rpms/pcre/F-8 pcre-7.3-CVE-2008-2371.patch, NONE, 1.1 pcre.spec, 1.26, 1.27

Tomas Hoger (thoger) fedora-extras-commits at redhat.com
Fri Jul 4 16:15:10 UTC 2008


Author: thoger

Update of /cvs/extras/rpms/pcre/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5603/F-8

Modified Files:
	pcre.spec 
Added Files:
	pcre-7.3-CVE-2008-2371.patch 
Log Message:
Add patch for CVE-2008-2371 reported by Tavis Ormandy.


pcre-7.3-CVE-2008-2371.patch:

--- NEW FILE pcre-7.3-CVE-2008-2371.patch ---
Patch for CVE-2008-2371:

Fix proposed by the reporter of the issue - Tavis Ormandy.
Reviewed by upstream, but not yet in upstream SVN as of 2008-07-04.

--- pcre-7.3/pcre_compile.c.orig	2008-07-04 16:19:28.000000000 +0200
+++ pcre-7.3/pcre_compile.c	2008-07-04 16:20:19.000000000 +0200
@@ -4709,7 +4709,7 @@ for (;; ptr++)
                (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
             {
             cd->external_options = newoptions;
-            options = newoptions;
+            *optionsptr = options = newoptions;
             }
          else
             {
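
Review bot: the added `*optionsptr = options = newoptions;` line carries no comment saying why the value must also be stored through `optionsptr`, and the patch header above names only the CVE, so a later rebase could drop the write-back without anyone noticing what it protected. Add a one-line comment above the assignment and a sentence in the header describing the effect of leaving `*optionsptr` stale. Since the store sits only in the branch guarded by `lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE`, please also confirm that the `else` branch does not need the same propagation; the visible context does not show it.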


Index: pcre.spec
===================================================================
RCS file: /cvs/extras/rpms/pcre/F-8/pcre.spec,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- pcre.spec	15 Feb 2008 09:01:54 -0000	1.26
+++ pcre.spec	4 Jul 2008 16:14:18 -0000	1.27
@@ -1,11 +1,12 @@
 Name: pcre
 Version: 7.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Perl-compatible regular expression library
 URL: http://www.pcre.org/
 Source: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/%{name}-%{version}.tar.bz2
 Patch0: pcre-7.3-multilib.patch
 Patch1: pcre-7.3-CVE-2008-0674.patch
+Patch2: pcre-7.3-CVE-2008-2371.patch
 License: BSD
 Group: System Environment/Libraries
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -29,7 +30,10 @@
 %prep
 %setup -q
 %patch0 -p1 -b .multilib
+# backport from the upstream 7.6
 %patch1 -p1 -b .CVE-2008-0674
+# not yet applied in upstream SVN (2008-07-04)
+%patch2 -p1 -b .CVE-2008-2371
 
 %build
 %configure --enable-utf8 --enable-unicode-properties
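
Review bot: the comment `# not yet applied in upstream SVN (2008-07-04)` above `%patch2` will go stale as soon as upstream commits the fix, and nothing here points to where that can be checked. Add a reference to the upstream or distribution bug tracking the issue so the patch can be dropped on the next rebase, the way the `%patch1` comment names the upstream release it came from.
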
@@ -84,6 +88,9 @@
 
 
 %changelog
+* Fri Jul  4 2008 Tomas Hoger <thoger at redhat.com> - 7.3-4
+- Apply Tavis Ormandy's patch for CVE-2008-2371.
+
 * Tue Feb 12 2008 Tomas Hoger <thoger at redhat.com> - 7.3-3
 - Backport patch from upstream pcre 7.6 to address buffer overflow
   caused by "a character class containing a very large number of
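
Review bot: the new 7.3-4 changelog entry identifies the fix only by CVE number, while the 7.3-3 entry below it says what the flaw was (a buffer overflow). State the class of issue in the new entry as well, so that someone reading `rpm -q --changelog` output can judge the update without looking up the CVE.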



