From 10f9ed3570fb24a6c5ef296d7f565ae5a03dc24e3f434966838074aa2f9ca3d1 Mon Sep 17 00:00:00 2001 From: Andreas Stieger Date: Mon, 11 Sep 2017 19:08:31 +0000 Subject: [PATCH 1/2] Accepting request 523377 from home:jengelh:branches:devel:libraries:c_c++ - Update to new upstream release 10.30 OBS-URL: https://build.opensuse.org/request/show/523377 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/pcre2?expand=0&rev=21 --- baselibs.conf | 2 +- pcre2-10.23.tar.bz2 | 3 --- pcre2-10.23.tar.bz2.sig | Bin 310 -> 0 bytes pcre2-10.30.tar.bz2 | 3 +++ pcre2-10.30.tar.bz2.sig | Bin 0 -> 310 bytes pcre2.changes | 29 +++++++++++++++++++++++++++++ pcre2.spec | 18 +++++++++--------- 7 files changed, 42 insertions(+), 13 deletions(-) delete mode 100644 pcre2-10.23.tar.bz2 delete mode 100644 pcre2-10.23.tar.bz2.sig create mode 100644 pcre2-10.30.tar.bz2 create mode 100644 pcre2-10.30.tar.bz2.sig diff --git a/baselibs.conf b/baselibs.conf index 11d131e..d038d79 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,4 +1,4 @@ libpcre2-8-0 libpcre2-16-0 libpcre2-32-0 -libpcre2-posix1 +libpcre2-posix2 diff --git a/pcre2-10.23.tar.bz2 b/pcre2-10.23.tar.bz2 deleted file mode 100644 index 2b8a3ac..0000000 --- a/pcre2-10.23.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:dfc79b918771f02d33968bd34a749ad7487fa1014aeb787fad29dd392b78c56e -size 1515314 diff --git a/pcre2-10.23.tar.bz2.sig b/pcre2-10.23.tar.bz2.sig deleted file mode 100644 index 00208e674dbecca4f0687a0cccfd8f3f30367ec49f7422b9f70bb52b1fe641a1..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 310 zcmV-60m=S}0W$;u0SEvc79j*h_Kj4#;y<$kn?~iAX5fVT4@1}m0$8Hn9smjn5SM1) zg!>Oe*oN8%|3yyx)E$S*1*NNTB*UO?%LovYg_9+!JJ$fgs?c{#Wt7ULmQIM<`T;J9 z^;e0hVh4k7k$#`9;pH82mosxS9qR7YNR z1DwtAJoE~L3%H=ZqW+#X=*Rm*Px(czwf(|JM-my!jeOlQmDE@>^6B_bzDL@M${RU& zta3;aJP@E!enpFq(~h~<7p?rFY&LGi;}aDzElSyWSVmM2zD+c@4SDj6taKn-v I+WR=LG=e^tdH?_b 
diff --git a/pcre2-10.30.tar.bz2 b/pcre2-10.30.tar.bz2 new file mode 100644 index 0000000..e341070 --- /dev/null +++ b/pcre2-10.30.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:90bd41c605d30e3745771eb81928d779f158081a51b2f314bbcc1f73de5773db +size 1583543 diff --git a/pcre2-10.30.tar.bz2.sig b/pcre2-10.30.tar.bz2.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..5cb3206f1342d616106f8499b07457c91fa36d8d084b38cb853e5cef43c5db31 GIT binary patch literal 310 zcmV-60m=S}0W$;u0SEvc79j*h_Kj4#;y<$kn?~iAX5fVT4@1}m0$GyNh5!l)5SM1) zg!>Oe*k|Vm0Gb+9(aBr+o^I{x)_VeImU`Vp{nrpBC^VFf1l@GBq0OEDs>A0%FuN2K zO1f3KV%-!xUSMIVKbDLg6$0X46T!WwAI7nZ{zI!eaTILacTj77SmvyNb+)zSgB;>P zqL-IzS1fPaG-w#GPo#g$Ynzt-o+(j-93TZYTB(J$f!C@V#$w+Y2WbE|^9(MrPB3qj z61>f5;L4oKETdU~m7y&Gy(X~yuCFIF9bE}iwAp3bLv19#193q#L?OUyC2P%Jv1n-K zL9P1}fUv+J+qeH4Jb6o( IeBdKM9GugV%K!iX literal 0 HcmV?d00001 diff --git a/pcre2.changes b/pcre2.changes index dbd124b..ab562d5 100644 --- a/pcre2.changes +++ b/pcre2.changes 
@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Mon Sep 11 18:14:30 UTC 2017 - jengelh@inai.de
+
+- Update to new upstream release 10.30
+ * The main interpreter, pcre2_match(), has been refactored into
+ a new version that does not use recursive function calls for
+ remembering backtracking positions. The new implementation
+ allows backtracking into recursive group calls in patterns,
+ making it more compatible with Perl. For patterns that have a
+ lot of backtracking, the heap is now used, and there is
+ explicit limit on the amount, settable by
+ pcre2_set_heap_limit(). The "recursion limit" is retained,
+ but is renamed as "depth limit".
+ * The new option PCRE2_ENDANCHORED insists that a pattern match
+ must end at the end of the subject.
+ * The new option PCRE2_EXTENDED_MORE implements Perl's /xx
+ feature, and pcre2test is upgraded to support it. Setting
+ within the pattern by (?xx) is Also supported.
+ * (?n) can be used to set PCRE2_NO_AUTO_CAPTURE, because Perl
+ now has this.
+ * Additional pattern compile options in the compile context are
+ now available: PCRE2_EXTRA_ALLOW_SURROGATE_ESCAPES and
+ PCRE2_EXTRA_BAD_ESCAPE_IS LITERAL.
+ * The newline type PCRE2_NEWLINE_NUL is now available.
+ * The match limit value now also applies to pcre2_dfa_match()
+ as there are patterns that can use up a lot of resources
+ without necessarily recursing very deeply.
+- Switch source URLs to use HTTP.
+
 -------------------------------------------------------------------
 Sat Aug 5 17:34:26 UTC 2017 - astieger@suse.com
 
diff --git a/pcre2.spec b/pcre2.spec
index 727696c..6b6bf29 100644
--- a/pcre2.spec
+++ b/pcre2.spec
@@ -18,15 +18,15 @@ %define with_libedit 0%{?suse_version} > 1110 Name: pcre2 -Version: 10.23 +Version: 10.30 Release: 0 Summary: A library for Perl-compatible regular expressions License: BSD-3-Clause Group: Development/Libraries/C and C++ Url: http://www.pcre.org/ #SVN-Clone: svn://vcs.exim.org/pcre/code/trunk -Source: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/%{name}-%{version}.tar.bz2 -Source2: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/%{name}-%{version}.tar.bz2.sig +Source: https://ftp.pcre.org/pub/pcre/%{name}-%{version}.tar.bz2 +Source2: https://ftp.pcre.org/pub/pcre/%{name}-%{version}.tar.bz2.sig Source3: %{name}.keyring Source4: baselibs.conf #PATCH-FIX-OPENSUSE tchvatal@suse.cz upstream thinks it is good idea to use rpath, taken from RH @@ -57,7 +57,7 @@ Group: Development/Libraries/C and C++ Requires: libpcre2-16-0 = %{version} Requires: libpcre2-32-0 = %{version} Requires: libpcre2-8-0 = %{version} -Requires: libpcre2-posix1 = %{version} +Requires: libpcre2-posix2 = %{version} Requires: libstdc++-devel %description devel @@ -126,11 +126,11 @@ API. libpcre2-32 supports 32-bit and UTF-32 strings. -%package -n libpcre2-posix1 +%package -n libpcre2-posix2 Summary: A library for Perl-compatible regular expressions Group: System/Libraries -%description -n libpcre2-posix1 +%description -n libpcre2-posix2 The PCRE2 library is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5. @@ -211,8 +211,8 @@ make check -j1 %postun -n libpcre2-16-0 -p /sbin/ldconfig %post -n libpcre2-32-0 -p /sbin/ldconfig %postun -n libpcre2-32-0 -p /sbin/ldconfig -%post -n libpcre2-posix1 -p /sbin/ldconfig -%postun -n libpcre2-posix1 -p /sbin/ldconfig +%post -n libpcre2-posix2 -p /sbin/ldconfig +%postun -n libpcre2-posix2 -p /sbin/ldconfig %files -n libpcre2-8-0 %defattr(-,root,root) 
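Review bot: The new `Source:` and `Source2:` lines in the first pcre2.spec hunk change the download host (ftp.csx.cam.ac.uk to ftp.pcre.org) as well as the scheme, so TLS only protects the transfer and the tarball's authenticity still depends on the detached signature being checked against `Source3: %{name}.keyring`, which this commit does not touch. The hunk does not show where that check runs; it is worth confirming that the 10.30 `.sig` validates against the existing keyring, and recording the intent with a comment above the two lines such as `# Source2 is the detached signature for Source; verified against the Source3 keyring`. The `Url:` tag a few lines up is still `http://` and may be a candidate for the same change if the site serves HTTPS. The pcre2.changes entry describes this as a switch to "HTTP" although the lines use `https://`.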
@@ -229,7 +229,7 @@ make check -j1 %doc LICENCE %{_libdir}/libpcre2-32.so.* -%files -n libpcre2-posix1 +%files -n libpcre2-posix2 %defattr(-,root,root) %doc LICENCE %{_libdir}/libpcre2-posix.so.* From d038c3e5711790bed326c47199c8d172f89d78cce98002806f079ca0d4cf0486 Mon Sep 17 00:00:00 2001 From: Andreas Stieger Date: Mon, 11 Sep 2017 19:12:21 +0000 Subject: [PATCH 2/2] OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/pcre2?expand=0&rev=22 --- pcre2.changes | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pcre2.changes b/pcre2.changes index ab562d5..3689b6b 100644 --- a/pcre2.changes +++ b/pcre2.changes @@ -25,6 +25,13 @@ Mon Sep 11 18:14:30 UTC 2017 - jengelh@inai.de * The match limit value now also applies to pcre2_dfa_match() as there are patterns that can use up a lot of resources without necessarily recursing very deeply. + * Various minor security fixes found by fuzzers: + + bsc#1037165: crash for forward reference in lookbehind with + PCRE2_ANCHORED + + CVE-2017-8786: heap-based buffer overflow write in pcre2test + (bsc#1036942) + + CVE-2017-7186: DoS by triggering an invalid Unicode property + lookup (bsc#1030066) - Switch source URLs to use HTTP. -------------------------------------------------------------------