Merge lp:~rdoering/ubuntu/karmic/erlang/fix-535090 into lp:ubuntu/karmic/erlang

Proposed by Ralf Doering
Status: Merged
Approved by: Micah Gersten
Approved revision: 25
Merge reported by: Micah Gersten
Merged at revision: not available
Proposed branch: lp:~rdoering/ubuntu/karmic/erlang/fix-535090
Merge into: lp:ubuntu/karmic/erlang
Diff against target: 102 lines (+82/-0)
3 files modified
debian/changelog (+13/-0)
debian/patches/pcre-crash.patch (+68/-0)
debian/patches/series (+1/-0)
To merge this branch: bzr merge lp:~rdoering/ubuntu/karmic/erlang/fix-535090
Reviewers:
Steve Beattie (community): Approve
James Westby (community): Abstain
Review via email: mp+21241@code.launchpad.net

Description of the change

This fixes bug #535090 (potential DoS, CVE-2008-2371)

25. By Ralf Doering

Fix spelling for changelog entry

James Westby (james-w) :
review: Abstain
Steve Beattie (sbeattie) wrote :

This branch was merged and published in the karmic-security pocket.

review: Approve

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2009-10-16 09:40:16 +0000
3+++ debian/changelog 2010-03-12 14:28:28 +0000
4@@ -1,3 +1,16 @@
5+erlang (1:13.b.1-dfsg-2ubuntu1.1) karmic-security; urgency=low
6+
7+ * SECURITY UPDATE: denial of service via Heap-based buffer overflow in
8+ pcre_compile.c in the Perl-Compatible Regular Expression (PCRE)
9+ library (LP: #535090)
10+ - CVE-2008-2371
11+ - debian/patches/pcre-crash.patch is cherrypicked from upstream commit
12+ http://github.com/erlang/otp/commit/bb6370a2. The hunk for the
13+ testsuite does not apply cleanly and is not needed for the fix so was
14+ stripped. This fix is part of the current upstream OTP release R13B04.
15+
16+ -- Ralf Doering <rdoering@netsys-it.de> Fri, 12 Mar 2010 09:40:49 +0100
17+
18 erlang (1:13.b.1-dfsg-2ubuntu1) karmic; urgency=low
19
20 * debian/control:
21
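Review bot: The changelog entry at "denial of service via Heap-based buffer overflow" describes the impact as a denial of service only, while the patch header added in this same merge says the bug "could cause overwriting and/or a crash". Suggest wording the entry so it does not rule out memory corruption, for example "denial of service and possible memory corruption via heap-based buffer overflow". The entry also uses urgency=low for an upload to karmic-security; consider urgency=medium if that matches how the fix should be prioritised.
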
22=== added file 'debian/patches/pcre-crash.patch'
23--- debian/patches/pcre-crash.patch 1970-01-01 00:00:00 +0000
24+++ debian/patches/pcre-crash.patch 2010-03-12 14:28:28 +0000
25@@ -0,0 +1,68 @@
26+Origin: upstream http://github.com/erlang/otp/commit/bb6370a20be07e6bd0c9f6e89a3cd9719dccbfd3
27+Bug-Ubuntu: https://bugs.launchpad.net/bugs/535090
28+Author: Michael Santos <michael.santos@gmail.com>
29+Date: Wed Feb 10 15:19:48 2010 -0500
30+
31+ Fix CVE-2008-2371 (outer level option with alternatives caused crash).
32+
33+ The patch is from:
34+ http://vcs.pcre.org/viewvc?revision=360&view=revision
35+
36+ Test case:
37+ re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]).
38+
39+ An option change at the start of a pattern that had top-level
40+ alternatives could cause overwriting and/or a crash.
41+
42+ This potential security problem was recorded as CVE-2008-2371.
43+
44+diff --git a/erts/emulator/pcre/pcre_compile.c b/erts/emulator/pcre/pcre_compile.c
45+index 235617f..2974336 100644
46+--- a/erts/emulator/pcre/pcre_compile.c
47++++ b/erts/emulator/pcre/pcre_compile.c
48+@@ -4820,10 +4820,8 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
49+ both phases.
50+
51+ If we are not at the pattern start, compile code to change the ims
52+- options if this setting actually changes any of them. We also pass the
53+- new setting back so that it can be put at the start of any following
54+- branches, and when this group ends (if we are in a group), a resetting
55+- item can be compiled. */
56++ options if this setting actually changes any of them, and reset the
57++ greedy defaults and the case value for firstbyte and reqbyte. */
58+
59+ if (*ptr == ')')
60+ {
61+@@ -4831,7 +4829,6 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
62+ (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
63+ {
64+ cd->external_options = newoptions;
65+- options = newoptions;
66+ }
67+ else
68+ {
69+@@ -4840,17 +4837,17 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
70+ *code++ = OP_OPT;
71+ *code++ = newoptions & PCRE_IMS;
72+ }
73+-
74+- /* Change options at this level, and pass them back for use
75+- in subsequent branches. Reset the greedy defaults and the case
76+- value for firstbyte and reqbyte. */
77+-
78+- *optionsptr = options = newoptions;
79+ greedy_default = ((newoptions & PCRE_UNGREEDY) != 0);
80+ greedy_non_default = greedy_default ^ 1;
81+- req_caseopt = ((options & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
82++ req_caseopt = ((newoptions & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
83+ }
84+
85++ /* Change options at this level, and pass them back for use
86++ in subsequent branches. When not at the start of the pattern, this
87++ information is also necessary so that a resetting item can be
88++ compiled at the end of a group (if we are in a group). */
89++
90++ *optionsptr = options = newoptions;
91+ previous = NULL; /* This item can't be repeated */
92+ continue; /* It is complete */
93+ }
94
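Review bot: With the testsuite hunk stripped (as the changelog entry states), nothing shipped in this patch exercises the relocated "*optionsptr = options = newoptions;" assignment at the end of the last pcre_compile.c hunk, which now runs for the pattern-start branch as well as the else branch. Suggest recording the re:compile call given under "Test case:" in the header as a verification step for the built package, so a regression in this code path is caught. The header also carries Origin and Bug-Ubuntu fields but no Description field; a one-line Description above the indented commit message would make the patch easier to identify in debian/patches.
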
95=== modified file 'debian/patches/series'
96--- debian/patches/series 2009-06-17 08:49:38 +0000
97+++ debian/patches/series 2010-03-12 14:28:28 +0000
98@@ -7,3 +7,4 @@
99 m68k.patch
100 #native.patch
101 build-options.patch
102+pcre-crash.patch
