SECURITY:

CAN-2005-2491, http://securitytracker.com/id?1014744
A remote or local user may be able to supply a specially crafted
regular expression to trigger a heap integer overflow in PCRE.

ok pvalchev@

lang/python/2.3/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.17 2005/08/17 16:10:03 espie Exp $
+# $OpenBSD: Makefile,v 1.18 2005/08/27 15:57:31 naddy Exp $
 
 .if ${MACHINE_ARCH} == "hppa"
 BROKEN=			"compiler hangs on py-Checker for example"
@@ -6,7 +6,7 @@ BROKEN=			"compiler hangs on py-Checker for example"
 
 VERSION=		2.3
 PATCHLEVEL=		.5
-PKG_PATCHLEVEL=		p1
+PKG_PATCHLEVEL=		p2
 
 # needed for www/zope
 THREAD_STACK_SIZE=	0x100000

lang/python/2.3/patches/patch-Modules_pypcre_c

@@ -0,0 +1,55 @@
+$OpenBSD: patch-Modules_pypcre_c,v 1.1 2005/08/27 15:57:31 naddy Exp $
+--- Modules/pypcre.c.orig	Fri Aug 26 20:41:33 2005
++++ Modules/pypcre.c	Fri Aug 26 20:44:56 2005
+@@ -1163,7 +1163,18 @@ read_repeat_counts(const uschar *p, int 
+ int min = 0;
+ int max = -1;
+ 
++/* Read the minimum value and do a paranoid check: a negative value indicates
++an integer overflow. */
++
+ while ((pcre_ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
++if (min < 0 || min > 65535)
++  {
++  *errorptr = ERR5;
++  return p;
++  }
++ 
++/* Read the maximum value if there is one, and again do a paranoid on its size.
++Also, max must not be less than min. */
+ 
+ if (*p == '}') max = min; else
+   {
+@@ -1171,6 +1182,11 @@ if (*p == '}') max = min; else
+     {
+     max = 0;
+     while((pcre_ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
++    if (max < 0 || max > 65535)
++      {
++      *errorptr = ERR5;
++      return p;
++      }
+     if (max < min)
+       {
+       *errorptr = ERR4;
+@@ -1179,16 +1195,11 @@ if (*p == '}') max = min; else
+     }
+   }
+ 
+-/* Do paranoid checks, then fill in the required variables, and pass back the
+-pointer to the terminating '}'. */
++/* Fill in the required variables, and pass back the pointer to the terminating
++'}'. */
+ 
+-if (min > 65535 || max > 65535)
+-  *errorptr = ERR5;
+-else
+-  {
+-  *minp = min;
+-  *maxp = max;
+-  }
++*minp = min;
++*maxp = max;
+ return p;
+ }
+ 

mail/exim/Makefile

@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.49 2005/07/06 23:18:10 jolan Exp $
+# $OpenBSD: Makefile,v 1.50 2005/08/27 15:57:31 naddy Exp $
 
 COMMENT=	"Flexible mail transfer agent"
-VERSION=	4.44
+DISTNAME=	exim-4.44
-DISTNAME=	exim-${VERSION}
+PKGNAME=	${DISTNAME}p0
 CATEGORIES=	mail
 MASTER_SITES=	ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/ \
 		http://ftp.planetmirror.com/pub/exim/exim4/ \

mail/exim/patches/patch-src_pcre_pcre_c

@@ -0,0 +1,55 @@
+$OpenBSD: patch-src_pcre_pcre_c,v 1.1 2005/08/27 15:57:31 naddy Exp $
+--- src/pcre/pcre.c.orig	Tue Jan 11 13:54:54 2005
++++ src/pcre/pcre.c	Fri Aug 26 19:59:53 2005
+@@ -1245,14 +1245,30 @@ read_repeat_counts(const uschar *p, int 
+ int min = 0;
+ int max = -1;
+ 
++/* Read the minimum value and do a paranoid check: a negative value indicates
++an integer overflow. */
++
+ while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
++if (min < 0 || min > 65535)
++  {
++  *errorptr = ERR5;
++  return p;
++  }
+ 
++/* Read the maximum value if there is one, and again do a paranoid on its size.
++Also, max must not be less than min. */
++
+ if (*p == '}') max = min; else
+   {
+   if (*(++p) != '}')
+     {
+     max = 0;
+     while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
++    if (max < 0 || max > 65535)
++      {
++      *errorptr = ERR5;
++      return p;
++      }
+     if (max < min)
+       {
+       *errorptr = ERR4;
+@@ -1261,16 +1277,11 @@ if (*p == '}') max = min; else
+     }
+   }
+ 
+-/* Do paranoid checks, then fill in the required variables, and pass back the
+-pointer to the terminating '}'. */
++/* Fill in the required variables, and pass back the pointer to the terminating
++'}'. */
+ 
+-if (min > 65535 || max > 65535)
+-  *errorptr = ERR5;
+-else
+-  {
+-  *minp = min;
+-  *maxp = max;
+-  }
++*minp = min;
++*maxp = max;
+ return p;
+ }
+ 

mail/mixmaster/Makefile

@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.12 2005/01/02 12:56:05 alek Exp $
+# $OpenBSD: Makefile,v 1.13 2005/08/27 15:57:31 naddy Exp $
 
 COMMENT=	"client for anonymous remailing"
 
-VERSION=	2.9.1
+DISTNAME=	mixmaster-2.9.1
-DISTNAME=	mixmaster-${VERSION}
+PKGNAME=	${DISTNAME}p0
 CATEGORIES=	mail security
 
 MAINTAINER=	Nikolay Sturm <sturm@openbsd.org>

mail/mixmaster/patches/patch-Src_pcre-2_08_pcre_c

@@ -0,0 +1,55 @@
+$OpenBSD: patch-Src_pcre-2_08_pcre_c,v 1.1 2005/08/27 15:57:31 naddy Exp $
+--- Src/pcre-2.08/pcre.c.orig	Fri Aug 26 20:12:43 2005
++++ Src/pcre-2.08/pcre.c	Fri Aug 26 20:16:47 2005
+@@ -435,14 +435,30 @@ read_repeat_counts(const uschar *p, int 
+ int min = 0;
+ int max = -1;
+ 
++/* Read the minimum value and do a paranoid check: a negative value indicates
++an integer overflow. */
++
+ while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
++if (min < 0 || min > 65535)
++  {
++  *errorptr = ERR5;
++  return p;
++  }
+ 
++/* Read the maximum value if there is one, and again do a paranoid on its size.
++Also, max must not be less than min. */
++
+ if (*p == '}') max = min; else
+   {
+   if (*(++p) != '}')
+     {
+     max = 0;
+     while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
++    if (max < 0 || max > 65535)
++      {
++      *errorptr = ERR5;
++      return p;
++      }
+     if (max < min)
+       {
+       *errorptr = ERR4;
+@@ -451,16 +467,11 @@ if (*p == '}') max = min; else
+     }
+   }
+ 
+-/* Do paranoid checks, then fill in the required variables, and pass back the
+-pointer to the terminating '}'. */
++/* Fill in the required variables, and pass back the pointer to the terminating
++'}'. */
+ 
+-if (min > 65535 || max > 65535)
+-  *errorptr = ERR5;
+-else
+-  {
+-  *minp = min;
+-  *maxp = max;
+-  }
++*minp = min;
++*maxp = max;
+ return p;
+ }
+