Accepting request 523391 from devel:libraries:c_c++

pcre2 10.30: + bsc#1037165: crash for forward reference in lookbehind with PCRE2_ANCHORED + CVE-2017-8786: heap-based buffer overflow write in pcre2test (bsc#1036942) + CVE-2017-7186: DoS by triggering an invalid Unicode property lookup (bsc#1030066) OBS-URL: https://build.opensuse.org/request/show/523391 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pcre2?expand=0&rev=8
2017-09-13 19:34:24 +00:00 · 2017-09-13 19:34:24 +00:00 · 36da1ae9c9
commit 36da1ae9c9
parent 7fa4cd4734
7 changed files with 49 additions and 13 deletions
--- a/baselibs.conf
+++ b/baselibs.conf
@ -1,4 +1,4 @@
 libpcre2-8-0
 libpcre2-16-0
 libpcre2-32-0
-libpcre2-posix1
+libpcre2-posix2
--- a/pcre2-10.23.tar.bz2
+++ b/pcre2-10.23.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:dfc79b918771f02d33968bd34a749ad7487fa1014aeb787fad29dd392b78c56e
-size 1515314
--- a/pcre2-10.23.tar.bz2.sig
+++ b/pcre2-10.23.tar.bz2.sig
--- a/pcre2-10.30.tar.bz2
+++ b/pcre2-10.30.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:90bd41c605d30e3745771eb81928d779f158081a51b2f314bbcc1f73de5773db
+size 1583543
--- a/pcre2-10.30.tar.bz2.sig
+++ b/pcre2-10.30.tar.bz2.sig
--- a/pcre2.changes
+++ b/pcre2.changes
@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Mon Sep 11 18:14:30 UTC 2017 - jengelh@inai.de
+
+- Update to new upstream release 10.30
+  * The main interpreter, pcre2_match(), has been refactored into
+    a new version that does not use recursive function calls for
+    remembering backtracking positions. The new implementation
+    allows backtracking into recursive group calls in patterns,
+    making it more compatible with Perl. For patterns that have a
+    lot of backtracking, the heap is now used, and there is
+    explicit limit on the amount, settable by
+    pcre2_set_heap_limit(). The "recursion limit" is retained,
+    but is renamed as "depth limit".
+  * The new option PCRE2_ENDANCHORED insists that a pattern match
+    must end at the end of the subject.
+  * The new option PCRE2_EXTENDED_MORE implements Perl's /xx
+    feature, and pcre2test is upgraded to support it. Setting
+    within the pattern by (?xx) is Also supported.
+  * (?n) can be used to set PCRE2_NO_AUTO_CAPTURE, because Perl
+    now has this.
+  * Additional pattern compile options in the compile context are
+    now available: PCRE2_EXTRA_ALLOW_SURROGATE_ESCAPES and
+    PCRE2_EXTRA_BAD_ESCAPE_IS LITERAL.
+  * The newline type PCRE2_NEWLINE_NUL is now available.
+  * The match limit value now also applies to pcre2_dfa_match()
+    as there are patterns that can use up a lot of resources
+    without necessarily recursing very deeply.
+  * Various minor security fixes found by fuzzers:
+    + bsc#1037165: crash for forward reference in lookbehind with 
+                   PCRE2_ANCHORED
+    + CVE-2017-8786: heap-based buffer overflow write in pcre2test
+                     (bsc#1036942)
+    + CVE-2017-7186: DoS by triggering an invalid Unicode property
+                     lookup (bsc#1030066) 
+- Switch source URLs to use HTTP.
+
 -------------------------------------------------------------------
 Sat Aug  5 17:34:26 UTC 2017 - astieger@suse.com

--- a/pcre2.spec
+++ b/pcre2.spec
@ -18,15 +18,15 @@

 %define with_libedit 0%{?suse_version} > 1110
 Name:           pcre2
-Version:        10.23
+Version:        10.30
 Release:        0
 Summary:        A library for Perl-compatible regular expressions
 License:        BSD-3-Clause
 Group:          Development/Libraries/C and C++
 Url:            http://www.pcre.org/
 #SVN-Clone:	svn://vcs.exim.org/pcre/code/trunk
-Source:         ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/%{name}-%{version}.tar.bz2
-Source2:        ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/%{name}-%{version}.tar.bz2.sig
+Source:         https://ftp.pcre.org/pub/pcre/%{name}-%{version}.tar.bz2
+Source2:        https://ftp.pcre.org/pub/pcre/%{name}-%{version}.tar.bz2.sig
 Source3:        %{name}.keyring
 Source4:        baselibs.conf
 #PATCH-FIX-OPENSUSE tchvatal@suse.cz upstream thinks it is good idea to use rpath, taken from RH
@ -57,7 +57,7 @@ Group:          Development/Libraries/C and C++
 Requires:       libpcre2-16-0 = %{version}
 Requires:       libpcre2-32-0 = %{version}
 Requires:       libpcre2-8-0 = %{version}
-Requires:       libpcre2-posix1 = %{version}
+Requires:       libpcre2-posix2 = %{version}
 Requires:       libstdc++-devel

 %description devel
@ -126,11 +126,11 @@ API.

 libpcre2-32 supports 32-bit and UTF-32 strings.

-%package -n libpcre2-posix1
+%package -n libpcre2-posix2
 Summary:        A library for Perl-compatible regular expressions
 Group:          System/Libraries

-%description -n libpcre2-posix1
+%description -n libpcre2-posix2
 The PCRE2 library is a set of functions that implement regular
 expression pattern matching using the same syntax and semantics
 as Perl 5.
@ -211,8 +211,8 @@ make check -j1
 %postun -n libpcre2-16-0 -p /sbin/ldconfig
 %post -n libpcre2-32-0 -p /sbin/ldconfig
 %postun -n libpcre2-32-0 -p /sbin/ldconfig
-%post -n libpcre2-posix1 -p /sbin/ldconfig
-%postun -n libpcre2-posix1 -p /sbin/ldconfig
+%post -n libpcre2-posix2 -p /sbin/ldconfig
+%postun -n libpcre2-posix2 -p /sbin/ldconfig

 %files -n libpcre2-8-0
 %defattr(-,root,root)
@ -229,7 +229,7 @@ make check -j1
 %doc LICENCE
 %{_libdir}/libpcre2-32.so.*

-%files -n libpcre2-posix1
+%files -n libpcre2-posix2
 %defattr(-,root,root)
 %doc LICENCE
 %{_libdir}/libpcre2-posix.so.*