + ++/* Read the maximum value if there is one, and again do a paranoid on its size. ++Also, max must not be less than min. */ ++ + if (*p == '}') max = min; else + { + if (*(++p) != '}') + { + max = 0; + while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0'; ++ if (max < 0 || max > 65535) ++ { ++ *errorptr = ERR5; ++ return p; ++ } + if (max < min) + { + *errorptr = ERR4; +@@ -1261,16 +1277,11 @@ if (*p == '}') max = min; else + } + } + +-/* Do paranoid checks, then fill in the required variables, and pass back the +-pointer to the terminating '}'. */ ++/* Fill in the required variables, and pass back the pointer to the terminating ++'}'. */ + +-if (min > 65535 || max > 65535) +- *errorptr = ERR5; +-else +- { +- *minp = min; +- *maxp = max; +- } ++*minp = min; ++*maxp = max; + return p; + } + diff --git a/mail/mixmaster/Makefile b/mail/mixmaster/Makefile index f7e6a07edd2..57253cdf27e 100644 --- a/mail/mixmaster/Makefile +++ b/mail/mixmaster/Makefile @@ -1,9 +1,9 @@ -# $OpenBSD: Makefile,v 1.12 2005/01/02 12:56:05 alek Exp $ +# $OpenBSD: Makefile,v 1.13 2005/08/27 15:57:31 naddy Exp $ COMMENT= "client for anonymous remailing" -VERSION= 2.9.1 -DISTNAME= mixmaster-${VERSION} +DISTNAME= mixmaster-2.9.1 +PKGNAME= ${DISTNAME}p0 CATEGORIES= mail security MAINTAINER= Nikolay Sturm diff --git a/mail/mixmaster/patches/patch-Src_pcre-2_08_pcre_c b/mail/mixmaster/patches/patch-Src_pcre-2_08_pcre_c new file mode 100644 index 00000000000..155b361bd11 --- /dev/null +++ b/mail/mixmaster/patches/patch-Src_pcre-2_08_pcre_c @@ -0,0 +1,55 @@ +$OpenBSD: patch-Src_pcre-2_08_pcre_c,v 1.1 2005/08/27 15:57:31 naddy Exp $ +--- Src/pcre-2.08/pcre.c.orig Fri Aug 26 20:12:43 2005 ++++ Src/pcre-2.08/pcre.c Fri Aug 26 20:16:47 2005 +@@ -435,14 +435,30 @@ read_repeat_counts(const uschar *p, int + int min = 0; + int max = -1; + ++/* Read the minimum value and do a paranoid check: a negative value indicates ++an integer overflow. */ ++ + while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0'; ++if (min < 0 || min > 65535) ++ { ++ *errorptr = ERR5; ++ return p; ++ } + ++/* Read the maximum value if there is one, and again do a paranoid on its size. ++Also, max must not be less than min. */ ++ + if (*p == '}') max = min; else + { + if (*(++p) != '}') + { + max = 0; + while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0'; ++ if (max < 0 || max > 65535) ++ { ++ *errorptr = ERR5; ++ return p; ++ } + if (max < min) + { + *errorptr = ERR4; +@@ -451,16 +467,11 @@ if (*p == '}') max = min; else + } + } + +-/* Do paranoid checks, then fill in the required variables, and pass back the +-pointer to the terminating '}'. */ ++/* Fill in the required variables, and pass back the pointer to the terminating ++'}'. */ + +-if (min > 65535 || max > 65535) +- *errorptr = ERR5; +-else +- { +- *minp = min; +- *maxp = max; +- } ++*minp = min; ++*maxp = max; + return p; + } +