
[pkgsrc/trunk]: pkgsrc Apply patches to fix CVE-2008-0171 in boost-headers an...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/77407ae8809f
branches:  trunk
changeset: 541952:77407ae8809f
user:      jmmv <jmmv%pkgsrc.org@localhost>
date:      Mon Apr 28 21:35:25 2008 +0000

description:
Apply patches to fix CVE-2008-0171 in boost-headers and boost-libs.
This is a fix for a possible DoS when using Boost.Regex in an application.

Note that the fix goes into a header, so all applications that use
Boost.Regex may be affected by the problem and need to be rebuilt.

diffstat:

 devel/boost-headers/Makefile         |   4 ++-
 devel/boost-libs/Makefile            |   4 ++-
 meta-pkgs/boost/distinfo             |   4 ++-
 meta-pkgs/boost/patches/patch-r42674 |  50 ++++++++++++++++++++++++++++++++++++
 meta-pkgs/boost/patches/patch-r42745 |  13 +++++++++
 5 files changed, 72 insertions(+), 3 deletions(-)

diffs (121 lines):

diff -r 362001efb62e -r 77407ae8809f devel/boost-headers/Makefile
--- a/devel/boost-headers/Makefile      Mon Apr 28 20:29:10 2008 +0000
+++ b/devel/boost-headers/Makefile      Mon Apr 28 21:35:25 2008 +0000
@@ -1,10 +1,12 @@
-# $NetBSD: Makefile,v 1.10 2008/02/05 23:00:27 heinz Exp $
+# $NetBSD: Makefile,v 1.11 2008/04/28 21:35:25 jmmv Exp $
 #
 
 BOOST_PACKAGE=         headers
 BOOST_COMMENT=         (build-time headers)
 BOOST_CONFIG=          generate
 
+PKGREVISION=           1
+
 PKG_DESTDIR_SUPPORT=   user-destdir
 
 .include "../../meta-pkgs/boost/Makefile.common"
diff -r 362001efb62e -r 77407ae8809f devel/boost-libs/Makefile
--- a/devel/boost-libs/Makefile Mon Apr 28 20:29:10 2008 +0000
+++ b/devel/boost-libs/Makefile Mon Apr 28 21:35:25 2008 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.9 2008/02/05 23:01:14 heinz Exp $
+# $NetBSD: Makefile,v 1.10 2008/04/28 21:35:25 jmmv Exp $
 #
 
 BOOST_PACKAGE=         libs
@@ -6,6 +6,8 @@
 BOOST_CONFIG=          installed
 BOOST_INSTALL_LIBS=    yes
 
+PKG_REVISION=          1
+
 PKG_DESTDIR_SUPPORT=   user-destdir
 
 .include "../../meta-pkgs/boost/Makefile.common"
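Review bot: The added line `PKG_REVISION=          1` does not use the variable name pkgsrc reads; the boost-headers hunk in this same commit spells it `PKGREVISION=           1`. With the misspelled name the boost-libs package version is presumably left unbumped, so an installed boost-libs built before the CVE-2008-0171 patches would not show up as out of date and would not be rebuilt. The line should read `PKGREVISION=           1`, matching devel/boost-headers/Makefile.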
diff -r 362001efb62e -r 77407ae8809f meta-pkgs/boost/distinfo
--- a/meta-pkgs/boost/distinfo  Mon Apr 28 20:29:10 2008 +0000
+++ b/meta-pkgs/boost/distinfo  Mon Apr 28 21:35:25 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.11 2008/01/04 19:58:41 jmmv Exp $
+$NetBSD: distinfo,v 1.12 2008/04/28 21:35:25 jmmv Exp $
 
 SHA1 (boost_1_34_1.tar.bz2) = b771271d5cbd3bdb0f119dd66dfd36bad7a66866
 RMD160 (boost_1_34_1.tar.bz2) = 303327ff852bc19dd7a94657fdef3c56f5882e06
@@ -12,3 +12,5 @@
 SHA1 (patch-am) = 07f1e1e15d4129c7a8762ad2e81632fdd24e9515
 SHA1 (patch-an) = 91887a9a37e9d891252e0556ee40b58a1c6bc6cf
 SHA1 (patch-ao) = a8499a326f72c9fbfd31f0b0f23014729a2a0dae
+SHA1 (patch-r42674) = f115b4ae5ab3e184d711a9d8968f3a435249e5f3
+SHA1 (patch-r42745) = 432417b0ad4944c9da9f68cf2e855d91c698c4f6
diff -r 362001efb62e -r 77407ae8809f meta-pkgs/boost/patches/patch-r42674
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/meta-pkgs/boost/patches/patch-r42674      Mon Apr 28 21:35:25 2008 +0000
@@ -0,0 +1,50 @@
+$NetBSD: patch-r42674,v 1.1 2008/04/28 21:35:25 jmmv Exp $
+
+Fix for CVE-2008-0171.  Patch from Boost's svn repository, r42674.
+
+--- boost/regex/v4/basic_regex_parser.hpp (revision 38864)
++++ boost/regex/v4/basic_regex_parser.hpp (revision 42674)
+@@ -785,4 +785,5 @@
+       case syntax_element_jump:
+       case syntax_element_startmark:
++      case syntax_element_backstep:
+          // can't legally repeat any of the above:
+          fail(regex_constants::error_badrepeat, m_position - m_base);
+@@ -1870,4 +1871,5 @@
+    {
+       re_syntax_base* b = this->getaddress(expected_alt_point);
++      // Make sure we have exactly one alternative following this state:
+       if(b->type != syntax_element_alt)
+       {
+@@ -1878,4 +1880,13 @@
+       {
+          fail(regex_constants::error_bad_pattern, m_position - m_base);
++         return false;
++      }
++      // check for invalid repetition of next state:
++      b = this->getaddress(expected_alt_point);
++      b = this->getaddress(static_cast<re_alt*>(b)->next.i, b);
++      if((b->type != syntax_element_assert_backref)
++         && (b->type != syntax_element_startmark))
++      {
++         fail(regex_constants::error_badrepeat, m_position - m_base);
+          return false;
+       }
+--- libs/regex/test/regress/test_perl_ex.cpp (revision 30980)
++++ libs/regex/test/regress/test_perl_ex.cpp (revision 42674)
+@@ -122,4 +122,15 @@
+    TEST_INVALID_REGEX("(?:(a)|b)(?(?<", perl);
+    TEST_INVALID_REGEX("(?:(a)|b)(?(?<a", perl);
++
++   TEST_INVALID_REGEX("(?(?!#?)+)", perl);
++   TEST_INVALID_REGEX("(?(?=:-){0})", perl);
++   TEST_INVALID_REGEX("(?(123){1})", perl);
++   TEST_INVALID_REGEX("(?(?<=A)*)", perl);
++   TEST_INVALID_REGEX("(?(?<=A)+)", perl);
++
++   TEST_INVALID_REGEX("(?<!*|^)", perl);
++   TEST_INVALID_REGEX("(?<!*|A)", perl);
++   TEST_INVALID_REGEX("(?<=?|A)", perl);
++   TEST_INVALID_REGEX("(?<=*|\B)", perl);
+ }
+ 
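Review bot: In the third embedded hunk for basic_regex_parser.hpp, the new repetition check evaluates `static_cast<re_alt*>(b)->next.i` on the state re-fetched from `expected_alt_point` without testing `b->type` again. The body of the preceding `if(b->type != syntax_element_alt)` branch lies outside the hunk, so it cannot be confirmed from here that an alt state is always present at that offset. If that branch does guarantee it, a comment such as `// state at expected_alt_point is a re_alt by now, so the cast below is valid` would record the invariant the cast depends on. This parser runs on whatever pattern the application hands it, so the assumption is worth stating next to the cast. The enclosing function starts and ends outside the embedded hunks.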
diff -r 362001efb62e -r 77407ae8809f meta-pkgs/boost/patches/patch-r42745
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/meta-pkgs/boost/patches/patch-r42745      Mon Apr 28 21:35:25 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-r42745,v 1.1 2008/04/28 21:35:25 jmmv Exp $
+
+Fix for CVE-2008-0171.  Patch from Boost's svn repository, r42745.
+
+--- libs/regex/test/regress/test_perl_ex.cpp (revision 42674)
++++ libs/regex/test/regress/test_perl_ex.cpp (revision 42745)
+@@ -132,5 +132,5 @@
+    TEST_INVALID_REGEX("(?<!*|A)", perl);
+    TEST_INVALID_REGEX("(?<=?|A)", perl);
+-   TEST_INVALID_REGEX("(?<=*|\B)", perl);
++   TEST_INVALID_REGEX("(?<=*|\\B)", perl);
+ }
+ 
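Review bot: The header comment `Fix for CVE-2008-0171.` overstates what this patch file does, since its only hunk changes one string literal in libs/regex/test/regress/test_perl_ex.cpp (`\B` to `\\B`). Anyone auditing which pkgsrc patches carry the security fix would be better served by a description like `Follow-up to r42674 (CVE-2008-0171): escape the backslash in a regression-test pattern.` The patch also depends on patch-r42674 being applied first, because it edits lines that patch adds.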


