From 7dfa609028c77ce914bec3ad48f58b34fc1129b6 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Mon, 20 Apr 2020 18:32:56 -0500 Subject: user/re2c: patch CVE-2020-11958 https://www.openwall.com/lists/oss-security/2020/04/19/1 --- user/re2c/APKBUILD | 13 ++++++++++--- user/re2c/CVE-2020-11958.patch | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 3 deletions(-) create mode 100644 user/re2c/CVE-2020-11958.patch diff --git a/user/re2c/APKBUILD b/user/re2c/APKBUILD index d039a5baf..aad7b839e 100644 --- a/user/re2c/APKBUILD +++ b/user/re2c/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: pkgname=re2c pkgver=1.3 -pkgrel=0 +pkgrel=1 pkgdesc="Fast lexer generator for C and C++" url="http://re2c.org/" arch="all" @@ -11,7 +11,13 @@ depends="" checkdepends="bash" makedepends="" subpackages="$pkgname-doc" -source="https://github.com/skvadrik/re2c/releases/download/$pkgver/$pkgname-$pkgver.tar.xz" +source="https://github.com/skvadrik/re2c/releases/download/$pkgver/$pkgname-$pkgver.tar.xz + CVE-2020-11958.patch + " + +# secfixes: +# 1.3-r1: +# - CVE-2020-11958 build() { ./configure \ @@ -32,4 +38,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="c7084ab2399fb6b96cef74c1393715d90830f43b82b96af46feb71ef008c0215381c3dbea0b003ff810d869db6021e28001b9d588ad55c616642244b2da09c0e re2c-1.3.tar.xz" +sha512sums="c7084ab2399fb6b96cef74c1393715d90830f43b82b96af46feb71ef008c0215381c3dbea0b003ff810d869db6021e28001b9d588ad55c616642244b2da09c0e re2c-1.3.tar.xz +f4376b8e0724d500f665fa60dfd6fb35685a281af50c500d2ff90d781a829fb78f21e8c93c5745a4519acd55a62ec48a570dbfacf0a9ee977502e06f3e2e474a CVE-2020-11958.patch" diff --git a/user/re2c/CVE-2020-11958.patch b/user/re2c/CVE-2020-11958.patch new file mode 100644 index 000000000..b982b87e6 --- /dev/null +++ b/user/re2c/CVE-2020-11958.patch @@ -0,0 +1,37 @@ +From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001 +From: Ulya Trofimovich +Date: Fri, 17 Apr 2020 22:47:14 +0100 +Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo). + +The crash happened in a rare case of a very long lexeme that doen't fit +into the buffer, forcing buffer reallocation. + +The crash was caused by an incorrect calculation of the shift offset +(it was smaller than necessary). As a consequence, the data from buffer +start and up to the beginning of the current lexeme was not discarded +(as it should have been), resulting in less free space for new data than +expected. +--- + src/parse/scanner.cc | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc +index 1d6e9efa..bd651314 100644 +--- a/src/parse/scanner.cc ++++ b/src/parse/scanner.cc +@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need) + if (!buf) fatal("out of memory"); + + memmove(buf, tok, copy); +- shift_ptrs_and_fpos(buf - bot); ++ shift_ptrs_and_fpos(buf - tok); + delete [] bot; + bot = buf; + + free = BSIZE - copy; + } + ++ DASSERT(lim + free <= bot + BSIZE); + if (!read(free)) { + eof = lim; + memset(lim, 0, YYMAXFILL); -- cgit v1.2.3-70-g09d2