Pullup ticket #4565 - requested by he

devel/pcre: security update

Revisions pulled up:
- devel/pcre/Makefile                                           1.73,1.75
- devel/pcre/distinfo                                           1.54-1.55
- devel/pcre/patches/patch-CVE-2014-8964                        1.1
- devel/pcre/patches/patch-aa                                   1.16
- devel/pcre/patches/patch-ab                                   1.9

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Wed Oct  1 11:45:00 UTC 2014

   Modified Files:
   	pkgsrc/devel/pcre: Makefile distinfo

   Log Message:
   Update to 8.36:

   Version 8.36 26-September-2014
   ------------------------------

   1.  Got rid of some compiler warnings in the C++ modules that were shown up by
       -Wmissing-field-initializers and -Wunused-parameter.

   2.  The tests for quantifiers being too big (greater than 65535) were being
       applied after reading the number, and stupidly assuming that integer
       overflow would give a negative number. The tests are now applied as the
       numbers are read.

   3.  Tidy code in pcre_exec.c where two branches that used to be different are
       now the same.

   4.  The JIT compiler did not generate match limit checks for certain
       bracketed expressions with quantifiers. This may lead to exponential
       backtracking, instead of returning with PCRE_ERROR_MATCHLIMIT. This
       issue should be resolved now.

   5.  Fixed an issue, which occures when nested alternatives are optimized
       with table jumps.

   6.  Inserted two casts and changed some ints to size_t in the light of some
       reported 64-bit compiler warnings (Bugzilla 1477).

   7.  Fixed a bug concerned with zero-minimum possessive groups that could match
       an empty string, which sometimes were behaving incorrectly in the
       interpreter (though correctly in the JIT matcher). This pcretest input is
       an example:

         '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'
         NON QUOTED "QUOT""ED" AFTER "NOT MATCHED

       the interpreter was reporting a match of 'NON QUOTED ' only, whereas the
       JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test
       for an empty string was breaking the inner loop and carrying on at a lower
       level, when possessive repeated groups should always return to a higher
       level as they have no backtrack points in them. The empty string test now
       occurs at the outer level.

   8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern
       ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".

   9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl
       doesn't).

   10. Change 8.34/15 introduced a bug that caused the amount of memory needed
       to hold a pattern to be incorrectly computed (too small) when there were
       named back references to duplicated names. This could cause "internal
       error: code overflow" or "double free or corruption" or other memory
       handling errors.

   11. When named subpatterns had the same prefixes, back references could be
       confused. For example, in this pattern:

         /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/

       the reference to 'Name' was incorrectly treated as a reference to a
       duplicate name.

   12. A pattern such as /^s?c/mi8 where the optional character has more than
       one "other case" was incorrectly compiled such that it would only try to
       match starting at "c".

   13. When a pattern starting with \s was studied, VT was not included in the
       list of possible starting characters; this should have been part of the
       8.34/18 patch.

   14. If a character class started [\Qx]... where x is any character, the class
       was incorrectly terminated at the ].

   15. If a pattern that started with a caseless match for a character with more
       than one "other case" was studied, PCRE did not set up the starting code
       unit bit map for the list of possible characters. Now it does. This is an
       optimization improvement, not a bug fix.

   16. The Unicode data tables have been updated to Unicode 7.0.0.

   17. Fixed a number of memory leaks in pcregrep.

   18. Avoid a compiler warning (from some compilers) for a function call with
       a cast that removes "const" from an lvalue by using an intermediate
       variable (to which the compiler does not object).

   19. Incorrect code was compiled if a group that contained an internal recursive
       back reference was optional (had quantifier with a minimum of zero). This
       example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples
       caused segmentation faults because of stack overflows at compile time.

   20. A pattern such as /((?(R)a|(?1)))+/, which contains a recursion within a
       group that is quantified with an indefinite repeat, caused a compile-time
       loop which used up all the system stack and provoked a segmentation fault.
       This was not the same bug as 19 above.

   21. Add PCRECPP_EXP_DECL declaration to operator<< in pcre_stringpiece.h.
       Patch by Mike Frysinger.

---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Sun Nov 30 14:48:43 UTC 2014

   Modified Files:
   	pkgsrc/devel/pcre: Makefile distinfo
   	pkgsrc/devel/pcre/patches: patch-aa patch-ab
   Added Files:
   	pkgsrc/devel/pcre/patches: patch-CVE-2014-8964

   Log Message:
   patch for CVE-2014-8964 from upstream

   also, patch refresh

5 files changed, 37 insertions, 16 deletions

diff --git a/devel/pcre/Makefile b/devel/pcre/Makefile
index 7fbb262b464..c2341f9e6a7 100644
--- a/devel/pcre/Makefile
+++ b/devel/pcre/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.72 2014/06/10 19:45:17 wiz Exp $
+# $NetBSD: Makefile,v 1.72.4.1 2014/12/04 19:28:20 tron Exp $
 
-DISTNAME=	pcre-8.35
+DISTNAME=	pcre-8.36
 PKGREVISION=	1
 CATEGORIES=	devel
 MASTER_SITES=	ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ \
diff --git a/devel/pcre/distinfo b/devel/pcre/distinfo
index 174e7a4885c..37e220e9603 100644
--- a/devel/pcre/distinfo
+++ b/devel/pcre/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.53 2014/06/10 19:45:17 wiz Exp $
+$NetBSD: distinfo,v 1.53.4.1 2014/12/04 19:28:20 tron Exp $
 
-SHA1 (pcre-8.35.tar.bz2) = a10e0040475644bfc97f7d0c0556988acfc52c6f
-RMD160 (pcre-8.35.tar.bz2) = 85565cfb183fdef1408309b9f02d19c4d85ff458
-Size (pcre-8.35.tar.bz2) = 1522220 bytes
-SHA1 (patch-aa) = 02c03145827eaf5ce5d267836d0a4c5f6c00ba99
-SHA1 (patch-ab) = 2e680087b9b302cf2ba2fbafc758820dfd85d9e1
+SHA1 (pcre-8.36.tar.bz2) = 9a074e9cbf3eb9f05213fd9ca5bc188644845ccc
+RMD160 (pcre-8.36.tar.bz2) = e13ce590fbb12aaa375645edeea6fa4938d31efb
+Size (pcre-8.36.tar.bz2) = 1533818 bytes
+SHA1 (patch-CVE-2014-8964) = 4779bf53dd08d7be070c3860c35ab896a26d29e9
+SHA1 (patch-aa) = ed20cfb5ca7b1e620e368c8e41a7f691d6f93282
+SHA1 (patch-ab) = 0b8fbde09c27e2716e5bfa32abce8ee4a79fb7fb
 SHA1 (patch-doc_pcredemo.3) = 90f9b3a021f58973149d839735d40c5e2e245912
diff --git a/devel/pcre/patches/patch-CVE-2014-8964 b/devel/pcre/patches/patch-CVE-2014-8964
new file mode 100644
index 00000000000..3fecc399211
--- /dev/null
+++ b/devel/pcre/patches/patch-CVE-2014-8964
@@ -0,0 +1,20 @@
+$NetBSD: patch-CVE-2014-8964,v 1.1.2.2 2014/12/04 19:28:20 tron Exp $
+
+patch for CVE-2014-8964 taken from
+http://bugs.exim.org/show_bug.cgi?id=1546
+
+--- pcre_exec.c.orig	2014-09-15 13:48:59.000000000 +0000
++++ pcre_exec.c
+@@ -1404,8 +1404,11 @@ for (;;)
+         condition = TRUE;
+ 
+         /* Advance ecode past the assertion to the start of the first branch,
+-        but adjust it so that the general choosing code below works. */
++        but adjust it so that the general choosing code below works. If the
++        assertion has a quantifier that allows zero repeats we must skip over
++        the BRAZERO. This is a lunatic thing to do, but somebody did! */
+ 
++        if (*ecode == OP_BRAZERO) ecode++;
+         ecode += GET(ecode, 1);
+         while (*ecode == OP_ALT) ecode += GET(ecode, 1);
+         ecode += 1 + LINK_SIZE - PRIV(OP_lengths)[condcode];
diff --git a/devel/pcre/patches/patch-aa b/devel/pcre/patches/patch-aa
index 9b5c4367b5e..522bf099bfe 100644
--- a/devel/pcre/patches/patch-aa
+++ b/devel/pcre/patches/patch-aa
@@ -1,10 +1,10 @@
-$NetBSD: patch-aa,v 1.15 2012/03/02 15:24:48 wiz Exp $
+$NetBSD: patch-aa,v 1.15.22.1 2014/12/04 19:28:20 tron Exp $
 
 Use pkgsrc's COMPILER_RPATH_FLAG variable, so this works on all pkgsrc platforms.
 
---- pcre-config.in.orig	2012-01-21 16:00:28.000000000 +0000
+--- pcre-config.in.orig	2014-01-31 14:32:51.000000000 +0000
 +++ pcre-config.in
-@@ -28,15 +28,7 @@ if test $# -eq 0; then
+@@ -32,15 +32,7 @@ if test $# -eq 0; then
        exit 1
  fi
  
diff --git a/devel/pcre/patches/patch-ab b/devel/pcre/patches/patch-ab
index 7c21960f2b9..f1cd04c9ae2 100644
--- a/devel/pcre/patches/patch-ab
+++ b/devel/pcre/patches/patch-ab
@@ -1,4 +1,4 @@
-$NetBSD: patch-ab,v 1.8 2012/03/10 08:03:57 sbd Exp $
+$NetBSD: patch-ab,v 1.8.22.1 2014/12/04 19:28:20 tron Exp $
 
 Remove a feeble attempt at providing ABI compatibility for the C++ portion
 of the PCRE library. Relying on the C++ compiler to crunch symbols in a
@@ -6,9 +6,9 @@ particular way is platform dependent at best, and the comments indicate
 that this was done for OSX.
 Also, the test misfired on SunOS leading to breakage (PR pkg/38768).
 
---- configure.orig	2012-02-04 12:55:43.000000000 +0000
+--- configure.orig	2014-09-26 09:06:46.000000000 +0000
 +++ configure
-@@ -16189,6 +16189,8 @@ ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS
+@@ -17603,6 +17603,8 @@ ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS 
  ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
  ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
  
@@ -17,7 +17,7 @@ Also, the test misfired on SunOS leading to breakage (PR pkg/38768).
  
  # Older versions of pcre defined pcrecpp::no_arg, but in new versions
  # it's called pcrecpp::RE::no_arg.  For backwards ABI compatibility,
-@@ -16231,6 +16233,9 @@ rm -f core conftest.err conftest.$ac_obj
+@@ -17645,6 +17647,9 @@ rm -f core conftest.err conftest.$ac_obj
  done
  LDFLAGS="$OLD_LDFLAGS"
  
@@ -27,7 +27,7 @@ Also, the test misfired on SunOS leading to breakage (PR pkg/38768).
  # We could be more clever here, given we're doing AC_SUBST with this
  # (eg set a var to be the name of the include file we want). But we're not
  # so it's easy to change back to 'regular' autoconf vars if we needed to.
-@@ -17014,6 +17019,10 @@ if test "$enable_pcretest_libreadline" =
+@@ -18952,6 +18957,10 @@ elif test "$enable_pcretest_libreadline"
  
  $as_echo "#define SUPPORT_LIBREADLINE /**/" >>confdefs.h